MY TAKE: Target settlement likely to make cyber insurance much more costly

By Byron V. Acohido

The liability exposure for businesses that collect and store sensitive data—and the insurance carriers that provide those businesses with cyber liability coverage—just got more complicated and burdensome.

Last week U.S. District Judge Paul Magnuson gave a cadre of smaller financial institutions a green light to collectively seek damages from Target in connection with the massive 2013 data breach, in which the giant retailer lost sensitive data for 110 million people.

By certifying class-action status for Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain, Magnuson opened the door for the firms to move forward with litigation seeking damages of $30 million—the cost of reissuing 25,000 payment cards.


This case ultimately could result in a rich settlement for the banks—and mounting financial pain for Target. Last month, the giant retailer agreed to participate with Visa in reimbursing Visa member banks up to $67 million to cover similar losses. And Target is attempting to reach a similar settlement, in the neighborhood of at least $19 million, with MasterCard member banks.

A game-changer for IT and cyber insurance

What’s more, this latest ruling in the Target lawsuit is also sending shockwaves through the corporate defense and cyber insurance communities, says Joe Salpietro, cyber claims manager at IDT911, which sponsors ThirdCertainty.

“This decision speaks directly to the amount of uncertainty that exists and will cause a wave throughout the insurance industry,” Salpietro says. “It will certainly result in an increase in current reserves with the assumption of larger future settlements.”

According to The New York Times, Target held $100 million in cyber liability coverage, with a $10 million deductible at the time of its breach, and had been turned away by at least one insurer when it tried to acquire more cyber insurance.

The Target lawsuit, and others like it, ultimately will impact how much businesses must set aside in reserves to cover damages associated with a cyber attack, and how much insurance companies will charge for cyber liability policies.

The principals in the thick of this dynamic are the retailers, media companies and health care organizations making headlines when forced to disclose massive data breaches—and the insurance companies that sold them cyber liability policies.

“I would assume the Target ruling will probably be appealed, thus we have not seen the final result,” Salpietro says. “But it will certainly cause cyber insurance carriers to rethink their current strategy and consider settlements going forward.”

Breaches take toll on finances

Each multimillion-dollar settlement—and each legal precedent favoring plaintiffs—reinforces the notion that companies and their cyber insurance carriers should not be surprised to be hit by serious financial ramifications in cases where ineffective security practices enable a massive data breach.

This rising exposure has only intensified since hackers plundered Target’s databases for a period of several months in 2013.

“Information collection and data mining has become more sophisticated and ubiquitous as public- and private-sector organizations manifest an unquenchable thirst to crawl into every nook and cranny of our lives,” observes Adam Levin, chairman and co-founder of Credit.com and IDT911. “And with the geometric growth of Internet of Things devices and the sensornet, our attackable surface increases.”

Meanwhile, business practices and contract case law that evolved over the course of the Industrial Age are proving to be increasingly inadequate in the Information Age.

Target, for instance, was in full compliance with the Payment Card Industry Data Security Standard (PCI DSS)—the rules imposed on merchants by Visa and MasterCard for secure sales transaction data. And the retailer had spent a small fortune on cutting-edge network intrusion detection technology, including FireEye malware detection sandboxes that flagged the intruders. But the bad guys got to Target’s data anyway.

Not so clear who is liable

The legal liability and risk mitigation debates now taking place in lawyers’ offices, boardrooms and courtrooms are part of an unfolding process to determine who should be held most accountable for protecting sensitive data. Judge Magnuson’s ruling, for the moment, tilts the responsibility toward the organization that collects and stores the data.

Kevin Foisy, STEALTHbits co-founder and chief software architect

“If a construction company leaves a hole in the ground and someone falls in it, there’s liability due to negligence, and litigation follows,” observes Kevin Foisy, co-founder and chief software architect at STEALTHbits. “But if they put a barrier around the hole and a vandal removes it through the night, who is at fault?

“If the defendant can prove under cross-examination that they took all reasonable precautions to avoid a breach, but were nevertheless breached, then perhaps the court will rule in favor of the defendant,” Foisy continues. “In my experience, though, most organizations still think of security as a typical IT cost center, and IT costs are always minimized.”

Security and insurance experts are monitoring the Target lawsuit to see if it might be a tipping point. Post-Target breach, more corporations are at least more aware of cyber exposures. But elevating security to a mission-critical component of daily operations is, for many organizations, still a ways off.

“Given all the breaches of the last year, it’s hard to believe that business executives have not shifted their thinking on IT security,” Foisy says. “Breach protection is a cutting-edge skill set. Most IT staff are simply not equipped to make use of these tools to actually detect and prevent breaches.

“Executives put blind trust in their IT staff, and in many cases the IT staff don’t know what they don’t know,” Foisy says. “They believe they’re covered until they’re not and they convince executives of the same. Big monetary penalties might shift the executive mind-set into a greater state of awareness, but expect it to be a very slow shift.”

(This article also appeared in ThirdCertainty.com)

Three-part series on cyber insurance:
Not all cyber insurance is created equal: Tips for businesses shopping for coverage
Despite barriers, cyber insurance catches on in key sectors
Cyber insurance rises to meet increasing security challenges
