Learn About the Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
HOME DEPOT, INC.; Home Depot U.S.A., Inc., Plaintiffs-Appellants, v. STEADFAST INSURANCE COMPANY; Great American Assurance Company, Defendants-Appellees.
OPINION
After a data breach, Home Depot, Inc., and Home Depot U.S.A., Inc. (together, “Home Depot”) sued its insurers for indemnification. Home Depot also claimed the insurers owed it a duty to defend. Because there's no obligation to indemnify or defend these claims, we affirm.
I.
This case involves a contract dispute. Steadfast Insurance Company (“Steadfast”) and Great American Assurance Company (“Great American”) wrote commercial general liability insurance policies for Home Depot. Between the two companies, three policies collectively provided $50 million in coverage. Notably, Home Depot also had more than $100 million in separate cyber insurance policies.
The Steadfast and Great American commercial general liability policies specify what was covered. 1 The insurers indemnified Home Depot from any “property damage” that an “occurrence” caused. See R. 43-2, Pg. ID 663. The policies explain that “property damage” includes either a “physical injury to tangible property” or, relevant here, a “[l]oss of use of tangible property that is not physically injured.” Id. at Pg. ID 677. They also noted that “electronic data” isn't “tangible property.” Id. at Pg. ID 678. And an occurrence is “an accident.” Id. at Pg. ID 677. Thus, the policies cover loss of use of tangible property caused by an accident, so long as that tangible property isn't electronic data.
While the policies state that electronic data isn't tangible property, they also include a separate provision excluding electronic data. This provision explains that the policies don't cover “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Id. at Pg. ID 667. In this section, the policies define “electronic data” as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id. So if a loss arises out of the loss of use of electronic data, it's not covered.
The policies further explain who pays to defend against lawsuits. 2 The policies include a “duty to defend” Home Depot against any “suit” seeking damages because of “property damage” to the types of property the policies cover. R. 43-2, Pg. ID 663. In other words, if someone sues Home Depot for something the policies cover, the insurers will pay Home Depot's defense costs.
The policies’ precise wording became relevant after Home Depot suffered a cyberattack. Hackers accessed Home Depot's computer system and stole payment card information from consumers who used the company's self-checkout terminals. All told, the hackers stole tens of millions of customers’ payment card data and personal information. Several months later, Home Depot discovered what happened and announced the breach.
After Home Depot publicized the breach, financial institutions (called “issuers”) sued. These firms incurred losses when they had to “cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraud monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers.” R. 43-19, Pg. ID 1508. Home Depot eventually settled these claims for about $170 million.
The company's cyber insurers covered all required losses, up to the full $100 million aggregate limit. Because this amount was less than the settlement, Home Depot then asked Steadfast and Great American to pay under the commercial general liability policies, too.
But the insurers denied coverage and wouldn't defend the claims. Instead, the insurers argued that the suits didn't fall within the policies’ coverage. Why? Two reasons. First, the policies defined “tangible property” in a way that left electronic data, like credit card payment information, uncovered. And the policies separately excluded losses from “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” R. 43-2, Pg. ID 667. Thus, the insurers denied Home Depot's claims and disclaimed any duty to defend Home Depot in the issuers’ lawsuits.
Unable to reach an agreement with its insurers, Home Depot sued. First, Home Depot asserted that its insurers should indemnify it for costs the issuers incurred by reissuing physical payment cards (the “reissuance theory”). Second, Home Depot sought indemnification for the issuers’ claims about “lost interest and transaction fees,” which stemmed from consumers using their cards less after the breach than before (the “reduced usage theory”). Third, Home Depot alleged that the insurers should reimburse its defense costs.
The district court granted summary judgment to the insurers. Home Depot appealed.
II.
This court reviews the district court's grant of summary judgment de novo. Seeger v. Cincinnati Bell Tel. Co., 681 F.3d 274, 281 (6th Cir. 2012). And since this case comes to us after a motion for summary judgment, we take the evidence in the light most favorable to Home Depot. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248–50, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). Finally, Georgia law governs this dispute because it's the only state with a significant relationship to the transaction and parties. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 495–97, 61 S.Ct. 1020, 85 L.Ed. 1477 (1941); Ohayon v. Safeco Ins. Co., 91 Ohio St.3d 474, 747 N.E.2d 206, 208–09 (2001).
