BlogLine

Sixth Circuit Court of Appeals affirms denial of coverage for data breach under CGL policies

3/27/25

pic

By: Kyle A. Ference 

In Home Depot, Inc. v. Steadfast Ins. Co., the U.S. Court of Appeals for the Sixth Circuit recently applied Georgia law in ruling that a commercial general liability (CGL) insurance policy did not provide coverage for claims stemming from a data breach. 125 F.4th 769 (6th Cir. 2025). 

In that case, a large retailer suffered a data breach after hackers gained access to its computer system and accessed customers’ sensitive payment information. Several financial institutions then brought claims against the retailer seeking damages for reissuance of payment cards to millions of customers and lost revenue from transaction fees and interest as the result of customers using their payment cards less often. The parties eventually settled those claims for $170 million. The retailer’s cyber insurance policies covered the settlement up to their collective $100 million limits, and the retailer sought coverage for the remaining $70 million under two separate CGL policies. 

The CGL insurers, however, denied coverage on two grounds. The insurers first noted that the grants of coverage required there to be “property damage,” which includes either “physical injury to tangible property” or “[l]oss of use of tangible property that is not physically injured.” Because “tangible property” specifically excluded “electronic data” under the policies, the CGL insurers argued that the claims fell outside the grant of coverage. Second, the insurers argued that a policy exclusion applied which precluded coverage for damages “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” The retailer filed suit against the CGL insurers, and the trial court granted summary judgment in the insurers’ favor. 

On appeal, the Sixth Circuit held that the electronic data exclusion unambiguously precluded coverage for the financial institutions’ claims against the retailer. First, it held that payment card data, indeed, qualified as “electronic data.” Second, it held that the financial institutions’ claims were, indeed, for the “loss of use” of the electronic data insofar as the data had “lost its use when consumers couldn’t use payment card data to make purchases.” Finally, the Court held that the financial institutions’ damages, indeed, “arose out of” the electronic data loss—in other words, that the data breach was the “but for” cause of the damages. It explained, “… [A]bsent this breach, the consumers wouldn’t have experienced a loss of use of their electronic data. And the issuers wouldn’t have been forced to issue new payment cards, so there would be no damages leading to this dispute. Thus, the data breach sat upstream of the decision to reissue cards. So, that decision wouldn’t have arisen ‘but for’ the loss of use of electronic data.” The Court went on to state: “Consumers stopped using cards because they knew the electronic data that allowed them to make such transactions was compromised. For the everyday Home Depot customer, the breach was relevant precisely because it concerned electronic data and the loss of use of such data.” The Sixth Circuit, therefore, affirmed the trial court’s ruling that the CGL insurers had no duty to indemnify the retailer and likewise concluded they had not breached their duties to defend. 

In a world where large-scale data breaches are increasingly common, this case demonstrates the interplay between CGL and cyber insurance policies and the types of risks typically covered under each. 

For any questions or further clarification, please contact Kyle A. Ference at kyle.ference@fmglaw.com or your local FMG attorney