Chubb Wins in Judge’s Denial of Target’s Data Breach Bank Claims

February 11, 2021 by Andrew Simpson

Target Corp. has been denied its $138 million insurance claim against ACE (now Chubb) Insurance companies stemming from a 2013 data breach. A federal judge in Minnesota ruled the retailer had failed to prove that its reimbursement to banks for their costs of issuing new credit cards to victims of the data breach was a covered “loss of use” under its two commercial general liability (CGL) policies.

The ruling came in a breach-of-contract action by Target against ACE, with Target seeking a declaratory judgment that Target’s liability for the banks’ payment card claims is covered under the policies. Target also sought judgment against ACE for the settlement payments it made relating to the credit card claims.

The retailer’s data breach occurred in December 2013. In May 2016, Target reached a settlement in the class action lawsuit brought on behalf of a class of banks for approximately $58 million, which the district court approved. In addition to settling the class action litigation, Target reached confidential settlements with the major credit card issuers, including Visa, MasterCard, American Express, and Discover, as well as numerous individual banks.

In total, Target settled all of claims for approximately $138 million, including $20 million in attorneys’ fees.

On January 14, 2014, Target notified ACE of Target’s potential liability for costs associated with the data breach. ACE denied coverage under the two CGL policies it had issued.

Target brought its breach-of-contract action against ACE in November 2019. The parties cross-moved for summary judgment before U.S. District Judge Wilhelmina M. Wright. This week in a 12-page decision, Judge Wright denied Target’s motion for partial summary judgment and granted ACE’s motion for summary judgment.

Target first argued that ACE’s agreeing to defend Target in the data breaccurh confirmed that the coverage was available for its loss. However, Judge Wright rejected that argument, citing precedents that an insurer’s duty to defend an insured is “distinct from and broader than [an insurer’s] duty to indemnify the insured.”

Target also relied on a Minnesota Supreme Court’s conclusion in a case involving Concrete Units that said an insurer must “pay all damages which are causally related to an item of ‘property damage’ ” that meets the policy definitions. That case involved a grain elevator that had an initial value that diminished after the incorporation of defective concrete.

But the court told Target that the Concrete Units case did not apply because Target did not present any facts regarding the value of the plastic payment cards and thus the question of a diminution of the value of the cards was not at issue.

ACE’s argument rested on the distinction between property damage and the diminution in property value. The payment cards that were compromised by the data breach lost their value, not their use, and thus Target’s claims were rightfully denied because only loss-of-use damages are compensable under the policies, ACE argued and the judge agreed.

The parties disputed whether damages arising out of the payment card claims by the banks are damages “based on” loss of use of the payment cards. ACE contended that there is no nexus between the loss-of-use damages alleged and the value of the loss of the use of payment cards. Target felt that because the payment cards allegedly lost their use and Target resolved the payment card claims by paying banks a settlement, the settlement of that liability necessarily constituted damages because of a loss of use.

Judge Wright noted that other courts have concluded that there must be a nexus between the value of the customer’s or company’s ability to use the product or service that has been lost and the damages associated with that loss of use.

That was more bad news for Target.

“Here, the record is devoid of any allegation or evidence as to what the value of the use of the payment cards is, either to Target’s customers or to the payment card companies,” the judge wrote, concluding that since the value of the use is not established or even approximated, damages cannot be “based on” the loss of use because there is no nexus between the damages and the loss of use.

In short, Target did not establish a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers.

The Target breach was one of the biggest data breaches to hit a U.S. retailer at the time. Target reported that hackers stole data from up to 40 million credit and debit cards of shoppers who had visited its stores during the 2013 holiday season.

In 2017, Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into the massive data breach. The retailer also reached a $10 million settlement of a federal consumer class action.

The case is Target Corp. v. ACE American Insurance Co.

*This story ran previously in our sister publication Insurance Journal.