Target Sues Insurer Over 2013 Data Breach CostsLawsuit Claims Insurer Owes Retailer for Coverage of Card Replacement Costs
Target has filed a lawsuit against its long-time insurer, ACE American Insurance Co., in an attempt to recoup money it spent to replace payment cards as part of settlements over the retailer's massive 2013 data breach.
See Also: HIPAA Audits: A Revised Game Plan
The lawsuit, filed Nov. 15 in U.S. District Court in Minnesota, claims the insurer owes Target approximately $74 million for coverage of its costs for replacing payment cards.
The Target breach resulted in the compromise of payment card details for 41 million customers and the exposure of contact information for more than 60 million. The security incident sparked several lawsuits as well as federal and state investigations .
In May 2016, Target settled a class action lawsuit brought by several banks that issued new payment cards to the retailer's customers, according to the retailer's lawsuit. Target says it paid $138 million to settle these claims and cover attorneys' fees.
"We believe the costs are covered within the scope of the insurance policy Target has with ACE and are focused on resolving the outstanding claim."
After that class action lawsuit was settled, Target filed a claim with several of its insurance companies to recoup those costs. While some of its insurers picked up parts of those costs, Target claims in its lawsuit that ACE rejected the company's claims that its insurance policy covered the cost of replacing those payments cards.
In its lawsuit, Target argues that its general liability policy with ACE covers property damage that includes "loss of tangible property that is not physically injured." This, according to Target's lawsuit, includes the replacement of those payment cards because they were "damaged" by the 2013 and could no longer be used.
"ACE has refused to acknowledge coverage for the payment card claims and has further disregarded its contractual obligation to indemnify Target for the settlement payments relating to the payment card claims," according to the lawsuit. "ACE has improperly refused to indemnify Target for settlement payments falling within its aggregate coverage layer."
Philadelphia-based ACE American Insurance, which is owned by Chubb Corp., declined to comment on the lawsuit.
A Target spokesperson told Information Security Media Group that the company had been negotiating with ACE for a year over this issue before deciding to file the lawsuit in federal court earlier this month. "We believe the costs are covered within the scope of the insurance policy Target has with ACE and are focused on resolving the outstanding claim," the Target spokesperson says.
Following the 2013 breach, Target was hit by several lawsuits, which blamed the company and its security policies for allowing attackers to skim customer data from point-of-sale devices infected with malware.
An investigation by several state attorneys general found that in November 2013, the attackers were able to access Target's gateway server through credentials stolen from a third-party HVAC vendor that the company used. From there, skimmer malware was installed on point-of-sale devices, according to those investigations.
In one of the lawsuits stemming from the breach, several banks and financial institutions sued Target to recoup their cost of replacing the payment cards that were exposed. Target eventually settled a class action lawsuit with one group of banks for approximately $58 million, and the retailer then reached confidential settlements with Visa, MasterCard, American Express, Discover and several other banks related to the replacement of payment cards, according to the retailer's lawsuit.
Target has reported that it faced $292 million in breach-related expenses and has received about $90 million in reimbursements from insurance companies so far, according to the Star Tribune newspaper in Minneapolis, home of the retailer's headquarters.
Insurance and Cybersecurity
The massive Target breach spurred a series of investigations by federal and state authorities that led to several changes at the company regarding its cybersecurity policies.
In recent years, however, other breaches have surpassed the incident at Target, including the 2013 breach at Yahoo that exposed 3 billion users' accounts; the 2017 breach at Equifax that exposed over 147 million records; and the 2018 breach involving Marriott, which led to 339 million accounts being compromised.
As more data breaches have come to light over the past six years, victimized companies have asked the courts to weigh in over what breach-related expenses insurance policies should cover.
One of the most significant cases being watched right now involves snack food company Mondelez International, which sustained severe losses in 2017 after its systems were infected with the NotPetya ransomware. Mondelez executives believed the company's insurer, Zurich Insurance, would cover the costs; the company and the insurer are now arguing over that issue in court.
Steve Durbin, the managing director of the Information Security Forum, notes: "Cyber insurance is still in its infancy, and it is perhaps not surprising that courts are now being asked to rule on situations such as that between Target and its insurer. Insurance policies are traditionally written around past precedent. And in such a fast moving environment as cyber, I expect to continue to see such cases arising where courts will be asked to set precedent in the absence of historical reference points."
Most companies, however don't rely on their general liability policies to cover data breach expenses, says Todd Rowe, an attorney with Tressler LLP of Chicago who specializes in insurance and privacy issues.
"With all the breaches that have happened since Target, a lot has changed and you don't see these scenarios any more that involve general liability polices," Rowe tells ISMG. "Even if companies have to physically replace credit cards, these issues would be covered under a cyber insurance policy these days."