III.
Applying Georgia law, the district court was correct to grant summary judgment on Home Depot's reissuance and reduced usage claims.
A.
Courts interpreting an insurance policy start with its text. See Reed v. Auto-Owners Ins. Co., 284 Ga. 286, 667 S.E.2d 90, 92 (2008). A policy should be “read as a layman would read it.” State Farm Mut. Auto. Ins. Co. v. Staton, 286 Ga. 23, 685 S.E.2d 263, 265 (2009) (quotation omitted). When contractual language isn't ambiguous, courts apply the contract as the parties wrote it. Reed, 667 S.E.2d at 92.
While Georgia courts look to a contract's plain text, they also have presumptions about how to read those texts. For instance, when a policy has multiple meanings, it “will be construed strictly against the insurer/drafter and in favor of the insured.” Ga. Farm Bureau Mut. Ins. Co. v. Smith, 298 Ga. 716, 784 S.E.2d 422, 424–25 (2016); Ga. Code Ann. § 13-2-2(5). Another relevant presumption is that courts interpret exclusions—like the electronic data provision here—narrowly. Auto-Owners Ins. Co. v. Neisler, 334 Ga.App. 284, 779 S.E.2d 55, 59 (2015). Courts read these exclusions narrowly because if an insurer is promising broad coverage, it needs to be specific about what isn't covered. See, e.g., Am. S. Ins. Co. v. SPN Trans, LLC, 360 Ga.App. 241, 858 S.E.2d 558, 562 (2021).
Georgia courts apply these principles as they evaluate two duties. The first is the duty to indemnify. This duty is sometimes called the “duty to pay.” Penn-Am. Ins. Co. v. Disabled Am. Veterans, Inc., 268 Ga. 564, 490 S.E.2d 374, 376 (1997) (citation omitted). As that shorthand suggests, insurance companies must honor their agreements with the insured and keep their promises to pay. See id. And to find out when a firm must pay, Georgia courts apply the standard, textual approach to contract interpretation. See id. Courts apply this duty only after they have concluded that the policy covers the injuries. See Travelers Cas. Ins. Co. of Am. v. Bozovich, 367 Ga.App. 868, 888 S.E.2d 656, 659–61 (2023).
The second duty, called the “duty to defend,” is a separate and independent obligation from the duty to indemnify. See Penn-America, 490 S.E.2d at 376. The “duty to defend” is broader than the duty to indemnify. It applies so long as a complaint's allegations arguably fit within a policy's language. BBL-McCarthy, LLC v. Baldwin Paving Co., 285 Ga.App. 494, 646 S.E.2d 682, 685 (2007). To determine whether a policy's language covers allegations, courts examine the policy's text and determine whether it's ambiguous. If it is, courts try to resolve the dispute by looking to the ordinary rules of contract construction. Bozovich, 888 S.E.2d at 659–61. And in Georgia, one such rule is that the insurer must defend the insured. Ga. Code Ann. § 13-2-2(5). But if the text is clear, courts apply its plain meaning. Richards v. Hanover Ins. Co., 250 Ga. 613, 299 S.E.2d 561, 563 (1983).
All told, these rules and duties yield a tidy picture. Courts first look at a policy's text. If it's clear, then courts follow the policy—including any applicable duty to defend. If it's unclear, the courts construe the language to benefit the insured party.
B.
We need not decide whether Home Depot is right that the data breach led to “loss of use” of tangible property (the payment cards themselves) under both the reissuance and reduced usage theories. Even if we assume that this loss of use occurred, the electronic data exclusion would unambiguously bar coverage.
1.
The electronic data exclusion precludes coverage of both the reissuance and reduced usage claims. Recall that the policies don't cover “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” R. 43, Pg. ID 667. Thus, three questions are relevant. The first is whether payment card data is electronic data. The second is whether there was a “loss of use of” (or other covered harm to) electronic data. The third is whether the damages “arose out of” that loss. We address each question in turn.
i.
