Square Peg, Round Hole: 6th Circuit Affirms Finding That Cyber Claims Are Not Covered by CGL Policies

In Home Depot Inc. v. Steadfast Insurance Co., Home Depot learned the hard way a rule every DIY enthusiast knows: measure twice, cut once. It appears Home Depot’s measurements were off when it sized up its insurance needs, and when its cyber coverage didn’t measure up to the costs of a data breach, the company tried to fit those cyber claims into its commercial general liability (CGL) policies. However, the Sixth Circuit ruled that those claims do not fit within the coverage of those policies.

Background of Underlying Action

Home Depot built what appeared to be a robust tower of insurance protection, purchasing $50 million in commercial general liability coverage and an additional $100 million in cyber insurance policies. However, when cyber criminals began siphoning payment card information off Home Depot’s self-checkout terminals, Home Depot’s cyber insurance policies did not measure up to the $170 million settlement it made with financial institutions that sued Home Depot alleging they were damaged by the disclosure of their customers’ payment card information.

After the cyber insurers covered the first $100 million in settlement costs, Home Depot attempted to fit $50 million of the remaining settlement costs into the constraints of the company’s CGL policies.

Unlike specialized cyber policies, these CGL policies provided general coverage for “property damage” caused by an occurrence. The term property damage was defined to include “[l]oss of use of tangible property that is not physically injured.” However, the CGL policies clarified that “electronic data” did not count as tangible property. The policies also specifically barred coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Thus, when Home Depot sought to recover damages suffered related to the cyberattack, the insurers denied coverage because (1) there was no loss to tangible property, as electronic data is not tangible property, and (2) the underlying suit sought damages relating to the loss of use of electronic data in the form of the payment cards.

After the CGL carriers denied coverage, Home Depot sued, seeking: (1) indemnification for costs the financial institutions incurred in reissuing the compromised payment cards; (2) indemnification losses stemming from the financial institutions’ claims that they were harmed when customers used their payment cards less following the cyberattack; and (3) reimbursement for Home Depot’s expenditure in the underlying litigation. Ultimately, the district court granted summary judgment in favor of the insurers, and Home Depot appealed.

Sixth Circuit’s Decision

The Sixth Circuit did not mince words finding “the district court was correct to grant summary judgment on Home Depot’s reissuance and reduced usage claims.” The court determined whether the insurance policies provided coverage under Georgia law for Home Depot’s claims by examining whether the policies’ plain text was clear. “If [the policy language is] clear, then courts follow the policy — including any applicable duty to defend. If [the policy language is] unclear, the courts construe the language to benefit the insured party.”

The court found that these cyber claims did not fit within the policies’ more generalized framework because they were unambiguously excluded from coverage by the exclusion barring coverage for damage caused by “loss of use” of “electronic data.” Examining the policies’ detailed definition of “electronic data,” the court concluded that the payment card information was electronic data because it was a “creature of the computer.” Further, the court recognized that the plain meaning of the phrase “loss of use” covered payment card data lost to consumers when consumers were no longer able to use their payment cards following the data breach because, by gaining access to the payment card information, the hackers had rendered that payment card information useless.

Having determined that stealing payment card information constituted a loss of use of electronic data, the court pivoted to whether the damages in the underlying action were caused by the theft of the payment card information. In Georgia, the phrase “arising out of” is a signal for the court to ask whether an event was a “but for” cause of damage. The court analyzed both of the damages theories in the underlying litigation to determine if the data breach was a “but for” cause of the injuries the financial institutions suffered. The court then determined that the plain language of the CGL policies did not provide coverage for cyber claims because the clear language of the policies excluded coverage for losses arising from the loss of use of electronic data.

Determining that cyber claims simply do not fit within the coverage of the CGL policies, the court quickly dispatched with Home Depot’s claim that the CGL insurers should have defended Home Depot in the underlying action. In Georgia, if a complaint against an insured is “even arguably ... within the policy’s coverage,” the insurer has a duty to defend the insured in the action. The Sixth Circuit admitted that the duty defend is broad and may even require insurers to defend “groundless suits” in Georgia. However, “if a claim isn’t within a policy’s coverage — no matter how the plaintiffs ‘spin’ the facts — then the duty to defend doesn’t apply.” Citing its prior analysis, the Sixth Circuit concluded that the underlying claims were not covered by the CGL policies.