Target acknowledged Thursday that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.
It is considered the largest credit card breach in the U.S. since the one discovered in 2007 involving retailer T.J. Maxx and roughly 45 million card users.
This massive breach is a wake-up call for organizations to take a better look at what types of security they have in place, and what types of training their employees are going through.
Already, at least two lawsuits seeking class-action status have been filed against Target. And attorneys general from New York, Massachusetts, and Connecticut have contacted the retailer seeking more information about the breach and the steps being taken by Target to protect consumers.
And according to media reports, the stolen consumer data is already flooding the black market. Credit and debit card accounts stolen in Target’s data breach are being sold on underground markets for anywhere from $20 to more than $100 per card, reports KrebsOnSecurity, a security news website.
In data breach cases like this one, several policies are important for companies to examine as insurance coverage that could be triggered, according to attorneys who spoke with Insurance Journal.
Target declined to comment on an inquiry regarding its insurance coverage. But attorneys observed many companies are purchasing insurance coverages to protect against such data breaches.
“A lot of companies are purchasing specialized cyber insurance policies so those have to be examined,” said Joshua Gold, a New York-based attorney and shareholder at law firm Anderson Kill. Gold regularly represents corporate policyholders in insurance coverage matters. Such cyber insurance can be tailored to cover a wide range of expenses, even costs for forensic accounting, credit monitoring, crisis management, notification and setting up call centers to respond to consumer inquiries.
There could also be some measure of protection under traditional policies like the commercial general liability policy, even though finding coverage under traditional policies may be getting increasingly challenging as the industry continues to add data breach-related exclusions. Most recently, Insurance Services Office Inc. (ISO) filed data breach exclusion endorsements this year for its standard-form primary and excess/umbrella commercial general liability policies, to be effective next May. http://www.insurancejournal.com/news/national/2013/12/22/315222.htm
According to a 2012 Cyber Claim Study, the most frequently breached sectors are healthcare and financial services. The average cost per breach was $3.7 million, with the majority devoted to legal damages. http://www.netdiligence.com/files/CyberClaimsStudy-2012sh.pdf