It was a quaint, innocent time before social engineering scams, ransomware or any of the other threats had evolved to hassle both large and small data collectors. In 2014 and 2015, large-scale data breaches at Home Depot, Best Buy and Target roamed the Earth. While all that has changed drastically in the last five years, we still have a few fossils providing insight on a time when huge data breaches caused huge damages to companies with huge insurance policy limits.
Five years, ago, on September 19, 2014, we posted about Target Corporation’s motion to dismiss a lawsuit filed by a number of banks  that claimed they incurred costs to reissue credit/debit cards compromised in Target’s December 2013 data breach.
A year later, on September 16, 2015, we posted about the class action litigation brought by financial institutions related to the Target data breach.  This litigation involved class action litigation brought by banks that had to reissue credit and debit cards that were compromised in Target’s massive data breach. We had been monitoring this litigation for months in 2014 and 2015  as Target and the Banks issuing cards caught in the Target’s breach slugged it out in court.
Almost four years later, the insurance coverage issues related to Target’s litigation with financial institutions is just reaching the courts. On November 15, 2019, Target Corporation (“Target”) filed a complaint  seeking damages for breach of contract claims and seeking a declaratory judgment concerning insurance coverage in the United States District Court for the District of Minnesota against its insurer, ACE American Insurance Company (“ACE”).
The Complaint generally alleges the following facts gave rise to Target’s tender for insurance coverage:
In December 2013, Target discovered that a hacker had installed malicious software on its computer network (“Data Breach”). The Data Breach enabled the attacker to steal payment card data and personal contact information, thus rendering the related physical payment cards unusable. As a result, numerous banks were required to dedicate substantial resources to canceling and reissuing physical payment cards. These costs include, for example, the cost of producing the plastic card, mailing the card to consumers, and otherwise reissuing the physical card. Those banks subsequently sued Target for their losses, including the losses directly caused by the replacement of the physical cards.Target was able to settle all of the claims, including the claim for the replacement of physical payment cards.
More specifically, Target claims ACE had a duty under two general liability insurance policies that provide coverage for “Property Damage” defined to include the “loss of use of tangible property that is not physically injured.” In particular, the banks claimed, “that, as a result of the Data Breach, they were forced to dedicate significant resources to canceling and reissuing these physical payment cards.” Target claims it is entitled to coverage because it was found liable “for the loss of use of plastic payment cards that were not physically injured.” The Complaint alleges the parties litigated the underlying class action brought by the banks to the point that the matter was ultimately settled for approximately $58 million. Target also settled with Visa, Mastercard, American Express and Discovery for approximately $138 million. The Complaint alleges that approximately $74 million went to the Banks for costs related to replacing cards compromised by the breach.
Target seeks coverage under two primary policies and an excess policy by asserting the Banks “sought damages for, among other things, loss of use of tangible property (i.e., physical plastic payment cards) that, while not physically injured, counsel not be used without risk to the customer and the bank.” The Complaint about Declaratory Judgment alleges ACE breached its duty when it refused to indemnify Target for damages incurred to reissue the compromised cards and seeks a judicial declaration that ACE owes coverage under all the policies.
In addition to serving as a reminder of a bygone era, the Target data breach provides insight into the unique issues data breaches cause under traditional lines of insurance for both large and small data collectors. While this declaratory judgment matter is only in the initial pleading stages, Target is already making a unique argument that costs related to reissuing credit/debit cards by Banks fall into the definition of “property damage” in the CGL policies. Further, Target will need to show the retained limits of the policy, which is essentially a deductible, was exhausted solely on costs from reissuing the “physical plastic payment cards.” This case may develop to provide some much-needed authority concerning breach claims under CGL policies. Either way, we can count on this case adding to the substantial body of privacy law in general created by the Target breach in 2013.