UPDATE: The Target data breach is the largest ever retail breach according to Advisen Loss Insight data. On the morning of January 10—after the deadline for this story—Target announced that as many as 70 million customers could have had personal information stolen as part of the Nov. 27-Dec. 15 breach. This news is separate from a previous announcement that 40 million customer debit and credit cards were exposed. Read about this development and the company’s statements on potential liabilities at the end of this story.
While Target continues to handle the fallout from its recent data breach, which exposed about 40 million debit and credit cards, it appears that losses incurred by the third-largest retailer in the US could exhaust its insurance.
The exact details of Target’s insurance coverage tower are unknown but sources told Advisen that the firm has specific cyber protection.
Considering trends among large retail cyber-insurance buyers, losses from the breach—blamed on a malware infection of Target’s point-of-sale system from November 27 to December 15—have the potential to surpass coverage, according to sources.
“They can expect tens, if not hundreds, of millions of dollars in claimed losses,” said Richard Bortnick, shareholder in law firm Christie, Pabarue and Young and publisher of cyber industry blog, Cyberinquirer.com. “Whether claimants can prove their alleged damages is another story.”
In an email, a Target spokesperson responded: “At this time we are focused on our guests and are not speculating or commenting on the financial impact.”
Theoretically, many insurers will share the loss. Carriers typically provide $10 million of cover though a few in the marketplace offer higher limits—some up to $20 million. Therefore, a company with $100 million in cyber coverage could have 10 or more underwriters on the account. Additionally, Target is said to have a multi-million dollar retention.
Target has not publicly disclosed how the breach occurred but it is thought to be among the largest ever retail data breaches (see table). According to Advisen data, which is ranked by affected customers, the Target data breach is currently the fourth largest such loss since 2002.
The oft-cited TJ Maxx (TJX) cyber breach in January 2007, which affected more than 45 million consumers, resulted in the retailer reportedly paying out more than $250 million.
Crisis management and remediation strides Target has taken since the breach point to the ownership of at least some cyber insurance. Possession of cyber coverage is not a guarantee, as many of Target’s peers still do not purchase it.
Chris Keegan, senior vice president and national resource for cyber and errors and omissions coverage at Willis, said that although the take-up rate of coverage for large retailers has improved dramatically, many companies go without it.
Large insureds such as Target “tend to dip their toe in the water and begin to build their tower from there,” said Keegan. But when Target first tested the marketplace waters is unknown. Keegan added he has received more calls about cyber coverage since the Target breach.
In this case the national retailer has notified affected consumers, offered credit-monitoring services, retained a forensics firm to investigate the breach and possibly acquired help with public relations. All are likely covered by its insurers, as are costs to get a network back up and running if it ever went down.
Response costs alone could reach tens of millions of dollars, said Ben Beeson, executive director in the global technology and privacy practice at Lockton.
Whether Target appropriately carried out each of these liability-reducing measures is up for interpretation, as is whether Target had appropriate processes in place to prevent the breach.
Attorneys general in at least four states—Connecticut, Massachusetts, New York and South Dakota—want Target to provide more information about the breach, which has additionally been used as a springboard in Congress for calls to hold companies accountable when customer information is stolen.
The Secret Service, FBI and Federal Trade Commission are taking hard looks at the retailer’s compliance with guidelines, specifically the PCI Data Security Standard.
Therein sits the crux of Target’s future liability—and ultimately how large the check it and its insurers write to settle all cyber-breach matters becomes.
It appears as though Target thus far “did some things well, but there’s always room for improvement,” said Jake Kouns, director of cyber security and technology risks underwriting at Markel. “Of course some people are angry but [Target] did come out and tell consumers about this during the holiday shopping season. That’s an enormous pressure. I’ve seen breaches not reported at all.”
“I don’t know the controls [Target] had in place but this did happen,” said Beeson. “Something went wrong here. It’s unusual to have this occur across the country at the POS machines.
“The risk evolves and keeps changing—and it’s not going away. It’s getting worse.”
