The Sixth Circuit’s January 13, 2025 decision in Home Depot Inc. v. Steadfast Insurance Co. is a major development in the fight against “silent cyber” coverage. Applying Georgia law, the court held that Home Depot’s commercial general liability (CGL) policies did not cover claims brought by financial institutions after a data breach. Even though the breach caused physical credit cards to be cancelled, the court found that the underlying harm flowed from the loss of use of electronic data and the policies explicitly excluded coverage for such losses. The court also made clear that because the underlying complaint alleged harms outside the scope of coverage, the duty to defend was not triggered.
For Georgia law, this decision is significant because it affirms that CGL policies with electronic data exclusions effectively bar coverage for cyber-related claims, even when plaintiffs try to frame the loss as damage to tangible property. It reinforces the view that cyber risks must be insured through dedicated cyber policies, not general liability forms. This provides insurers with strong authority in Georgia to deny “silent cyber” claims under older or broadly worded exclusions and validates the industry’s more recent efforts to draft tighter cyber exclusions. Notably, underwriters today are already crafting AI-specific exclusions to preempt future “silent AI” disputes.
Looking ahead, the broader implication is that Georgia courts are likely to extend this reasoning beyond cyber risks to other emerging, difficult-to-quantify exposures, such as losses tied to AI in the area of cyber. The Home Depot ruling gives courts and insurers a roadmap: if policy language is clear and unambiguous, Georgia law will enforce exclusions as written. For policyholders, the ruling also highlights the need to obtain specialized coverage for novel risks rather than assuming traditional CGL or property policies will fill the gap.