The news from Target just gets worse and worse. Now the company has disclosed that more than 70 million customers were impacted by the breach (up from their initial estimate of 40 million), and that hackers also took customer information including names, addresses, phone numbers, and email addresses. Target had first denied that PIN and CVV codes were also exposed in this breach. Target’s subsequent admission concerning the PIN and CVV codes surprised Payment Card Industry (PCI) experts as it would be a violation of PCI Data Security Standards (PCI-DSS) to store such information.
Sources in the insurance industry have confirmed that Target purchases a cyber liability insurance program. The size of the program has not been made public, but chances are, the limits are not enough given the magnitude of this breach.
There are multiple data breach calculators available online, many of them powered by NetDiligence. Plugging in the basic facts of this breach quickly gets you to estimated breach costs exceeding $1 billion. To be sure, however, some of these numbers are wild guesses – such as the cost to settle or resolve class action litigation (nearly 50 lawsuits have been filed so far).
But even the basic costs, such as printing and mailing letters to 70 million customers, paying for a year of credit monitoring, and reimbursing the banks for fraudulent charges and the reissuance of credit cards, will easily reach several hundred million dollars. Then there is the cost of the extensive forensic investigation, and the legal fees in responding to the multitude of regulatory investigations that have already been launched.
Also to be considered is the impact on Target’s investors. On CNBC this morning, analysts were discussing the impact on Target’s sales, noting that the company had already revised EPS guidance downward, citing the breach’s impact on sales. CNBC commentators speculated that the massive costs of this breach could impact Target’s flexibility going forward, including their ability to pay dividends or make new capital expenditures.
That kind of impact has the potential to draw shareholder litigation. If that happens, Target will most certainly be a significant test case for the SEC’s October 2011 guidance on cyber liability disclosure (discussed here). Target’s most recent 10-K, filed in February 2013, does include cyber liability among its risk factors:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.
A significant disruption in our computer systems could adversely affect our operations.
We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.
If Target’s shareholders decide to bring litigation against Target’s directors and officers, these two risk factors will be the center of their defense. Effectively, Target will argue that they thoroughly warned shareholders that a cyber security incident would have a material impact on their operations. The SEC’s guidance suggests that companies’ disclosure should consider (1) the “probability of cyber incidents occurring” and (2) “the quantitative and qualitative magnitude of those risks.” Do these risk factors rise to that level? Only time – and likely, more expensive litigation – will tell.
Interested in learning more about cyber security and liability issues? Join us on February 4th in San Francisco or January 29th in Portland, Oregon for our Cyber Liability and Network Security seminars! Invitations with further information are below: