Just when you thought that it could not get worse for companies in the context of cybersecurity and privacy issues … it does. Perhaps most significant, a court recently allowed banks to proceed against a retailer to pursue damages allegedly flowing from a cyberattack and data privacy incident involving payment card numbers. That same retailer disclosed hundreds of millions of dollars in losses as a result of the cyberattack and data privacy incident. Another retailer fell victim to a cyberattack and data privacy incident involving payment card numbers. Major entertainment businesses suffered cyberattacks, with one reportedly involving information about celebrities, corporate IP, and user names and passwords for social media accounts of the company. Distributed denial of service attacks (DDoS) are also on the rise. Below, we review the sobering news about cyberattacks and some tips when considering insurance for cyber risk in 2015. How Bad Is It? First, the decision involving banks and retailers is significant. In In re Target Corp. Customer Data Breach Security Litigation, the court refused to dismiss a complaint in the “Financial Institution Cases.” In re Target Corp. Customer Data Breach Security Litigation, MDL No. 14-2522, slip op. [Dkt. 261] (D. Minn. Dec. 2, 2014). The refusal to dismiss a putative class action complaint against a corporate defendant in connection with a data privacy incident is not the eye-opening part. Rather, it’s the identity of the plaintiffs. “Plaintiffs here are a putative class of issuer banks whose customers’ data was stolen in the Target data breach.” Id. at 2. Those banks have sued Target Corporation, alleging that Target was negligent in failing to secure payment card numbers, that Target violated Minnesota’s Plastic Security Card Act, that there was negligence per se (because of the alleged statutory violation), and that the failure to tell the banks of Target’s allegedly insufficient security practices was a negligent misrepresentation by omission. Id. There is little case law on this point, as the law is nascent and continues to be developed. Even less case law exists on the exact question of whether banks can pursue retailers for alleged losses resulting from a cyberattack and data privacy incident involving payment card numbers. Unfortunately for Target, however, the court ruled that the banks could proceed with their action. There can be little doubt that Target’s defense costs will continue to mount. Second, the losses that Target has suffered already are noteworthy. Target disclosed in its Form 10-Q for the quarterly period ended Nov. 1, 2014, that it already had “incurred $248 million of cumulative expenses” as a result of the cyberattack and data privacy incident. Target, Form 10-Q, at 9 (Nov. 26, 2014), available here. Third, Target is just one example in a continuing stream of news regarding retailers that have had payment card information stolen. In early December, 2014, Brian Krebs reported that international retailer Bebe Stores Inc. was another victim of a criminal cyberattack. Krebs wrote that Bebe had confirmed “[t]hat hackers had stolen customer card data from stores across the country in a breach that persisted for several weeks last month.” Brian Krebs, “Bebe Stores Confirms Credit Card Breach,” Krebs on Security (Dec. 5, 2014), available here. Click here to read more.
Reprinted with permission from the March 15, 2015, edition of the Law Journal Newsletters © 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 - reprints@alm.com or visit www.almreprints.com.Cybercrime: How Insurance Can Protect Your Company
Scott N. Godes
Partner Data Security and Privacy Co-Chair, Insurance Recovery and Counseling Group Co-ChairRELATED ARTICLES
Illinois Federal Court Rejects Arbitration of BIPA Class Action
June 10, 2020 | Currents - Employment Law
Seventh Circuit Confirms Article III Standing for BIPA Plaintiffs
May 7, 2020 | Currents - Employment Law
Third-Party Biometric Timekeeping Provider Chops Down BIPA Liability
April 14, 2020 | Currents - Employment Law
Illinois Court Shines a (Heat) Lamp on Insurer’s Duty to Defend BIPA Claims
March 26, 2020 | Policyholder Protection, Privacy, Currents - Employment Law
After a Ransomware Attack, Does Property Insurance Cover Damaged Software and Hardware?
