(Article from Insurance Law Alert, February 2025)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
The Sixth Circuit ruled that liability insurers were not obligated to defend or indemnify suits arising out of a cyberattack on Home Depot’s computer system, finding that an electronic data exclusion unambiguously barred coverage. Home Depot, Inc. v. Steadfast Ins. Co., 2025 U.S. App. LEXIS 687 (6th Cir. Jan. 13, 2025).
Background
Home Depot was the victim of a cyberattack in which hackers stole personal information from tens of millions of customers. Following the breach, financial institutions sued Home Depot, seeking damages for the losses incurred due to the cancellation and reissuance of payment cards, the closing of accounts and notifying of customers, and various other investigative and remedial measures. Home Depot ultimately settled these claims for approximately $170 million.
Home Depot’s cyber insurers covered losses up to their $100 million limit, but Home Depot also sought coverage from two general liability insurers. The general liability insurers refused to defend or indemnify, arguing that the policies defined “tangible property” in a way that omitted electronic data such credit card information, and that in any event, coverage was barred by a policy exclusion for “[d]amages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
An Ohio district court granted the insurers’ summary judgment motion and the Sixth Circuit affirmed.
Decision
Applying Georgia law, the Sixth Circuit ruled that even assuming that a covered loss of use of tangible property occurred, the electronic data exclusion unambiguously barred coverage. First, the court held that payment card data is electronic data within the meaning of the exclusion. Second, the court found that the reissuance of new cards and the reduced usage of Home Depot cards following the breach constituted a “loss of use” under the exclusion. The court explained that while the physical credit cards still existed, “purchasers could no longer use their payment card data to make secure payments.” As the court noted, “the entire value of a credit card—or any payment card—is the ability to make secure and seamless transactions. . . . When that critical function is affected, the data doesn’t work the same as before; it loses its function.”
Finally, the court held that the reissuance of new cards and subsequent reduced usage of the cards “arose out of” the electronic data loss. Construing “arising out of” to require “but for” causation, the court concluded that the reissuance and reduced usage both occurred as a result of the data breach. In so ruling, the court noted that the insurers were not required to reveal precisely how the card cancellation process worked. Rather, the fact that the data breach was the “motivating cause” in cancelling the cards was sufficient under Georgia’s but-for causation standards.
Comments
The Sixth Circuit expressly rejected Home Depot’s assertion that revisionary language in subsequent policies was relevant to interpretation of policy language in the operative policies. Dismissing this contention, the court explained that coverage is determined by the textual language in the policies at issue, and that in any event, “subsequent history” arguments are inherently suspect. The decision reinforces the well-established principle that where, as here, contractual language is unambiguous, courts need not look beyond the policies’ four corners.
This month, the Sixth Circuit denied Home Depot’s petition for rehearing.