• Atlanta
• Boston
• Dallas
• Ft. Lauderdale
• London
• Minneapolis
• New York
• Oakland
• Philadelphia
• Washington, DC

By Jane Warring and Jackson Griner

A Jan. 13 decision out of the U.S. Court of Appeals for the Sixth Circuit is one more nail in the coffin of "silent cyber."

In Home Depot Inc. v. Steadfast Insurance Co., the federal appellate court agreed with the lower court that Home Depot's commercial general liability insurers — unlike its cyber risk insurers — had no duty to defend or indemnify Home Depot against lawsuits brought against it by financial institutions arising from a 2014 data breach.[1]

The highly publicized breach occurred when hackers gained entry to Home Depot's computer network and embedded malware in its point-of-sale terminals, stealing card data and personal information from tens of millions of customers. These customers were not the only victims of the breach.

As a result of the breach, financial institutions that issued credit cards to Home Depot's customers incurred costs associated with cancelling and reissuing cards. The financial institutions also sustained loss during the time their customers were unable to use their cards. They brought lawsuits against Home Depot, which ultimately settled for around $170 million, $100 million of which was paid by the insurers who had issued cyber insurance policies to Home Depot.

Home Depot sought the remainder of the settlement amount from its two general liability carriers. These insurers denied coverage, and Home Depot sued them in federal court. Home Depot's commercial general liability carriers prevailed in both the U.S. District Court for the Southern District of Ohio, and on appeal in the Sixth Circuit.

The Home Depot case presents a classic "silent cyber" scenario — where a policyholder seeks to recover for impacts from a cyberattack under a standard first-party property or commercial general liability policy that was not intended to insure cyber claims.

Silent cyber is nothing new. The largest silent cyber case, or set of cases, arose out of a cyberattack against pharmaceutical giant Merck & Co. Inc. in 2017. When Merck's losses exceeded the limits of its cyber insurance policies, it sought to recover its uninsured losses from its standard first-party property insurance carriers. This sparked coverage litigation that centered on the application of the policies' war risk exclusions.

Merck ultimately prevailed, prompting the insurance industry to examine how noncyber policies could be misconstrued to cover cyber risks.

One thing to keep in mind is that the Home Depot case was decided under policy language in use in 2013 — long before Merck's silent cyber warning and before the insurance industry had an opportunity to shore up noncyber policy wordings against the risk of being construed as providing cyber coverage.

Fortunately for the insurers in the Home Depot case, even under their older policy wording, both the lower and appellate courts concluded that the language clearly precluded coverage for Home Depot's cyber-related liability claims.

The policies at issue covered claims against Home Depot alleging "property damage" which they defined to include either "physical injury to tangible property" or "loss of use of tangible property that is not physically injured." At the same time the policies excluded claims for loss arising "out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data."

Home Depot attempted to thread the needle — trigger coverage and avoid the exclusion — by arguing:

• There was a loss of use of tangible property (the physical credit card), but
• The damage to the financial institutions did not arise out of a loss of use of electronic data.

Home Depot argued that the claims came within the policies' coverage in the first instance because the physical (tangible) credit cards were cancelled and thus became unusable. Specifically, Home Depot argued that there was a loss of use in two ways — (1) there was a partial loss of use when customers reduced their card usage upon learning of the breach, and (2) there was a complete loss of use when financial institutions cancelled the cards.

District Court Opinion

The lower court agreed, in part, concluding that the policies' insuring agreements — the portion of a policy that identifies the risks a policy covers — applied to the financial institutions' claims because "there was a loss of use of a tangible object not physically injured."

However, the lower court determined that only the card cancellation constituted a qualifying loss of use. According to the trial court, the customers' reduced card usage was not a loss of use because they still had the card and could have used it. But the customers' inability to use the card when it was cancelled by the financial institutions was a loss of use.

