In Target Corp. v. ACE American Ins. Co., et al, 2021 WL 424468 (D. Minn. Feb. 8, 2021), the U.S. District Court for the District of Minnesota held that Target Corporation could not obtain coverage from its commercial general liability insurer, ACE, for losses to replace stolen credit and debit cards after a data breach affecting thousands of its customers. In 2013, Target Corporation suffered a data breach when an unauthorized individual hacked into the company’s computer networks and stole the payment and personal contact information of thousands of Target’s customers. Among the compromised data were customer’s store-issued credit and debit card numbers. Following the breach, multiple banks that had issued the compromised cards cancelled and reissued cards to customers, incurring costs associated with those actions. The banks sued Target for these costs, which were subsequently resolved through confidential settlements.
Target sought indemnification for its settlement liability from its insurer, ACE, under two commercial general liability (CGL) policies. The CGL policies provided coverage in relevant part “for the ‘ultimate net loss’ [. . .] because of ‘bodily injury’ or ‘property damage.’” The policies defined “property damage” as the “[l]oss of use of tangible property that is not physically injured” and provided that “[a]ll such loss of use shall be deemed to occur at the time of the ‘occurrence’ that caused it.” ACE denied coverage and Target filed an action for breach of contract and declaratory judgment in District Court.
In early February, the District Court ruled against Target, holding that Target was not able to meet its burden of showing that the settlement liability was due to a “loss of use of tangible property” under the CGL policies. Target argued that the settlement damages paid to the banks constituted damages “because the payment cards allegedly lost their use and Target resolved the Payment Card Claims by paying a settlement.”
ACE, in contrast, argued that there was no “loss of use” of the credit and debit cards resulting from the breach. ACE’s position rested on the distinction between property damage and the diminution in property value. ACE argued that the payment cards that were compromised by the data breach may have lost their value, but the cards did not lose their use. And because only loss of use damages are compensable under the policies, Target’s claim for coverage failed. The District Court agreed with ACE, reasoning that “‘diminution in value’ is not ‘property damage’ when defined as either ‘physical injury to [. . .] tangible property’ or as ‘loss of use of tangible property’” and, therefore, the diminution in value alone was not a recoverable damage under a loss-of-use policy. Id. at *7 quoting Federated Mutual Insurance Co. v. Concrete Units, Inc., 363 N.W.2d 751 (Minn. 1985).
Target’s theory appeared to be that because the payment cards allegedly could not be used and Target resolved the payment card claims by paying a settlement, the settlement of that liability necessarily constituted damages “because of…a loss of use” -- in essence, a “but-for” theory of loss-of-use damages. The District Court recognized that although a “but-for” theory of loss-of-use damages has not been expressly articulated in the state, Minnesota courts have held that loss-of-use damages must be “based on” the alleged loss of use. As such, Minnesota law requires loss-of-use damages to have some direct connection to the value of the use of the now-damaged property when it previously was unimpaired.
Unfortunately for Target, the District Court found no allegations or evidence as to what the value of the use of the payment cards was, either to Target’s customers or to the payment card companies. As the value of the use was not established or even approximated, the damages could not be “based on” the loss of use because there is no nexus between the damages and the loss of use. In other words, Target did not establish a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers. In the end, the District Court found that the connection between the damages claimed and the loss of use of the payment cards was not sufficiently direct and, therefore, the damages claimed were not loss-of-use damages covered under the CGL policies.
The Court also determined that Target must demonstrate that there was an “occurrence” pursuant to the policies in order to obtain coverage. However, failure to establish the connection between the loss of use and the damages was fatal to Target’s claim. Therefore, the court assumed, without deciding, that the data breach constituted an “occurrence” under the policies even though Target still could not prevail.