The Target Breach: Show me the insurance

By Richard Bortnick on January 10, 2014

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply? And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: cyber, privacy and technology (CPT); general liability; crime/fidelity; and directors and officers liability policies.

Initially, it can be assumed that Target has asked its CPT insurers to cover some or all of its costs, including: crisis management expenses incurred in connection with a forensic investigation, consumer notification, public relations, the reissuance of credit/debit cards, and credit monitoring or other consumer protections; third-party expense, including those attendant to the defense (and possible resolution) of privacy suits and regulatory actions; PCI fines and penalties; and first-party loss such as lost income, reputational and brand damage, and data restoration.

Target also will likely seek personal injury coverage under general liability insurance policies, advocating that the theft of consumers’ financial information constitutes the “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

To date, the overwhelming majority of insurance coverage disputes arising from CPT incidents involve policyholders’ efforts to pigeonhole the loss of third-party financial, personal and/or healthcare information into personal injury coverage.

Some courts have agreed; some have not. What is certain is that such coverage disputes will continue to mount as incidents like this proliferate.

We can expect Target to also pursue crime/fidelity coverage, which potentially applies to direct loss from the theft of money, securities, and other “tangible” property.

Some policies of this genre insure against the loss of covered property (including money and securities) resulting from “computer fraud” as well as the costs incurred to restore or replace certain data or programs which have become lost because of a virus or vandalism.

At present, the public reports surrounding the Target breach do not necessarily appear to implicate crime/fidelity coverage, but we should know more as the investigation and analyses evolve.

Finally, potentially the biggest area of concern for Target and its insurers is the securities fraud/breach of fiduciary duty realm, which potentially implicates Target’s D&O coverage.

Up until 2012, the 2008 Heartland cyber breach stood alone as the only reported D&O/cyber-related lawsuit. In that case, a United States District Court dismissed the shareholders’ Section 10(b)-5 suit on a motion to dismiss. In turn, over the last 18 months, D&O/cyber class action lawsuits have been filed against a number of companies, including News Corp. and Stratfor.

In short, a cyber breach not only impacts those individuals whose personal information is compromised, it has a potential residual effect on shareholders and insurers.

And, like the rapidly evolving advances in technology, questions about whether consumers have suffered actual damage and, if so, who – if anyone – should compensate them aren’t going away.

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and a contributing author for the Cyber Risk Network. He was previously a shareholder in the law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.