Target was targeted by data thieves starting on Black Friday, during the busiest holiday shopping season of the year (between Nov. 27 and Dec. 15). The thieves did some shopping of their own, collecting data from about 40,000,000 credit and debit cards. With 1,797 stores in the U.S. and another 124 in Canada, the Target data breach shows that these breaches are getting more sophisticated and more targeted.
Now with up to 40,000,000 customers to notify, Target could face a huge bill in notification letters alone, not counting credit monitoring costs and potential legal defense and settlement costs. According to the Target data breach notification letter on its website, the company does not appear to be offering credit monitoring just yet. With 2014 just around the corner, the Target data breach has surpassed the recent Adobe data breach (38,000,000 individuals) and will surely go down as one of the biggest data breaches of 2013, and perhaps one of the most expensive.
How did the breach happen?
The theft did not happen online; it happened in physical Target stores. Based on news reports, the thieves tampered with the point-of-sale (POS) systems that customers use at checkout registers to swipe their credit or debit cards, and captured the data stored on the magnetic stripe on the back of those cards.
What was stolen in the data breach?
The data affected in the breach included customer names, credit or debit card numbers, expiration dates and CVV security codes, according to a notice posted for customers on the Target website. If, as reported, the data was read from the magnetic stripe, the code involved is the stripe's own verification value (the one used for card-present authorization), not the three-digit code printed on the back of the card, which is not encoded on the stripe.
Are you a Target Shopper?
If you shopped at Target between November 27th and December 15th, Target has posted a notice with the steps you should take to protect yourself against potential misuse of your credit and debit card information.
Potential Credit and Debit Card Fraud is now a factor for those 40,000,000 individuals affected in the Target Data Breach
Data thieves now hold the magnetic stripe data from the compromised credit and debit cards and can encode it onto counterfeit cards. That lets criminals sell the cloned cards in batches or use them at retailers to purchase goods.
The stolen debit card numbers may be harder for criminals to use, because the PIN is not written on the card in the clear. According to this source, the PIN is held either in the bank's computers in encrypted form (as a cipher) or as an encrypted value on the card itself. The transformation used is one-way: it is easy to compute the cipher from the bank's key and the customer's PIN, but not computationally feasible to run the cipher backwards to recover the plaintext PIN, and without the key the cipher reveals nothing at all. This protects the cardholder from being impersonated by someone who merely obtains the bank's files. The caveat a practitioner should keep in mind is that there are only 10,000 four-digit PINs, so anyone who holds the key as well as the cipher can simply try them all; the scheme therefore depends on the key staying inside the bank's hardware security modules. And if PINs can be intercepted at the keypad or in transit, victims are indeed at risk of fraudulent ATM cash withdrawals.
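To make the one-way property and its limit concrete, here is an added example (not code from the original post or from any bank) modelled on the Visa PIN Verification Value (PVV) scheme. It assumes a test PAN, a one-digit key index and a made-up key, and substitutes HMAC-SHA256 for the Triple-DES block cipher the real scheme uses, so the values it produces are illustrative only. It shows the derivation, the issuer-side check, and what someone who holds both the stored value and the key can do.

```python
import hashlib
import hmac

# Constructed values for the example: a well-known test PAN, a one-digit key
# index, and a stand-in for the bank's PIN verification key (PVK). A real PVK
# never leaves the bank's hardware security module.
PAN = "4111111111111111"
PVKI = "1"
PVK = bytes.fromhex("0123456789abcdeffedcba9876543210")


def decimalize(hexdigest, n=4):
    """Visa-PVV-style decimalization: the first n decimal digits of the hex
    output; if there are too few, continue with a-f mapped to 0-5."""
    digits = [c for c in hexdigest if c.isdigit()]
    if len(digits) < n:
        digits += [str(ord(c) - ord("a")) for c in hexdigest if c in "abcdef"]
    return "".join(digits[:n])


def pin_verification_value(pan, pin, pvki, pvk):
    """One-way value the bank stores (or writes to the stripe) instead of the PIN.
    Input layout follows Visa's TSP: the 11 PAN digits to the left of the check
    digit, the key index, then the 4-digit PIN. HMAC-SHA256 stands in for the
    Triple-DES cipher used by the real scheme (assumption for this example)."""
    tsp = pan[-12:-1] + pvki + pin
    tag = hmac.new(pvk, tsp.encode("ascii"), hashlib.sha256).hexdigest()
    return decimalize(tag)


def verify_pin(pan, pin, pvki, pvk, stored_pvv):
    """What the issuer's HSM does at authorization time: recompute and compare."""
    return hmac.compare_digest(pin_verification_value(pan, pin, pvki, pvk), stored_pvv)


def pins_matching(pan, pvki, pvk, stored_pvv):
    """What an attacker holding BOTH the stored value and the key can do: the
    function cannot be inverted, but only 10,000 four-digit PINs exist, so try
    them all. Returns every PIN that verifies: the real one plus any
    decimalization collisions (a 4-digit value cannot separate 10,000 PINs)."""
    return [p for p in (f"{i:04d}" for i in range(10000))
            if pin_verification_value(pan, p, pvki, pvk) == stored_pvv]


if __name__ == "__main__":
    stored = pin_verification_value(PAN, "1234", PVKI, PVK)
    print("stored PVV:", stored)
    print("correct PIN verifies:", verify_pin(PAN, "1234", PVKI, PVK, stored))
    print("candidates with key in hand:", pins_matching(PAN, PVKI, PVK, stored))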
What are Target’s Risks Due to this Data Breach?
The Target data breach involves many issues, such as stolen customer credit card and debit card numbers, reputational damage, legal and PR issues, potential legal liability for fraudulent charges, regulatory fines, POS network security failure, potential drop in share price and will impact its P&L reports.
Playing the Devil’s Advocate as it Relates to the SEC’s CF Disclosure Guidance
While this data breach was not reported as being cyber related, it does involve a network information security failure of the POS system, and the question on my mind is whether Target will disclose it in its Form 10-K filing. The SEC asks registrants to disclose the risk of cyber incidents, along with actual cyber incidents, if these issues are among the most significant factors that make an investment in the company speculative or risky (whether this incident counts as "cyber" is exactly what I'm questioning). A POS system does indeed connect to a computer ("cyber") network. As the SEC states in its CF Disclosure Guidance, cyber incidents can result from deliberate attacks or unintentional events. The SEC continues: "We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security..." Needless to say, the Target data breach has many similarities to a cyber (or "computer") security breach, and in this case it was clearly a POS security breach. Isn't that "cyber" related? Let me know what you think on Twitter: https://twitter.com/dataprivacyrisk.
Cyber Data/Breach Insurance Helps to Mitigate the Costs of Security Failure Incidents
While it is unknown whether Target has cyber/data breach insurance, we explain below how such coverage could help a company respond to a breach like Target's.
Cyber/data breach insurance coverage could help Target:
- hire a computer forensics investigator to determine how the breach occurred and what data was exposed,
- hire a data privacy attorney to help navigate the various U.S. State (and international) data privacy laws,
- send notification letters to the affected customers,
- offer a one-year credit monitoring service to the customers affected as well as a dedicated call center to answer any customer questions,
- hire a public relations firm to help with the media,
- pay for customer damages due to identity theft as well as defense costs in the event there’s a lawsuit due to their data breach and
- pay for privacy regulatory defense and where insurable by state law, regulatory fines and penalties.
According to the Ponemon 2013 Cost of Data Breach Study, the average cost of a breached record is $188. Applied to the 40,000,000 Target customers whose credit and debit card numbers were stolen, that comes to $7,520,000,000. Putting that figure aside for a moment, the cost just to mail notification letters to the 40,000,000 affected customers is about $18,480,000. These amounts, needless to say, are significant. However, for a company the size of Target, they will not force it out of business even without a cyber/data breach insurance policy. Still, when Target reports its annual earnings next year it will be interesting to see whether this data breach affects its profits; most likely it will.
Data Breaches Happen Daily and are Not Going to End
Just this month there have been at least three healthcare data breaches, as we wrote in an earlier blog article. While Target may be able to absorb the potentially huge costs of this breach, that may not be the case for other businesses or organizations that lack the financial ability to sustain the significant costs a data breach brings. (Read Big Data Collection Means Bigger and More Expensive Data Breaches.)
Cyber/data breach insurance can help businesses and organizations in significant ways when a data breach happens, as mentioned above. A cyber/data breach insurance policy just may be what keeps businesses and organizations from closing their doors due to their inability to financially sustain the high associated costs of a data breach. Contact us today to learn how your business or organization can proactively plan ahead for data breach costs.
Learning from Target: Insurance Coverage For Data Breaches by Alex Purvis
Cyber liability is a clear and present danger. Target Corp. recently reported at least $235 million as gross expenses related to its 2013 data breach. Fortunately, Target was able to recover $90 million of that loss under insurance coverage dedicated to cyber liability.
Target's experience is the most recent wake-up call on this front, and business executives should be evaluating what protection they have against this potentially enormous risk, one that can rear its head in many forms (e.g., laptop loss, hacking, and employee theft). A significant piece of that risk analysis should include consideration of available insurance coverage.
Insurance protection for cyber risks may be available in one of two forms. First, cyber liability policies are becoming available on the market and can offer a tailored layer of protection. Second, coverage may be available under more traditional insurance products (e.g., Commercial General Liability ("CGL"), Directors & Officers ("D&O"), or crime/fidelity policies).
Now is the time to start considering cyber coverage if your business does not already have it. There are numerous forms available in an ever-changing market, and the industry is designing these products to address the unique risks that arise in this context. For example, one of the largest risks related to cyber liability is exposure to regulatory investigations and inquiries. Insurers on traditional policies may argue that the costs of a regulatory investigation are not covered, and a cyber liability policy should provide more certainty on that issue. Insurance professionals can provide access to the various markets and advice on the differences between certain products.
If evaluating cyber coverage, keep in mind that care in the application process may be critical. Most cyber insurers will ask a series of detailed questions about the current status of your data protection system, and it is important to read and answer these questions with caution. Many of the cyber policies will include harsh exclusions related to any perceived misrepresentation in the application process, and most experts anticipate the industry may rely heavily upon these exclusions in the face of future claims. The cyber policy you pay for may prove worthless if questions later emerge about the veracity of the underwriting process, so make sure all questions are understood and answered correctly.
There should also be room for negotiation on these policies. As always, reading the policy form before agreeing to it is critical, and any questions should be raised up front. The offering insurers or their agents should provide clarification relative to any ambiguities, and clarifying endorsements may be particularly helpful on these new products.
There will certainly be coverage fights as cyber policies start responding to claims, and the courts will need to provide direction and clarification. That said, any company with concerns about data breach exposure should explore these products.
Coverage Under Traditional Policies
Many businesses will face a data breach loss without cyber coverage and may wonder whether all is lost. Fortunately, some more traditional insurance may provide coverage for data breaches, and there is a developing body of case law that provides some guidance. For example, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals held that an insured's loss of a computer tape containing third-party data constituted "property damage" under the standard CGL definition. As another example, CGL policies typically provide coverage for invasion of privacy, and the Ninth Circuit, in Netscape v. Federal Insurance Company, applied that language to find coverage for Netscape related to allegations that it was employing software that improperly collected user information. Other courts have examined similar issues and have denied coverage based on interpretations of the relevant policy language.
Most importantly, your business's current insurance portfolio should be carefully considered in the event of a loss. Even policies that you might not expect to provide coverage could be responsive to the claim. Notice should be provided to any potentially applicable policies, and any coverage denials should be given scrutiny by someone with coverage experience on your side of the issue.
Finally, be aware of the recent endorsements being offered by the Insurance Services Office ("ISO"). The industry is unlikely to admit that prior traditional policy forms are unclear in any way, but ISO has obtained approval in almost every state for a series of endorsements that seek to expressly exclude any coverage for cyber liability under traditional policy forms. Courts will need to interpret these endorsements over time, but policyholders should be given an opportunity to have a complete understanding of their impact before agreeing to add them to their policies. If presented with anything that looks like an exclusionary endorsement, ask questions of your insurance professional.
The takeaway here is that cyber liability can no longer be ignored. Insurance coverage for this threat is an important part of any risk management plan. If your business has not yet suffered a loss, consider protection for the future. If you have suffered a loss, determine what protection you may already have and consider strengthening your cyber coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
BY JIM FINKLE AND MARK HOSENBALL
BOSTON/WASHINGTON Sun Jan 12, 2014 4:26pm EST
(Reuters) - Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.
Smaller breaches at least three other well-known U.S. retailers took place and were carried out using techniques similar to those used against Target, according to the people familiar with the attacks. Those breaches have yet to come to light. Similar breaches may also have occurred earlier last year.
The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches.
Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.
Only one well-known retailer, Neiman Marcus, has said that it too has been the victim of a cyber attack since Target's December 19 disclosure that some 40 million payment card numbers had been stolen. On Friday, Target said the data breach was worse than initially thought.
An investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Neiman Marcus said it was not sure if the breach was related to the Target incident.
Most states have laws that require companies to contact customers when certain personal information is compromised. In many cases the task of notification falls on the credit card issuer.
Merchants are required to report breaches of personal information including Social Security numbers. It was not immediately clear whether that was the case with the retailers attacked around the same time as Target.
The Secret Service and Department of Justice, which are investigating the Target breach, declined to comment on Saturday.
Target has not disclosed how the attackers managed to breach its network or siphon off some of its most sensitive data.
The sources who spoke to Reuters about the breaches said that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from Target and other retailers.
One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which lets criminals capture card data that is encrypted on disk and in transit by reading it out of a computer's live memory, where it briefly appears in plaintext while the payment application processes it, the sources said.
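The magnetic stripe data described earlier on this page (its layout, and why a copy of it is enough to clone a card) and the RAM scraper technique described here meet in a single search: finding track-format strings in live memory. The following is an added example, not code from the original article or from any malware, vendor or retailer it mentions. It is a defensive scanner that runs the same search a memory scraper runs, over a constructed memory sample, validates each hit with the Luhn check so random digit runs are discarded, and reports the parsed fields with the card number masked. The sample buffer, its test card numbers and the delimiter assumptions (ISO 7813 track 1 and track 2 framing) are all constructed for this example.

```python
import re

# Constructed sample of what a payment application may hold in RAM between the
# swipe and encryption: two track records embedded in unrelated bytes, plus one
# decoy that looks like a track but fails the Luhn check. The PANs are the
# well-known test numbers 4111... and 5555..., not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00HTTP/1.1 200 OK\r\n\x01\x02"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00\xff\xfe"
    b";5555555555554444=2603101123456789?"
    b"\x00\x00;1234567890123456=2512101?"
    b"\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan):
    """Luhn (mod 10) check-digit validation, used to discard false matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first 6 (BIN) and last 4 digits, the form PCI DSS allows in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Return Luhn-valid track records found in a memory buffer, in offset order.
    The PAN is masked so the scanner's own output is not a second copy of the
    card data; a RAM scraper runs the same search but keeps the full track."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan, name, yy, mm, sc = (m.group(i).decode("ascii", "replace") for i in (1, 2, 3, 4, 5))
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 1, "pan_masked": mask_pan(pan),
                         "name": name, "expiry": yy + "/" + mm, "service_code": sc})
    for m in TRACK2.finditer(buf):
        pan, yy, mm, sc = (m.group(i).decode("ascii") for i in (1, 2, 3, 4))
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 2, "pan_masked": mask_pan(pan),
                         "name": None, "expiry": yy + "/" + mm, "service_code": sc})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Pointed at a real process dump of a POS application, the same logic tells you whether and where the software ever holds track data in cleartext memory, which is the exposure the Visa alerts discussed below were about. The scraper differs only in that it keeps the full PAN and ships it out.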
While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
The alerts, published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them.
A Visa spokeswoman declined comment on the reports, which did not identify specific victims.
It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked.
Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.
That is because the attackers were more sophisticated than the ones in the previous attacks described in the Visa alerts, according to the source. The source asked not to be identified because they were not authorized to discuss the matter publicly.
Retailers are often reluctant to report breaches out of concern it could hurt their businesses. Target only acknowledged its 2013 attack after security blogger Brian Krebs reported the breach, prompting inquiries from journalists and investors.
Neiman Marcus said an outside forensics firm discovered evidence on January 1 that indicated the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer.
Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers.
During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C Penney.
Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.
"It is really frustrating to the bank and also the customer," Johnson said.
One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.
Target spokeswoman Molly Snyder said the retailer is not commenting on the company's investigation of the breach.
"This continues to be an active and ongoing investigation. It would be inappropriate to discuss details at this point."
Avivah Litan, a security analyst for the Stamford, Connecticut-based information technology research firm Gartner, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.
"Target was not the only retailer who got hit, but they got hit the biggest," Litan said.
Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.
Chris Gray, director of the risk and compliance practice at the Denver, Colorado-based information security firm Accuvant, said that sophisticated cyber crime groups do that because they only have one chance to get it right before victims catch on.
"You want to test it and make sure it works," Gray said. "Then you push it out at the appropriate time and do as much damage as you can."
(Reporting by Jim Finkle in Boston and Mark Hosenball in Washington; Editing by Grant McCool)
Lucky for Target, the company had insurance by David Gura
[Photo: Target store is seen on December 19, 2013 in Miami, Florida. Credit: Joe Raedle/Getty Images]
Target reported quarterly earnings for the first time since a major data breach that has affected more than 100 million customers. Target says it cost the company $61 million.
The retailer was quick to point out, however, that when all is said and done, that $61 million will be more like $17 million, because Target, like more and more companies these days, has something called "cyber insurance."
This type of coverage is not new. Emily Freeman is a cyber risk specialist for Lockton, a global insurance firm. She helped draft some of the first cyber-risk policies in 1999, and according to Freeman, demand is way up.
“We’re getting calls every day from companies that want to buy cyber insurance to protect themselves,” she says.
A policy could cover civil penalties and legal fees. Policies also pay for forensic investigations.
Scott Godes, a lawyer with Barnes and Thornburg, focuses on corporate insurance. He says that after a data breach, there are lots of questions: “Are there people that are in your system? When did they get in there? Are they still in there? And how do you get them out?”
It costs a lot of money to answer those questions. Cyber insurance can take care of the costs of notifying customers and giving them credit protection. “Just generally needing to clean up the mess that’s been created,” says Tyler Moore, a computer science professor at Southern Methodist University.
But these policies have limits.
"The reputational damage to a company following a high-profile breach, for instance, is not typically covered," he says.
Companies don’t like to advertise what kind of coverage they have. Today, Target said its insurance helped offset costs, but it did not go into detail. Freeman says it is important to remember that cyber insurance is meant to be a backstop for companies.
"We sit on the shoulders of their best efforts to prevent the event from happening in the first place,” she explains.
As insurers draft policies, they want to know companies are doing all that they can, that they are investing heavily in security, because when that security fails, it is the insurers who will have to pay.
Target has $100M of Cyber Insurance, $65M of D&O cover: Sources
January 14, 2014 - 3:05 pm ET
Target Corp., which last month had a massive data breach that exposed the credit and debit card information of some 40 million customers and the personal information of up to 70 million, has at least $100 million of cyber insurance, including self-insured retentions, and $65 million of directors and officers liability coverage, according to insurance industry sources.
These well-placed sources, who requested anonymity, said Minneapolis-based Target is self-insured for the first $10 million of cyber coverage.
On top of that, there's additional cyber insurance through: $15 million of excess coverage with Ace Ltd.; then a $15 million layer with American International Group Inc.; a $10 million layer with Bermuda-based Axis Capital Holdings Ltd.; another $10 million coverage layer with AIG; then a quota share for the next $40 million of cyber insurance divided among four unidentified insurers. To protect against executive liability, the third-largest U.S. retailer has a $10 million self-insured retention, followed by $25 million in primary D&O coverage with AIG, followed by an additional $15 million of coverage with Ace, then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
On Tuesday, a Target spokeswoman said in an email that the company had no additional details to share. A Travelers spokeswoman said in a statement the insurer cannot confirm whether anyone is a client. An Ace spokeswoman said in a statement: “As a matter of company policy and confidentiality, we do not comment on specific claim incidents and cannot confirm or deny coverage with any particular company.'' AIG declined to comment. An Axis representative could not be reached for comment.
Initially, Target on Dec. 19 said the data breach during three weeks of the recent holiday shopping season affected 40 million customers. Then last week, the retailer said its investigation showed the breach was worse than anticipated and involved the theft of personal information of 70 million customers. That information, the retailer said, included PIN data associated with customers' cards.
Target said its customers will have no liability for fraudulent charges resulting from the data breach. The breach has triggered state and federal investigations, as well as several lawsuits against Target.
Will consumer class actions vs. Target survive?
January 13, 2014 5:46 PM ET
By Alison Frankel
NEW YORK (Reuters) - Who doesn't empathize with the 70 million Target customers whose private information was supposedly hacked?
No one likes to worry about identity theft and impaired credit ratings, the odds of which, according to Reuters, drastically increase for data breach victims. But that doesn't mean Target customers have a cause of action in federal court.
I don't see how the vast majority of hacked Target shoppers can get past the threshold constitutional requirement that they show an actual injury, at least under the U.S. Supreme Court's 2013 definition of injury in Clapper v. Amnesty International.
I'm not saying Target faces no litigation exposure for the data breach. Some of the new cases against the company are class actions by financial institutions that had to bear the cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards.
Those cases involve real-money claims that will be tough for the company to fend off with threshold defenses. So too will be suits by state attorneys general making claims in state court under state consumer protection laws (assuming, of course, that the Supreme Court does not hold that state AG suits have to be litigated in federal court in this term's Mississippi v. AU Optronics case).
And depending on the facts that emerge about Target's disclosure decisions, Target shareholders may have viable class action claims that the company engaged in misrepresentation-by-omission.
A FATAL INTERSECTION
Customers, however, are a different story, thanks to what I predict will be a fatal intersection between the 2013 Clapper decision and the Class Action Fairness Act.
CAFA, as the class action law is known, requires that class actions involving more than 100 people and claims of more than $5 million be litigated in federal court, even if they assert only state laws. Target will almost certainly be able to remove all of the consumer class actions stemming from the data breach to federal court.
It's also a near certainty that the suits will be consolidated into a multidistrict litigation, in which a single federal judge will decide pretrial motions. Target's first substantive motion in the consolidated litigation, you can be sure, will be an argument that the privacy breach cases must be dismissed because consumers do not have standing, under Article III of the U.S. Constitution, to sue in federal court because they can't show they've been injured.
That's where the Clapper decision comes in.
As I've explained in previous blog posts, the Clapper case involved allegations by human rights groups and public interest lawyers claiming that the National Security Agency's warrantless wiretapping program violated their First and Fourth Amendment rights.
The Supreme Court held that the human rights advocates did not have standing because they couldn't show their communications with terrorism suspects were actually intercepted, only that they might have been. (That finding came before Edward Snowden's revelations about the extent of NSA wiretapping.)
The majority opinion in Clapper, written by Justice Samuel Alito, said that standing requirements can be met only by showing actual harm or "certainly impending" injury. Alito also said that plaintiffs can't establish standing by spending money to ward off a feared injury.
"If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear," he wrote. "(Plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending."
Soon after the Clapper decision came down, defense lawyers in privacy breach cases realized that the ruling's definition of standing would be useful to them as well. (Kudos to the privacy team at Ropes & Gray, which was, I believe, the first to make a connection between Clapper and data breach class actions.)
Under Clapper, the defense argument goes, consumers can't establish standing based on either the possibility that their personal information may be misused or the costs they've incurred to monitor their credit reports for unauthorized charges.
So far, federal trial judges have been receptive to these arguments in privacy breach litigation. I told you last September about the first two decisions that tossed privacy cases based on Clapper, one a case stemming from the breach of Barnes & Noble customer data, the other a class action accusing Sam's Club of failing to institute adequate data protection protocols. The third Clapper-based dismissal of a privacy breach class action came late in December, when U.S. District Judge Noel Hillman of New Jersey tossed a case against several healthcare providers and a company that provides them with pharmaceutical dispensary software.
According to Judy Selby of Baker & Hostetler, whose firm represented one of the defendants in the New Jersey case (and who blogged about the ruling last week), no federal judge has so far rejected Clapper standing arguments in a privacy class action.
WILL FLOODGATES OPEN?
"Without a real injury, there's nothing (consumers) can do," Selby told me. "Without jurisdiction, you're done." Especially because Target has already pledged to offer a year of credit-monitoring services to customers whose information was hacked, Selby said, consumers will have a very, very hard time showing enough of an injury to establish their right to sue in federal court.
There are still two live federal circuit court decisions to the contrary. In 2011, the 1st Circuit Court of Appeals held in Anderson v. Hannaford that grocery store customers could show they were injured by a data breach through the credit-monitoring costs they incurred.
The following year, the 11th Circuit Court of Appeals found standing under somewhat distinct circumstances in Resnick v. Avmed. But both of those rulings predated Clapper, which would certainly seem to contradict the 1st Circuit's reasoning on standing and mitigation costs.
Whether the 1st and 11th Circuit decisions are still good law after Clapper is very much an open question.
There could well be some consumers victimized by identity theft after their personal information was stolen from Target, and perhaps they can show a strong enough link between the Target hacking and injuries they suffered from identity theft to establish Target's liability. There may even be a class of identity theft victims with viable claims. The rest of Target's customers, though, should be excluded from recovery - especially because Target has already promised to pay for credit-monitoring services for them.
I hope Target's defense lawyers - including the privacy team at Ropes that first realized the impact in these cases of the Supreme Court's holding in Clapper - stand firm and litigate the standing question, rather than caving in the face of a 70 million-member putative class.
Retailers everywhere are watching, said data privacy lawyer Al Saikali of Shook, Hardy & Bacon, who has also blogged about the Target cases. Saikali said precedent is heavily in Target's favor and the complaints against the company seem so far to be based on speculation. But if Target is forced to settle, he told me, every company that does business on the Internet should be worried.
"Target is a very large company that undoubtedly had in place complex and sophisticated safeguards to protect against this type of a data breach, and from what we know so far, they notified affected individuals very quickly," Saikali wrote at his blog. "If there is anything less than a dismissal or summary judgment entered in all of these cases, then the proverbial blood will be in the water and we can expect the floodgates of data breach litigation to open."
Target hack strips banks and credit unions of $200M. By Dara Kerr
The widespread security breach reportedly compromised 40 million credit and debit cards, which are costing banks a pretty penny to reissue.
Not only were as many as 110 million Target customers affected by the massive hack on the retailer in December, but banks have also had to deal with the security breach.
The hack is said to have cost banks and credit unions more than $200 million, according to data gathered by the Consumer Bankers Association and the Credit Union National Association. Originally, the two associations estimated that losses tallied around $178 million but now say those costs are rising.
In all, 40 million credit and debit cards were compromised in the breach. So far, banks and credit unions have replaced 54.5 percent, or 21.8 million cards. The cost to banks could increase if additional fraudulent activity occurs with the compromised cards.
The security breach, which yielded the personal information of an estimated 110 million customers, was first identified on December 15. Apparently, cybercriminals accessed customers' private information at point-of-sale terminals during checkout.
Target said the breach occurred between November 27 and December 15 and resulted in the theft of names, mailing addresses, phone numbers, e-mail addresses, and debit and credit card data of people who shopped at the retailer during those dates.
Working to gain consumer confidence in the aftermath of the breach, Target has offered affected customers one year of free credit monitoring and begun development of high-security smart credit cards embedded with microprocessor chips. According to a report earlier this month, the retailer is said to be paying up to $420 million to cover such costs associated with the breach.
Insurance Questions, Lawsuits Arise in Wake of Target’s Data Breach - By Young Ha
U.S. retail giant Target Corp. is busy dealing with the aftermath of the massive data breach that exposed account details of some 40 million credit and debit cards.
Already, at least two lawsuits seeking class-action status have been filed against Target. And attorneys general from New York, Massachusetts and Connecticut have contacted the retailer seeking more information about the breach and the steps being taken by Target to protect consumers.
In New York, the state’s Attorney General Eric Schneiderman said there are already reported incidents of identity theft affecting New York consumers.
And according to media reports, these stolen consumer data are already flooding the black market. Credit and debit card accounts stolen from Target’s data breach are being sold on underground black markets for anywhere from $20 to more than $100 per card, reports KrebsOnSecurity, a security news website.
In such data breach cases, there are several policies that are important for the companies to look at as possible insurance coverages to be triggered, according to attorneys who spoke with Insurance Journal.
Target declined to comment on an inquiry regarding its insurance coverage. But attorneys observed many companies are purchasing insurance coverages to protect against such data breaches.
“A lot of companies are purchasing specialized cyber insurance policies so those have to be examined,” said Joshua Gold, a New York-based attorney and shareholder at law firm Anderson Kill. Gold regularly represents corporate policyholders in insurance coverage matters. Such cyber insurance can be tailored to cover a wide range of expenses, even costs for forensic accounting, credit monitoring, crisis management, notification and setting up call centers to respond to consumer inquiries.
There could also be some measure of protection under traditional policies like the commercial general liability policy, even though finding coverage under traditional policies may be getting increasingly challenging as the industry continues to add data breach-related exclusions. Most recently, Insurance Services Office Inc. (ISO) filed data breach exclusion endorsements this year concerning its standard-form primary and excess/umbrella commercial general liability policies, to be effective next May.
Commenting on a California lawsuit seeking class-action status, William Um, a policyholder counsel at Hunton & Williams in Los Angeles, said there are allegations that there was a violation of privacy rights. “And those traditional general liability policies will provide that type of coverage and at least trigger the carrier’s duty to defend in that instance,” he said. In the lawsuit, a Target customer in California has alleged invasion of privacy and negligence. (A copy of the complaint is shown at the end of the article.)
“Obviously you need to be mindful of exclusions that are out there. But I would say this falls within the personal injury line of coverage under a general liability policy,” said attorney Um, who has handled a variety of insurance coverage disputes involving class actions, data breach and privacy issues, directors’ and officers’ liability, and other matters. He is not involved in the Target lawsuit.
And based on allegations in the California lawsuit, there is also a potential for coverage under a directors’ and officers’ policy, the attorney said. He observed that the lawsuit appears to include allegations about Target’s failure to act and allegations of “wrongful acts” that would be covered under traditional D&O entity coverages.
In such data breach cases, crime insurance is another possible place to look at, attorney Gold added. “We represented a retailer some time ago and they had a computer hacking breach. We were able to get their insurance coverage for them under a crime policy,” he said.
As Target grapples with the aftermath of the massive data breach, the retailer could face a lot of expenses incurred for defense costs, Um said. “I think that’s going to be the biggest cost out there because you are going to hire lawyers to defend the lawsuits, and you are going to have to have lawyers out there assisting with the appropriate notifications and responses,” he said.
One question, the attorney said, is whether the plaintiffs in Target lawsuits can manage to overcome what has been difficult in the past — namely, alleging actual compensable damage and getting over the hurdle of showing that individuals have been harmed beyond just their personal information being out in the public.
Um also noted how quickly these lawsuits are getting filed after such incidents occur and how sophisticated the lawsuits have become. He said the California lawsuit was filed on the same day that the media outlets began reporting the data breach.
The lawsuit in California, which was filed in federal court in San Francisco, tries to allege as much damage as possible, with broader allegations, Um said. The lawsuit makes very broad allegations about specific negligent acts on the part of Target, he said.
Attorney Gold from Anderson Kill also said technology-related insurance claims tend to receive added scrutiny.
“It’s hard to say how each claim is going to be handled because it really does depend upon what insurance policies the policyholder has in place, the circumstances of the loss, and lots of other factors,” he said. But technology-related claims tend to draw added scrutiny from insurance companies, and the more serious the claim, the tougher the insurer could get in paying it, he said.
Gold said he and his firm had cases for policyholders where cyber-specific language was included in more traditional insurance policies. In terms of the newer, standalone cyber coverages, fights have mostly been “behind the scene” so far, he said.
“I am only aware of one case that’s been litigated involving an actual cyber policy where the insurance company is denying coverage and the policyholder and the insurance company ended up in litigation. I don’t think there has been any meaningful case yet,” Gold said.
Gold also commented on some of the data breach-related insurance cases he has handled in the past. In one case, there was an argument that the data stolen was confidential information and therefore was subject to a policy exclusion.
In another case, an insurer argued that the policyholder’s cyber losses did not directly result from a hacking incident. “So we had a whole fight over what the phrase ‘directly resulting from’ meant in the context of an insurance policy,” he said. “And we obviously didn’t agree with the insurance company’s position, nor did the court. But we still had to go through a very long legal battle over that.”
In yet another case, “a big fight” rose over whether forged wire transfer instructions were covered under a financial institution crime policy, Gold said. “We finally got the insurance company to pay the claim. But these exclusions can get so technical,” he said. “That’s why we always recommend that policyholders really try and understand the insurance policy language that they are going to buy.”
Gold advised, “If you see some fine print in your insurance policy that you can’t understand, it’s much better to try to deal with those issues when you are actually in the process of purchasing the policy, versus having to fight about them later when you have a claim.”
He also offered some general advice for companies that suffer a data security breach. First, companies should start the forensic accounting process right away to ensure the damage is not more widespread than was initially known and to fix whatever security holes that may exist or were exploited by hackers.
Second, companies should do everything they can to comply with state notification laws regarding data breaches, he said.
Third, companies should make sure to give notice to every potentially applicable insurance company. “One thing that can happen is that people understandably are very focused on dealing with the immediate underlying exposure and that is certainly something that is important,” Gold said. “But companies also have to remember they’ve got all kinds of insurance policies that they may need to put on notice.”
“So when in doubt, they should give notice under every potentially applicable policy,” Gold said.
He explained that there is usually very little problem in withdrawing a claim if it turns out the coverage belongs under one policy rather than another. But, on the other hand, if the policyholder gets it wrong and doesn’t give notice under a policy that later turns out to provide meaningful coverage, it could be costly for the policyholder. “Lots of insurance companies will argue that somehow the late notice prejudiced them and somehow void or reduce the insurance coverage that they would otherwise have,” he said.
And if there is an initial denial or some type of reservation from the carrier, the policyholder shouldn’t just accept it, attorney Um said. “Don’t accept the initial denial…[policyholders should] push back,” he said, “and on a going-forward basis, think about these risks as you get into negotiations about policy renewals and the type of policies you want to take a look at.”
Below is a copy of a complaint against Target, filed in the U.S. District Court, Northern District of California: Kirk et al. v. Target Corp., case no. cv 13 5885.
Target Data Breach Highlights Importance Of Insuring Cyber Risks
While cyber risks are sometimes thought of as "online" or Internet risks, a massive information theft recently occurred at Target's brick-and-mortar stores when customers swiped cards and entered PINs while making in-store purchases. On December 19, 2013, Target disclosed that it was the victim of a serious data breach from at least November 27 to December 15 of 2013. More than 40 million debit and credit card numbers were stolen. Hackers stole customer names, card numbers, card expiration dates, the embedded codes on the magnetic stripes on the backs of cards, and in some cases PINs for debit cards used at Target.
The card information has reportedly already begun to flood the black market, selling for between $20 and $100 per card. Target has stated that it will offer free credit monitoring services to affected customers.
Specialized cyber risk insurance policies may cover liabilities like those that have inevitably already begun to arise from Target's data breach. Such policies can cover a company's costs of notifying customers of a data breach, offering credit monitoring services, and defense costs and damages for any resulting lawsuits. They may also cover any data or systems lost or destroyed as a result of a hack. Some policies may also cover any resulting loss of revenue, or even damage to a company's reputation following a data breach. Investigations by government agencies targeted at the victim company, such as the Federal Trade Commission or state regulators, may also be covered under cyber risk policies or under a company's comprehensive general liability (CGL) insurance policies.
It is critically important, however, for companies suffering losses like these to position themselves to receive the most coverage. Providing notice to all implicated insurers as soon as practicable, evaluating all available insurance policies, coordinating defense counsel, and communicating with insurers to provide relevant information, are all issues that arise early and must be dealt with swiftly and skillfully to maximize coverage.
Other types of insurance may also come into play. About 40 lawsuits have already been filed against Target. At least one alleges, among other things, that the stolen information constitutes an invasion of privacy. Most CGL policies provide coverage for "personal and advertising injury," which is generally defined to include invasion of privacy claims.
The shareholder lawsuits that usually follow an event like a data breach, alleging wrongdoing by a company's leadership, may also implicate directors' and officers' (D&O) coverage. Some D&O policies, generally those purchased by privately held companies, may also provide "entity" or company coverage for a loss like a data breach as well.
Companies should ensure that their insurance policies are tailored to their specific needs and risks. Having appropriate coverage in place, and seeking guidance from experienced coverage counsel to maximize the funds available, can provide crucial support at a critical time in the event of a cyberattack. Additionally, retaining counsel familiar with navigating cybersecurity issues is essential, both to proactively avoid the risks associated with data breaches and to minimize the impact of an attack after it has occurred.