Insurance Implications of Data Breaches Reach Commercial General Liability Policies

As published in the February issue of the Cleveland Metropolitan Bar Journal, a monthly newsletter published by the Cleveland Metropolitan Bar Association.

An infamous data breach suffered by the well-known retail company Target in 2013 resulted in a coverage dispute that caught attention of the insurance industry for displaying the sometimes-blurry lines of data-adjacent coverage under commercial general liability (CGL) policies. In this article, Sarah Sears highlights the similarities to Target’s coverage case in a currently pending suit that has emerged from a 2014 data breach suffered by home improvement retailer Home Depot. As in Target’s data breach, the breach of Home Depot also compromised personal and payment information of millions of customers. This was again a catalyst for financial institutions cancelling millions of compromised payment cards, who in turn sought compensation from Home Depot. Sarah notes that Home Depot’s insurers, like Target’s insurer, denied all claims on the grounds that the property, in the form of payment cards, had not been damaged or compromised—only the data itself had—leaving the policyholder to defend litigation without insurer assistance. After settling with the plaintiffs, Home Depot filed suit against its insurers in the Southern District of Ohio to recover losses.

Target’s win on summary judgment in its case turned heads throughout the insurance industry. Sarah points out that a win for Home Depot on their pending motion for summary judgment against their insurers would reinforce the policyholder-side of the debate surrounding coverage for data-adjacent losses under CGL policies, and the implications for policy coverage, whatever the outcome, will be noted throughout the industry.

To read the full article, click here.