So far the focus of the Target data breach has been on its scope, how it may have happened, Target’s response and the various types of financial havoc that it could cause for the nation’s second largest retailer. But no doubt it won’t be long before insurance coverage becomes a front-and-center issue. It would be hard to imagine insurance coverage not having a place at the table for such large-scale and out-of-the-blue losses. Think of insurance coverage as the tortoise in his race with the hare. After all the dust settles, insurance sometimes emerges as the most important issue.
What types of insurance does Target have and how much? Business Insurance reported that the company has at least $90 million of cyber insurance that sits over a self-insured retention of $10 million. BI also reported that Target has $55 million of directors and officers coverage that kicks in after a $10 million SIR. The sources for this report were well-placed in the industry and requested anonymity. It is not often that insurance news stories read in such cloak and dagger terms.
Target’s SEC filings indicate that, as you might suspect for a company of this type, it is self-insured for general liability insurance (and workers’ compensation) and then employs stop loss coverage. The amount of self-insurance for GL is not indicated. However, it appears to be a large number. A public filing indicates that the workers’ compensation and general liability accrual was $627 million and $646 million at February 2, 2013 and January 28, 2012, respectively.
The coverage issues that arise under D&O insurance, for shareholder suits, are well tested. Much less is known about how any general liability and cyber coverage may respond to various claims filed against Target.
In general, when it comes to the potential for general liability coverage, for a data breach, the question is whether there has been “personal and advertising injury,” which is defined, in part, as the offense of an oral or written publication, in any manner, of material that violates a person’s right of privacy. Data breach + personal information being revealed = no surprise that attempts will be made to obtain coverage, for such losses, under a provision that addresses violation of the right of privacy. However, at some point this issue may be minimized as Insurance Services Office, Inc. does not believe that such cyber claims should be covered under a commercial general liability policy. To that end, ISO recently filed data breach exclusions for certain of its policies. Putting aside some different formats, a CGL exclusion (with a May 2014 date) has been filed titled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exception.”
Coincidentally, right as the Target story was in full gear, a Connecticut appeals court issued an opinion that addressed the potential for general liability coverage for a loss of personal information. In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. 34716 (Conn. App. Ct. Jan. 14, 2014) the court addressed whether a data breach case constituted a publication of material, that violates a person’s right to privacy, under the following wacky facts.
Recall entered into a records storage agreement with IBM. Recall agreed to transport and store various IBM electronic media and records. Recall subcontracted transportation services for the work to Ex Log. In February 2007, Ex Log dispatched a van to transport IBM computer tapes offsite from an IBM facility. During the transport, a cart containing the tapes fell out of the back of the van near a highway exit ramp. Before Ex Log realized what happened, approximately 130 of the tapes had been removed from the roadside by an unknown person and have never been recovered. The tapes contained personal identification information for approximately 500,000 past and present IBM employees, including social security numbers, birthdates and contact information. The tapes apparently were of such a type that they could not be read by personal computers or other machines accessible to the average person.
Putting aside how the claims arose, the court held: “On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief . . . . . As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.” (emphasis in the original).
What does the case mean? This is how my colleague Josh Mooney answered that question in his newsletter “The Coverage Inkwell,” which addresses emerging coverage issues in intellectual property, privacy and cyber liability:
“On the one hand, the holding in Recall Total is somewhat limited by its facts. Because there was no evidence that the information on the IBM tapes had been accessed, the court held that there was no ‘publication,’ no matter the meaning of the term. In most data breach cases, however, there is evidence that someone accessed the stolen data, either by means of hacking or with the assistance of an inside company employee. Thus, for many cases, Recall Total may be distinguished on its facts.
On the other hand, the case highlights problems with the meaning of publication. For instance, the trial court employed the meaning of publication as used in the tort of defamation. The ‘publication’ element in a right of privacy/publicity given to private life tort, however, is much more stringent. Most states, following the Restatement, require a dissemination of the information to the public at large or to so many people that it is substantially certain that the information will become generally known. The appellate court never seemed to consider such a stringent requirement; although, it did not have to because of the unique facts of the case.
Nevertheless, some may choose to characterize this case as one requiring a very low threshold for the ‘publication’ element of ‘personal and advertising injury’ in the context of a data breach claim. Given the paucity of published data breach coverage cases, this decision may get more attention than it merits.”
Not surprisingly, policyholder counsel see Recall Total as supporting general liability coverage for a data breach, despite the court’s actual decision in the case. Roberta Anderson of K&L Gates, writing in a client alert (that was picked up by The Wall Street Journal) described the decision like this: “Although the insureds in the Recall case did not hit the coverage bulls-eye, in contrast to the facts in that case, there is no doubt that there has been a ‘publication’ of the data of those individuals impacted by the Target data breach. Under Recall, therefore, and numerous other cases, the ‘personal injury’ coverage presumably would be triggered by the facts in connection with the Target breach. Where there has been a ‘publication’ (an undefined term in CGL policies that courts have construed broadly in favor of coverage), numerous courts have upheld coverage for data breaches and other privacy related claims.”
Cyber coverage is also a relatively untested area for a data breach. Target’s $90 million of such coverage may provide a test of how such policies (which are manuscript and differ widely in what’s offered and how they are drafted) respond.
But the biggest insurance story to come out of the Target situation is likely to be the insurance industry’s ability to use the Target data breach to demonstrate the need for companies to have cyber liability coverage. For the past few years some insurers have been placing a lot of emphasis on their cyber insurance policies. Has there been a big take-up rate? Nobody knows that for sure. However, The Wall Street Journal recently reported that only 31% of respondents to a research center’s survey had insurance to specifically protect against a data breach. [And that number seems high to me.] Insurers that have been marketing cyber policies can thank Target (and Neiman Marcus) for the immeasurable free advertising that the companies’ data breaches have provided to them in this effort. If the take-up rate for cyber policies is low, even after such well-publicized breaches, then perhaps there is not as wide a market for the coverage as some believe (at least not yet).