Breaking News – Target and Trustwave Sued
Source:Yahoo News via Reuters, March 26, 2014
A lawsuit was filed Monday, March 24, 2014 against the national retailer and the security auditor firm that Target outsourced its data security protection to seeking more than $1 billion in damages, as a result of the now famous breach of 40 million Target consumers over the 2013 holiday shopping season.
The complaint accuses the defendants of negligence for their failure to adequately prevent exposure to consumer data through appropriate security controls. The plaintiffs in this case are Trustmark National Bank and Green Bank N.A. who are seeking the damages as reimbursement for their financial loss from customer notification, reissuance of credit and debit cards, and payment for fraudulent charges.
While Target is already facing dozens of other lawsuits around the country, totaling 5 million in damages, this lawsuit hopes to be representative of a class action suit that could seek up to $18 billion in damages for banks and retailers combined. If those types of damages are claimed and awarded in a class action, this could become a nail in Target’s coffin.
In reading the story, I was not as fascinated by the amount of the damages being sought as I was by the emerging details of the lawsuit. Apparently, a report on Tuesday which was issued for a Senate committee hearing claims that Target “missed a number of opportunities” to prevent this breach from occurring. The retail giant knew as early as 2007 that its systems were vulnerable according to the lawsuit, resisting making the necessary improvement due to cost, resulting in the outsourcing of its data security to Trustwave.
The complaint further alleges that despite advertising its expertise in Payment Card Industry (PCI) compliance, Trustwave did not bring Target to PCI compliant standards, and that they found “no vulnerabilities” as late as September 20, 2013, a little over 2 months prior to the beginning of the breach event.
Payment Card Industry Standards- What Is That?
PCI standards are a set of security standards which were developed by the payment card industry to protect card information during and after a financial transaction. Compliance with these standards is required by all of the major credit card companies. A failure to comply with these standards can result in significant fines and/or penalties assessed against the merchant.
Although the set of security standards established is too lengthy to detail in today’s article (request these at email@example.com), there are 6 main requirements a vendor must do to be compliant:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain and follow an information security policy
Cyber Liability Insurance and its Impact
Cyber Liability Insurance is readily available in today’s marketplace, but the coverage remains very different from carrier to carrier. Among the common coverages provided are notification costs, legal/defense expenses, customer support and credit monitoring, and crisis management expenses. Lesser known coverage components are as important as the common coverage parts, but these are not always offered by every carrier. For Cyber Insurance, choosing the right program is much more important than with any other insurance that is purchased. The coverage stakes are too high.
One of these unique coverage components is PCI/DSS Fines and Penalties coverage.
This provides the Insured coverage for a written demand received by the Insured from its bank or a card association for a monetary assessment of a penalty or fine due to the Insured’s non-compliance with PCI security standards. When provided, the coverage is a sublimit of the aggregate, and subject to a higher retention as well.
This would be an important coverage part for Target unders its policy, but would likely be limited in the overall limit available for claims. PCI coverage is important to all entities doing credit card transactions of any kind.
A hard lesson has been learned by Target, and as a result, taught to all the rest of us. Network security and Privacy Breach is no picnic, and even the slightest lack of attention can result in devastating consequences. Choose a Cyber policy today, and choose wisely. The money you save up front may be the difference in how much money it costs you when a claim occurs. With Cyber, it eventually will, and for the uninsured, it will be too late.