Silent Cyber: Unforeseen Data Breach Claim Under a General Liability Policy

On 15 November 2019, Target Corporation (the “Plaintiff”), a listed general merchandise retailer in the United States of America, filed a complaint in the District Court of Minnesota, against ACE American Insurance Company and Ace Property and Casualty Insurance Company (the “Defendant”), now incorporated into Chubb Limited, as a result of the Defendant’s refusal to indemnify the Plaintiff for part of the costs it incurred following a data breach of the Plaintiff’s computer network (the “Complaint”).

On 15 November 2019, Target Corporation (the “Plaintiff”), a listed general merchandise retailer in the United States of America, filed a complaint in the District Court of Minnesota, against ACE American Insurance Company and Ace Property and Casualty Insurance Company (the “Defendant”), now incorporated into Chubb Limited, as a result of the Defendant’s refusal to indemnify the Plaintiff for part of the costs it incurred following a data breach of the Plaintiff’s computer network (the “Complaint”).

The data breach occurred in December 2013, following the installation of malicious software by a hacker on the Plaintiff’s computer network. It is reported that the payment card data of 40 million customers, and the personal information of 60 million customers, were stolen. These customers were consequently exposed to a high risk of fraudulent transactions.

As a result of the high exposure, several banks were obliged to incur the costs of cancelling and reissuing payment cards to the affected customers, which included the costs of reproducing the plastic cards and mailing them to customers. As a result of the losses incurred, the banks sued the Plaintiff a class action lawsuit. The Plaintiff settled all demands with the banks. Furthermore, the Plaintiff settled other lawsuits with card issuers such as Visa, MasterCard, American Express, Discover, as well as other banks. According to the Complaint, the Plaintiff settled for a total of $138 million, which included $20 million in attorneys’ fees and class representative payments.

While some of the Plaintiff’s losses were covered by insurance, the costs of replacing the payment cards were not. This has resulted in a dispute between the Plaintiff and the Defendant for the $74 million portion of the total settlement that makes up the costs incurred by the banks in replacing the payments cards. The Plaintiff contends that such costs are covered under its General Liability insurance.

The relevant General Liability insurance policies purchased by target in 2013 were as follows:

  • Primary policy underwritten by the Defendant
  • Two excess layer policies underwritten by other insurers
  • A third excess layer policy underwritten by the Defendant

All policies except the third excess layer have been exhausted. The Plaintiff is now attempting to obtain coverage for the costs of replacing the payment cards, as settled with the banks, under the primary policy and third excess layer policy for there to be a response in the aggregate.

The primary policy states as follows in the insuring clause:

“We will pay the insured for the “ultimate net loss” in excess of the “retained limit” because of “bodily injury” or “property damage” to which this insurance applies.”

The primary policy defines “property damage” as follows:

“a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.”

According to the Plaintiff, the claim for the costs of replacing the payment cards are for damages resulting from the loss of use of tangible property, that while not physically injured, were not able to be used without risk to the customer or the banks.

This matter is ongoing, and it will be interesting to see how the provisions of the General Liability policies will be interpreted by the courts. However, in the meantime, we are faced with a live example of potential silent cyber coverage. It is crucial to consider the effects of a cyberattack on all insurance policies, and whether the policy wording will explicitly provide or exclude such cover. It is also essential to ensure that reinsurance arrangements reflect the intention of the insurer on cyber coverage. Planning is vital in avoiding a mismatch of the expectations of the insured and the possible treating customers fairly implications.


More News Stories

October 12, 2021
Camargue | Brit Announcement

Camargue Underwriting Managers (“Camargue”) announced that Brit Insurance Holdings Limited (“Brit”), the global specialty insurer and reinsurer, has acquired a further interest in Camargue, taking its ownership to 100% of the business.

Read story
October 8, 2021
Can Covid 19 be used as a supervening impossibility defence?

Covid 19 has been in the spotlight for an extended period and will probably continue to be a lively topic of discussion for the foreseeable future. The Covid pandemic has undoubtedly had a negative impact on businesses resulting in the failure to perform contractually.

Read story
May 20, 2021
The COVID-19 Pandemic: A Black Swan event & Claim trends

The revolutionary idea that defines the boundary between modern times and the past is our ability to understand and manage risk - it converted the unknown future from an enemy into an opportunity (Bernstein Against the Gods – The Remarkable Story of Risk).

Read story