February 11, 2020 | Policyholder Protection, Cyber Insurance, Policy, Data Security
Illinois Federal Court Rejects Arbitration of BIPA Class Action
June 10, 2020 | Currents - Employment Law
Seventh Circuit Confirms Article III Standing for BIPA Plaintiffs
May 7, 2020 | Currents - Employment Law
Third-Party Biometric Timekeeping Provider Chops Down BIPA Liability
April 14, 2020 | Currents - Employment Law
Illinois Court Shines a (Heat) Lamp on Insurer’s Duty to Defend BIPA Claims
March 26, 2020 | Policyholder Protection, Privacy, Currents - Employment Law
After a Ransomware Attack, Does Property Insurance Cover Damaged Software and Hardware?
February 11, 2020 | Policyholder Protection, Cyber Insurance, Policy, Data Security
The Cloud: Selected Benefits, Risks, and Insurance Coverage Issues (Part 2)
May 5, 2017 | Policyholder Protection, Insurance, Data Security
Insurance Coverage Basics for Cloud Computing: 3 Cs to Remember
February 23, 2017 | Data Security, Insurance, Policyholder Protection
Does a CGL Insurance Policy Cover a Data Breach? The Fourth Circuit Says ‘Yes’
May 17, 2016 | Cyber Insurance, Data Breach, Policyholder Protection
Does a CGL Insurance Policy Cover a Data Breach? The Fourth Circuit Says 'Yes'
April 26, 2016 | Cyber Insurance, Insurance, Policyholder Protection
Scott Godes quoted in Law360 Article, “Privacy ‘Bill of Rights’ to Boost Demand for Breach Coverage”
October 27, 2015 | Cyber Insurance, Policyholder Protection
Regulation S-P Violation: Are You Prepared For A Cyber-Security Breach?
October 8, 2015 | Cyber Insurance, Data Security, Policyholder Protection
Scott Godes Quoted in Law360 Article, “A Cyberattack Survival Guide for Policyholders”
October 2, 2015 | Cyber Insurance, Data Breach, Policyholder Protection
Scott Godes Quoted in Law360 Article, “4 Insurance Takeaways from Lloyd’s Cyberattack Report"
July 14, 2015 | Cyber Insurance, Policyholder Protection
Cyber Insurance is Only for Retailers, Right?
June 17, 2015 | Cyber Insurance, Policyholder Protection
Scott Godes Quoted in Law360 Article, "Cyberinsurance Thaw Hinges On Data-Sharing Bills”
April 29, 2015 | Cyber Insurance, Policyholder Protection
Scott Godes Quoted in Cyber Risk Network’s article, “10 million settlement with consumers a ‘good deal’ for Target, insurers”
March 25, 2015 | Data Breach, Policyholder Protection
Should Retailers Rely On CGL Coverage For Data Breaches?
March 13, 2015 | Cyber Insurance, Policyholder Protection
Scott Godes Quoted in Advisen’s Cyber Risk Network Weekly Download
March 2, 2015 | Cyber Insurance, Policyholder Protection
The Other Cyber Shoe Has Dropped – What Does that Mean for Your Insurance Program?
December 9, 2014 | Cyber Insurance, Data Breach, Policyholder Protection
Scott Godes to Present at the Comprehensive Conference on Cybersecurity Law Presented by Law Seminars International
November 20, 2014 | Cyber Insurance, Policyholder Protection
Scott Godes to Present “Be a Cyber Risk Hero: Understand the Risks & Learn Best Practices to Get Them Insured”
August 29, 2014 | Cyber Insurance, Policyholder Protection
Scott Godes to present at the 21st Annual Nonprofit Risk Management Seminar
May 13, 2014 | Cyber Insurance, Data Breach, Policyholder Protection
Increasing data breach costs should lead to a review of insurance policies and vendor contracts
May 8, 2014 | Cyber Insurance, Data Breach, Privacy, Policyholder Protection
Scott Godes to Speak at the NetDiligence Cyber Risk & Privacy Liability Forum June 11-13, 2014
April 29, 2014 | Cyber Insurance, Policyholder Protection
5 Tips For Reviewing And Buying Cyberinsurance
April 29, 2014 | Cyber Insurance, Policyholder Protection
RELATED PRACTICE AREAS
Subscribe
Do you want to receive more valuable insights directly in your inbox? Visit our subscription center and let us know what you're interested in learning more about.
View Subscription Center