Federal Court Decision Illustrates Differing Analysis Used In Addressing Data Breach Coverage Under A CGL Policy

On reexamination, a federal district court determined that a CGL (commercial general liability) policy purchased by Target Corporation covered the replacement costs for Target payment cards that were compromised as a result of a data breach. Of significance, the federal district court’s decision contrasts with other federal court decisions, which found that data breaches do not result in the “loss of use” of payment cards – a standard requirement for an “occurrence” under a CGL policy.

Pertinent Background

Data breaches that compromise a retail company’s payment cards have resulted in insurance coverage disputes under CGL policies.  This is one of those lawsuits.

In connection with a data breach, Target discovered that a hacker had stolen payment card data and personally identifiable information (PII) of individuals with Target payment cards. The issuing banks cancelled the payment cards, incurring costs, and sought compensation from Target, which ultimately settled the claims. Target then brought an action against its insurer, alleging that the insurer was obligated to indemnify Target under the CGL policy for the money paid to settle the claims. 

The policy at issue provide coverage for losses resulting from property damage, including “loss of use of tangible property that is not physically injured.” The policy applied to property damage only if the “property damage” was caused by an “occurrence.”

Target provided its insurer with notice and a detailed accounting of the loss, but after the insurer denied coverage, Target filed a lawsuit alleging breach of contract and seeking declaratory and compensatory damages. Target also moved for partial summary judgment, seeking a declaration that the CGL policy covered the costs incurred in settling the claims. The original order entered by the federal district court denied Target’s motion, but after addressing a motion to alter or amend the original order filed by Target, the court reached a different conclusion.

District Court’s Waterfall Analysis of Policy Coverage Requirements

The parties agreed that Target had to satisfy three requirements to establish coverage for the cost of replacing the payment cards: (1) the losses must have been the result of an “occurrence”; (2) the “occurrence” must have resulted in the “loss of use” of the property; and (3) the property lacking use must have been “tangible property that is not physically injured.” The court addressed each of the three coverage requirements in turn.

An Occurrence

The policy defined an “occurrence” as an “accident, including continuous or repeated exposure to substantially the same general harmful conditions.” The policy did not define the term “accident.”  As a result, the court turned to state law for a generally understood meaning of the word “accident.”  Per the definition relied upon by the court, an “accident” is a happening that is unexpected and unintended.  Of significance, the court found Minnesota courts (the state where the federal court was sitting) have established that the word “accident” encompasses both the acts of the insured and the consequences of the insured’s acts.

The parties did not dispute that Target neither expected nor intended the data breach. As a result, the data breach was an accident, which was an “occurrence” within the terms of the policy.  Under the court’s reasoning, the cancellation and resulting inoperability of the payment cards were the consequences of Target’s discovery of the accident, the data breach. For this reason, the court concluded that the inoperability of the payment cards – necessitated by the data breach – was an “occurrence” within the terms of the policy.

Loss of Use

Under the policy, the insurer must indemnify Target for coverable property damage resulting from an occurrence. The policy defined property damage, in relevant part, as “loss of use” of “tangible property that is not physically injured.” The parties disputed what constitutes “loss of use,” a term not defined in the policy.

Neither party presented controlling legal authority to the court squarely addressing whether “loss of use” includes the inoperability of payment cards following a data breach. The court’s research similarly failed to identify legal authority directly on point. 

Under the court’s analysis, the data breach compromised Target’s payment cards. By compromising the payment information listed on and associated with the payment cards, the data breach caused the issuing banks to cancel the compromised payment cards and issue replacement payment cards. Cancellation of the compromised payment cards rendered the payment cards inoperable and, therefore, the payment cards lost their use. Relying on a decision issued by the Eight Circuit addressing coverage for an insured’s spyware which infected a third-party’s computer, the court determined that, although the compromised payment cards still existed, they could no longer serve their function. As a corollary, the court found the expense that Target incurred to settle claims brought by the issuing banks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards. For those reasons, the court found that Target met the second coverage requirement.

Tangible Property that is not Physically Injured

To establish coverage under the policy, the claim must be for property damage to “tangible property that is not physically injured.” The policy expressly excluded electronic data from the definition of tangible property. Electronic data was defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”

The insurer contended that Target was actually seeking compensation for the missing data, not the payment cards. However, the parties did not dispute that the payment cards, the damaged property for which Target sought coverage, are “tangible property that is not physically injured.” As viewed by the court, it was the use of the payment cards, not the use of electronic data, that was lost. Because the payment cards were tangible property and the payment cards were not physically injured, the court determined that Target met the third requirement to establish a basis for its coverage claim.

District Court’s Duty to Indemnify Conclusion

The parties disagreed whether the expenses Target incurred settling the issuing banks’ claims for compensation for payment-card replacements were covered by the insurer’s duty to indemnify.  As reiterated by the court, the interpretation of an insurance policy, including whether a legal duty to defend or indemnify exists, is governed by state law.  Under Minnesota law, the holder of a liability insurance policy has a contractual right to payment – and an insurer the corresponding duty to indemnify the insured – when the insured’s liability to a third party is within the scope of the insurance policy. The court concluded that the insurer was obligated to indemnify Target for the settlement with the banks for the replacement costs because the cost of replacing the payment cards was covered under the terms of the policy.

In summary, the court concluded that the data breach was an “occurrence” within the terms of the policy and that the expense Target incurred to settle claims for replacing the payment cards was a cost due to the loss of use of the payment cards.  The court’s decision stands in contrast to other federal court decisions that found data breaches do not result in the “loss of use” of payment cards, which is required for an “occurrence” under a CGL policy.

A copy of the Target Corp. v. ACE American Ins. Co., 2022 WL 848095 (D. Minn. March 3, 2022) decision can be accessed here.