An in-depth look at the Target decision finding that loss-of-use damages included costs of replacing payment cards compromised in data breach

On March 22, 2022, the United States District Court for the District of Minnesota ruled that two ACE insurers were obligated to indemnify Target Corporation (“Target”) for the amounts it paid to settle claims related to replacement of payment cards impacted in a data breach, vacating an earlier decision in which the court found that Target was not entitled to coverage. Target Corp. v. ACE Am. Ins. Co., No. 19-CV-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022), vacating 517 F. Supp. 3d 798 (D. Minn. 2021). The new decision deviates from how other courts have evaluated general liability coverage for damages because of “loss of use of tangible property that is not physically injured.” Insurers would do well to take notice.

Background

In 2013, Target was the victim of a massive data breach that occurred after hackers installed malicious software on its computer network, which enabled them to steal the payment card data and personal contact information of an estimated 110 million individuals with Target payment cards (the “Data Breach”). Multiple lawsuits were brought against Target, including suits by financial institutions (the “Issuing Banks”) that had issued debit and credit cards (the “Payment Cards”) affected by the Data Breach. The Issuing Banks filed class action lawsuits against Target, which were consolidated, along with various consumer suits, in the United States District Court for the District of Minnesota, in In re: Target Corporation Customer Data Security Breach Litigation, All Financial Institutions Cases, MDL No. 14-2522 (the “Issuing Banks Litigation”). In their Consolidated Class Action Complaint, the Issuing Banks asserted various causes of action against Target, including a claim for negligence by which they alleged that Target breached its duty to implement adequate technical systems or security practices that could have prevented the loss of customers’ sensitive personal and financial information. The Issuing Banks alleged that, because of Target’s failures, they incurred various losses, including costs associated with cancelling and reissuing Payment Cards that were compromised in the Data Breach. In May 2016, Target reached a settlement in the Issuing Banks Litigation for approximately $58 million, which the district court approved.

In addition to settling the Issuing Bank Litigation, Target reached confidential settlements with the major card issuers, including Visa, MasterCard, American Express, and Discover, as well as numerous individual Issuing Banks. In total, Target settled all of the claims for approximately $138 million. Of that amount, according to Target, at least $74 million was paid to settle the Issuing Banks’ claims for the costs associated with replacing Payment Cards that they alleged had been compromised as a result of the Data Breach (the “Payment Card Claims”).

Target gave notice of the Data Breach to its commercial general liability (“CGL”) insurers, including ACE American Insurance Company and ACE Property & Casualty Insurance Company (collectively, “ACE”), which had issued two CGL policies to Target that were in effect at the time of the Data Breach (the “ACE Policies”). In relevant part, the ACE Policies provided coverage for “‘ultimate net loss’ . . . because of ‘property damage’.” The policies defined “occurrence” as an “accident, including continuous or repeated exposure to substantially the same general harmful conditions.” They defined “property damage” to include “[l]oss of use of tangible property that is not physically injured,” and provided that “[a]ll such loss of use shall be deemed to occur at the time of the ‘occurrence’ that caused it.” The policies expressly stated that “electronic data” was “not tangible property.”

ACE denied coverage. Subsequently, Target sued ACE, seeking indemnification exclusively for the payments Target made to settle the Payment Card Claims. Target and ACE agreed that the duty to defend was not at issue. At their Rule 26(f) conference, the parties agreed that they would file cross-motions for summary judgment on the sole issue of coverage and, if the court found coverage, the issue of the amount of damages would be resolved at trial.

The Motions for Summary Judgment

Target moved for partial summary judgment, seeking a declaration that the ACE Policies covered the costs Target incurred settling the Payment Card Claims. ACE cross-moved for summary judgment, arguing that Target had failed to satisfy its burden of establishing the elements required to trigger coverage under the ACE Policies—namely, that its settlement satisfied a legal obligation to pay “damages because of loss of use of tangible property” caused by an “occurrence.”

In their motions, Target and ACE disputed a number of issues related to the question of whether the Issuing Banks claimed “damages because of loss of use of tangible property.” Among other things, the parties proffered contrasting explanations of what was compromised by the Data Breach. Target contended that the physical Payment Cards were compromised. By contrast, ACE argued that it was the intangible data embedded in the Payment Cards, not the Payment Cards themselves, that was compromised in the Data Breach.

