Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present ever-changing risks to companies and individuals, and applicable insurance has never been more important. While companies historically sought coverage for losses under traditional CGL, D&O, E&O, commercial crime, and business interruption policies, their mixed results––coupled with new exclusions singling out electronic data––have led to an increasing need for cyber-specific coverages. However, as evidenced by the Minnesota District Court’s recent decision in Target Corporation v. ACE American Insurance Company, 2022 WL 848095 (D. Minn. Mar. 22, 2022), CGL policies still may be in play where damages result from the inability to use tangible property.
In 2013, Target discovered that a hacker breached its systems and obtained payment card data for approximately 110 million individuals with Target cards. The issuing banks then canceled the cards, issued replacements, and sought reimbursement from Target. In total, Target settled these claims for $138 million––of which $74 million was paid for costs associated with replacing the payment cards. Target sought coverage for this amount from ACE under the common CGL coverage provision for damages because of “property damage”, including the “loss of use of tangible property that is not physically injured”, caused by an “occurrence”.
Because Target’s claimed damages were the costs associated with replacing the cards and not based on the value of the use lost by the banks or consumers, the court initially granted ACE’s motion for summary judgment in February 2021. In short, the court’s prior ruling would have required insureds to show a connection between the damages incurred and the value lost by someone being unable to use the tangible property at issue. Certainly, where covered, an insured’s damages may be the value of the use lost, but, as the court later recognized, an insured need only show that damages––however calculated––were “caused by” the “property damage” (i.e. the loss of use). See id. at *3 n.2 (finding a sufficient causal connection between the expense of settling the banks’ claims for the cost of replacing the cards and the payment cards’ loss of use).
In its March 22, 2022 correction, the court found that the compromised data rendered the payment cards inoperable without physically injuring them and permitted Target to recover amounts it paid the banks for replacing the cards. In doing so, the court analogized these facts to the Eighth Circuit’s decision in Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010). In Eyeblaster, an internet advertising company sought coverage under a CGL policy for claims that it damaged a user’s computer by infecting it with spyware. As in Target, the policy at issue excluded electronic data from its definition of “tangible property”––prompting the insurer to deny coverage. However, because the Eyeblaster underlying complaint’s allegations were aimed at problems with the computer’s functionality, the insured’s damages were associated with the loss of use of tangible property. Likewise, the Target court noted that the issuing banks’ claims were focused on the inability to use tangible payment cards, despite the fact that the cause arose in cyberspace.
Importantly, Target involved a situation where consumers lost the ability to use their payment cards, yet, unlike the computer owner in Eyeblaster, they were not involved in the underlying litigation. Nonetheless, Target was able to recover for claims brought by the issuing banks without addressing whose loss of use matters in these situations. Was it the banks’ inability to use the cards to collect transaction fees? Or was the loss of use by cardholders sufficient despite their absence from the lawsuit? Nothing in CGL policies like the one issued in Target suggests this makes a difference, but it is worth noting where the property use at issue isn’t as apparent.
Target demonstrates the continuing viability of traditional coverages for losses seemingly resulting from damage to intangible property or data. However, it remains to be seen just how receptive courts will be to similar claims as we move away from physical modes of payment. Would courts apply the same reasoning to claims resulting from the loss of use of a smartphone or other device to access a third-party app that had been compromised––rendering the phone inoperable for making payments or buying Bitcoin, for example? Would the claim be recognized where the app maker claims it lost the use of the device to generate revenue, or need it be the end user’s loss of use? A plain reading of these CGL “loss of use” provisions, Target, and Eyeblaster suggest that coverage may be available, but companies should still be on the lookout for additional exclusions and consider broader cyber-specific policies.