The U.S. District Court in St. Paul has reconsidered its prior decision and ruled that Target Corp. can recover settlements it paid to banks in connection to a 2013 data breach under its general liability policy from its insurer, ACE American Insurance Company.
In 2013, Target discovered that a hacker had stolen payment card data and personal contact information of individuals with Target payment cards. This data breach included payment cards. As a result, the banks that issued those cards canceled the cards and issued replacements. The issuing banks incurred costs when they issued the replacement cards, and sought compensation for those costs from Target. Target settled the issuing banks’ claims.
Target alleges that under ACE’s general liability policies, ACE is obligated to indemnify Target for the payments they made to the issuing banks in the form of settlements. The applicable policies provided coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured.’ The policies applied to property damage only if that damage was caused by an ‘occurrence.’