A recent Order recently reversed the fortunes for Target, which is claiming coverage for payment cards that could not be used.1 Numerous missing data cases are being decided for relatively new and old forms of property insurance. The policy language is important as policyholders and insurers spar over the meaning and new facts involving cyber and electronic data-related loss. Target argued that its liability policy covered the costs for loss of use in this case.
The court Order recited the factual background of the case:
In 2013, Target discovered that a hacker stole payment card data and personal contact information of individuals with Target payment cards (Data Breach). Because the Data Breach compromised the payment cards, the banks that issued these payment cards (Issuing Banks) cancelled the payment cards and issued replacement payment cards, incurring costs for which the Issuing Banks sought compensation from Target. Target settled the Issuing Banks’ claims.
In this case, Target alleges that under ACE’s general liability policies (the Policies), ACE is obligated to indemnify Target with respect to the settlements with the Issuing Banks. The Policies provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured.’ The Policies apply to property damage only if the ‘property damage’ is caused by an ‘occurrence.’ Target provided ACE with notice and a detailed accounting of the loss. ACE denied coverage as to Target’s claim and refused to compensate Target. Target filed this lawsuit against ACE in November 2019, alleging breach of contract and seeking declaratory and compensatory damages.
The court holding is important and is a lesson for policyholders seeking coverage for data loss that both the property and liability policies may provide cover depending on first-party losses and third-party liabilities which can arise from the same occurrence:
To establish coverage under the Policies, the claim must be for property damage to ‘tangible property that is not physically injured.’ The Policies expressly exclude electronic data from the definition of tangible property. Electronic data is defined as ‘information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.’ ACE contends that Target is actually seeking compensation for the missing data, not the payment cards. But the parties do not dispute that the payment cards, the damaged property for which Target seeks coverage, are ‘tangible property that is not physically injured.’ And it is the use of the payment cards, not the use of electronic data, that was lost. Because the payment cards are tangible property and the payment cards are not physically injured, Target has met the third requirement to establish a basis for its claim for coverage.
The Court erred in its prior judgment.
“Loss of use” liability resulting from property damage to third parties is fairly common. In liability policies, the term is usually broad because an insured can cause economic damages in numerous ways to a third party.
Insurers have had their share of victories in these types of cases. However, the Court distinguished other cases where the insurer won:
ACE contends that other courts have found that data breaches do not result in the ‘loss of use’ of payment cards and argues that this Court should do the same, relying primarily on Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 180 (3d Cir. 2008). ACE’s argument is unpersuasive for several reasons. First, BJ’s Wholesale is a case from the United States Court of Appeals for the Third Circuit and is, therefore, at most only persuasive authority for this Court. Second, the claims for compensation for the cost of replacing payment cards brought in BJ’s Wholesale were alleged pursuant to a theory of negligence—not the breach of a specific term in a liability contract. BJ’s Wholesale, 533 F.3d at 179–80. Third, the injured party in BJ’s Wholesale sought to prove “physical damage” to the cards that were compromised in the data breach, unlike here, where Target asserts a claim related to property that was not physically injured. Id. at 179. For these reasons, BJ’s Wholesale is distinguishable and unpersuasive.
Business policyholders and those overseeing cyber risks should spend considerable time developing an insurance plan hedging the cyber risk. I noted this several months ago in Can Businesses Trust Their Cyber and Crime Package Policies To Provide Coverage?
Thought For The Day
Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.
1 Target Corp. v. ACE American Ins. Co., No. 19-cv-2916 (D. Minn. Mar. 22, 2022).