(Article from Insurance Law Alert, April 2022)
For more information, please visit the Insurance Law Alert Resource Center.
Our February 2021 Alert discussed a decision that held that an insurer was not obligated to indemnify Target Corp.’s data breach settlement payment because the cost of replacing cancelled credit and debit cards did not constitute a loss of use of tangible property under a general liability policy. Target Corp. v. ACE American Ins. Co., 2021 WL 424468 (D. Minn. Feb. 8, 2021). This month, the Minnesota district court vacated its decision and granted Target’s summary judgment motion. Target Corp. v. ACE American Ins. Co., 2022 WL 848095 (D. Minn. Mar. 22, 2022).
Following a breach of Target’s computer networks, several banks that had issued the compromised credit and debit cards cancelled and reissued those cards to customers. The banks sued Target for the costs associated with those actions. The parties eventually settled, and Target sought indemnification from ACE.
In its original ruling, the court granted ACE’s summary judgment motion, finding that Target failed to demonstrate covered property damage, defined as the “loss of use of tangible property that is not physically injured.” The court explained that Minnesota law requires loss-of-use damages to be “based on” the loss of use of the tangible property, and that here, there was no nexus between the settlement payment and the value of the loss of the use of the payment cards.
Vacating that decision, the court concluded that the inoperability of payment cards following a data breach constitutes a loss of use under the policy. Addressing this matter of first impression under Minnesota law, the court explained: “Cancellation of the compromised payment cards rendered the payment cards inoperable. The payment cards lost their use. Although the compromised payment cards still existed . . . they could no longer serve their function.” The court further held that Minnesota’s causation requirement was satisfied because Target’s expense in settling the banks’ claims “was a cost incurred due to the loss of use of the payment cards.”
Finally, the court held that the policy requirement of “tangible property that is not physically injured” was met. The insurer argued that coverage was unavailable because Target sought compensation for the stolen data and the policy expressly excluded electronic data from the definition of tangible property. The court rejected this contention, reasoning that it was the use of the “payment cards, not the use of electronic data, that was lost.”