Analysis

Cyber Coverage Hopes Buoyed By Target Data Hack Win

By Daniel Tay · 2022-04-04 19:32:28 -0400

Target's victory in getting coverage for $138 million in settlements for the costs of replacing credit cards after a 2013 data breach underscores courts' willingness to accept that cyberattacks can result in damage to physical property covered under noncyber policies.

A Minnesota federal court in March reversed its own holding and found that Target's multimillion-dollar settlement with card-issuing banks for the costs of replacing Target-affiliated cards post-hack is covered under commercial general liability policies. The court previously held Minnesota law required damages for loss of use of the cards to be related to the value of the cardholders' ability to use the cards and that Target had failed to prove such a relationship.

Target became the latest company to win coverage for a cyber-related incident under a noncyber policy when a Minnesota federal court in a reversal in March held that the chain's settlement costs with card-issuing banks over a 2013 data breach were incurred due to credit cards' loss of use. Courts in recent years have become more willing to consider how traditional policy language about property damage applies to "the new cyber world," says policyholder attorney Emily Garrison. (AP Photo/Charles Krupa)

In its reversal, the court relied on a seemingly simpler standard, saying the issuing banks' cancellation of compromised cards due to Target's data breach resulted in the loss of use of those cards and therefore Target's settlements over the cards' replacement costs were incurred due to the cards' loss of use.

The court's conclusion that the breach resulted in the cards' "loss of use" demonstrates courts' openness to the idea that cyber incidents' impacts on data or software can be considered property damage under traditional policy language. Federal courts in the 2021 EMOI Services LLC v. Owners Insurance Co. decision and the 2020 National Ink & Stitch LLC v. State Auto Property & Casualty Insurance Co. decision also found cyber incidents caused covered property damage, with those two cases contemplating coverage under property policies.

"Cases like Target are useful for policyholders because I think that it will dispel the notion that a dedicated cyberinsurance policy is the only insurance product that covers a cyber event," Joshua Gold, a policyholder partner with Anderson Kill, told Law360. "There are some insurance companies that do try and argue that they never intended to cover cyber risk under any policy other than a cyber policy, and that simply is not true."

In 2013, Target suffered a data breach in which the credit and debit card information for about 40 million customers was stolen. The retailer in 2016 reached settlements with banks and credit card issuers totaling $138 million, at least $74 million of which was for the costs of the banks replacing compromised cards, according to court documents.

Target sued the Ace insurers in November 2019 for their refusal to pay the claims brought by the banks and issuers, saying that its loss met the specific requirements of its policies with the Ace insurers, which cover damage for the "loss of use of tangible property that is not physically injured."

The Target court's decision is part of a trend by courts of being willing to "keep an open mind" about how traditional policy language about property damage applies to "the new cyber world," Emily Garrison, a partner with Honigman LLP who represents policyholders, told Law360. Given the world's increasing reliance on technology, "the implications of what loss of use means in the cyber context could be interesting," Garrison said.

"I would argue that the coverage has always existed," Gold said, referring to the scope of coverage under commercial general liability policies. "It takes a first factual set of circumstances and hard-fought litigation in order to generate this kind of decision, but I think the decision is sound legally in terms of interpreting what constitutes property damage and applying it to a cyber event."

Besides the Target decision, courts in recent years have held there is coverage for cyber incident-related damages under various noncyber policies. The EMOI and National Ink courts found coverage for cyber incidents' damage to computer hardware and software under property policies. Beyond coverage for property damage, the Fifth Circuit's 2021 decision in Landry's Inc. v. Insurance Co. of the State of Pennsylvania found coverage for a data breach under privacy provisions of a commercial general liability policy.

Additionally, the Indiana Supreme Court's 2021 decision in G&G Oil Co. of Indiana v. Continental Western Insurance Co. revived a policyholder's claims for coverage of bitcoin ransomware payments under a crime policy.

The Target decision is concerning for insurers as the court had found that the loss of use of the cards for their "intended function" was a loss of use of the cards, Jonathan Schwartz, a partner with Freeman Mathis & Gary LLP who represents insurers, told Law360. In the Target case, the cards had not lost their use as they could easily have been reprogrammed, according to Schwartz.

"It's not like the cards were physically damaged where they have, you know, become broken, or brittle, or there's something wrong with the magnet strips," Schwartz said. "The credit card companies have just deemed it that it's easier for them to send out a replacement card than it is for them to either reprogram or fix the existing card."

A possible implication of the Target decision in the context of computer systems is that any policyholder with computer equipment that is "no longer functioning the way they want it to" after a cyber incident might be able to make a claim under a commercial general liability policy, Schwartz said. That is broader than what the policy language contemplates, which is usually strictly coverage for tangible property, according to Schwartz.

"The physical medium is what's intended to be insured, but the data, absent a specific endorsement or coverage that is written for that particular insured, is not intended to be covered under that kind of policy," Schwartz told Law360.

For now, insurers should look to tighten policy language for all kinds of policies in light of the Target decision, Fred Eslami, associate director at insurance credit rating agency AM Best, told Law360. Insurers should be reevaluating policy provisions to ensure they are not "old or obsolete, and to bring them to the era of cyberattacks with specific and well-defined exclusions and inclusions," Eslami said.

Garrison of Honigman noted that many newer noncyber policies do have exclusions for coverage of cyber incidents, but stressed the importance of the policy language's exact wording. For example, newer policies may contain an exclusion for access or disclosure of confidential personal information and for data-related liability. Whether or not the Target settlement would fall under such an exclusion would hinge on the exact wording, given that the damages arose from the loss of use of physical property, Garrison said.

The Target decision is part of a growing collection of cases that will be important as courts continue navigating the issue of cyber coverage under noncyber policies, Gold said. For example, it is possible that a cyber event causes an injury or death and a claim is brought under bodily injury provisions in a commercial general liability policy, according to Gold.

"Given the number of attacks against hospitals … and thinking about how some hackers are targeting infrastructure and industrial facilities, it's just a matter of time before we're going to have a CGL insurance coverage case over whether or not the policy provides coverage for bodily injuries when the event causing it is partly or entirely a cybersecurity compromise," Gold said.

--Additional reporting by Josh Liberatore and Daphne Zhang. Editing by Bruce Goldman.
