CYBER CORNER

COURT RULING DEALS ANOTHER BLOW TO SO-CALLED “SILENT CYBER” COVERAGE

The Home Depot Inc. et al. v. Steadfast Insurance Co. et al., 1:21-cv-00242 (S.D. Ohio Aug 16, 2023).

A federal judge ruled against a retailer in a lawsuit arising out of a data breach involving stolen payment card information, concluding that an exclusion for the theft of electronic data served to bar coverage under the retailer’s Commercial General Liability policies.

The data breach impacted millions of customers, which led the issuing banks to sue the retailer for the cost of replacing the cards, alleging that the retailer was negligent in its data security. The retailer’s general liability carriers denied coverage under the electronic data exclusion, and the retailer was left to defend and settle the litigation out of pocket. The retailer filed suit against its insurers, claiming that they had breached their duties to defend and indemnify the retailer by wrongfully denying coverage.

The retailer acknowledged that the policies at issue did not cover the loss of use of electronic data associated with the payment cards but argued that the physical card numbers were still covered. The court disagreed and dismissed the case. The court did so even while finding that there had been a “loss of use” of tangible property in terms of the physical cards having to be canceled by the banks. The judge reasoned that the loss of use was intertwined with, and resulted from, the compromise of the electronic card numbers, and thus triggered the electronic data exclusion.

The Takeaway

It bears noting that the retailer was able to recover from its cyber insurers for other losses related to the breach, but the limits of the cyber program were apparently insufficient to also cover the costs of litigation with the financial institutions that had issued the customers’ payment cards. This case serves as a cautionary tale that reliance upon Commercial General Liability policies to cover losses arising from a cyber incident is misplaced. A dedicated and broadly worded cyber insurance program, with sufficient limits for the foreseeable exposure, is the best solution for managing this challenging and constantly evolving risk.

CONTRACTUAL CLASS ACTION WAIVER HOLDS UP CLASS CERTIFICATION 

In re Marriott International, Inc., Customer Data Security Breach Litigation, 22-cv-1744 (4th Cir. Aug. 18, 2023).

The Fourth Circuit vacated a lower court’s order granting class certification in litigation stemming from a major hotel group’s 2018 data breach, affecting roughly 133 million customers, based on the failure to consider the effect of a class action waiver. Following the breach, customers across the country filed lawsuits against the hotel and the IT service provider that managed the customer database, which were eventually consolidated in Maryland. The lower court certified several classes based on alleged damages and state law violations but held off on determining the effect of a class action waiver, which all the customers signed as part of the hotel’s rewards program.

The Fourth Circuit determined that the effect of the waiver was a threshold issue, rather than an affirmative defense to be evaluated later in the litigation. Following the decision, the lower court will need to consider the scope of the class waiver and the customers’ ability to move forward as a class. In this case, the inclusion of a contractual class action waiver could prove a powerful tool in limiting or avoiding a costly class action suit stemming from a cyber event.