
Insurers petition, retail group complaint, raise specter of who pays for breach

With data breaches on the rise and seemingly no end to the damage a breach can do to an organization, the issue of who pays has heated up. An insurer has petitioned a court to find that it is not required to defend Michaels against a bevy of class action lawsuits resulting from a breach, and a retail group is challenging a credit union association's call to shift greater liability for breaches to retailers.

Safety National, which issued a commercial general liability insurance policy to Michaels, told a U.S. District Court in Texas Wednesday that it shouldn't be required to defend Michaels in the breach cases because those lawsuits don't seek payout for bodily injury or property damages that the policy covers.

The insurer notes that “at least four class action lawsuits” have been filed against the retailer, claiming Michaels didn't adequately protect customer data, such as credit and debit card information, and asking for damages for the denial of privacy protections, unauthorized charges and bank fees incurred, identity theft costs and other costs.

In turn, Michaels petitioned that “Safety National provide [it] with a defense” against those claims, according to court documents.

In documents filed with the court, the insurance provider said Michaels had requested that it provide the retailer with “a defense in the Consolidated Class Action and seeks coverage from Safety National under the Policy for the claims asserted in the Consolidated Class Action.” The insurer said it had informed Michaels “there is no coverage under the Policy for the claims asserted in the class action lawsuits, based upon information provided and available to Safety National.” Wednesday's filing asked the court for relief.

The issue of who pays and how much will grow increasingly important as companies struggle to mitigate the financial damage done by a breach. According to the Ponemon Institute, the average cost of a data breach is $3.5 million. But as Target's December breach proves, organizations often don't have a firm fix on just how much a breach might cost. In fact, associated costs can ripple out for months, even years.

In the past, financial institutions have routinely eaten the costs of fraudulent charges resulting from a breach, but the wind is beginning to shift there, too, as a groundswell of support has grown in favor of putting the onus on retailers.

In SC Magazine's 2014 Data Breach Survey, 36 percent of respondents favored national legislation that places the burden on the company, not the banks, to cover fraud-related costs — 32 percent opposed the measure. 

Earlier this week, the National Association of Convenience Stores took issue with a call by the National Association of Federal Credit Unions for Congress to pass legislation that would shift liability to retailers, according to a report by The Hill.

In a letter to members of Congress Tuesday, Lyle Beckwith, NACS's senior vice president, claimed that “Financial institutions do not reimburse retailers for fraud costs retailers incurred when the financial institutions suffer data breaches” and don't “object to getting paid for these costs twice.”

Beckwith pins part of the blame for breach damage on the “fraud-prone” cards — lacking more secure chip and PIN technology — that financial institutions routinely issue, a practice that, he wrote, “directly contradicts our shared interest in improving data security.”
