On January 13, 2025, the Sixth Circuit Court of Appeals addressed whether an insured is entitled to coverage under a standard commercial general liability (“CGL”) policy for losses resulting from a data breach. In Home Depot, Inc. v. Steadfast Insurance Co., No. 23-3720, 2025 U.S. App. LEXIS 687 (6th Cir. Jan. 13, 2025), the Sixth Circuit affirmed the United States District Court for the Southern District of Ohio’s decision holding that the CGL insurance policies at issue did not cover damages arising out of the loss of use of electronic data, including payment card data compromised in a data breach.
The underlying dispute arose from a cyberattack where hackers accessed Home Depot’s computer system and stole payment card information and personal information from millions of consumers who used the company’s self-checkout terminals. Following the breach, several financial institutions (the “issuers”) sued for losses incurred as a result of the breach, including costs of reissuing payment cards and covering fraudulent charges.
Home Depot settled the claims for $170 million and sought reimbursement from its CGL insurers, Steadfast and Great American. The insurers denied coverage citing the policies’ exclusion for damages arising out of the loss of use of electronic data. Home Depot sued, asserting the insurers should indemnify it for costs the issuers incurred by reissuing physical payment cards (the “reissuance theory”), and for claims regarding lost interest and transaction fees stemming from consumers using their cards less after the breach (the “reduced usage theory”). Home Depot further alleged the insurers should reimburse its defense costs.
In deciding whether the electronic data exclusion applied to preclude coverage, the Sixth Circuit first found that because the payment card data at issue qualified as “electronic data” under the policies’ definition of the term. Next, the court found that the data breach resulted in a “loss of use” of the electronic payment card data because it rendered the data useless for making secure transactions. According to the court, the data lost its use when consumers couldn’t use payment card data to make purchases, which in turn meant the data breach resulted in a qualifying event under the electronic data exclusion. The Sixth Circuit reasoned that the entire value of any payment card is the ability to make secure and seamless transactions, and when that critical function is affected, the data does not work the same as before, thus losing its function.
The Sixth Circuit ultimately found that the reissuance and reduced usage damages arose out of the electronic data loss and thus aren’t covered by the policies. Applying a “but for” standard, the court held that the reissuance and reduced usage damages, and the lawsuit itself, would not have occurred but for the data breach, and therefore, arose out of the loss of use of the electronic data, which satisfied the exclusion.
As to the reissuance theory, the Sixth Circuit rejected Home Depot’s assertion that the decision to reissue payment cards didn’t arise because of a loss of use of electronic data, but rather caused the loss of use, and that the insurers did not adequately reveal how the card cancellation process worked. Rather, the Sixth Circuit held that the data breach sat upstream of the decision to reissue cards. Absent the breach, the consumers wouldn’t have experienced a loss of use of their electronic data, the issuers wouldn’t have been forced to issue new payment cards, and there would have been no damages leading to the dispute.
The Sixth Circuit also found Home Depot’s reduced usage theory unpersuasive. The court noted that consumers stopped using the cards because they knew the electronic data that allowed them to make such transactions was compromised. Thus, the reduced usage also existed downstream from the breach, and therefore, also arose out of the loss of use of such electronic data.
Finally, the Sixth Circuit rejected Home Depot’s argument that the duty to defend applies because the elements of the original complaint dealt with tangible property. The court determined that the complaint expressly alleged harm arising out of the electronic data breach, and no evidence was provided to suggest otherwise. According to the court, a single sentence in the complaint referring to payment cards did not incorporate tangible property and that crediting such a theory would rely on “labels” and “spin,” in contravention of the policies’ plain and unambiguous terms. Because the underlying complaint alleged harms arising out of the data breach and electronic data loss, it did not trigger the insurers’ duty to defend under the policies.