Target Corp.'s $138 million insurance claim against ACE (now Chubb) insurance companies, arising from a 2013 data breach, has been denied. A federal judge in Minnesota ruled that the retailer had failed to prove that its reimbursements to banks for their cost of issuing new credit cards to victims of the data breach were covered as "loss of use" under its two commercial general liability (CGL) policies.
The ruling came in a breach of contract action brought by Target against ACE, in which Target sought a declaratory judgment that Target's liability for the banks' payment card claims is covered by the policies. Target also sought a judgment against ACE for the settlement payments it made in respect of the payment card claims.
The retailer's data breach occurred in December 2013. In May 2016, Target reached a settlement of approximately $58 million in the class action lawsuit filed on behalf of a class of banks, which the court approved. In addition to settling the class action disputes, Target has entered into confidential settlements with major credit card issuers, including Visa, MasterCard, American Express and Discover, as well as numerous individual banks.
In total, Target settled all claims for approximately $138 million, including $20 million in attorney fees.
On January 14, 2014, Target notified ACE of Target's potential liability for costs related to the data breach. ACE declined coverage under the two CGL policies it issued.
Target filed a breach of contract action against ACE in November 2019. The parties filed cross-motions for summary judgment before U.S. District Judge Wilhelmina M. Wright. This week, in a 12-page decision, Judge Wright denied Target's motion for partial summary judgment and granted ACE's motion for summary judgment.
Target first argued that ACE's agreement to defend Target in the data breach confirmed that coverage was available for the loss. However, Judge Wright rejected that argument, citing precedents that an insurer's duty to defend an insured "differs from and is broader than (an insurer's) duty to indemnify the insured."
Target also relied on a Minnesota Supreme Court finding in a case involving Concrete Units, which stated that an insurer "must pay for all damages that are causally related to an item of 'property damage' that meets the policy definitions." That case concerned a grain elevator whose initial value decreased after the installation of defective concrete.
But the court told Target that the Concrete Units case was not applicable because Target did not provide facts about the value of the plastic payment cards and thus the issue of depreciation of the cards was not raised.
ACE's argument was based on the distinction between property damage and depreciation of property. The payment cards compromised by the data breach lost their value, not their use, and so Target's claims were rightly dismissed, as only damages from loss of use could be compensated under the policy, ACE argued and the judge agreed.
The parties disputed whether the damages resulting from the banks' payment card claims are "based on" the loss of use of the payment cards. ACE argued that there is no link between the alleged loss-of-use damages and the value of the loss of use of the payment cards. Target argued that because the payment cards lost their use and Target resolved the payment card claims by paying banks a settlement, the settlement of that liability necessarily constituted damages for loss of use.
Judge Wright noted that other courts have concluded that there must be a link between the value of the customer's or company's ability to use the product or service that has been lost and the damage associated with that loss of use.
That was more bad news for Target.
"Here the record does not contain any claim or evidence as to what the value of the use of the payment cards is, either to Target's customers or to the payment card companies," the judge wrote, concluding that since the value of the use has not been established or even approximated, the damage cannot be "based on" the loss of use because there is no relationship between the damage and the loss of use.
In short, Target has not established a link between the damages incurred in settling claims related to the replacement of the payment cards and the value of the use of those cards, either for the payment cardholders or for the issuers.
The Target breach was one of the largest data breaches to hit a U.S. retailer at the time. Target reported that hackers had stolen data on up to 40 million credit and debit cards from customers who visited the stores during the 2013 holiday season.
In 2017, Target agreed to pay $18.5 million to settle claims from 47 states and the District of Columbia and resolve a multi-state investigation into the massive data breach. The retailer also reached a $10 million settlement in a federal consumer class action.
The case is Target Corp. v. ACE American Insurance Co.