Schnucks' Insurer Drops Breach Lawsuit
Case Highlights Need for Cyber-Insurance
An insurance company has dropped its lawsuit filed in an attempt to avoid covering damages suffered in the breach that affected the Schnuck Markets Inc. grocery store chain.
Now, Schnucks says it is working with its insurer, Liberty Mutual Insurance Co., to reach a settlement outside the court. But one legal expert says this case should serve as a warning that insurance companies are increasingly pursuing legal action to avoid paying for losses linked to data breaches. The case is another indicator that companies need cyber-insurance, he says.
Meanwhile, Schnucks still faces eight other breach-related lawsuits, including a class-action suit filed in April. All of these suits seek damages for fraud losses linked to the estimated 2.4 million debit and credit cards that were compromised after Schnucks' POS network was attacked by a unique strain of malware, according to court records.
Schnucks traced card compromises back to 79 of its 100 retail locations, the Liberty Mutual complaint notes.
In August, Liberty Mutual filed a complaint for declaratory judgment, asking a Missouri District Court to determine its obligation to cover breach-related damages, as well as financial losses suffered by Schnucks as a result of its breach.
In the complaint, Liberty Mutual argued it was not obligated to provide indemnity to Schnucks for costs related to the breach because coverage for those losses was not included in Schnucks' insurance policy. But just weeks later, the insurance company filed for a voluntary dismissal of the case, according to court records. On Oct. 1, the case was terminated.
Lori Willis, spokeswoman for Schnucks, would not release any details about the dismissed litigation. She acknowledged that Liberty Mutual and Schnucks have agreed to discuss alternatives to litigation. Liberty Mutual's attorney, Matthew Hendricks, did not respond to Information Security Media Group's request for comment about the company's voluntary dismissal of the case.
Necessity for Cyber Insurance
Dan Mitchell, the attorney who represented fraud victim PATCO Construction Inc. in its federal appeal of an account-takeover ruling, says Liberty Mutual's actions are reflective of a growing trend in cyber-security litigation.
More insurance companies are seeking declaratory judgments for claims filed by breached businesses, says Mitchell, who works for the Maine-based law firm Bernstein Shur. At the heart of these disputes is determining where the line should be drawn between data losses and damage to tangible property, Mitchell says.
"From a procedural perspective, it's actually pretty straightforward," he says. "This is a whole area of the law that deals with insurance and companies that have general liability policies."
These insurance policies provide coverage when physical property is damaged, Mitchell says. But questions come up when the damages are linked to data compromises, he says.
"There has been a fight going on for several years now about whether damage to data is the same as damage to property," Mitchell says. "These policies have been around a long time; data breaches are not specifically mentioned in these policies. So the legal question becomes, 'Is damage to data equal to physical injury to tangible property?' And the insurance companies say, 'No.'"
This is why a new subcategory of cyber-insurance policies has cropped up in the last few years, he adds.
"But cyber-liability insurance is still unusual for companies to have," he says. "It's an emerging market in the insurance field, and these policies are all over the board, as far as what they cover."
Cyber-insurance is still in its infancy, which has created confusion for both insurers and the companies that are insured, Mitchell says (see Debating the Maturity of Cyber-Insurance).
Liberty Mutual's dismissal of the suit definitely benefits Schnucks, Mitchell says, because the insurer probably would have had a viable argument for not paying damages claimed by Schnucks as a result of the breach.
But the case should serve as a warning to other breached entities that are relying on standard insurance policies to protect them when damages are sought after a cyber-security breach, Mitchell explains.
"Insurance policies are not completely standardized, and companies that don't have cyber-insurance are going to find out the hard way that they probably aren't covered."
More suits between insurance companies and the companies they insure can be expected, Mitchell says. "My guess is that there are probably a fair number of these types of disputes going on around the country; this one just got more attention."