The lower court nonetheless found that coverage for the financial institutions' claims against Home Depot was barred due to the policies' electronic data exclusion. Despite having several options — loss of, loss of use of and inability to access data — the court homed in on "loss of use" of electronic data as triggering the exclusion. The lower court stated that "[t]he use of electronic data was lost in two ways."

First, the electronic data lost its use when it was no longer secure. Home Depot had argued there was no loss of use of the data — if anything it was more accessible (to others even) after the breach. But the court rejected this argument: "Home Depot cannot have it both ways. If, as Home Depot argues, the payment cards lost their use when the data breach rendered them insecure, then so too did the electronic data lose its use after the data breach rendered it insecure."

Second, the electronic data lost its use when the cards were cancelled:

The strings of numbers on the payment cards are not useful in and of themselves. Rather, they are useful only because they correspond to the cardholder's actual payment information. ... [O]nce the electronically stored payment information no longer matched the numbers printed on the card, the cards were useless. Thus, the loss of use of the physical card numbers arose out of the loss of use of the electronically stored card numbers.

Sixth Circuit Opinion

On appeal, the Sixth Circuit agreed with the lower court that there was no coverage. However, unlike the trial court, the Sixth Circuit concluded that, as a threshold issue, there was no coverage under the policies' insuring agreements, which merely covered loss of tangible property.

Applying Georgia law, the court examined the policies' language and confirmed that payment card information indeed constituted electronic data pursuant to the policies. The court artfully noted that because the data is "a creature of the computer," it was electronic data.[2]

The court also considered whether the financial institutions alleged either a loss or loss of use of electronic data, and if so, whether its damages arose out of that loss. It determined that because customers lost access to their personal information and payment card data, the event constituted the loss of use of electronic data, and that because the loss of such data was the ultimate but-for cause of the financial institutions' claimed damages, their damages arose out of a loss of use of electronic data.

In other words, because the data breach sat upstream of the reissuance of payment cards and the less frequent use of services, but naturally led to the same, the data breach was the but-for cause of the financial institutions' claimed loss. As a result, the loss fit squarely into the exception set forth in the insurer's policies and was not covered.

Regarding defense costs, the Sixth Circuit further explained that the insurers' policies only covered defense costs for claims that the policies would also cover. As a result, Home Depot's defense costs were not covered because the claims against it concerned loss of use of electronic data, not tangible property.

The court explained: "[C]ourts must stick to the text and look to the words' ordinary meaning. When contractual language is unambiguous, as here, courts need not look beyond the contract's four corners. ... [B]ecause the underlying complaint alleged harms that weren't covered, it didn't implicate the duty to defend."[3]

Conclusion

The Sixth Circuit's thoughtful and readable opinion in Home Depot will no doubt be cited by insurance companies defending such claims under Georgia law and nationwide. The opinion will give underwriters of commercial liability and first-party property policies helpful guidance as to what policy language effectively eliminates exposure to cyber risks under policies that were never intended to insure them.

This opinion is a significant win for insurers that issue commercial general liability policies with cyber risk exclusions but likely has application to first-party property as well. The insurance industry relies on the ability to accurately identify and predict risk. Silent cyber or any other silent, i.e., unanticipated or unintentional findings of, coverage compromise the industry's ability to calculate premiums and control risk portfolios.

Those underwriters in 2013 may not have fully appreciated the risk they were addressing, but the courts in Home Depot rightly concluded that the policy language precluded coverage.

Such decisions give welcome validation for the underwriters of today who are crafting exclusions to control emerging risks — like losses stemming from the use of artificial intelligence — without a full appreciation of how those risks may manifest.

The opinions expressed are those of the authors and do not necessarily reflect the views of the firm or its clients. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

________________________________________________

[1] Home Depot, Inc. v. Steadfast Ins. Co. , No. 23-3720, 2025 WL 80114 (6th Cir. Jan. 13, 2025)(applying Georgia law).

[2] Home Depot, No. 23-3720, 2025 WL 80114, at *3.

[3] Home Depot, No. 23-3720, 2025 WL 80114, at *8-9.