Sixth Circuit finds no cover for 2014 data breach under Home Depot's CGL policies

By Erin Ayers, Front Page News

Home Depot’s liability insurers have no duty to indemnify or defend the retailer for losses stemming from a 2014 data breach, the U.S. Court of Appeals for the Sixth Circuit has decided, upholding a lower court’s ruling.

Home Depot suffered a high-profile cyber event in 2014, resulting in the compromise of “tens of millions” of customer payment cards and personal information. Financial institutions, forced to issue new cards and investigate fraudulent activity, sued Home Depot. The company eventually settled the claims for $170 million.

According to the Sixth Circuit, Home Depot recovered more than $100 million from its cyber policies but sought coverage for the remaining funds under its commercial general liability policies issued by Steadfast Insurance Company and Great American Assurance Company.

The CGL policies (three in total) had $50 million in coverage and covered losses incurred due to physical damage to or loss of use of tangible property. However, they state that electronic data is not tangible property and exclude electronic data from coverage. On this basis, Steadfast and Great American denied the claim.

Home Depot sued, arguing that the reissuance of physical cards should trigger coverage, as well as customers’ loss of use of the cards. The retailer also sought reimbursement for its defense costs. A district court disagreed, granting summary judgment to the insurers.

The Sixth Circuit upheld the ruling, finding that even if the data breach cause loss of use of tangible payment cards, the electronic data exclusion “would unambiguously bar coverage.”

“Because payment card data is a creature of the computer, it falls under the policy’s definition of ‘electronic data,’ the Court said in its Jan. 13 opinion, adding, “A ‘loss of use’ occurs when an item exists but has lost its function. That’s what happened here: Purchasers could no longer use their payment card data to make secure payments.”

The Court dismissed several arguments made by Home Depot, including the assertion that the electronic payment card data was “more, not less accessible” as result of the breach since hackers in addition to cardholders and issuers could use the data. The reissuance of physical cards is what triggered the loss of use, the store reasoned.

Not so, the Sixth Circuit said, stating that absent the electronic data breach, there would have been no loss of use or need to reissue physical cards. The Court also refuted Home Depot’s claim for the duty to defend, finding that the financial institutions’ lawsuit expressly arose out of the data breach.

“The insurers were right. The complaint makes clear that the damages at issue arose out of the loss of use of electronic data. It begins with a quote about electronic data and features that phrase on nearly every one of its 93 pages,” concluded the Sixth Circuit.