The U.S. District Court in St. Paul has reconsidered its prior decision and ruled that Target Corp. can recover settlements it paid to banks in connection with a 2013 data breach under its general liability policy from its insurer. The case is Target Corp. v. Ace Am. Ins. Co., No. 19-cv-2916 (WMW/DTS), 2022 U.S. Dist. LEXIS 51044 (D. Minn. Mar. 22, 2022).
In 2013, Target discovered that a hacker had stolen payment card data and personal contact information of individuals with Target payment cards. This will be known in this article as the Data Breach. This Data Breach compromised the payment cards, so the banks that issued those cards (Issuing Banks) canceled the cards and issued replacement cards. The Issuing Banks incurred costs when they issued the replacement cards, and sought compensation for those costs from Target. Target settled the Issuing Banks claims.
Target alleges that under ACE's general liability polilcies, ACE is obligated to indemnify Target for the payments they made to the Issuing Banks in the form of the settlements. The applicable policies provided coverage for losses resulting from property damage, including "loss of use of tangible property that is not physically injured." The policies applied to property damage only if that damage was caused by an "occurrence."