Relatedly, the parties disputed whether the Payment Cards lost their use as a result of the Data Breach. Relying heavily on the Eighth Circuit’s decision in Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (8th Cir. 2010),[1] Target argued that the Data Breach caused a loss of use of the Payment Cards because it resulted in the cards’ inability to function as intended. In particular, Target contended that an essential function of the Payment Cards was that each card applied exclusively to the cardholder’s own debts (i.e., the charges the cardholder made) and not to the fraudulent charges of some third person. When the data connected to accounts was compromised in the Data Breach, Target maintained, the physical Payment Cards associated with those compromised accounts could no longer be safely used without the risk of fraud. Accordingly, Target argued that the Payment Cards associated with the hacked accounts immediately lost their ability to function as intended—i.e., to provide secure access only to the cardholder.

ACE disputed that the Data Breach resulted in loss of use of the Payment Cards. Among other things, ACE disagreed with Target’s contention that the function of the Payment Cards was to make payment transactions “safe and secure.” ACE argued that such a security function was the function not of the Payment Cards but, rather, of the merchant’s computer system. ACE maintained that the function of the Payment Cards was only to facilitate efficient point-of-sale purchases by carrying data and permitting that data to be transmitted to a merchant’s computer network via a “swipe” or “insert.” ACE then contended that the Payment Cards continued to have the ability to perform their function of carrying and transmitting data after the Data Breach. Because of this, and because the Data Breach did not result in the Payment Cards being physically removed from any cardholder’s possession, ACE argued that there was no loss of use of the cards.

The parties also disputed whether there was a relevant distinction between “loss of use” and “loss of value.” ACE argued that the Supreme Court of Minnesota’s decision in Federated Mutual Insurance Co. v. Concrete Units, Inc., 363 N.W.2d 751 (Minn. 1985) created a distinction between “loss of use” and “loss of value,” holding that “diminution in value” was not “property damage” when the latter was defined as either “physical injury to . . . tangible property” or as “loss of use of tangible property.” Concrete Units, 363 N.W.2d at 756. Relying on Concrete Units, ACE contended that the Data Breach caused the Payment Cards to lose their value, not their use, and therefore Target’s settlement liability arising from the Issuing Banks’ replacement of the Payment Cards did not constitute loss-of-use damages.

Target countered that Concrete Units did not draw the distinction between losses that ACE claimed it did. Target further asserted that the Issuing Banks did not allege that the Payment Cards merely became less valuable—and did not seek to recoup the economic loss they suffered because the cards’ market value decreased—as a result of the Data Breach. Instead, Target claimed, the Issuing Banks were forced to cancel and reissue the Payment Cards because the cards could no longer effectively or safely be used to perform their intended function.

The parties further disputed whether the ACE Policies’ loss-of-use coverage applied only to time-based damages. ACE contended that was the case, and argued that loss-of-use damages under the policies should be measured by the losses a claimant incurred because of, and during, the tangible property’s temporary down time. Target countered that no such temporal limitation appeared in the policies or was recognized by, or consistent with, Minnesota case law.

In addition, the parties disputed whether Target’s liability for the Payment Cards’ replacement costs was caused by a covered “occurrence” (which, as noted above, the ACE Policies defined, in part, as an “accident”). The parties’ dispute in this regard concerned, among other things, from whose perspective an “accident” was determined. Targeted maintained that an accident was determined from the perspective of the policyholder (i.e., Target). Target then argued that, because the Data Breach was an unexpected and unintended happening from its standpoint, its losses stemmed from an accidental “occurrence.”

ACE counter-argued that an accident had to be determined from the standpoint of the actor who caused the “property damage.” ACE then contended that the relevant actors for purposes of the accident inquiry were the Issuing Banks that deactivated and replaced the Payment Cards. In addition, ACE maintained that the Issuing Banks knowingly, intentionally, and purposefully deactivated and replaced the Payment Cards so as to mitigate future economic losses incurred through fraudulent transactions. ACE argued that, as a result, Target’s liability did not arise out of an accidental “occurrence.”

The February 8, 2021 Decision

On February 8, 2021, the Minnesota federal district court, applying Minnesota law, denied Target’s motion for partial summary judgment and granted ACE’s motion for summary judgment, holding that Target had not met its burden of establishing that its settlement liability arising out of the Payment Card Claims was covered under the ACE Policies. Target, 517 F. Supp. 3d at 806 (the “2021 Decision”) Specifically, the court determined that there was an insufficient causal connection between Target’s claimed damages arising out of the Payment Card Claims and the alleged loss of use of the Payment Cards to trigger coverage. Id.

