
What the Schnucks Judgment Means for Insurers


By Eduard Goodman

Schnucks, the grocery chain based in the Midwest, is mostly off the hook for a data breach that hit 2.4 million customers a few years back. But the case still provides an object lesson for insurers going forward.

Schnucks and its customers were victimized over a three-month period in late 2012 and early 2013, when malicious code inserted into the grocer’s point-of-sale systems resulted in data from credit and debit cards being stolen from 79 stores.

The impacted customers filed a class-action lawsuit against Schnucks, and the company eventually settled that case for $2.1 million. Unfortunately, Schnucks was forced into a separate fight after its card processor and bank seized an undisclosed (but substantial) amount of money from its accounts as a result of the breach. These institutions claimed the right to these payment card breach-related penalties under their contract with Schnucks and via secondary payment card operating agreements put out by the various card brands. Schnucks argued that its damages and amount due under these agreements should be capped by the terms of the documents. Recently, a federal judge agreed, capping Schnucks’ liability at $500,000.

Key takeaways for insurers

There are two main points insurers should understand about this case and its potential implications:

1.  Contractual liability exclusions are a must-have safety net for carriers unless carriers are looking to subsidize the payment card industry. With the exception of specialized stand-alone endorsements and carriers that specifically cover these payment card-related costs, carriers need to be aware that poorly worded fines and penalties language meant to cover government-related fines could be misconstrued by crafty legal counsel in an attempt to obtain coverage for these situations.


2.  But while liability in the form of consumer class actions for card breaches is typically very low, the assessments or other forms of penalties due to the processors, banks and card companies remain wide open. In many cases, the assessments that result from a breach event will simply be taken from the retail company's coffers. In looking at the Schnucks situation, it’s clear that very few protections exist for the breached organizations.

What’s to come

The Schnucks lawsuit ruling becomes downright concerning for insurers when taking into account a breach landscape filled with events that are truly colossal in scale. From experience we have seen much smaller payment card breaches involving much smaller entities and population classes result in large assessments by the card companies.

Prudent insurers may consider reaching out to clients and networking with industry peers to get a sense of how widespread payment of these assessments might be, especially by smaller and midsized businesses who experience card breaches.

While breaches of every type, size and scope are destined to be a regular occurrence for years to come, the dark nuances of payment card breaches and the payment card industry’s ‘internal’ enforcement mechanisms need to be further explored by insurers who may be covering these risks, whether knowingly or unknowingly.

Eduard Goodman is chief privacy officer at IDT911.

