Nearly a Decade After Breach, Home Depot Appeals to Get Defense Costs From CGL Policies

By Chad Hemenway | December 15, 2023

Think cyber events don’t have long tail? Consider this: Home Depot is still in a legal battle to get $50 million in coverage from two insurers nearly a decade after hackers used point-of-sale machines to hack the retailer.

In a filing earlier this week with the 6th Circuit Court of Appeals, Home Depot asked to continue to make its case for defense coverage under commercial general liability policies it had with Steadfast Insurance Co. and Great American Assurance Co.

Following the hacking of Home Depot’s payment systems in 2014, the retailer faced myriad lawsuits from consumers, payment card issuers, and banks seeking damages. The payment card issuers sought damages for the costs related to replacing the customers’ cards as well as lost transaction fees and interest.

According to court records filed by Home Depot, it looked for defense coverage with the insurers because the matter was related to physical, or tangible property – the payment cards. “The insurers refused, leaving Home Depot to fend for itself,” the retailer said.

Home Depot said it paid more than $170 million to settle claims with the card issuers and then sued Zurich subsidiary Steadfast Insurance Co. and Great American Assurance for breach of contract and damages. According to court records, Steadfast issued a primary policy to $25 million. Home Depot was to pay the first $1 million of covered losses, and Steadfast covered the next $9 million subject to a matching deductible, and Home Depot covered the next $15 million as a self-insured retention. The next two layers provided $50 million in total coverage, with a Steadfast excess policy covering losses between $25 and $50 million, and a Great American umbrella policy covering losses between $50 and $75 million.

However, the U.S. District Court for the Southern District of Ohio in August granted summary judgement to the insurers on the basis of an electronic data exclusion within the policies, ruling that the claims was “inextricably intertwined with electronic data.” Home Depot promptly appealed.

“The court was mistaken,” claimed Home Depot in a brief filed Dec. 13. “The data breach did not entail the loss of use of electronic data, but rather made the data available for greater use (by the hackers and their customers, in addition to the cardholders). And even if the reissuance of the payment cards may have involved some loss of use of electronic data, that loss of use did not cause the separate loss of use of the physical cards themselves.”

Photo: The Home Depot corporate headquarters in Atlanta. Photo/David Goldman/The Associated Press.

Was this article valuable?

Here are more articles you may enjoy.