During the holiday season, Bullseye, a big box retailer, was the victim of a cyber attack that compromised the credit and debit card information (including PIN and CVV codes) of nearly 40 million of its customers. The attack immediately spawned dozens of class action lawsuits against Bullseye by customers, alleging that the retailer was negligent in protecting their financial information. What liability does Bullseye face, and what can be done to mitigate that exposure?

It’s been said that businesses fall into two categories: those that have already suffered a cyber attack and those that will. Cyber attacks are coming with increasing frequency and across all sizes of businesses. (In fact, small and medium-sized businesses may be most at risk, as they present an easier target due to less sophisticated security.) The cyber attack against Bullseye will invite lawsuits alleging generally that it failed to use reasonable measures to properly secure customer information and that it failed to promptly notify customers of the breach. Lawsuits may also be filed against Bullseye’s officers, directors and IT professionals alleging breaches of fiduciary duty and fraud. Despite the unappealing prospect of having to defend against lawsuits, Bullseye’s liability to customers will probably be minimal. As described in last month’s blog post, Lost or Stolen: Liability for Unauthorized Credit Card Charges, the actual damages suffered by customers are usually nominal. However, Bullseye’s liability to credit card companies and financial institutions in connection with fraudulent purchases, refunds, reissuance of cards, etc. will be significant.

There is very little legal guidance on what constitutes negligence and reasonable care in the area of cyber security. The Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006, represents the closest thing to a cyber security standard. The PCI DSS, which was created by the major credit card companies, is a set of requirements designed to ensure that all businesses that process, store or transmit credit card information maintain a secure environment. The PCI DSS applies to all businesses, organizations and merchants regardless of size or number of transactions processed. However, the PCI DSS has created four merchant levels with increasing security requirements based upon VISA transaction volume over a 12-month period. Whether or not Bullseye is ultimately held liable may depend on whether it is found to have complied with the PCI DSS and whether, for example, it had sufficient safeguards in place should a vendor’s access to its computer network become compromised.

(The stolen credentials of an HVAC vendor with access to Target’s portal were apparently the cause of its massive December 2013 cyber breach.) With respect to customer notification, 46 states have passed laws requiring customer disclosure by businesses (both public and private), but the laws vary in terms of when and how notice must be given, and most states allow for delays to investigate the intrusion. There is currently no federal standard delineating when a business must report a data breach.

In an effort to mitigate losses associated with data security breaches, businesses that handle sensitive customer financial information should consider purchasing cyber liability insurance. These policies can be an effective tool to control the significant expenses associated with a breach (e.g. notification costs, regulatory compliance, lawsuit defense and judgments). Due to an increasing amount of competition and a lack of standardization, the terms in cyber liability policies are usually highly negotiable.