After Target filed a motion to alter or amend its judgment in the case a month later, the U.S. District Court in St. Paul said it reconsidered its February 2021 ruling in Target Corp. v. ACE American Insurance Co. et al.
In December 2013, the Minneapolis-based retailer was the victim of a computer breach that exposed the payment card information of approximately 110 million customers.
In November 2019, it filed a lawsuit against Chubb Ltd. units in federal district court in St. Paul, alleging that the insurer improperly refused to indemnify it for a portion of the costs incurred as a result of the data breach. The suit sought recoupment of up to $74 million in Target's costs.
Target must satisfy three requirements to establish coverage for the cost of replacing the payment cards, according to the court's ruling Monday, which stated that it had "erred in its prior judgment": the losses must have been the result of a "occurrence," the occurrence must have resulted in the "loss of use" of the property, and the property lacking use must have been "tangible property that is not physically injured."
Target had previously failed to demonstrate loss of use, according to the court. According to the ruling issued on Tuesday, neither party "has presented controlling legal authority squarely addressing" whether loss of use includes payment card inoperability, and its research "has not identified legal authority directly on point."
Target, on the other hand, relies on a 2010 ruling by the 8th U.S. Circuit Court of Appeals in St. Louis in Eyeblaster Inc. v. Federal Insurance Co. that is "factually analogous," according to the ruling, in holding that Target meets the "loss of use" requirement.
"Because the payment cards are tangible property and the payment cards are not physically injured," the ruling stated, "Target has met the third requirement to establish a basis for its claim for coverage."
The court overturned its previous decision, denied the insurers' motion for summary judgment, and determined that Target is covered by its policies.
The amount of the covered loss will be determined at trial, according to the ruling.
In a statement, Gretchen Hoff Varner, a partner at Covington & Burling LLP in San Francisco, said, "After nearly a decade of hard fought litigation, we are pleased with the court's decision to grant summary judgment to our client Target, adopting our position and ordering ACE to reimburse Target for the costs of replacing payment cards affected by the 2013 data breach. This is a critical decision for policyholders who have been the victim of a data breach or other type of cyber event."
The attorneys for Chubb did not respond to a request for comment.