In arriving at that conclusion, the court initially observed that Target’s theory appeared to be that, because the Payment Cards allegedly lost their use and Target resolved the Payment Card Claims by paying a settlement, the settlement of that liability necessarily constituted damages because of a loss of use. Id. at 804. The court stated that this was, “in essence, a but-for theory of loss-of-use damages.” Id. at 804-05. The court then cited—and seemingly agreed with—several decisions wherein courts rejected a “but-for” test for loss-of-use damages. Id. at 805 (citing Vicor Corp. v. Vigilant Ins. Co., 674 F.3d 1, 13 (1st Cir. 2012); Atmel Corp. v. St. Paul Fire & Marine Ins. Co., 430 F. Supp. 2d 989, 994 (N.D. Cal. 2006)). The court determined that, for loss-of-use damages to be “based on” alleged loss of use under Minnesota law, the damages had to “have some connection to the value of the use of the now-damaged property when it previously was unimpaired.” Id. The court explained that “[a] ‘commonly used measure of loss-of-use’ damages—reasonable rental value—illustrates this point.” Id. (quoting Jacobs v. Rosemount Dodge-Winnebago South, 310 N.W.2d 71, 78 (Minn. 1981)). “Renting a vehicle,” the court added, “allows for use of a vehicle when another vehicle has been rendered unusable and, as such, vehicle-rental costs typically are recognized as loss-of-use damages.” Id. (italics in original, underline added) (citing Barbarossa & Sons, Inc. v. Iten Chevrolet, Inc., 265 N.W.2d 655, 662-63 (Minn. 1978)).

The court then observed that “the record [was] devoid of any allegation or evidence as to what the value of the use of the payment cards [was], either to Target’s customers or to the payment card companies.” Id. (emphasis in original). Because “the value of the use [was] not established or even approximated,” the court determined that “damages [could not] . . . be ‘based on’ the loss of use because there [was] no nexus between the damages and the loss of use.” Id. (emphasis in original) (citations omitted). The court concluded that Target had “not established a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers.” Id. For that reason, the court found that “the connection between the damages claimed and the loss of use of the payment cards [was] insufficiently direct and, therefore, the damages claimed [were] not loss-of-use damages covered under the [ACE] Policies.” Id. at 806.

Before arriving at this conclusion, the court stated that Target’s reliance on the Eighth Circuit’s decision in Eyeblaster was “misplaced” because Eyeblaster involved the duty to defend, which was “distinct” from and “broader” than the duty to indemnify that was at issue. Id. at 803. The court explained:

Target filed a motion to alter or amend the court’s 2021 Decision pursuant to Federal Rule of Civil Procedure 59(e). In its motion, Target argued that the court’s decision was in error for two reasons.

First, Target argued that ACE never raised the legal theory on which the court resolved the summary judgment motions—i.e., that Target had not established “a connection between the damages incurred for settling [the Payment Card Claims] . . . and the value of the use of those cards.” Target contended that the court likewise did not raise that argument at the hearing on the motions. Target claimed that, as a result, it did not have notice of and a reasonable time to respond to the argument, which constituted a violation of Federal Rule of Civil Procedure 56(f)(2).

Second, Target argued that the 2021 Decision represented a “manifest error of the law” justifying alteration or amendment under Rule 59(e). Target contended that, to obtain coverage under a CGL policy for damages because of “loss of use,” Minnesota law requires the policyholder to demonstrate only that the damages be “causally related” to the loss of use. Target argued that the court “went further and imposed an additional requirement on Target to establish a connection between such damages and the value of the use of the property when it was unimpaired.” Target argued that this additional requirement had never been imposed by a Minnesota court and, furthermore, was incompatible with the Eighth Circuit’s decision in Eyeblaster.

Target asked the court to (1) vacate its 2021 Decision and entry of judgment to permit additional briefing, evidentiary submissions, and (potentially) discovery; or, in the alternative, (2) alter or amend the judgment to grant summary judgment for Target; or, in the alternative, (3) alter or amend the judgment to deny both Target’s and ACE’s motions for summary judgment, which would permit the case to move forward into discovery and, ultimately, to trial.

The March 22, 2022 Decision

On March 22, 2022, the district court granted Target’s motion to alter or amend the 2021 Decision, vacated the court’s 2021 Decision, denied ACE’s motion for summary judgment, and granted Target’s motion for partial summary judgment. Target, 2022 WL 848095, at *4-5 (the “2022 Decision”). The court determined that the expenses Target incurred in settling the Issuing Banks’ Payment Card Claims were covered under the terms of the ACE Policies and that ACE was obligated to indemnify. Id. at *4. The court stated that it had “erred in its prior judgment” when it found that Target’s claim was not covered. Id.

