Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of the just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers who it said have been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of if, and not when, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.