Electronic Data Exclusion Precludes Coverage for Payment Card Data Breach

The United States Court of Appeals for the Sixth Circuit, applying Georgia law, has held that the electronic data exclusion in commercial general liability (CGL) policies issued to a retail store company precluded coverage for a data breach involving the payment card data of the insured company’s customers. Home Depot, Inc. v. Steadfast Ins. Co., 2025 WL 80114 (6th Cir. Jan. 13, 2025).

After a cyberattack in which hackers stole tens of millions of customers’ payment card data, the insured company entered into an approximately $170 million settlement with the financial institutions that issued the affected payment cards. The company’s cyber insurers covered the loss only up to an aggregate limit of $100 million, and the company turned to its CGL insurers to cover the remainder. The CGL policies contained an electronic data exclusion that precluded coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” “Electronic data” was defined in the policies as “information, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” The CGL insurers denied coverage in part because the settlement arose out of loss of use of electronic data in the form of payment card information. The insured company contended that the electronic data exclusion did not bar indemnity coverage for costs incurred by issuers to reissue physical payment cards or for the issuers’ lost interest and transaction fees stemming from reduced usage of the payment cards. The company also sought reimbursement of defense costs incurred in the underlying claim.

In the ensuing coverage litigation, the district court granted summary judgment to the CGL insurers. On appeal, the court found three questions relevant to deciding whether the exclusion applied: first, whether payment card data was “electronic data”; second, whether there was a “loss of use of” or other covered harm to electronic data; and third, whether the damages “arose out of” that loss. On the first question, the court determined that payment card data, as “a creature of the computer,” met the policy’s definition of “electronic data.” Next, the court found that, when customers could no longer use their payment card data due to the breach, a “loss of use” had occurred in the “ordinary sense of those words.” Finally, the court applied a “but for” standard to assess whether the damages arose out of the loss of use of electronic data. Whether damages were construed as the costs of reissuing cards or as losses from reduced usage, the court concluded that the damages “sat downstream from” the data breach and thus satisfied Georgia’s but-for causation standard that governs application of policy exclusions. Having found that the electronic data exclusion barred indemnity coverage in full, the court also rejected the insured company’s argument that the CGL insurers owed a duty to defend.