By Elizabeth Haecker Ryan and Amanda Wingfield Goldman
As we rapidly evolve through the information age, businesses rush to keep pace. Unfortunately, hackers have not only kept pace, but are now outpacing their victims as they find more creative ways to breach the security measures erected to keep them out.
While retailers and merchants are obvious targets, any business that maintains personal information is a potential target. A breach yields a goldmine of stolen information, and the use of stolen credit card numbers is just the beginning. Stolen email addresses let thieves send phishing messages that appear to originate from a legitimate source, such as a bank, in order to harvest further sensitive personal information.
The most widely publicized recent breach occurred at Target during the 2013 holiday season. After approximately 40 million credit and debit card numbers were stolen over a few weeks, the company incurred an estimated $400 million in administrative costs, an estimated $236 million in expenses and a 46 percent drop in fourth-quarter profit.
Target was sued on two fronts—by compromised consumers and by the issuing banks that bore the costs of replacing credit and debit cards and paying the fraudulent charges.
Target filed a motion to dismiss the issuing banks’ suit, arguing that it did not owe a duty to the banks to protect them from the hackers’ wrongful acts. The court denied Target’s motion, stating that Target played a key role in allowing the harm to occur.
As for allegations that Target purposefully disabled a security feature that would have prevented the harm, the court concluded that Target’s own conduct could have created a risk of injury to a foreseeable plaintiff. (For purposes of a motion to dismiss, the plaintiffs’ allegations are presumed to be true; the court was deciding whether the issuing banks had a cause of action against Target, not whether their claims were in fact true.) In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014).
Consumers whose data was compromised filed a class action asserting claims under 38 state data breach statutes. The suit alleged that Target failed to provide timely and adequate notice of the breach.
The court recognized that some of the state statutes were ambiguous, but allowed the class action to proceed under 26 of them. Other states have taken notice, and a number of them have enacted breach disclosure statutes that provide a private right of action.
The Role of Cyber-insurance: The Market Responds
As a result of actual and threatened events, the insurance market has responded with a new product to protect businesses from data breaches: cyber-insurance. Traditionally, businesses sought coverage for losses from data breaches under commercial property, commercial general liability, and business interruption policies for first-party losses, and under commercial liability and directors and officers liability policies for third-party losses.
However, in the late 1990s, insurers began offering cyber-insurance in the form of standalone policies. Yet, despite recent data breaches, only 20 to 30 percent of American firms purchase cyber-insurance.
The case law interpreting these policies is scarce, as courts struggle to define the parameters of cyber-liability. Courts are increasingly allowing plaintiffs to file creative claims against businesses in the wake of data breaches.
There are two types of cyber-insurance coverage available—first-party coverage and third-party coverage.
First-party coverage handles the direct costs a business incurs when responding to a data breach or security failure. Common first-party costs include forensic investigation; legal counsel to advise the company on its notification and regulatory obligations; notification costs; credit monitoring for affected individuals; remediation measures to contain the attack and prevent its spread; cyber-extortion payments; public relations expenses; and lost profits and extra expenses incurred while the victim’s network is down.
Third-party coverage applies to costs incurred when the business is sued, when claims are made against it or when regulators demand information. Common third-party costs include legal defense costs; liability for the loss of customer and/or employee information; settlements, damages and judgments related to the breach; liability to issuing banks for card reissuance expenses; the cost of responding to regulatory inquiries; and regulatory fines and penalties, to the extent they are insurable in the relevant jurisdiction.