Breach Cases Hint At Liability Coverage For Mobile Losses

October 31, 2022

More and more, companies generate revenue through the use of their customers' or users' mobile devices.

This interaction takes many forms, from collecting transaction fees for mobile payments or cryptocurrency purchases to generating advertising revenue when a user views a website or clicks a link.

When a customer or user is unable to use their phone to make purchases or interact with a mobile app as a result of a cyberattack or other tortious conduct, the lost revenue can be extensive.

Since cyber criminals often evade responsibility, companies seek to recover their damages from entities who failed to adequately protect against the breach — frequently the company targeted by the attack. This dynamic makes it important for all companies to ensure that their insurance program covers liability for having allegedly inadequate safeguards against cyberattacks in place, if possible.

Courts have yet to grapple specifically with whether traditional commercial general liability insurance policies, or CGL, cover liability based on the loss of use of customers' mobile devices to generate revenue, but recent cases involving payment cards compromised by data breaches suggest that coverage may be available.[1]

This includes the Target Corp. v. ACE American Insurance Co. case decided by the U.S. District Court for the District of Minnesota in March, and the pending Home Depot Inc. v. Steadfast Insurance Co. case filed in the U.S. District Court for the Southern District of Ohio on April 8, 2021.

Historically, policyholders sought coverage for cyber losses under traditional CGL insurance, directors and officers liability insurance, errors and omissions insurance, commercial crime, and business interruption policies with mixed results.

In response, insurers scrambled to add new exclusions singling out electronic data, increasing the demand and need for cyber-specific coverages. Electronic data exclusions in CGL policies, however, do not necessarily bar coverage for damages an insured is required to pay due to the loss of use of tangible property that transmits electronic information — i.e., the credit cards at issue in Target and Home Depot.

As those cases demonstrate, liability coverage may still be available where the plaintiff's alleged damages arise from its customers' inability to use their property in to engage with the plaintiff's business. This should remain true if, instead of credit cards, customers temporarily lost the ability to make mobile payments or access an app on their phones.

Earlier this year, news that Target's insurer, ACE, was required to cover Target's liability for a data breach that compromised credit cards highlighted the continuing availability of CGL coverage in our interconnected world.

While Target v. ACE Insurance[2] focused on Target's liability to the banks for costs they incurred in replacing compromised credit cards, it is apparent that liability coverage for thec loss of use of tangible property is implicated where a company is unable to use tangible property in the hands of its customers to generate revenue.

In 2013, Target discovered that a hacker obtained payment card data for approximately 110 million of its customers. In response, the issuing banks canceled the cards and issued replacements. Target settled with the banks for $138 million — of which $74 million was paid for costs associated with replacing the payment cards.

Target then sought coverage for this amount under its CGL policy with ACE. Specifically, that policy's coverage for occurrences that result in the "loss of use of tangible property that is not physically injured" applied.

The district court initially rejected Target's argument because the costs associated with replacing the cards were not based on the value of the use lost — whether lost by the banks or by cardholders.[3]

In short, the court's 2021 ruling required insureds to show a connection between the damages incurred, and the value lost because of the loss of use of the tangible property at issue. Notably, the court did not add a requirement to the policy that the lost use of tangible property needs to be physical — such as swiping a credit card — rather than electronic — like collecting a transaction fee.

On March 22, the court corrected course and found that the data breach rendered the payment cards unusable and required ACE to reimburse Target for its settlement payment.[4] Relying on the U.S. Court of Appeals for the Eighth Circuit's 2010 decision in Eyeblaster Inc. v. Federal Insurance Co.,[5] the court reasoned that the inability of the banks and their customers to use the cards was analogous to one's inability to use a computer infected with spyware.

In Eyeblaster, the court agreed with an internet advertising company that its CGL policy covered its liability resulting from the loss of use of a computer infected with spyware.

As in Target, the Eyeblaster policy's definition of "tangible property" excluded electronic data. However, despite the fact that computers — like credit cards — serve little purpose other than allowing people to interact with electronic data, the Eighth Circuit found such exclusions inapplicable where the underlying complaint focused on the computer's functionality.

Likewise, the Target court rejected this same limitation because the issuing banks' claims were focused on the banks' and customers' inability to use tangible payment cards. These exclusions are not triggered simply by the loss of use of tangible property that has as its primary purpose the transmission or use of electronic data. Similarly, these exclusions do not restrict coverage merely because the loss of use was caused in cyberspace.

In September, the Target court, declining to certify questions for interlocutory appeal, reiterated these conclusions in rejecting ACE's reliance on loss of use cases in other contexts and attempt to distinguish Eyeblaster.[6]

On nearly identical facts, these same questions are now the subject of pending summary judgment motions in Home Depot v. Steadfast Insurance.[7] After Home Depot fell victim to a data breach that compromised millions of its customers' payment cards, financial institutions sought to recover their lost transaction fees and replacement costs from Home Depot.

Home Depot settled these claims and sought coverage under its CGL policy, which covers damages due to the "loss of use of tangible property … not physically injured."

If anything, Home Depot presents a cleaner case for coverage and appears poised to avoid the hurdles that initially stalled Target's case in 2021. Unlike Target, Home Depot explicitly links amounts it paid to settle claims by issuing banks to the value of the lost use — the inability to use payment cards to collect transaction fees in addition to the replacement costs.

Importantly, liability coverage for these lost transaction fees helps illustrate how CGL policies may continue to apply as mobile payments become the norm — where the phone itself would not need to be replaced. Or, by extension, where temporarily disabling an app results in the inability of a company's customers to use their mobile devices to access webpages or view sponsored material — generating revenue for the company.

While both Target and Home Depot address liability coverage arising from compromised credit cards, the policy language at issue encompasses myriad similar interactions we have with companies through our mobile devices. Perhaps the cleanest example is the inability of cardholders to use their phones to make mobile payments with compromised cards or accounts. As a result, as was the case in Home Depot, banks may lose transaction fees and seek to recover those amounts from the victim of the breach.

Likewise, other companies may incur damages where its customers are unable to make payments on their platforms using a cell phone. Since either situation results from the loss of use of tangible property — the mobile device — CGL policies may provide liability coverage for the victim of the attack.

Similar damages may also arise where a third-party vendor suffers a data breach that ultimately interferes with the ability of its clients' customers to use their devices to visit websites or transact business on client apps. Here, CGL policies similar to those in Target and Home Depot may provide coverage for a vendor's liability.

Ultimately, businesses should closely consider and negotiate their coverages at renewal time to address cyber-specific risks. However, where liability can be traced to the inability of an end-user to use tangible property, CGL policies can still be used to fill gaps in coverage even where the cause is rooted in cyberspace.

[1] Target Corporation v. ACE American Insurance Company, No. 19-cv-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022); Home Depot, Inc. v. Steadfast Insurance Co., No. 1:21-cv-00242 (S.D. Ohio).

[2] 2022 WL 848095.

[3] Target Corp. v. ACE American Insurance Company, No. 19-cv-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022).

[4] Id.

[5] Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (8th Cir. 2010).

[6] Target Corp. v. ACE Am. Ins. Co., No. 19-cv-2916 (WMW/DTS), 2021 WL 424468 (D. Minn. Feb. 8, 2021) (declining to certify questions for interlocutory appeal).

[7] No. 1:21-cv-00242 (S.D. Ohio).

Firm Highlights


Farella Braun + Martel Attorneys Named to 2023 Northern California Super Lawyers and Rising Stars

Thirty-eight Farella Braun + Martel lawyers were named to the Super Lawyers and Rising Stars lists of top attorneys in Northern California for 2023. 2023 Farella Northern California Super Lawyers: Carly Alameda – Business...

Read More

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More

Regulatory Changes Underway To Address Dwindling California Property Insurance Market

We keep hearing about how difficult it is for our clients to get property insurance these days, both for homes and businesses in Northern California’s wildfire-prone areas. Which, of course, is most of Northern...

Read More

Farella Braun + Martel Earns 2024 Best Law Firms® Rankings

Read More

Farella Lawyers Recognized in The Best Lawyers in America® 2024 Edition

Read More

Disputes Between Shareholders May Not Be Governed by Fiduciary Duties but Could Be Covered by Insurance

(As published in Private Company Director ) Disputes regarding ownership interests often arise in the context of closely held corporations, particularly when directors, officers, or majority shareholders sell or acquire ownership interests in the...

Read More

Who’s Who Legal 2023 Recognizes Farella Lawyers

Six Farella Braun + Martel lawyers have been recommended by Who’s Who Legal 2023 as leading practitioners in their fields. Who’s Who Legal – Environment 2023 James Colopy Robert Hines David Lazerwitz Chris Locke...

Read More

Patrick Loi Selected to MCCA Sources of Success Program

Read More

Reporting Dispute Claims Within Closely Held Wineries

Many wineries operate as closely held companies, meaning they’re owned by an individual or small group of shareholders, who are often members of the same family. Disputes regarding ownership interests can arise, particularly when directors...

Read More

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part One)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, PeterJ. Georgiton, and J. Mark Hart When an insurer accepts an insured’s tender and agrees to provide a defense, it is often an afterthought as to...

Read More