The first question is whether payment card data is “electronic data.” It is. Payment card information falls within the policy's terms: “information, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” R. 43-2, Pg. ID 678. Indeed, Home Depot explains that “hackers accessed electronic data on Home Depot's self-checkout machines.” Appellant Br. at 27. Because payment card data is a creature of the computer, it falls under the policy's definition of “electronic data.”
ii.
Next, consider whether the reissuance and reduced usage of payment cards implicated one of the defined events: damages arising out of a (1) “loss of”; (2) “loss of use of”; (3) “damage to”; (4) “corruption of”; (5) “inability to access” or (6) “inability to manipulate” electronic data. R. 43-2, Pg. ID 667. If so, the insurance policies don't cover it.
Here, the most relevant term is “loss of use.” To see why, start with the plain text. A “loss of use” is the inability to use an item. A “loss of use” occurs when an item exists but has lost its function. That's what happened here: Purchasers could no longer use their payment card data to make secure payments.
Georgia courts haven't interpreted the phrase “loss of use” in the insurance context. But courts applying Georgia's laws have looked to the “ordinary sense of those words.” Barrs v. Auto-Owners Ins. Co., 564 F. Supp. 3d 1362, 1377 (M.D. Ga. 2021) (citation omitted). Here, doing just that, we see that data lost its use when consumers couldn't use payment card data to make purchases.
Thus, the data breach resulted in a qualifying event under the electronic data exclusion. When hackers broke into Home Depot's system, they gained access to payment card data. The hackers’ access made that data useless. Why? The entire value of a credit card—or any payment card—is the ability to make secure and seamless transactions. The data is valuable not just for its presence on some computer or cloud. Instead, payment card data is useful because it allows a purchaser to buy goods securely. When that critical function is affected, the data doesn't work the same as before; it loses its function.
In response, Home Depot makes a handful of arguments. Its principal point is that the data breach made electronic payment card data more, not less, accessible. As Home Depot sees things, the breach let many people use the data, “allowing not only use by the issuers and cardholders, but also misuse by the hackers and those to whom the hackers sold the data.” Appellant Br. at 27 (citing R. 43-19, Pg. ID 1450) (emphasis omitted).
But this argument isn't how an ordinary reader would read the policies at issue. Consider the following hypothetical. If a man creates a password that he uses for his bank accounts, and then a hacker learns it and starts logging into the accounts, the password isn't useful anymore. Why? The password no longer keeps his accounts secure. Thus, the man has lost the use of his password. It wouldn't matter that the password exists on his bank's servers and still allows him to log in. No ordinary person would think that his password was just as good as before. So too here.
Home Depot runs into a second problem. It makes two contradictory claims: (1) there was no loss of use and (2) it's nevertheless entitled to recovery for reduced usage. But if the data was just as good as before the breach—and even “more accessible”—then it makes little sense for Home Depot to seek to collect for reduced usage of the cards.
Finally, while Home Depot tries to argue that only occurrences like a “ransomware attack” would qualify for the electronic data exclusion, that rebuttal runs headlong into the policies’ plain text. Appellant Br. at 28. The exclusion's language covers more than a cyberattack. It covers damages arising out of six specific events. The policy provides no reason to limit this language to a narrower subset of circumstances. Instead, it sets out what is and isn't covered. Courts can't alter the categories that the contracting parties agreed on.
iii.
Next, did the reissuance and reduced usage damages arise out of the electronic data loss described above? Both did, and thus aren't covered by the policies.
When the term “arising out of” appears in an insurance policy, Georgia law says that courts should apply a “but for” standard. Barrett v. Nat'l Union Fire Ins. Co., 304 Ga.App. 314, 696 S.E.2d 326, 332 (2010); Cont'l Cas. Co. v. H.S.I. Fin. Servs., 266 Ga. 260, 466 S.E.2d 4, 6 (1996). So the question is whether, “but for” the electronic data breach, the reissuance and reduced usage damages would have occurred. The data breach satisfies this but-for standard: It caused both forms of damages and the lawsuit.
