Breach Cases Hint At Liability Coverage For Mobile Losses
More and more, companies generate revenue through the use of their customers' or users' mobile devices.
This interaction takes many forms, from collecting transaction fees for mobile payments or cryptocurrency purchases to generating advertising revenue when a user views a website or clicks a link.
When a customer or user is unable to use their phone to make purchases or interact with a mobile app as a result of a cyberattack or other tortious conduct, the lost revenue can be extensive.
Since cyber criminals often evade responsibility, companies seek to recover their damages from entities who failed to adequately protect against the breach — frequently the company targeted by the attack. This dynamic makes it important for all companies to ensure that their insurance program covers liability for having allegedly inadequate safeguards against cyberattacks in place, if possible.
Courts have yet to grapple specifically with whether traditional commercial general liability insurance policies, or CGL, cover liability based on the loss of use of customers' mobile devices to generate revenue, but recent cases involving payment cards compromised by data breaches suggest that coverage may be available.[1]
This includes the Target Corp. v. ACE American Insurance Co. case decided by the U.S. District Court for the District of Minnesota in March, and the pending Home Depot Inc. v. Steadfast Insurance Co. case filed in the U.S. District Court for the Southern District of Ohio on April 8, 2021.
Historically, policyholders sought coverage for cyber losses under traditional CGL insurance, directors and officers liability insurance, errors and omissions insurance, commercial crime, and business interruption policies with mixed results.
In response, insurers scrambled to add new exclusions singling out electronic data, increasing the demand and need for cyber-specific coverages. Electronic data exclusions in CGL policies, however, do not necessarily bar coverage for damages an insured is required to pay due to the loss of use of tangible property that transmits electronic information — i.e., the credit cards at issue in Target and Home Depot.
As those cases demonstrate, liability coverage may still be available where the plaintiff's alleged damages arise from its customers' inability to use their property in to engage with the plaintiff's business. This should remain true if, instead of credit cards, customers temporarily lost the ability to make mobile payments or access an app on their phones.
Earlier this year, news that Target's insurer, ACE, was required to cover Target's liability for a data breach that compromised credit cards highlighted the continuing availability of CGL coverage in our interconnected world.
While Target v. ACE Insurance[2] focused on Target's liability to the banks for costs they incurred in replacing compromised credit cards, it is apparent that liability coverage for thec loss of use of tangible property is implicated where a company is unable to use tangible property in the hands of its customers to generate revenue.
In 2013, Target discovered that a hacker obtained payment card data for approximately 110 million of its customers. In response, the issuing banks canceled the cards and issued replacements. Target settled with the banks for $138 million — of which $74 million was paid for costs associated with replacing the payment cards.
Target then sought coverage for this amount under its CGL policy with ACE. Specifically, that policy's coverage for occurrences that result in the "loss of use of tangible property that is not physically injured" applied.
The district court initially rejected Target's argument because the costs associated with replacing the cards were not based on the value of the use lost — whether lost by the banks or by cardholders.[3]
In short, the court's 2021 ruling required insureds to show a connection between the damages incurred, and the value lost because of the loss of use of the tangible property at issue. Notably, the court did not add a requirement to the policy that the lost use of tangible property needs to be physical — such as swiping a credit card — rather than electronic — like collecting a transaction fee.
On March 22, the court corrected course and found that the data breach rendered the payment cards unusable and required ACE to reimburse Target for its settlement payment.[4] Relying on the U.S. Court of Appeals for the Eighth Circuit's 2010 decision in Eyeblaster Inc. v. Federal Insurance Co.,[5] the court reasoned that the inability of the banks and their customers to use the cards was analogous to one's inability to use a computer infected with spyware.
In Eyeblaster, the court agreed with an internet advertising company that its CGL policy covered its liability resulting from the loss of use of a computer infected with spyware.
As in Target, the Eyeblaster policy's definition of "tangible property" excluded electronic data. However, despite the fact that computers — like credit cards — serve little purpose other than allowing people to interact with electronic data, the Eighth Circuit found such exclusions inapplicable where the underlying complaint focused on the computer's functionality.
Likewise, the Target court rejected this same limitation because the issuing banks' claims were focused on the banks' and customers' inability to use tangible payment cards. These exclusions are not triggered simply by the loss of use of tangible property that has as its primary purpose the transmission or use of electronic data. Similarly, these exclusions do not restrict coverage merely because the loss of use was caused in cyberspace.
In September, the Target court, declining to certify questions for interlocutory appeal, reiterated these conclusions in rejecting ACE's reliance on loss of use cases in other contexts and attempt to distinguish Eyeblaster.[6]
On nearly identical facts, these same questions are now the subject of pending summary judgment motions in Home Depot v. Steadfast Insurance.[7] After Home Depot fell victim to a data breach that compromised millions of its customers' payment cards, financial institutions sought to recover their lost transaction fees and replacement costs from Home Depot.
Home Depot settled these claims and sought coverage under its CGL policy, which covers damages due to the "loss of use of tangible property … not physically injured."
If anything, Home Depot presents a cleaner case for coverage and appears poised to avoid the hurdles that initially stalled Target's case in 2021. Unlike Target, Home Depot explicitly links amounts it paid to settle claims by issuing banks to the value of the lost use — the inability to use payment cards to collect transaction fees in addition to the replacement costs.
Importantly, liability coverage for these lost transaction fees helps illustrate how CGL policies may continue to apply as mobile payments become the norm — where the phone itself would not need to be replaced. Or, by extension, where temporarily disabling an app results in the inability of a company's customers to use their mobile devices to access webpages or view sponsored material — generating revenue for the company.
While both Target and Home Depot address liability coverage arising from compromised credit cards, the policy language at issue encompasses myriad similar interactions we have with companies through our mobile devices. Perhaps the cleanest example is the inability of cardholders to use their phones to make mobile payments with compromised cards or accounts. As a result, as was the case in Home Depot, banks may lose transaction fees and seek to recover those amounts from the victim of the breach.
Likewise, other companies may incur damages where its customers are unable to make payments on their platforms using a cell phone. Since either situation results from the loss of use of tangible property — the mobile device — CGL policies may provide liability coverage for the victim of the attack.
Similar damages may also arise where a third-party vendor suffers a data breach that ultimately interferes with the ability of its clients' customers to use their devices to visit websites or transact business on client apps. Here, CGL policies similar to those in Target and Home Depot may provide coverage for a vendor's liability.
Ultimately, businesses should closely consider and negotiate their coverages at renewal time to address cyber-specific risks. However, where liability can be traced to the inability of an end-user to use tangible property, CGL policies can still be used to fill gaps in coverage even where the cause is rooted in cyberspace.
[1] Target Corporation v. ACE American Insurance Company, No. 19-cv-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022); Home Depot, Inc. v. Steadfast Insurance Co., No. 1:21-cv-00242 (S.D. Ohio).
[2] 2022 WL 848095.
[3] Target Corp. v. ACE American Insurance Company, No. 19-cv-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022).
[4] Id.
[5] Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (8th Cir. 2010).
[6] Target Corp. v. ACE Am. Ins. Co., No. 19-cv-2916 (WMW/DTS), 2021 WL 424468 (D. Minn. Feb. 8, 2021) (declining to certify questions for interlocutory appeal).
[7] No. 1:21-cv-00242 (S.D. Ohio).
