In Home Depot, Inc. v. Steadfast Insurance Co., No. 23-3720 (6th Cir. 1/13/2025), insured Home Depot suffered a data breach when hackers accessed its computer system and stole customer payment card information collected from its self-checkout terminals. Financial institutions which had issued the payment cards sued Home Depot seeking damages incurred as result of the data breach, namely costs related to reissuing the payment cards and damages resulting from reduced use of the cards by customers following the breach. Home Depot tendered the suits to both its cyber insurers and its commercial general liability insurers. The cyber insurers paid their full limits towards settlement of the claims. The CGL insurers denied coverage and Home Depot filed suit. The federal district court granted summary judgment for the insurers and the Sixth Circuit Court of Appeals affirmed. Applying Georgia law, the court held that an “electronic data exclusion” applied to preclude coverage. That exclusion provides in pertinent part that the policy does not apply to “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” The court first held that the payment card data—“a creature of the computer”–clearly constituted “electronic data” as broadly defined in the policy. The court next held that the customers’ inability to use their payment card data to make purchases constituted “loss of use” of the “electronic data.” While acknowledging the absence of any Georgia reported decisions on “loss of use,” the court states that the “ordinary sense” of the terms means the “inability to use an item.” The court rejected Home Depot’s argument that the data remained useable by the hackers and those obtaining the data from the hackers. Finally, the court held that the reissuance and reduced usage damages alleged by the payment card issues did “arise out of” of the “loss of use.”
Electronic Data Exclusion Applied