Reissuance Theory: Start with reissuance. The data breach was the but-for cause of issuing new payment cards. Indeed, the issuers’ consolidated complaint—which led to the damages here—says so. That document says, “[a]s a result of the Home Depot data breach, the Financial Institution Plaintiffs and class members have been forced to cancel and reissue payment cards.” R.43-19, Pg. ID 1508 (emphasis added). In other words, absent this breach, the consumers wouldn't have experienced a loss of use of their electronic data. And the issuers wouldn't have been forced to issue new payment cards, so there would be no damages leading to this dispute. Thus, the data breach sat upstream of the decision to reissue cards. So, that decision wouldn't have arisen “but for” the loss of use of electronic data.
In response, Home Depot asserts that the issuers’ decision to reissue payment cards didn't arise because of a loss of use of electronic data, but rather caused the loss of use. It says that the decision to reissue cards caused both inability to use electronic data and the issuance of new payment cards. In this framework, the loss of use of any electronic data was “incidental to” the loss of use of a physical payment card. Appellant Br. at 34 (emphasis omitted). Why? It says the inability to use data didn't happen until the issuers changed the payment account information.
But this argument doesn't ring true. The issuers’ decision to issue new payment cards didn't occur in a vacuum. They only changed credit card numbers and reissued credit cards because of the data breach and consequent loss of use. To conclude otherwise would be to assume that a bank might decide to issue new payment cards with the old underlying data—which would make no sense. Instead, as the insurers argued below, reissuance occurred precisely because the data breach made digital changes necessary, which in turn prompted physical changes.
Home Depot erroneously analogizes this situation to a woman who decides to change her name on her credit card account after getting married. To Home Depot, the fact that a woman who changes her name will face several downstream consequences—such as a new name on her account, new electronic information, and a new physical card—proves that the electronic data and physical reissuance sit side by side. But that analogy fails. The woman's decision to change her name is analogous to the data breach: It prompted a digital change, which in turn mandated a physical change. That satisfies but-for causation.
Home Depot also argues that the insurers didn't adequately reveal how the card cancellation process worked. But the insurers explain that the data breach prompted the financial institutions to change the cards’ electronic data and cancel the cards. The financial institutions had to “act immediately” after the breach to change card numbers to prevent further fraud. R. 43-19, Pg. ID 1507. The motivating cause was not a gratuitous decision to change payment card numbers. It was the breach. And that's enough under Georgia's but-for causation standard.
Reduced Usage Theory: Next, consider the reduced usage theory. Here, the reduced usage claims flow from the loss of use of electronic data. As alleged in the issuers’ complaint, the payment card data breach caused the reduced usage. Moreover, Home Depot explains that the reduced usage “follows directly from the breach: After the breach became public, the issuers’ customers used their physical payment cards less, leading to fewer transaction fees and less interest for the issuers.” Appellant Br. at 45 (citing R. 43-19, Pg. ID 1508) (emphasis added). Thus, the reduced usage sat downstream from the breach.
Here, Home Depot appears to concede that the breach was the but-for cause of the customers’ reduced usage. Consumers stopped using cards because they knew the electronic data that allowed them to make such transactions was compromised. For the everyday Home Depot customer, the breach was relevant precisely because it concerned electronic data and the loss of use of such data.
iv.
Home Depot makes two final but unconvincing arguments. The first is an argument from subsequent drafting. Home Depot asserts that, in the years after the breach, Steadfast wrote policies that explain that the types of losses at issue here aren't covered. Home Depot claims that because those documents disclaim coverage, the policies here cover such losses or are ambiguous enough that Georgia's presumption for the insured applies. To Home Depot, Steadfast's subsequent revision means the prior policy covered such damages.
But that logic doesn't hold up. First off, it's not a textual argument. And even putting that aside, subsequent history is suspect. In the statutory interpretation context, subsequent legislative history is a “hazardous basis for inferring the intent” of an earlier Congress. United States v. Price, 361 U.S. 304, 313, 80 S.Ct. 326, 4 L.Ed.2d 334 (1960). While this case doesn't deal with a statute, the logic is similar. Here, the subsequent drafting history provides arguments to both sides. See generally John Randolph Prince III, Where No Minds Meet: Insurance Policy Interpretation and the Use of Drafting History, 18 Vt. L. Rev. 409, 422–29 (1994). Home Depot argues that the post-data-breach policy changes show that these earlier damages were covered. But the insurers argue that subsequent changes confirmed the original coverage because they included a disclaimer that the later changes were “a reinforcement of coverage intent.” See Steadfast Br. at 33 (quoting R. 43-12, Pg. ID 1314). Thus, argues Steadfast, any revisions comported with the original intent “not to insure cyber-related risks.” Id. Thus, both sides draw on arguments from subsequent history.
