Electronic Data Exclusion – Sixth Circuit (Georgia Law)

Home Depot, Inc. v. Steadfast Ins. Co.
--- F.4th ---, 2025 WL 80114 (6th Cir. Jan. 13, 2025)

The U.S. Court of Appeals for the Sixth Circuit, applying Georgia law, affirmed the U.S. District Court for the Southern District of Ohio’s order granting the dispositive motions of Steadfast Insurance Company (Steadfast) and Great American Assurance Company (Great American), finding that the electronic-data exclusion contained in the insurers’ commercial general liability excess policies unambiguously applied to preclude liability coverage for a data breach suffered by its insureds, Home Depot, Inc. and Home Depot U.S.A. (collectively Home Depot).
 
In 2014, Home Depot’s computer system was hacked. The hackers stole the payment and personal information of tens of millions of Home Depot’s customers who utilized self-checkout terminals at the stores. Home Depot discovered the cyberattack several months later and announced the breach. After announcing the breach, financial institutions sued Home Depot for losses they incurred when they, among other things, had to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, and increase fraud monitoring on potentially impacted accounts. Home Depot settled the financial institutions’ claims for about $170 million with the company’s cyber insurers covering up to $100 million of the settlement. Since this was less than the settlement amount, Home Depot sought indemnification from Steadfast and Great American under their commercial general liability policies, but the insurers denied coverage.
 
Home Depot then  sued Steadfast and Great American seeking reimbursement of its defense costs for the lawsuits and indemnification related to the settlement payments for the reissuing of physical payment cards (the reissuance theory) and for lost interest and transaction fees due to consumers using their cards less after the breach than before (the reduced usage theory). The parties filed cross motions for summary judgment agreeing that Georgia law applied because the place of contracting and negotiations were both in Georgia and Home Depot’s principal place of business is in Georgia. The district court, applying Georgia law, granted the insurers’ dispositive motion and denied Home Depot’s. Although the district court agreed with Home Depot that it sustained a loss of use of tangible property caused by an occurrence, the district court determined that the electronic data exclusion applied because the theft of the card numbers and the subsequent cancellation of the cards was “inextricably intertwined” with electronic data. Home Depot appealed.
 
Although the appellate court affirmed the district court’s ruling, it did not decide the issue of whether the data breach led to the “loss of use” of tangible property under the reissuance or reduced usage theories because the electronic data exclusion unambiguously excluded coverage. The appellate court determined that, because payment card data is a “creature of the computer,” it is electronic data within the meaning of the policies. The appellate court next determined that there was a “loss of use” of the electronic card data because customers could no longer securely pay with their cards. The appellate court rejected Home Depot’s argument that there was not a “loss of use” of the card information because many individuals could use the information that the hackers sold, since the card information was no longer secure and the financial institutions canceled the cards. Because there was a loss of use of electronic data, the electronic data exclusion applied to preclude indemnification coverage.   
 
As to Home Depot’s reissuance and reduced usage theories, the appellate court noted that, but for the data breach, there would have been no need to reissue new payment cards and there would not have been reduced usage and there would be no damages. Since the damages arose out of the data breach, the electronic data exclusion applied to bar coverage.
 
The appellate court also rejected Home Depot’s arguments that the electronic data exclusion was ambiguous. Home Depot claimed that the exclusion was ambiguous because Steadfast, in subsequent policies, explained that losses such as this one are not covered. As noted by the appellate court, to accept this argument would ignore the plain text of the policy and admit subsequent extrinsic evidence. As to Home Depot’s alternative argument that the exclusion was ambiguous because the company’s expert found it to be unclear, the appellate court declined to consider the expert’s report because it pertained to other insurance policies and general cyber insurance trends. The appellate court found that the expert’s opinion was irrelevant because a plain reading of the exclusion establishes that coverage is excluded.
 
Additionally, the appellate court determined that Home Depot was not entitled to recover its defense costs in the lawsuits filed by the financial institutions because the underlying complaints alleged damages arising from the electronic data breach, which falls within the electronic data exclusion.