Dozens of class-action lawsuits—around 40 or more—have already been filed, claiming Target failed to safeguard customers from a breach and exposed customers to fraudulent charges, identity theft and credit-score damage. Customer information has landed on underground, black-market websites for sale.
In separate lawsuits filed in Target’s home state of Minnesota, shoppers seek class-action certification and allege Target committed a nationwide breach of its duty by “failing to exercise reasonable care in protecting and safeguarding” the stolen debit and credit card information.
Target could also face lawsuits filed by shareholders, bringing in D&O coverage. Another potentially more costly federal class-action lawsuit was filed in Alabama on behalf of financial institutions, with the Alabama State Employees Credit Union as lead plaintiff. The suit looks to Target to pay damages for defrauded deposits as well as costs related to closing accounts and issuing new checks, debit cards and credit cards.
“Target could have taken steps to ensure the safety of its information technology systems,” said plaintiffs’ attorney firm Beasley Allen in a statement. “Instead, people were left scrambling at the holiday season, unsure of their financial security.”
In the case of credit card fraud, the payment processor usually refunds the charges to the customer and leaves it to the merchant to bear costs. But with ATM or debit card purchases, the bank is normally responsible for covering the loss.
David Navetta, one of the founding partners of legal services provider Information Law Group, says there is now a process to allow banks to recover costs from the retailer by using a back-end program based on the forensic assessments.
“This allows them to recover the fraud amounts based on this generated estimate,” explained Navetta. However, the process is being challenged in other courts of law. If Target has this arrangement with payment processors and decides to challenge the process, it could wind up a plaintiff.
Target’s litigation future could hinge on proof of actual damages, where the competing class actions are consolidated, whether a court grants class certification, and how and which laws are applied. Bortnick called these issues the claimants’ “greatest hurdle,” and ones that will be very difficult to overcome. The location of multi-district litigation is “huge,” added Beeson.
“This is a script that’s been written a thousand times and will be written a thousand more times,” Bortnick said. “This is interesting due to the severity more than as a unique incident. Hell hath no fury than a person whose personal and financial information has been stolen.”
Attorney Randy J. Maniloff of Philadelphia firm White and Williams says there is “something wrong with the system” when companies like Target “seems to have done everything they could, but it’s still not enough”.
“[Plaintiffs’ attorney] fees aren’t commensurate with the value provided to the class,” said Maniloff, who represents insurers in coverage disputes over primary and excess obligations under a host of policies. In an op-ed to The Wall Street Journal, Maniloff wrote: “The class members get enough for a latte, and the lawyers pocket an amount that could buy half of Brazil.”
Plaintiffs’ attorney firm Anderson Kill and defense firms Nelson Levine and Marshall Dennehey declined to comment, citing potential conflicts of interest.
Target now says the names, mailing addresses, phone numbers and/or email addresses of up to 70 million customers could be affected by the recent data breach.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information–separate from the payment card data previously disclosed–was taken during the data breach,” Target said in an early Jan. 10 statement.
Target spokeswoman Molly Snyder said the company’s announcement on Dec. 19 is separate from the announcement on Jan. 10.
“They are two distinct pieces of this breach,” she said. “There could be some overlap.”
Target said it will attempt to notify affected guests by email. The retailer continued to reiterate that customers have “zero liability” for any fraudulent charges related to the data breach, and the company continues to offer a year of free credit monitoring and identity theft protection to customers.
Target said its fourth-quarter earnings may include adverse costs related to the breach.
While it could not provide a range of expected losses, the company said the costs could include “liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs; liabilities related to REDcard fraud and card reissuance; liabilities from civil litigation, governmental investigations and enforcement proceedings; expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.”
Fourth-quarter sales were stronger-than-expected before Target went public with news of the data breach on Dec. 19, the company said. Since then, sales are “meaningfully weaker-than-expected.” Target told investors to expect a decline of 2 percent to 6 percent for the rest of the year.