The massive 2013 data hack affecting Target Corp with losses of $138 million in bank settlements by Target has led to a judgment against the insurer for the insured “loss of use of tangible property that is not physically injured”.  The policy required “property damage” caused by an “occurrence” which included an “accident”.  The court found that there was cover because the data breach was neither expected nor intended and the inoperability of the payment cards was an “occurrence”.  There was also a “loss of use” because the payment cards lost their use.  Although the compromised payment cards still existed, they could no longer serve their function.  The expense that Target incurred to settle claims brought by the banks that issued the cards was a cost incurred due to the loss of use of the payment cards and was therefore covered.

Thirdly, there was loss of use of “tangible property that was not physically injured”.  Although the policies expressly excluded “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy discs, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment”, Target was not seeking compensation for the missing data but for the inoperable payment cards which the parties agreed were tangible property not physically injured.  It was the payment cards, not the use of electronic data, that was lost.  The insurer was therefore obliged to indemnify Target’s loss resulting from payments to third parties as covered by the liability policies.

The court referred to another case Eyeblaster, Inc v Fed. Ins. Co. 613 F. 3d797 (8th Cir. 2010) where an online company was covered for a situation where spyware infected the consumer’s computer which froze up and stopped running.  The court held that the plain meaning of tangible property included computers and the loss was the loss of use of the computer.

These cases demonstrate how silent cyber coverage can arise under a liability policy where wide language is used. Wordings need to be looked at carefully in this age of widespread hacking.

Target Corp. v ACE American Insurance Co case no. 0/19-cv-02916: US District Court for the district of Minnesota