The court began by explaining that, to establish coverage under the ACE Policies for the costs it incurred settling the Payment Card Claims, Target needed to establish: (1) that its losses were the result of an “occurrence”; (2) that the “occurrence” resulted in the “loss of use” of property; and (3) that the property lacking use was “tangible property that [was] not physically injured.” Id. at *2. The court addressed each requirement and concluded that each was satisfied. Id. at *2-4.

The court first found that Target satisfied its burden of demonstrating that its losses resulted from an “occurrence.” Id. at *2-3. The court reasoned:

Next, the court determined that Target met its burden of establishing that the Data Breach resulted in “loss of use” of the Payment Cards. Id. In doing so, the court favorably cited the Eight Circuit’s decision in Eyeblaster, which the court described as presenting a “factually analogous loss of use” issue—without discussing its previous determination that Target’s reliance on Eyeblaster was “misplaced” or explaining why the court no longer found that to be the case. See id. The court reasoned:

The court briefly discussed, in a footnote, the causation issue that formed the basis for the 2021 Decision, stating:

Finally, the court concluded that Target satisfied its burden of showing that its claim was for property damage to “tangible property that [was] not physically injured.” Id. at *4. The court reasoned:

For those reasons, the court concluded that the costs of replacing the Payment Cards affected by the Data Breach were covered under the ACE Policies. Id. Subsequently, the court held that ACE was obligated to indemnify Target for Target’s settlement with the Issuing Banks for those costs. Id.

Analysis

The 2022 Decision represents a significant deviation from how other courts have viewed CGL coverage for damages because of “loss of use of tangible property that is not physically injured.” Of particular note is the court’s unexplained change in opinion with respect to whether Target’s claimed damages were sufficiently tied to the alleged loss of use of the Target Payment Cards.

Courts have often couched loss-of-use damages in terms of consequential damages. See, e.g., J & D Towing, LLC v. Am. Alternative Ins. Corp., 478 S.W.3d 649, 655 (Tex. 2016); see also generally IRMI, Loss of Use as Property Damage, https://www.irmi.com/articles/expert-commentary/loss-of-use-as-property-damage (last visited Apr. 20, 2022). In doing so, courts have determined that, to constitute damages because of “loss of use of tangible property,” the claimed loss-of-use damages must be directly traceable to the loss of use of the tangible property. See, e.g., J & D Towing, 478 S.W.3d at 677.

Consistent with the foregoing, many courts have determined that loss-of-use damages are not replacement costs. See, e.g., Advanced Network, Inc. v. Peerless Ins. Co., 119 Cal. Rptr. 3d 17, 25 (Cal. Ct. App. 2010) (“Coverage for ‘loss of use’ does not apply to an underlying action in which the claimant seeks only the replacement value of converted property.”). Atmel Corp. v. St. Paul Fire & Marine Insurance Co., 430 F. Supp. 2d 989, supra is illustrative. There, the insured, Atmel, manufactured and sold to Seagate electronic chips, which Seagate incorporated into disk drives that it later sold to its customers. Atmel, 430 F. Supp. 2d at 991. The Atmel chips were allegedly defective and caused Seagate’s disk drives to fail. Id. As a result, Seagate had to repair or replace the defective disk drives. Id. Seagate subsequently sued Atmel, and Atmel ultimately settled the lawsuit by agreeing to pay Seagate millions of dollars. Id. at 991-92.

In ensuing coverage litigation between Atmel and its CGL insurers, the United States District Court for the Northern District of California held that Atmel’s settlement liability in the Seagate action did not trigger the at-issue CGL policies’ coverage for “loss of use of tangible property of others that isn’t physically damaged.” Id. at 994. The court reasoned:

The 2021 Decision was largely in accord with Atmel and other decisions finding that costs to repair or replace property are too remote from a loss of use of the property to constitute loss-of-use damages. See Target, 517 F. Supp. 3d at 805. But in its 2022 Decision, the court reversed course, concluding that there was “a sufficient causal connection between Target’s claim for coverage and the payment cards’ loss of use so as to satisfy the causation requirement of Minnesota law.” Target, 2022 WL 848095, at *3 n.2. It is unclear what led to this change in heart by the court. In particular, it is unclear if the court was accepting the but-for theory of loss-of-use damages the court had seemingly rejected in its 2021 Decision.

