In a long-fought dispute about who bears the costs of its massive 2013 data breach, Target has prevailed on one key claim over its insurers. As part of settling the costs of the breach with several banks, Target paid to replace millions of credit and debit cards that were compromised in the data breach. Target sought to pass that cost on to its insurer, which denied coverage. Nearly a decade later, the insurer has been ordered to pay the cost under policy language that covered a "loss of use" of tangible property. Because the cards exposed by the data breach could not be used anymore, the court held that Target's policy should cover the costs to replace them.
Why It Matters
There are no laws about who covers the costs of a data breach. In this case, Target, the banks that issued the compromised cards, individual shoppers, and the insurers have all been part of the years-long effort to apportion the losses. This multi-million-dollar problem was caused when hackers penetrated Target's environment thanks to credentials stolen from Target's HVAC vendor. The complexity, length, and cost of this case should be instructive to any company about best practices in vendor contract/security management, insurance planning, and shoring up the company's own cyber defenses.
Had this breach occurred today, it would have had an added layer of cost and complexity: allegations of privacy violations under recent state privacy laws, which likely would have compounded the losses. And cyber and privacy risks do not apply only to large companies: that HVAC vendor would be squarely in the cross-hairs today. Fighting in court over whose fault a breach was -- and who should pay to cover the myriad losses that can result -- is expensive and disruptive. Prevention and planning are far cheaper, and they are no longer just the province of retail and global brands.