Court reverses, rules for Target against Chubb over breach

In an unusual move, a federal district court has reversed its 2021 decision and ruled that Target Corp. can recover from Chubb Ltd. units the settlements it paid to banks in connection with a 2013 data breach under its general liability policy.

The U.S. District Court in St. Paul said it reconsidered its February 2021 ruling in Target Corp. v. ACE American Insurance Co. et al. after Target filed a motion to alter or amend its judgment in the case a month later.

The Minneapolis-based retailer was the target of a computer breach that exposed the payment card information of some 110 million customers in December 2013.

It filed suit against Chubb Ltd. units in federal district court in St. Paul in November 2019, charging the insurer improperly refused to indemnify it for part of the costs it incurred in connection with the data breach. The suit asked to recoup up to the $74 million in costs that Target incurred.

In its ruling Monday stating it had “erred in its prior judgment,” the court said Target must satisfy three requirements to establish coverage for the cost of replacing the payment cards: the losses must have been the result of an “occurrence”; the occurrence must have resulted in the “loss of use” of the property; and the property lacking use must have been “tangible property that is not physically injured.”

The court had previously found Target could not demonstrate loss of use. Tuesday’s ruling said neither party “has presented controlling legal authority squarely addressing” whether loss of use includes the inoperability of payment cards, and its research “has not identified legal authority directly on point.”

However, Target relies on a 2010 ruling by the 8th U.S. Circuit Court of Appeals in St. Louis in Eyeblaster Inc. v. Federal Insurance Co. that is “factually analogous,” the ruling said, in now holding that Target meets the “loss of use” requirement.

The ruling said, “Because the payment cards are tangible property and the payment cards are not physically injured, Target has met the third requirement to establish a basis for its claim for coverage.”

The court vacated its previous ruling, denied the insurers’ motion for summary judgment, and ruled that Target has coverage under its policies.

The ruling said the amount of the covered loss will be determined at trial.

Gretchen Hoff Varner, a partner with Covington & Burling LLP in San Francisco, said in a statement, "After nearly a decade of hard-fought dispute, we are delighted with the court's decision to award our client Target with summary judgment, adopting our position and ordering ACE to indemnify Target for the costs of replacing payment cards that were affected by the 2013 data breach. This is an important decision for policyholders who have experienced a data breach or other type of cyber event."

Chubb’s attorneys did not respond to a request for comment.