Is there CGL Coverage for Cyber Breach Claims?

Cozen O'Connor

Cozen O'Connor

The coverage dispute in Home Depot, Inc., et al v. Steadfast Insurance Company, et al. arises out of a 2014 data breach of millions of Home Depot’s customers’ payment information. As a result of the breach, the financial institutions needed to cancel and replace the effected cards. Subsequently, these financial institutions filed a class action lawsuit against Home Depot seeking damages for the costs to replace the physical payment cards as they alleged the cards could no longer be used for secure transactions. Home Depot sought coverage under its primary and excess policies with Steadfast Insurance Company and Zurich American Insurance Co. (collectively “Zurich”) and its umbrella policy with Great American Assurance Co. (“Great American”). In response, Zurich and Great American denied coverage to Home Depot for the class action lawsuit.

After defending itself in the class action lawsuit, Home Depot entered two settlements with the financial institutions – issuing one payment to the larger financial institutions for over $136 million and issuing a second payment to the class members for $27.25 million.  Home Depot then sought coverage for its settlement payments, which it claimed it incurred because of the loss of the physical payment cards, from Zurich and Great American. Again, Zurich and Great American denied coverage under the commercial general liability policies on the basis that the loss was related to damages to electronic data rather than the physical cards, which fell within the policies’ electronic data exclusion. Zurich and Great American also noted Home Depot obtained coverage for the financial institutions claims under Home Depot’s cyber insurance for the cyber related risks. 

Subsequently, The Home Depot, Inc. and Home Depot U.S.A., Inc. (collectively, “Home Depot”) filed a lawsuit against Zurich and Great American in the Southern District of Ohio at Cincinnati.  Home Depot alleges Zurich and Great American breached their obligations under CGL and excess policies issued to Home Depot by refusing to indemnify Home Depot for the losses it incurred during the 2014 data breach. Home Depot brings claims for breach of contract, bad faith and stubborn litigiousness (O.C.G.A. § 13-6-11) against Zurich and Great American.

In the coverage action, the parties filed motions for summary judgment, agreeing Georgia law applied to the interpretation of the policies. The District Court granted Zurich’s and Great American’s motions for summary judgment and denied Home Depot’s partial motion for summary judgment. In its opinion, the Court noted the applicable policies cover, inter alia, the “loss of use of tangible property that is not physically injured” if that loss is caused by an “occurrence.” In its motion, Home Depot argued the payment cards were tangible property not physically injured, and that there was a loss of use of that tangible property due to the data breach. While the court agreed with Home Depot that the incident constituted a loss of use of tangible property caused by an occurrence, the court ultimately granted the insurers’ motions based on the policies’ electronic data exclusion.

The electronic data exclusion precluded coverage for the “loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data”. Because numbers printed on the back of credit cards are “useful for reminding cardholders of their card numbers when doing things like entering their card numbers online,” the Court found that when the cards were cancelled, the numbers were no longer accurate, thereby constituting a “loss of use.” However, the Court reasoned that the card cancellations were “inextricably intertwined” with the loss of electronic data and therefore, held the electronic data exclusion applied because the loss of use of the physical card numbers arose out of the loss of use of the electronically stored card numbers. The matter was then appealed to the Sixth Circuit.


On appeal, Home Depot contends, under Georgia law, there must be a fair and broad interpretation of insurance contracts that favors policyholders’ reasonable expectations. In addition, Home Depot argues that when the duty to defend is in question, insurers must provide a defense if the claims arguably fall within the policy’s coverage. Second, Home Depot argues that the District Court correctly recognized the “loss of use of tangible property” and “occurrence” elements concerning its principal card-reissuance theory. However, it asserts that the District Court wrongly applied the electronic-data exclusion, contending that the data breach did not entail a loss of use of electronic data. Finally, Home Depot challenges the District Court’s dismissal of its reduced-usage theory, claiming that some uses of physical payment cards involve only the tangible cards, not electronic data, and reduced usage led to damages that the insurers should cover.

Zurich argues the District Court correctly applied the electronic data exclusion and Home Depot is not entitled to “property damage” coverage for the data breach claims. Similarly, Great American argues the electronic data exclusion bars coverage for Home Depot’s claims, the alleged damages are excluded because they arise out of the loss of, loss of use of, or inability to access “electronic data”, and the applicable insuring agreement also bars coverage.

We will be following this matter to see how the Court of Appeals for the Sixth Circuit rules on these issues. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:

Cozen O'Connor

Cozen O'Connor on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide