Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.^[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”^[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).^[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.^[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.^[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.^[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.^[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.^[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.^[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.^[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:^[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”^[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.

---

_{[1] See, e.g., First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).}

_{[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).}

_{[3] See, e.g., Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).}

_{[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.}

_[7] Id.

_{[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.}

_{[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).}

_{[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.}

_{[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.}

_{[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

ARTICLE BY

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.^[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”^[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).^[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.^[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.^[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.^[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.^[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.^[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.^[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.^[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:^[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”^[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.

---

_{[1] See, e.g., First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).}

_{[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).}

_{[3] See, e.g., Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).}

_{[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.}

_[7] Id.

_{[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.}

_{[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).}

_{[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.}

_{[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.}

_{[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

ARTICLE BY

ARTICLE BY

ARTICLE BY

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis1 the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014)2. Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered. (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See, Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council.

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks“), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, were stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

ARTICLE BY

Article By: