Target’s $19 million settlement with MasterCard underscores very significant sources of potential exposure that often follow a data breach incident.
In the wake of any significant breach involving payment cards, such as the Target breach, retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors—claims from financial institutions seeking to recover their losses associated with issuing replacement credit and debit cards, among other losses.
The financial-institution card issuers typically allege, among other things, negligence, breach of data protection statutes, and purported non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA, and Discover, seeking substantial fines, penalties, and assessments for purported PCI DSS non-compliance.
These potential sources of liability can eclipse other sources of liability. While consumer lawsuits often get dismissed for lack of Article III standing, for example, or may settle for relatively modest amounts, the Target financial institution litigation survived a motion to dismiss and involved a relatively high settlement amount as compared with the consumer litigation settlement, as did TJX’s prior $24 million card issuer settlement. The current settlement involves only MasterCard, moreover, and the Target financial institution litigation will proceed as to any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer.
To the extent the litigation proceeds, the Amended Class Action Complaint filed in the Target consolidated financial institution cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”
Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including, but certainly not limited to, commercial general liability insurance (CGL), which most companies have in place, in addition to specialty cybersecurity/data privacy insurance and other types of insurance.
Here are 5 steps for securing coverage for data breach and PCI DSS-related liability:
Coverage A: “Property Damage” Coverage
Payment card issuers typically seek damages because of the necessity to replace payment cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees, and the like. By way of illustration, the Amended Class Action Complaint in the Target financial institution litigation alleges as follows:
The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes, but is not limited to, sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts, and the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.
The financial institution class in the Target litigation further alleges that “Plaintiffs and the FI [financial institution] Class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”
These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’” that “occurs during the policy period.” The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”
Importantly, the key term “property damage” is defined to include—not just “physical injury to tangible property”—but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:
17. “Property damage” means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed), the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the Amended Class Action Complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards. The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.
These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.
Coverage B: “Personal and Advertising Injury” Coverage
There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B.
Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is “caused by an offense arising out of [the insured’s] business … during the policy period.” Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”
The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include the offense of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights. It warrants mention that the trial court in the Sony PlayStation data breach insurance coverage litigation recently ruled against coverage; that decision turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions of the insured, Sony, and not by the actions of the third parties who hacked into its network. The decision is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.”
The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.
Organizations also should be aware that Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements and, in filing the endorsements, ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions:
At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.
*****
To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.
Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]
The bottom line: there may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.
Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident.
This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation.
By way of example, one specimen policy insuring agreement states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging a Security Failure or a Privacy Event.” The key term “Privacy Event” includes, among other things, “any failure to protect Confidential Information,” a term that is broadly defined to include, among other things, “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” broadly includes, among other things, “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and Defense Costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.
Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “Loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:
“PCI-DSS Assessment” means any written demand received by an Insured from a Payment Card Association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “Acquiring Bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an Insured’s non-compliance with PCI Data Security Standards which resulted in a Security Failure or Privacy Event.
This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS compliant and the PCI Forensic Investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach.
As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”
The bottom line: “cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card issuer litigation and payment brand claims alleging PCI non-compliance.
It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach incident. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies, and commercial crime policies. In the event of a data breach, companies are advised to provide prompt notice under all potentially implicated policies, except in particular circumstances that may justify refraining from doing so, and to carefully evaluate all potentially applicable coverages.
Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny an insured’s claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage if they effectively pursue their claim.
If an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, for example, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards, and the lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion.
Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims, and has been held inapplicable where the law at issue fashions relief for common law rights.
Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation, and the burden is on the insurer to demonstrate an exclusion’s applicability.
Various types of insurance policies may be triggered by a data breach incident, as discussed above, and the various triggered policies may carry different insurance limits, deductibles, retentions, and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance, and stacking of limits.
For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.
By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits and structure the coverage strategy accordingly.
* * * * *
When facing a data breach event, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, the sufficiency of their existing insurance coverage, and the role of specialized cyber coverage.
In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.