Target Data Breach Insurance Case Study - By Christine Marciano

20/12/2013 21:59

Target was targeted by data thieves starting on Black Friday during the busiest holiday shopping season of the year (between Nov. 27 and Dec. 15). It seems that data thieves did some shopping themselves for about 40,000,000 credit and debit cards. With 1,797 stores in the U.S. and another 124 in Canada, the Target data breach is proof in itself that these types of data breaches are getting more sophisticated and targeted.

Now with up to 40,000,000 customers to notify, Target could face a huge bill just in notification letters alone, not including credit monitoring costs and potential legal defense and settlement costs. According to the Target data breach notification letter on its website, though, it does not appear that they’re offering credit monitoring just yet. With 2014 just around the corner, the Target data breach has surpassed the recent Adobe data breach (38,000,000 individuals) and will surely go down as one of the biggest data breaches of 2013 and perhaps one of the most expensive.

How did the breach happen?
The data theft did not happen online; it happened in the physical Target locations. Based on news reports, data thieves tampered with the point-of-sale (POS) systems that customers use at checkout registers to swipe their credit or debit cards when making purchases, and gained access to the data that is stored on the magnetic stripe on the back of credit and debit cards.

What was stolen in the data breach?
The data affected in the breach included customer names, credit or debit card numbers, expiration dates and CVV security codes, according to a notice posted for customers on the Target website.

Are you a Target Shopper? 
If you shopped at Target between November 27th and Dec. 15th, Target has an important notice with comprehensive and important steps you should take to protect yourself against potential misuse of your credit and debit card information.

Potential Credit and Debit Card Fraud is now a factor for those 40,000,000 individuals affected in the Target Data Breach

Data thieves now have access to the data from the magnetic stripes found on the back of the stolen credit and debit cards and can encode that data onto a counterfeit card. This allows criminals to sell the cards in batches or use the cloned cards at retailers to purchase goods.

Though when it comes to the debit card numbers that were stolen, from my understanding it may be a bit more difficult for criminals to use, as fortunately the PIN is not on the card — it is encrypted (hidden in code) in a database. According to this source, the PIN can be either in the bank’s computers in an encrypted form (as a cipher) or encrypted on the card itself. The transformation used in this type of cryptography is called one-way. This means that it’s easy to compute a cipher given the bank’s key and the customer’s PIN, but not computationally feasible to obtain the plain-text PIN from the cipher, even if the key is known. This feature was designed to protect the cardholder from being impersonated by someone who has access to the bank’s computer files. However, if there’s a chance that the PINs can be intercepted then victims are indeed at risk for fraudulent ATM cash withdrawals.

What are Target’s Risks Due to this Data Breach?

The Target data breach involves many issues, such as stolen customer credit card and debit card numbers, reputational damage, legal and PR issues, potential legal liability for fraudulent charges, regulatory fines, POS network security failure, a potential drop in share price and an impact on its P&L reports.

Playing the Devil’s Advocate as it Relates to the SEC’s CF Disclosure Guidance

While this data breach was not reported as being cyber related, it does involve a network information security failure of the POS system, and the question on my mind is whether or not Target will disclose this data breach in its Form 10-K filing. The SEC asks its registrants to disclose the risk of cyber incidents (though in this instance, this is what I’m questioning) along with actual cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. A POS system does indeed connect to a computer (“cyber”) network. As the SEC states in its CF Disclosure Guidance, ‘cyber’ incidents can result from deliberate attacks or unintentional events. The SEC continues with, “We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security…” Needless to say, the Target data breach has many similarities to a cyber (or “computer”) security breach, and clearly in this case it was a POS security breach – isn’t that “cyber” related?

Cyber Data/Breach Insurance Helps to Mitigate the Costs of Security Failure Incidents 

While it’s unknown if Target has cyber/data breach insurance, we explain below how data breach insurance coverage could help respond to the Target data breach/cyber attack.

Cyber/data breach insurance coverage could help Target:

  1. hire a computer forensics investigator to determine how the breach occurred and what data was exposed,
  2. hire a data privacy attorney to help navigate the various U.S. State (and international) data privacy laws,
  3. send notification letters to the affected customers,
  4. offer a one-year credit monitoring service to the customers affected as well as a dedicated call center to answer any customer questions,
  5. hire a public relations firm to help with the media,
  6. pay for customer damages due to identity theft as well as defense costs in the event there’s a lawsuit due to their data breach and
  7. pay for privacy regulatory defense and where insurable by state law, regulatory fines and penalties.

According to the Ponemon 2013 Cost of Data Breach Study, the average cost of a breached record is $188. This means that based on the 40,000,000 Target customers that had their credit and debit card numbers stolen, the total cost amounts to $752,400,000. Putting that amount aside for a moment, the cost just to mail notification letters to the 40,000,000 customers affected is $18,480,000. These amounts, needless to say, are significant. However, for a company such as Target, these amounts, as significant as they may be, will not force Target out of business even if it doesn’t have a cyber/data breach insurance policy. However, when Target reports its annual earnings next year, it will be interesting to see if this data breach will impact its profits, and most likely it will.

Data Breaches Happen Daily and are Not Going to End

Just this month alone, there have been at least three healthcare data breaches, which we wrote about in an earlier blog article. While Target may be able to survive the impact of the potentially huge costs it will incur from this data breach, this may not be the case with other businesses or organizations that may not have the financial ability to sustain the significant costs that occur when a data breach happens. (Read Big Data Collection Means Bigger and More Expensive Data Breaches.)

Cyber/data breach insurance can help businesses and organizations in significant ways when a data breach happens, as mentioned above. A cyber/data breach insurance policy just may be what keeps businesses and organizations from closing their doors due to their inability to financially sustain the high associated costs of a data breach. Contact us today to learn how your business or organization can proactively plan ahead for data breach costs.



Learning from Target: Insurance Coverage For Data Breaches by Alex Purvis

Cyber liability is a clear and present danger. Target Corp. recently reported at least $235 million as gross expenses related to its 2013 data breach. Fortunately, Target was able to recover $90 million of that loss under insurance coverage dedicated to cyber liability.

Target's experience is the most recent wake-up call on this front, and business executives should be evaluating what protection they have against this potentially enormous risk, one that can rear its head in many forms (e.g., laptop loss, hacking, and employee theft). A significant piece of that risk analysis should include consideration of available insurance coverage.

Insurance protection for cyber risks may be available in one of two forms. First, cyber liability policies are becoming available on the market and can offer a tailored layer of protection. Second, coverage may be available under more traditional insurance products (e.g., Commercial General Liability ("CGL"), Directors & Officers ("D&O"), or crime/fidelity policies).

Cyber Coverage

Now is the time to start considering cyber coverage if your business does not already have it. There are numerous forms available in an ever-changing market, and the industry is designing these products to address the unique risks that arise in this context. For example, one of the largest risks related to cyber liability is exposure to regulatory investigations and inquiries. Insurers on traditional policies may argue that the costs of a regulatory investigation are not covered, and a cyber liability policy should provide more certainty on that issue. Insurance professionals can provide access to the various markets and advice on the differences between certain products.


If evaluating cyber coverage, keep in mind that care in the application process may be critical. Most cyber insurers will ask a series of detailed questions about the current status of your data protection system, and it is important to read and answer these questions with caution. Many of the cyber policies will include harsh exclusions related to any perceived misrepresentation in the application process, and most experts anticipate the industry may rely heavily upon these exclusions in the face of future claims. The cyber policy you pay for may prove worthless if questions later emerge about the veracity of the underwriting process, so make sure all questions are understood and answered correctly.


There should also be room for negotiation on these policies. As always, reading the policy form before agreeing to it is critical, and any questions should be raised up front. The offering insurers or their agents should provide clarification relative to any ambiguities, and clarifying endorsements may be particularly helpful on these new products.

There will certainly be coverage fights as cyber policies start responding to claims, and the courts will need to provide direction and clarification. That said, any company with concerns about data breach exposure should explore these products.

Coverage Under Traditional Policies

Many businesses will face a data breach loss without cyber coverage and may wonder whether all is lost. Fortunately, some more traditional insurance may provide coverage for data breaches, and there is a developing body of case law that provides some guidance. For example, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals held that an insured's loss of a computer tape containing third-party data constituted "property damage" under the standard CGL definition. As another example, CGL policies typically provide coverage for invasion of privacy, and the Ninth Circuit, in Netscape v. Federal Insurance Company, applied that language to find coverage for Netscape related to allegations that it was employing software that improperly collected user information. Other courts have examined similar issues and have denied coverage based on interpretations of the relevant policy language.

Most importantly, your business's current insurance portfolio should be carefully considered in the event of a loss. Even policies that you might not expect to provide coverage could be responsive to the claim. Notice should be provided to any potentially applicable policies, and any coverage denials should be given scrutiny by someone with coverage experience on your side of the issue.

Finally, be aware of the recent endorsements being offered by the Insurance Services Office ("ISO"). The industry is unlikely to admit that prior traditional policy forms are unclear in any way, but ISO has obtained approval in almost every state for a series of endorsements that seek to expressly exclude any coverage for cyber liability under traditional policy forms. Courts will need to interpret these endorsements over time, but policyholders should be given an opportunity to have a complete understanding of their impact before agreeing to add them to their policies. If presented with anything that looks like an exclusionary endorsement, ask questions of your insurance professional.


The takeaway here is that cyber liability can no longer be ignored. Insurance coverage for this threat is an important part of any risk management plan. If your business has not yet suffered a loss, consider protection for the future. If you have suffered a loss, determine what protection you may already have and consider strengthening your cyber coverage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Cards Stolen in Target Breach Flood Underground Markets. 

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.


Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?


Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’ cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.

A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to the shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.
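The common point-of-purchase analysis described above, sketched as an added example (it is not code from the article or from either bank): rank merchants by how much more often the known-compromised cards used them than the whole card portfolio did, then list the other cards that were exposed at the top merchant inside the same window. The card tokens, merchant names, dates and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card token, merchant, purchase date). Tokens stand
# in for card numbers; merchants and dates are invented for this example.
TRANSACTIONS = [
    ("card-01", "BigBox Retail", date(2013, 11, 29)),
    ("card-01", "Corner Grocery", date(2013, 12, 2)),
    ("card-02", "BigBox Retail", date(2013, 12, 5)),
    ("card-02", "Corner Grocery", date(2013, 12, 6)),
    ("card-03", "BigBox Retail", date(2013, 12, 15)),
    ("card-03", "Fuel Stop", date(2013, 12, 1)),
    ("card-04", "BigBox Retail", date(2013, 12, 10)),  # exposed, not yet seen for sale
    ("card-04", "Fuel Stop", date(2013, 12, 11)),
    ("card-05", "Corner Grocery", date(2013, 12, 3)),
    ("card-06", "Corner Grocery", date(2013, 12, 4)),
    ("card-06", "Fuel Stop", date(2013, 12, 9)),
    ("card-07", "BigBox Retail", date(2013, 10, 2)),   # same merchant, before the window
    ("card-07", "Corner Grocery", date(2013, 12, 8)),
    ("card-08", "Fuel Stop", date(2013, 12, 12)),
]
# Cards the issuer has confirmed as compromised (for example, bought back).
KNOWN_COMPROMISED = {"card-01", "card-02", "card-03"}


def common_points_of_purchase(transactions, compromised, lookback_start):
    """Rank merchants as candidate common points of purchase.

    coverage: share of compromised cards seen at the merchant since lookback_start
    baseline: share of the whole portfolio seen there in the same period
    lift:     coverage / baseline; a merchant everyone uses scores near 1
    window:   first and last purchase there by a compromised card
    """
    all_cards = {card for card, _, _ in transactions}
    users = defaultdict(set)        # merchant -> every card seen there
    hit_dates = defaultdict(list)   # merchant -> dates of compromised-card purchases
    for card, merchant, day in transactions:
        if day < lookback_start:
            continue
        users[merchant].add(card)
        if card in compromised:
            hit_dates[merchant].append(day)

    ranked = []
    for merchant, cards in users.items():
        hits = cards & compromised
        if not hits:
            continue
        coverage = len(hits) / len(compromised)
        baseline = len(cards) / len(all_cards)
        ranked.append({
            "merchant": merchant,
            "coverage": coverage,
            "baseline": baseline,
            "lift": coverage / baseline,
            "window": (min(hit_dates[merchant]), max(hit_dates[merchant])),
        })
    ranked.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return ranked


def cards_at_risk(transactions, merchant, window, compromised):
    """Cards used at the merchant inside the window but not yet confirmed stolen."""
    start, end = window
    return sorted({
        card for card, seen_at, day in transactions
        if seen_at == merchant and start <= day <= end and card not in compromised
    })


if __name__ == "__main__":
    ranked = common_points_of_purchase(TRANSACTIONS, KNOWN_COMPROMISED, date(2013, 11, 1))
    for row in ranked:
        print(f'{row["merchant"]:15} coverage={row["coverage"]:.2f} '
              f'baseline={row["baseline"]:.2f} lift={row["lift"]:.2f}')
    top = ranked[0]
    print("re-issue candidates:",
          cards_at_risk(TRANSACTIONS, top["merchant"], top["window"], KNOWN_COMPROMISED))
```

The second function is the step the small bank faced next: deciding which cards that were used at the common merchant during the window should be proactively canceled and re-issued.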

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three-digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they possess the legitimate, physical card for the corresponding account that is being used to fund the online purchase.

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

Exclusive: More well-known U.S. retailers victims of cyber attacks - sources - Reuters

18/01/2014 17:57

BOSTON/WASHINGTON Sun Jan 12, 2014 4:26pm EST

(Reuters) - Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.

Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks. Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.

The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches.

Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.

Only one well-known retailer, Neiman Marcus, has said that they too have been victim of a cyber attack since Target's December 19 disclosure that some 40 million payment card numbers had been stolen in a cyber attack. On Friday, Target said the data breach was worse than initially thought.

An investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Neiman Marcus said it was not sure if the breach was related to the Target incident.

Most states have laws that require companies to contact customers when certain personal information is compromised. In many cases the task of notification falls on the credit card issuer.

Merchants are required to report breaches of personal information including social security numbers. It was not immediately clear if that was the case with the retailers who were attacked around the same time as Target.

The Secret Service and Department of Justice, which are investigating the Target breach, declined to comment on Saturday.


Target has not disclosed how the attackers managed to breach its network or siphon off some of its most sensitive data.

The sources who spoke to Reuters about the breaches said that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from Target and other retailers.

One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said.

While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.

Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.

The alerts, published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them.

A Visa spokeswoman declined comment on the reports, which did not identify specific victims.

It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked.

Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.

That is because the attackers were more sophisticated than the ones in the previous attacks described in the Visa alerts, according to the source. The source asked not to be identified because they were not authorized to discuss the matter publicly.


Retailers are often reluctant to report breaches out of concern it could hurt their businesses. Target only acknowledged its 2013 attack after security blogger Brian Krebs reported the breach, prompting inquiries from journalists and investors.

Neiman Marcus said an outside forensics firm discovered evidence on January 1 that indicated the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer.

Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers.

During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C. Penney.

Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.

"It is really frustrating to the bank and also the customer," Johnson said.

One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.

Target spokeswoman Molly Snyder said the retailer is not commenting on the company's investigation of the breach.

"This continues to be an active and ongoing investigation. It would be inappropriate to discuss details at this point."

Avivah Litan, a security analyst for Stamford, Connecticut-based Gartner information technology research firm, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.

"Target was not the only retailer who got hit, but they got hit the biggest," Litan said.

Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.

Chris Gray, director of Denver, Colorado-based Accuvant information security firm's risk and compliance practice, said that sophisticated cyber crime groups do that because they only have one chance to get it right before victims catch on.

"You want to test it and make sure it works," Gray said. "Then you push it out at the appropriate time and do as much damage as you can."


(Reporting by Jim Finkle in Boston and Mark Hosenball in Washington; Editing by Grant McCool)




Target hack strips banks and credit unions of $200M. By Dara Kerr

23/02/2014 20:09

The widespread security breach reportedly compromised 40 million credit and debit cards, which are costing banks a pretty penny to reissue.


Not only were as many as 110 million Target customers affected by the massive hack on the retailer in December, but banks have also had to deal with the security breach.

The hack is said to have cost banks and credit unions more than $200 million, according to data gathered by the Consumer Bankers Association and the Credit Union National Association. Originally, the two associations estimated that losses tallied around $178 million but now say those costs are rising.

In all, 40 million credit and debit cards were compromised in the breach. So far, banks and credit unions have replaced 54.5 percent, or 21.8 million cards. The cost to banks could increase if additional fraudulent activity occurs with the compromised cards.

The security breach, which yielded the personal information of an estimated 110 million customers, was first identified on December 15. Apparently, cybercriminals accessed customers' private information at point-of-sale terminals during checkout.

Target said the breach occurred between November 27 and December 15 and resulted in the theft of names, mailing addresses, phone numbers, e-mail addresses, and debit and credit card data of people who shopped at the retailer during those dates.

Working to gain consumer confidence in the aftermath of the breach, Target has offered affected customers one year of free credit monitoring and begun development of high-security smart credit cards embedded with microprocessor chips. According to a report earlier this month, the retailer is said to be paying up to $420 million to cover such costs associated with the breach.



Insurance Questions, Lawsuits Arise in Wake of Target’s Data Breach - By Young Ha

U.S. retail giant Target Corp. is busy dealing with the aftermath of the massive data breach that exposed account details of some 40 million credit and debit cards.

Already, at least two lawsuits seeking class-action status have been filed against Target. And attorneys general from New York, Massachusetts and Connecticut have contacted the retailer seeking more information about the breach and the steps being taken by Target to protect consumers.

In New York, the state’s Attorney General Eric Schneiderman said there are already reported incidents of identity theft affecting New York consumers.

And according to media reports, these stolen consumer data are already flooding the black market. Credit and debit card accounts stolen from Target’s data breach are being sold on underground black markets for anywhere from $20 to more than $100 per card, reports KrebsOnSecurity, a security news website.

In such data breach cases, there are several policies that are important for the companies to look at as possible insurance coverages to be triggered, according to attorneys who spoke with Insurance Journal.

Target declined to comment on an inquiry regarding its insurance coverage. But attorneys observed many companies are purchasing insurance coverages to protect against such data breaches.

“A lot of companies are purchasing specialized cyber insurance policies so those have to be examined,” said Joshua Gold, a New York-based attorney and shareholder at law firm Anderson Kill. Gold regularly represents corporate policyholders in insurance coverage matters. Such cyber insurance can be tailored to cover a wide range of expenses, even costs for forensic accounting, credit monitoring, crisis management, notification and setting up call centers to respond to consumer inquiries.

There could also be some measure of protection under traditional policies like the commercial general liability policy, even though finding coverage under traditional policies may be getting increasingly challenging as the industry continues to add data breach-related exclusions. Most recently, Insurance Services Office Inc. (ISO) this year filed data breach exclusion endorsements for its standard-form primary and excess/umbrella commercial general liability policies, to be effective next May.

Commenting on a California lawsuit seeking class-action status, William Um, a policyholder counsel at Hunton & Williams in Los Angeles, said there are allegations that there was a violation of privacy rights. “And those traditional general liability policies will provide that type of coverage and at least trigger the carrier’s duty to defend in that instance,” he said. In the lawsuit, a Target customer in California has alleged invasion of privacy and negligence. (A copy of the complaint is shown at the end of the article.)

“Obviously you need to be mindful of exclusions that are out there. But I would say this falls within the personal injury line of coverage under a general liability policy,” said attorney Um, who has handled a variety of insurance coverage disputes involving class actions, data breach and privacy issues, directors’ and officers’ liability, and other matters. He is not involved in the Target lawsuit.

And based on allegations in the California lawsuit, there is also a potential for coverage under a directors’ and officers’ policy, the attorney said. He observed that the lawsuit appears to include allegations about Target’s failure to act and allegations of “wrongful acts” that would be covered under traditional D&O entity coverages.

In such data breach cases, crime insurance is another possible place to look, attorney Gold added. “We represented a retailer some time ago and they had a computer hacking breach. We were able to get their insurance coverage for them under a crime policy,” he said.

Defense Costs

As Target grapples with the aftermath of the massive data breach, the retailer could face a lot of expenses incurred for defense costs, Um said. “I think that’s going to be the biggest cost out there because you are going to hire lawyers to defend the lawsuits, and you are going to have to have lawyers out there assisting with the appropriate notifications and responses,” he said.

One question, the attorney said, is whether the plaintiffs in Target lawsuits can manage to overcome what has been difficult in the past — namely, alleging actual compensable damage and getting over the hurdle of showing that individuals have been harmed beyond just their personal information being out in the public.

Um also noted how quickly these lawsuits are getting filed after such incidents occur and how sophisticated the lawsuits have become. He said the California lawsuit was filed on the same day that the media outlets began reporting the data breach.

The lawsuit in California, which was filed in federal court in San Francisco, tries to allege as much damage as possible and with broader allegations, Um said. The lawsuit makes very broad allegations about specific negligent acts on the part of Target, he said.

Technology-Related Claims

Attorney Gold from Anderson Kill also said technology-related insurance claims tend to receive added scrutiny.

“It’s hard to say how each claim is going to be handled because it really does depend upon what insurance policies the policyholder has in place, the circumstances of the loss, and lots of other factors,” he said. But technology-related claims tend to draw added scrutiny from insurance companies, and the more serious the claim, the tougher the insurer could get in paying it, he said.

Gold said he and his firm had cases for policyholders where cyber-specific language was included in more traditional insurance policies. In terms of the newer, standalone cyber coverages, fights have mostly been “behind the scene” so far, he said.

“I am only aware of one case that’s been litigated involving an actual cyber policy where the insurance company is denying coverage and the policyholder and the insurance company ended up in litigation. I don’t think there has been any meaningful case yet,” Gold said.

Gold also commented on some of the data breach-related insurance cases he has handled in the past. In one case, there was an argument that the data stolen was confidential information and therefore was subject to a policy exclusion.

In another case, an insurer argued that the policyholder’s cyber losses did not directly result from a hacking incident. “So we had a whole fight over what the phrase ‘directly resulting from’ meant in the context of an insurance policy,” he said. “And we obviously didn’t agree with the insurance company’s position, nor did the court. But we still had to go through a very long legal battle over that.”

In yet another case, “a big fight” arose over whether forged wire transfer instructions were covered under a financial institution crime policy, Gold said. “We finally got the insurance company to pay the claim. But these exclusions can get so technical,” he said. “That’s why we always recommend that policyholders really try and understand the insurance policy language that they are going to buy.”

Gold advised, “If you see some fine print in your insurance policy that you can’t understand, it’s much better to try to deal with those issues when you are actually in the process of purchasing the policy, versus having to fight about them later when you have a claim.”

He also offered some general advice for companies that suffer a data security breach. First, companies should start the forensic accounting process right away to ensure the damage is not more widespread than was initially known and to fix whatever security holes may exist or were exploited by hackers.

Second, companies should do everything they can to comply with state notification laws regarding data breaches, he said.

Third, companies should make sure to give notice to every potentially applicable insurance company. “One thing that can happen is that people understandably are very focused on dealing with the immediate underlying exposure and that is certainly something that is important,” Gold said. “But companies also have to remember they’ve got all kinds of insurance policies that they may need to put on notice.”

“So when in doubt, they should give notice under every potentially applicable policy,” Gold said.

He explained that there is usually very little problem in withdrawing a claim if it turns out the coverage belongs under one policy rather than another. But, on the other hand, if the policyholder gets it wrong and doesn’t give notice under a policy that later turns out to provide meaningful coverage, it could be costly for the policyholder. “Lots of insurance companies will argue that somehow the late notice prejudiced them and somehow void or reduce the insurance coverage that they would otherwise have,” he said.

And if there is an initial denial or some type of reservation from the carrier, the policyholder shouldn’t just accept it, attorney Um said. “Don’t accept the initial denial…[policyholders should] push back,” he said, “and on a going-forward basis, think about these risks as you get into negotiations about policy renewals and the type of policies you want to take a look at.”

Below is a copy of a complaint against Target, filed in the U.S. District Court, Northern District of California: Kirk et al. v. Target Corp., case no. cv 13 5885.



Target Data Breach Highlights Importance Of Insuring Cyber Risks

While cyber risks are sometimes thought of as "online" or Internet risks, a massive information theft recently occurred at Target's brick-and-mortar stores when customers swiped cards and entered PINs while making in-store purchases. On December 19, 2013, Target disclosed that it was the victim of a serious data breach from at least November 27 to December 15 of 2013. More than 40 million debit and credit card numbers were stolen. Hackers stole customer names, card numbers, card expiration dates, the embedded codes on the magnetic strips on the backs of cards, and in some cases PINs for debit cards used at Target.


The card information has reportedly already begun to flood the black market, selling for between $20 and $100 per card. Target has stated that it will offer free credit monitoring services to affected customers.


Specialized cyber risk insurance policies may cover liabilities like those that have inevitably already begun to arise from Target's data breach. Such policies can cover a company's costs of notifying customers of a data breach, offering credit monitoring services, and defense costs and damages for any resulting lawsuits. They may also cover any data or systems lost or destroyed as a result of a hack. Some policies may also cover any resulting loss of revenue, or even damage to a company's reputation following a data breach. Investigations by government agencies targeted at the victim company, such as the Federal Trade Commission or state regulators, may also be covered under cyber risk policies or under a company's comprehensive general liability (CGL) insurance policies.


It is critically important, however, for companies suffering losses like these to position themselves to receive the most coverage. Providing notice to all implicated insurers as soon as practicable, evaluating all available insurance policies, coordinating defense counsel, and communicating with insurers to provide relevant information, are all issues that arise early and must be dealt with swiftly and skillfully to maximize coverage.

Other types of insurance may also come into play. About 40 lawsuits have already been filed against Target. At least one alleges, among other things, that the stolen information constitutes an invasion of privacy. Most CGL policies provide coverage for "personal and advertising injury," which is generally defined to include invasion of privacy claims.


The shareholder lawsuits that usually follow an event like a data breach, alleging wrongdoing by a company's leadership, may also implicate directors' and officers' (D&O) coverage. Some D&O policies, generally those purchased by privately held companies, may also provide "entity" or company coverage for a loss like a data breach as well.

Companies should ensure that their insurance policies are tailored to their specific needs and risks. Having appropriate coverage in place, and seeking guidance from experienced coverage counsel to maximize the funds available, can provide crucial support at a critical time in the event of a cyberattack. Additionally, retaining counsel familiar with navigating cybersecurity issues is essential, both to proactively avoid the risks associated with data breaches and to minimize the impact of an attack after it has occurred.
