Erin L. Webb
While cyber risks are sometimes thought of as “online” or Internet risks, a massive information theft recently occurred at Target’s brick-and-mortar stores when customers swiped cards and entered PINs while making in-store purchases. On December 19, 2013, Target disclosed that it was the victim of a serious data breach from at least November 27 to December 15 of 2013. More than 40 million debit and credit card numbers were stolen. Hackers stole customer names, card numbers, card expiration dates, the embedded codes on the magnetic strips on the backs of cards, and in some cases PINs for debit cards used at Target.
The card information has reportedly already begun to flood the black market, selling for between $20 and $100 per card. Target has stated that it will offer free credit monitoring services to affected customers.
Specialized cyber risk insurance policies may cover liabilities like those that have inevitably already begun to arise from Target’s data breach. Such policies can cover a company’s costs of notifying customers of a data breach, offering credit monitoring services, and defense costs and damages for any resulting lawsuits. They may also cover any data or systems lost or destroyed as a result of a hack. Some policies may also cover any resulting loss of revenue, or even damage to a company’s reputation following a data breach. Investigations by government agencies targeted at the victim company, such as the Federal Trade Commission or state regulators, may also be covered under cyber risk policies or under a company’s comprehensive general liability (CGL) insurance policies.
It is critically important, however, for companies suffering losses like these to position themselves to receive the most coverage. Providing notice to all implicated insurers as soon as practicable, evaluating all available insurance policies, coordinating defense counsel, and communicating with insurers to provide relevant information, are all issues that arise early and must be dealt with swiftly and skillfully to maximize coverage.
Other types of insurance may also come into play. About 40 lawsuits have already been filed against Target. At least one alleges, among other things, that the stolen information constitutes an invasion of privacy. Most CGL policies provide coverage for “personal and advertising injury,” which is generally defined to include invasion of privacy claims.
The shareholder lawsuits that usually follow an event like a data breach, alleging wrongdoing by a company’s leadership, may also implicate directors’ and officers’ (D&O) coverage. Some D&O policies, generally those purchased by privately held companies, may also provide “entity” or company coverage for a loss like a data breach as well.
Companies should ensure that their insurance policies are tailored to their specific needs and risks. Having appropriate coverage in place, and seeking guidance from experienced coverage counsel to maximize the funds available, can provide crucial support at a critical time in the event of a cyberattack. Additionally, retaining counsel familiar with navigating cybersecurity issues is essential, both to proactively avoid the risks associated with data breaches and to minimize the impact of an attack after it has occurred.