In such a situation, courts must stick to the text and look to the words’ ordinary meaning. When contractual language is unambiguous, as here, courts need not look beyond the contract's four corners. Here, applying the contract as written reveals that the exclusion means what it says. Reed, 667 S.E.2d at 92.
Georgia caselaw doesn't mandate a different result. Home Depot cites MAG Mutual Insurance Co. v. Gatewood to assert that Georgia courts should interpret a policy revision as an admission that the original policy was different. 186 Ga.App. 169, 367 S.E.2d 63, 66–67 (1988). But MAG merely references a trial court determination without comment. Id. And even MAG tells courts to turn to traditional contract law principles to determine what the contract says. See id. When we do so here, the policies’ text shows that the electronic data exclusion applies to Home Depot's claims.
Finally, Home Depot argues that one of the insurers’ experts said the electronic data exclusion is ambiguous. If true, this claim would mean Georgia's presumption for the insured would kick in and Home Depot would enjoy coverage.
To Home Depot, the key is David Stegall's expert report. Stegall served as an expert for the insurers. In his report, Stegall noted that “it was unclear” whether a separate electronic data coverage endorsement would apply to a breach in which data is “still useable or accessible.” R. 59-6, Pg. ID 2743. Home Depot contends that this “concession” is “the ballgame.” Appellant Br. at 30. If that provision is ambiguous, says Home Depot, it would mean that the whole electronic data exclusion is ambiguous. And if that were true, then the insurers would be on the hook.
But Home Depot's argument succumbs to a critical problem. It asks us to deviate from the plain text and admit extrinsic evidence. We can't do that—after all, if the contract isn't ambiguous, one expert's testimony is irrelevant. We shouldn't look to Stegall's report on other insurance policies and general cyber insurance trends when the policies’ plain text excludes coverage.
*
Both the reissuance and reduced usage damages “arose out of” the data breach. Thus, the electronic data exclusion controls and Home Depot can't recover under either theory.
C.
We now turn to Home Depot's final argument: that the duty to defend applies. Home Depot argues that the duty to defend means Steadfast should've paid its defense costs. But that's wrong.
1.
Steadfast's insurance policy included a provision promising to defend Home Depot from all claims the policy covered. Steadfast explained that it had a “duty to defend” Home Depot against any “suit” seeking damages because of “property damage” to the types of property the policy covered: damage to tangible property, not electronic data. R. 43-2, Pg. ID 663. In other words, the policy said that if someone sued Home Depot for something the policy covered, Steadfast would pay Home Depot's defense costs.
Whether an insurer has a duty to defend depends on whether the original complaint's allegations (here the issuers’ complaint's allegations) match up with a policy's language. Hoover v. Maxum Indem. Co., 291 Ga. 402, 730 S.E.2d 413, 418 (2012). Insurers have a duty to defend claims that someone filed against the insured, so if a third party files a complaint against an insured person, courts compare the policy's language with the allegations in the complaint. Auto-Owners Ins. Co. v. State Farm Fire & Cas. Co., 297 Ga.App. 751, 678 S.E.2d 196, 199–200 (2009). If the original complaint giving rise to the coverage dispute has facts that “even arguably bring the occurrence within the policy's coverage, the insurer has a duty to defend the action.” BBL-McCarthy, 646 S.E.2d at 685 (citation omitted). Of course, this coverage depends on whether the issuers’ complaint arguably fits within the policy language, as governed by the “ordinary rules of contract construction.” Id. (citation omitted); see also N. Metro Directories Pub., LLC v. Cotton States Mut. Ins. Co., 279 Ga.App. 492, 631 S.E.2d 726, 729 (2006). If the policy isn't ambiguous—as defined by “duplicity, indistinctness, or an uncertainty of meaning or expression”—we apply the contract's plain meaning. N. Metro Directories Pub., LLC, 631 S.E.2d at 729 (citation omitted). If the contract says some conduct that's arguably covered by the policy isn't covered, then there's no duty to defend.
