Who Pays for Security Breaches

By: The National Association of Convenience & Fuel Retailing, June 2014

WASHINGTON – With data breaches on the rise and seemingly no end to the damage that a breach can do to an organization, the issue of who pays is heating up. At the same time that NACS and a coalition of retailers have challenged the National Association of Federal Credit Unions’ call to shift greater liability for breaches to retailers, an insurer has petitioned a court to find that it’s not required to defend Michaels against a bevy of class action lawsuits resulting from a breach.

Safety National, which issued a commercial general liability insurance policy to Michaels, told a U.S. District Court in Texas last week that it shouldn’t be required to defend Michaels in the breach cases because those lawsuits don’t seek payout for the bodily injury or property damages that the policy covers, according to an article in SC Magazine.

The insurer notes that “at least four class action lawsuits” have been filed against the retailer claiming Michaels didn’t adequately protect customer data and asking for damages for the denial of privacy protections, unauthorized charges and bank fees incurred, identity theft costs, and other costs. In turn, Michaels petitioned that “Safety National provide [it] with a defense” against those claims, according to court documents.

The issue of who pays and how much will grow increasingly important as companies struggle to mitigate the financial damage done by a breach. SC Magazine cites a report by the Ponemon Institute, stating that the average cost of a data breach is $3.5 million. But as Target’s December breach proves, organizations often don’t have a firm fix on just how much a breach might cost. In fact, associated costs can ripple out for months, even years.

While financial institutions have routinely eaten the costs of fraudulent charges resulting from a breach, the wind is beginning to shift, with growing support for putting the onus on retailers.

In SC Magazine’s 2014 Data Breach Survey, 36 percent of respondents favored national legislation that places the burden on the company, not the banks, to cover fraud-related costs — 32 percent opposed the measure.