Alert

Sixth Circuit Unanimously Affirms No Coverage under CGL Policies for Home Depot’s Data Breach

On January 13, 2025, the U.S. Court of Appeals for the Sixth Circuit upheld the U.S. District Court for the Southern District of Ohio’s ruling that Home Depot’s commercial general liability (“CGL”) insurers, including the primary and excess insurer represented by Coughlin Midlige & Garland, LLP, had no duty to defend or indemnify claims stemming from a data breach. Home Depot, Inc., et al. v. Steadfast Ins. Co., et al., 2025 U.S. App. LEXIS 687, ___ F.3d ___ (6th Cir. 2025). This closely watched decision clarifies the scope of coverage under CGL policies for electronic data breaches, which are commonly associated with the retail industry.

Following a massive 2014 data breach, in which hackers stole payment card data and personal information from millions of Home Depot’s retail customers, financial institutions (“card issuers”) brought suit against Home Depot. The card issuers alleged Home Depot’s insufficient security protocols led to the card issuers’ losses, including costs associated with both reduced usage of the cards by the customers (the “reduced usage theory”) and reissuing new cards to the customers (the “reissuance theory”). Home Depot’s cyber insurers paid their full aggregate limits totaling $100M. Home Depot then turned to its CGL insurers to make up the difference for its remaining losses.

In pursuing coverage, Home Depot argued the data breach resulted in “property damage” to the cards as defined by the CGL policies, specifically that there was a “loss of use of tangible property that is not physically injured.” But like the District Court, the Sixth Circuit’s majority opinion (Stranch and Thapar, JJ.) concluded that the reduced usage theory and the reissuance theory were excluded based on an electronic data exclusion, which barred coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

In its detailed decision, the majority opinion conducted a three-pronged analysis to determine whether: (1) payment card data is electronic data; (2) there was a “loss of use of” (or other covered harm to) electronic data; and (3) the damages “arose out of” that loss.

On the first issue, the majority opinion concluded that the compromised payment card data is “electronic data.” Second, the Sixth Circuit found that there was a “loss of use” of the electronic data because that data lost its function to make secure transactions. In its analysis of this second point, the majority opinion disagreed with Home Depot’s argument that the data breach made electronic payment card data more, not less, accessible. Instead, it ruled that this contention ran contrary to how an ordinary reader would read the policies at issue; primarily because the ordinary reader would think there is a loss of use of their payment card if it no longer provides for secure and seamless transactions. With regard to the third prong, the majority opinion concluded the reissuance and reduced usage damages arise out of the electronic data loss. Under Georgia law, the phrase “arising out of”, as used in the electronic data exclusion, requires the application of a “but for” analysis. In other words, the question becomes whether, “but for” the electronic data breach, the reissuance and reduced usage damages would have occurred. The majority opinion found that absent the data breach, the card issuers would not have sustained the damages they alleged, whether from reduced usage or reissuance damages.

The concurring opinion (Murphy, J.) agreed that the CGL policies “bar coverage” for Home Depot’s data breach, but found a different path to reach this result. Judge Murphy questioned coverage under the reduced usage theory, specifically, whether there was a loss of use of the payment card data in the first place because the data breach (or its disclosure) did not necessarily prevent the customers from using the compromised data. Moreover, “[i]f the breach did not trigger a ‘loss of use’ of that electronic payment-card data, it also would not have triggered a ‘loss of use’ of the physical payment cards” to satisfy the coverage grant. (Italics in original.) Even if there was a loss of use, it would be excluded based upon the electronic data exclusion. The concurring opinion also concluded that the loss of use of the physical cards under the reissuance theory triggers the exclusion because it would have arisen out of the loss of use of the electronic payment card data.

This decision follows other cases applying the electronic data exclusion in claims involving similar breaches of retail customers’ payment data. See, e.g., Camp’s Grocery, Inc. v. State Farm Fire & Cas. Co., 2016 U.S. Dist. LEXIS 147361, *22 (N.D. Al. Oct. 25, 2016); RVST Holdings, LLC v. Main Street Amer. Assur. Co., 136 A.D.3d 1196, 1198 (N.Y. App. Div. 3rd Dept. 2016).  This decision is also distinguishable from the holding in Target Corp. v. ACE Am. Ins. Co., 2022 U.S. Dist. LEXIS 51044 (D. Minn. Mar. 22, 2022), which found coverage for claims associated with the replacement of payment cards following a data breach, as a subsequent decision noted that the policy at issue in Target did not contain an electronic data exclusion. See Target Corp. v. Ace Am. Ins. Co., 2022 U.S. Dist. LEXIS 178307, *6 (D. Minn Sept. 30, 2022). This decision also serves as a reminder for policyholders to procure sufficient cyber coverage and that they should not count on CGL insurers to pay for any gaps in coverage where the policy at issue contains an electronic data exclusion. Although cyber risks have evolved over the years, they continue to present significant threats to businesses and their customers. Policyholders should therefore look to the cyber insurance market to mitigate exposures for these continuing threats.

About Coughlin Midlige & Garland LLP

Coughlin Midlige & Garland LLP is a diverse, full-service firm committed to providing legal services of exceptional quality and superior value. We serve regional, national, and international clients, bringing to each matter the energy, experience, and imagination of a talented group of lawyers and staff dedicated to obtaining optimal results and to fulfilling the highest standards of the profession.

The materials presented herein are for informational purposes only and are not offered as legal advice. No reader should act on the basis of these materials without first seeking appropriate professional advice as to the particular facts and applicable law involved. Opinions presented herein are the opinions of the individual authors, and do not necessarily reflect the opinion of the firm of Coughlin Midlige & Garland LLP, or any of its other attorneys or its clients.