To be sure, the duty to defend is broad. Most cases involving this duty note that Georgia makes insurers defend even “groundless suits.” See, e.g., Great Am. Ins. Co. v. McKemie, 244 Ga. 84, 259 S.E.2d 39, 40 (1979). But those same cases explain that insurers need not defend actions “which, even if successful[,] would not be within the policy coverage.” Id. (citation omitted). Courts look to the “substance of the allegations, rather than the labels or ‘spin’ placed by claimant attorneys trying to trigger coverage.” Ga. Prop. & Liab. Ins. Law § 11:1. All told, if a claim isn't within a policy's coverage—no matter how the plaintiffs “spin” the facts—then the duty to defend doesn't apply. Id.
Here, the issuers’ complaint against Home Depot didn't fall within the policy's coverage. After the issuers’ lawsuits, Home Depot sent the complaint to its insurers. Home Depot's email to the insurers, which was three sentences long, did not explain why the policy covered the breach. In response, the insurers sent letters to Home Depot indicating that the lawsuit wasn't covered by their policies because it arose out of a data breach. In other words, they consulted the policy's language and determined that it excluded claims arising out of the loss of use of electronic data.
The insurers were right. The complaint makes clear that the damages at issue arose out of the loss of use of electronic data. It begins with a quote about electronic data and features that phrase on nearly every one of its 93 pages. Indeed, the complaint explains that the lawsuit seeks to “recover the costs that” the issuers “have been forced to bear as a direct result of the Home Depot data breach.” R. 43-19, Pg. ID 1452. It talks about data systems and how Home Depot flouted data security programs. Indeed, the same sentence that Home Depot claims entitles it to coverage declares that as “a result of the Home Depot data breach, the Financial Institution Plaintiffs and class members” had to reissue and reduce use of payment cards, respectively. Id. at 1508 (emphasis added). Indeed, each of the complaint's counts concerns damages arising out of electronic data or data security and the loss of use of such data caused by the breach.
That's enough to satisfy the duty to defend. Under Georgia law, courts must compare the “true allegations of the complaint” with the “provisions of the policy, taking into consideration any additional facts the insured has brought to the attention of the insurer that might establish coverage under the policy.” Storch v. Cambridge Mut. Fire Ins. Co., 230 Ga.App. 878, 497 S.E.2d 606, 607 (1998). And in this case, the true allegations of the original complaint centered on electronic harms. Home Depot didn't bring forward additional facts telling the insurers anything that might establish coverage. All the insurers had was a complaint in which each count dealt with electronic data and insurance policies that stated such claims weren't covered.
Home Depot's primary argument to the contrary is unavailing. Home Depot argues that elements of the original complaint dealt with tangible property and thus implicate the duty to defend. This argument is facially strong. After all, Georgia caselaw suggests that a plaintiff need only assert “potential” or “arguable” coverage to trigger the duty to defend. Penn-America, 490 S.E.2d at 376 (citation omitted). Thus, Home Depot says, because it makes arguments about why the insurance policy covers the harms here, it should win.
But there are a few problems with this logic. First, Georgia law explains that courts look to whether the “complaint sets forth true factual allegations showing no coverage.” Id. And here, the complaint expressly dealt with harms arising out of the electronic data breach. Home Depot provided no evidence at the time suggesting otherwise. While it now argues that a single sentence in the complaint's reference to payment cards incorporates tangible property, that argument doesn't prevail, either. The policies unambiguously excluded recovery for damages arising out of harms to electronic data. That bars coverage.
Second, while Home Depot's claims about “arguable” coverage appear reasonable at first glance, they reflect a misunderstanding about how the duty to defend applies to insurance contracts. Crediting Home Depot's theory would require this court to accept certain arguments that rely on “labels” and “spin,” in contravention of the policies’ plain and unambiguous terms, which we can't do. Ga. Prop. & Liab. Ins. Law § 11:1. The policies aren't susceptible to two reasonable meanings. Instead, a plain reading excludes coverage. Bozovich, 888 S.E.2d at 659–60; accord City of Atlanta v. St. Paul Fire & Marine Ins. Co., 231 Ga.App. 206, 498 S.E.2d 782, 784 (1998).
