On 15 November 2019, Target Corporation (the “Plaintiff”), a listed general merchandise retailer in the United States of America, filed a complaint in the District Court of Minnesota, against ACE American Insurance Company and Ace Property and Casualty Insurance Company (the “Defendant”), now incorporated into Chubb Limited, as a result of the Defendant’s refusal to indemnify the Plaintiff for part of the costs it incurred following a data breach of the Plaintiff’s computer network (the “Complaint”).
The data breach occurred in December 2013, following the installation of malicious software by a hacker on the Plaintiff’s computer network. It is reported that the payment card data of 40 million customers, and the personal information of 60 million customers, were stolen. These customers were consequently exposed to a high risk of fraudulent transactions.
As a result of the high exposure, several banks were obliged to incur the costs of cancelling and reissuing payment cards to the affected customers, which included the costs of reproducing the plastic cards and mailing them to customers. As a result of the losses incurred, the banks sued the Plaintiff a class action lawsuit. The Plaintiff settled all demands with the banks. Furthermore, the Plaintiff settled other lawsuits with card issuers such as Visa, MasterCard, American Express, Discover, as well as other banks. According to the Complaint, the Plaintiff settled for a total of $138 million, which included $20 million in attorneys’ fees and class representative payments.
While some of the Plaintiff’s losses were covered by insurance, the costs of replacing the payment cards were not. This has resulted in a dispute between the Plaintiff and the Defendant for the $74 million portion of the total settlement that makes up the costs incurred by the banks in replacing the payments cards. The Plaintiff contends that such costs are covered under its General Liability insurance.
The relevant General Liability insurance policies purchased by target in 2013 were as follows:
- Primary policy underwritten by the Defendant
- Two excess layer policies underwritten by other insurers
- A third excess layer policy underwritten by the Defendant
All policies except the third excess layer have been exhausted. The Plaintiff is now attempting to obtain coverage for the costs of replacing the payment cards, as settled with the banks, under the primary policy and third excess layer policy for there to be a response in the aggregate.
The primary policy states as follows in the insuring clause:
“We will pay the insured for the “ultimate net loss” in excess of the “retained limit” because of “bodily injury” or “property damage” to which this insurance applies.”
The primary policy defines “property damage” as follows:
“a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.”
According to the Plaintiff, the claim for the costs of replacing the payment cards are for damages resulting from the loss of use of tangible property, that while not physically injured, were not able to be used without risk to the customer or the banks.
This matter is ongoing, and it will be interesting to see how the provisions of the General Liability policies will be interpreted by the courts. However, in the meantime, we are faced with a live example of potential silent cyber coverage. It is crucial to consider the effects of a cyberattack on all insurance policies, and whether the policy wording will explicitly provide or exclude such cover. It is also essential to ensure that reinsurance arrangements reflect the intention of the insurer on cyber coverage. Planning is vital in avoiding a mismatch of the expectations of the insured and the possible treating customers fairly implications.