Target Data Breach Insurance Case Study - By Christine Marciano

20/12/2013 21:59

Target was targeted by data thieves starting on Black Friday during the most busiest holiday shopping season of the year (between Nov. 27 and Dec.15). It seems that data thieves did some shopping themselves for about 40,000,000 credit and debit cards. With 1,797 stores in the U.S. and another 124 in Canada, the Target data breach is proof in itself that these types of data breaches are getting more sophisticated and targeted.

Now with up to 40,000,000 customers to notify, Target could face a huge bill just in notification letters alone, not including credit monitoring costs and potential legal defense and settlement costs. Though according to the Target data breach notification letter on its website, it does not appear that they’re currently offering credit monitoring just yet. With 2014 just around the corner, the Target data breach has surpassed the recent Adobe data breach (38,000,000 individuals) and will surely go down as one of the biggest data breaches of 2013 and perhaps one of the most expensive.

How did the breach happen?
While the data theft did not happen online, it happened in the physical Target locations. Based on  news reports, data thieves tampered with the (POS) point-of-sale systems that customers use at checkout registers to swipe their credit or debit cards when making purchases and gained access to the data that is stored on the magnetic stripe on the back of credit and debit cards.

What was stolen in the data breach?
The data affected in the breach included customer names, credit or debit card numbers, expiration dates and CVV security codes, according to a notice posted for customers on the Target website.

Are you a Target Shopper? 
If you shopped at Target during November 27th through Dec. 15th, Target has animportant notice with comprehensive and important steps you should take to protect yourself against potential misuse of your credit and debit card information.

Potential Credit and Debit Card Fraud is now a factor for those 40,000,000 individuals affected in the Target Data Breach

Data thieves now have access to the magnetic strips found on the back of the stolen credit and debit cards and can use that data to encode that information on a counterfeit card. This allows criminals to sell the cards in batches or use the cloned cards at retailers to purchase goods.

Though when it comes to the debit card numbers that were stolen, from my understanding it may be a bit more difficult for criminals to use, as fortunately the PIN is not on the card — it is encrypted (hidden in code) in a database. According to this source, the PIN can be either in the bank’s computers in an encrypted form (as a cipher) or encrypted on the card itself. The transformation used in this type of cryptography is called one-way. This means that it’s easy to compute a cipher given the bank’s key and the customer’s PIN, but not computationally feasible to obtain the plain-text PIN from the cipher, even if the key is known. This feature was designed to protect the cardholder from being impersonated by someone who has access to the bank’s computer files. However, if there’s a chance that the PINs can be intercepted then victims are indeed at risk for fraudulent ATM cash withdrawals.

What are Target’s Risks Due to this Data Breach?

The Target data breach involves many issues, such as stolen customer credit card and debit card numbers, reputational damage, legal and PR issues, potential legal liability for fraudulent charges, regulatory fines, POS network security failure, potential drop in share price and will impact its P&L reports.

Playing the Devil’s Advocate as it Relates to the SEC’s CF Disclosure Guidance

While this data breach was not reported as being cyber related, it does involve network information security failure of the POS system and the question on my mind is whether or not Target will disclose this data breach in its Form 10-K filing.  As the SEC asks its registrants to disclose the risk of cyber (though in this instance, this is what I’m questioning) incidents along with actual cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.  A POS system does indeed connect to a computer (“cyber”) network.  As the SEC states in its CF Disclosure Guidance, ‘cyber’ incidents can result from deliberate attacks or unintentional events. The SEC continues with, “We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security…..” Needless to say the Target data breach has many similarities to a cyber (or “computer”) security breach and clearly in this case it was a POS security breach – isn’t that “cyber” related? Let me know what you think on Twitter:

Cyber Data/Breach Insurance Helps to Mitigate the Costs of Security Failure Incidents 

While its unknown if Target has cyber/data breach insurance, we explain below how data breach insurance coverage could help respond to the Target data breach/cyber attack.

Cyber/data breach insurance coverage could help Target:

  • hire a computer forensics investigator to determine how the breach occurred and what data was exposed,
  • hire a data privacy attorney to help navigate the various U.S. State (and international) data privacy laws,
  • send notification letters to the affected customers,
  • offer a one-year credit monitoring service to the customers affected as well as a dedicated call center to answer any customer questions,
  • hire a public relations firm to help with the media,
  • pay for customer damages due to identity theft as well as defense costs in the event there’s a lawsuit due to their data breach and
  • pay for privacy regulatory defense and where insurable by state law, regulatory fines and penalties.

According to the Ponemon 2013 Cost of Data Breach Study, the average cost of a breached record is $188. This means that based on the 40,000,000 Target customers that had their credit and debit card numbers stolen, the total cost amounts to $752,400,000. Putting that amount aside for a moment, the cost just to mail notification letters to the 40,000,000 customers affected is $18,480,000. These amounts, needless to say are significant. However, for a company such as Target these amounts as significant as they may be will not force Target out of business even if they don’t have a cyber/data breach insurance policy. However, when Target reports its annual earnings next year it will be interesting to see if this data breach will impact their profits and most likely it will.

Data Breaches Happen Daily and are Not Going to End

Just this month alone, there have been at least three healthcare data breaches as we wrote about them in an earlier blog article. While Target may be able to survive the impact it will see from the potential huge costs it will incur from this data breach, this may not be the case with other businesses or organizations who may not have the financial ability to sustain such significant costs that occur when a data breach happens. (Read Big Data Collection Means Bigger and More Expensive Data Breaches.)

Cyber/data breach insurance can help businesses and organizations in significant ways when a data breach happens, as mentioned above. A cyber/data breach insurance policy just may be what keeps businesses and organizations from closing their doors due to their inability to financially sustain the high associated costs of a data breach. Contact us today to learn how your business or organization can proactively plan ahead for data breach costs.