Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach incident. In the wake of any significant breach involving payment cards, such as the Target breach, retailors and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors— claims from financial institutions seeking to recover their losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data protection statutes, and purported non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA, and Discover, seeking substantial fines, penalties, and assessments for purported PCI DSS non-compliance.
These potential sources of liability can eclipse other sources of liability. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement, as did TJZ’s prior $24 million card issuer settlement.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed as to any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. To the extent the litigation proceeds, the Amended Class Action Complaint filed in the Target consolidated financial institution cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]
Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including, but certainly not limited to, commercial general liability insurance (CGL), which most companies have in place, in addition to specialty cybersecurity/data privacy insurance and other types of insurance.
Here are 5 steps for securing coverage for data breach and PCI DSS-related liability:
Step 1: Look to CGL Coverage
Coverage A: “Property Damage” Coverage
Payment card issuers typically seek damages because of the necessity to replace payment cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees, and the like. By way of illustration, the Amended Class Action Complaint in the Target financial institution litigation alleges as follows:
The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes, but is not limited to, sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts, and the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]
The financial institution class in the Target litigation further alleges that “Plaintiffs and the FI [financial institution] Class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]
These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of… ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any… civil proceeding in which damages because of… ‘property damage’… are alleged.”[12]
Importantly, the key term “property damage” is defined to include—not just “[p]hysical injury to tangible property”—but also “[l]oss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:
17. “Property damage” means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.[13]
Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the Amended Class Action Complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.
These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]
Coverage B: “Personal and Advertising Injury” Coverage
There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any… civil proceeding in which damages because of… ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]
The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include the offense of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]
Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach insurance coverage litigation recently ruled against coverage...