All told, these cases indicate that what matters isn't whether the party can make an argument for coverage. Instead, the ultimate question is whether the policy could arguably cover the complaint's allegations. And here, the policy's terms expressly deny coverage.
*
In the insurance arena, courts must enforce a contract's plain language. Here, because the underlying complaint alleged harms that weren't covered, it didn't implicate the duty to defend. Thus, Home Depot's duty to defend claims fail, too.
IV.
Because Home Depot's arguments fail, we affirm.
CONCURRENCE
I agree with Judge Thapar's thoughtful opinion that the insurance policies in this case bar coverage for the data breach suffered by Home Depot, Inc., and Home Depot U.S.A., Inc. (collectively, “Home Depot”). Yet I am less sure about the proper path to that result. The policies both include coverage for certain losses and exclude coverage for other losses. As for the included losses, the insurers agreed to pay for the “[l]oss of use of tangible property that is not physically injured.” Policy, R.43-2, PageID 677 (emphasis added). In this case, the physical payment cards qualify as “tangible property.” As for the excluded losses, the insurers refused to pay for “[d]amages arising out of the ․ loss of use of ․ electronic data.” Id., PageID 667 (emphasis added). In this case, the payment-card data qualifies as “electronic data.”
Home Depot sought coverage under this policy language on the ground that the data breach caused a loss of use of the cardholders’ physical payment cards. Home Depot asserted two theories. First, it alleged that cardholders used these cards less once they learned of the breach and that this reduced usage led the financial institutions that had issued the cards to earn less fees and interest (the “reduced usage theory”). Second, Home Depot alleged that those institutions changed the account information for the affected cardholders and thus had to spend money providing their customers with new payment cards that had the correct information (the “reissuance theory”).
The majority opinion rejects both theories on the same premise: that the data breach itself caused a “loss of use” of the electronic payment-card data. I am not as confident in this premise. During the breach, cyber criminals merely copied that payment-card data; they did not prevent cardholders from using it to buy things. The cardholders, for example, presumably used the data in the same way in between the time of the breach and the time of its disclosure by Home Depot. So the breach itself may well not have caused any loss of use of the electronic payment-card data.
But this conclusion would do Home Depot no good. If the breach did not trigger a “loss of use” of that electronic payment-card data, it also would not have triggered a “loss of use” of the physical payment cards. As the district court found, then, this conclusion would doom Home Depot's reduced-usage theory under the affirmative coverage language. In short, the data breach either caused a “loss of use” of the physical payment cards and the electronic payment-card data or it caused a “loss of use” of neither of them. Either way, the policy would not cover the customers’ reduced usage (either because that reduced usage would not fall within the affirmative coverage language or because it would fall within the coverage exclusion).
That conclusion leaves Home Depot's reissuance theory. I agree with Home Depot that the physical payment cards suffered a “loss of use” when the financial institutions changed the affected cardholders’ account information and rendered those outdated cards unable to make further purchases. But this loss of use of the physical cards would also trigger the coverage exclusion because it would have “aris[en] out of the ․ loss of use of” the electronic payment-card data. Policy, R.43-2, PageID 667. As Judge Thapar well explains, the financial institutions reissued the cards precisely because of the change to (and loss of use of) the electronic data that they stored. In sum, even if the data breach did not itself trigger a loss of use, Home Depot's claims would fail all the same. With that caveat, I concur in the majority opinion.
FOOTNOTES
1. Because the policies’ language on this topic is largely identical, we follow the district court and the parties in referring to the Steadfast Primary Policy's language.
2. On appeal, Home Depot pursues its duty-to-defend claim against Steadfast, but not Great American.
THAPAR, Circuit Judge.
THAPAR, J., delivered the opinion of the court in which STRANCH and MURPHY, JJ., joined. MURPHY J. (pp. –––– – ––––), delivered a separate concurring opinion.
A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes visit FindLaw's Learn About the Law.
Docket No: No. 23-3720
Decided: January 13, 2025
Court: United States Court of Appeals, Sixth Circuit.
Search our directory by legal issue
Enter information in one or both fields (Required)
Harness the power of our directory with your own profile. Select the button below to sign up.
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Search our directory by legal issue
Enter information in one or both fields (Required)