SDV Insights

CGL Policy May Not Cover Cybersecurity and Data-Related Losses


The construction industry, like many other industries, has experienced an increased reliance on, and implementation of, technology in the past few years. Smart phones and tablets are used on most project sites, computers are an integral part of the planning process, and various software programs are used throughout the construction process. Likewise, much of the machinery and equipment used during construction (e.g., total stations, trucks, tower cranes) is interconnected, and in some cases, operated or monitored remotely.1

With an increase in technology comes a risk of cybersecurity and data-related losses. Many large businesses purchase Commercial General Liability (“CGL”) insurance and assume cybersecurity and data-related losses are covered. Unfortunately, this is generally not the case. CGL policies typically cover three general types of damage: bodily injury, property damage, and advertising injury.   

In 2013, the Insurance Services Office, Inc. (“ISO”), an advisory association for the property and casualty insurance industry, introduced a model CGL form that excludes certain losses related to electronic data. The insurance industry embraced the exclusion. Now, CGL policies tend to exclude the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. This exclusion may prevent recovery of damages when cybersecurity issues arise.

Sixth Circuit Applies Electronic Data Exclusion in CGL Policy to Bar Coverage for Data Breach Suit.

Recently, the Sixth Circuit held that a data breach was not covered under Home Depot’s various CGL policies. In Home Depot Inc. et al. v. Steadfast Insurance Co. et al.2, Home Depot sued its CGL insurance carriers (“CGL Insurers”) alleging breach of the duties to defend and indemnify, seeking to recoup the cost of a settlement in connection with an underlying data breach suit (“Underlying Action”). In the Underlying Action, Home Depot was sued by banking institutions that had to re-issue credit and debit cards to millions of Home Depot customers whose information, including credit card and debit card numbers, was stolen. When the breach was discovered, the banks canceled their customers’ payment cards, replaced them, and sued Home Depot for the cost of replacement. Home Depot tendered defense and indemnity for the Underlying Action to  its CGL Insurers, who denied coverage because “the damages were related to electronic data rather than physical cards.”

The CGL Insurers issued policies (“Policies”) to Home Depot that covered damages caused by, in relevant part, the “loss of use of tangible property that is not physically injured” if that loss was caused by an “occurrence.” However, the Policies had an electronic data exclusion that excluded loss of use that “arise[s] out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” 

In Home Depot’s Motion for Partial Summary Judgment and the Insurers’ Motion for Summary Judgment, Home Depot and the CGL Insurers agreed that the payment cards were tangible property that was not physically injured, but disagreed about whether there was a loss of use of the payment cards. Home Depot argued that there was a partial loss of use of the payment cards when customers reduced their card usage – which reduced the amount of fees and interest the banks could collect – and a complete loss of use when the banks canceled the cards. The CGL Insurers argued that “loss of use” refers to only a temporary loss. The Court disagreed with the CGL Insurers, in part, holding that the loss of fees and interest did not constitute a loss of use of the payment cards; but the Court also held that the cancellation of the payment cards did result in a loss of use of tangible property and a loss of use of the electronic data associated with the cards. Therefore, there was property damage under the terms of the Policies. The Court went on to find the remainder of the insuring agreement satisfied because this loss of use was caused by an “occurrence” – that is, an accident – because the cancellation of the cards was an unforeseen intentional act of a third party qualified as an accident.

After determining there was a covered loss, the Court considered whether the electronic data exclusion barred coverage. The Court held that the banks’ cancellation of the cards was inextricably intertwined with electronic data. The electronic data use was lost both when the card data was stolen, rendering the card insecure, and when the cards were cancelled by the bank. Ultimately, because the loss of use of the physical numbers on the card arose out of the loss of use of electronic data, the Court held that the electronic data exclusion barred coverage for the Underlying Action and granted the CGL Insurers’ Motion for Summary Judgment. 

 Policyholders that use the internet or web-based software to conduct business should heed the Court’s findings and ensure they are not relying exclusively on CGL coverage to respond to data or cybersecurity-related losses. To learn more about available coverage options for these kinds of claims, please reach out to a member of our team.

For more information on this topic, contact Susana Arce at SArce@sdvlaw.com

____________________________________
1iga Turk, Borja García de Soto, Bharadwaj R.K. Mantha, Abel Maciel & Alexandru Georgescu, A systemic framework for addressing cybersecurity in construction, Volume 133, Automation in Construction, at 1, January 2022, https://doi.org/10.1016/j.autcon.2021.103988.
2Home Depot, Inc. v. Steadfast Ins. Co., No. 1:21-CV-242, 2023 WL 5278049, at *1 (S.D. Ohio Aug. 16, 2023), appeal dismissed, No. 23-3764, 2023 WL 8940280 (6th Cir. Nov. 3, 2023)






CONTACT US


The email you are sending does not create an attorney-client relationship with SDV. We do not agree to representation until we have performed a check for conflicts of interest and expressly agree to provide services in a particular matter via an engagement letter. The information submitted to us via this website will NOT be treated as confidential or privileged as a lawyer/client communication and our receipt of this information does not prevent us from representing a client related to the subject of your inquiry.

Northeast

35 Nutmeg Drive
Trumbull, CT 06611

203.287.2100

136 Madison Avenue
New York, NY 10016

203.287.2100

233 Mount Airy Road
Basking Ridge, NJ 07920

973.446.7300

Southeast

999 Vanderbilt Beach Road, Ste 603
Naples, FL 34108

239.316.7244

West Coast

One BetterWorld Circle
Temecula, CA 92590

951.365.3145

SDV is headquartered in Connecticut, with regional offices located in New York, New Jersey, Florida, and California to better serve our clients nationwide. We have the experience and insight to effectively address your insurance coverage concerns and provide practical solutions to any risk transfer challenges you face.