The 2022 Decision also raises questions concerning the court’s change of position as to the import of the Eight Circuit’s Eyeblaster decision. It is also unclear to what extent, if at all, the court’s decision was informed by the “loss of use” versus “loss of value” distinction urged by ACE.

In light of the issues left unresolved by the 2022 Decision, it remains to be seen how the decision will impact courts’ evaluation of similar claims going forward. It will be particularly interesting to see how Target factors into the Home Depot, Inc. v. Steadfast Insurance Co. case, which is currently pending in the United States District Court for the Southern District of Ohio, under docket number 1:21-cv-00242.

Home Depot involves facts that, at least as alleged by Home Depot, appear to be materially identical to those in Target—with the exception that Home Depot involves alleged breaches of both the duty to indemnify and the duty to defend (whereas Target involved just the former). Specifically, Home Depot was the victim of a data breach that allegedly compromised the payment cards of millions of Home Depot customers. Subsequent to the data breach, credit card issuers that were allegedly forced to cancel the compromised cards and issue replacement cards to customers sued Home Depot, seeking to recover, among other things, the costs they incurred in replacing the cards. Home Depot ultimately reached a settlement with the card issuers. It then sued its CGL insurers, alleging that they wrongfully denied coverage under policies that provided coverage for, in relevant part, “property damage” caused by an “occurrence.”

Like the policies at issue in Target, the policies at issue in Home Depot define “property damage” to include “[l]oss of use of tangible property that is not physically injured,” and define “occurrence” to mean “an accident, including continuous or repeated exposure to substantially the same general harmful conditions.” Unlike the policies at issue in Target, however, the policies at issue in Home Depot—according to Home Depot, at least—are governed by Georgia law.

We expect that Home Depot will point to the Target court’s 2022 Decision in an attempt to support an argument that it is entitled to coverage.[2] It is uncertain how the Home Depot court would in that instance evaluate the merits or persuasiveness of the Target decision, which we would expect to be appealed at the appropriate time. We are actively monitoring both the Target and Home Depot cases and will report on any developments.

[1] In Eyeblaster, the insured, Eyeblaster, was an online marketing campaign management company. Eyeblaster, 613 F.3d at 799. A computer user sued Eyeblaster, alleging that Eyeblaster injured his computer, software, and data after he visited an Eyeblaster website. Id. Specifically, the plaintiff alleged, in pertinent part, that his computer was infected with a spyware program from Eyeblaster, which caused his computer to immediately freeze up and to operate so slowly that it essentially became inoperable. Id. at 799, 802. The plaintiff also alleged that he experienced “a hijacked browser” and “slowed computer performance, sometimes resulting in crashes.” Id. at 802. Additionally, he asserted that his computer had three years of client tax returns that he could not transfer because he believed the spyware files would also be transferred, and he therefore had to reconstruct those records on a new computer. Id. The plaintiff argued that his computer was no longer usable, and claimed among his losses “the cost of his existing computer.” Id.

In coverage litigation between Eyeblaster and its insurers concerning whether the insurers breached their duties to defend and indemnify Eyeblaster in the underlying action, one of the issues was whether the allegations in the underlying action triggered coverage under a general liability policy that defined “property damage” to include “loss of use of tangible property that is not physically injured.” See id. at 802-03. The Eighth Circuit, applying Minnesota law, held that the allegations triggered coverage, reasoning that “[t]he plain meaning of tangible property include[d] computers, and the [underlying] complaint allege[d] repeatedly the ‘loss of use’ of [the plaintiff’s] computer.” Id. at 802.

[2] No doubt cognizant of the Target court’s 2021 Decision, Home Depot appeared to craft the allegations in its complaint (which it filed two months after that decision was rendered) to address the standards articulated in the 2021 Decision. For instance, Home Depot alleged in its complaint that the ability to use the payment cards “had significant value” to the card issuers. Complaint ¶ 39, Home Depot, Inc. v. Steadfast Ins. Co., No. 1:21-cv-00242 (S.D. Ohio filed April 8, 2021). Home Depot further alleged that, as a result of the data breach, the card issuers “incurred costs including the cost to replace the compromised plastic payment cards as well as lost interest and transaction fees due to reduced card usage.” Id. ¶ 46. “Alternatively,” Home Depot asserted, “the cost to replace the compromised plastic payment cards approximates the value to the Issuing Banks of the loss of use of these cards.” Id.