
WHAT HAPPENED TO TARGET COULD HAPPEN TO YOU: DATA BREACHES AND WHAT EVERY CALIFORNIA COMPANY SHOULD KNOW

Data breaches have been the top story in the news in recent months, and while many California companies have taken steps to bolster their network security, most business owners are not aware that they must comply with specific notification and reporting requirements (i.e., California Civil Code § 1798.82) if a breach occurs. Even fewer businesses are aware that they can purchase insurance to protect themselves against many of these cyber risks.

From November 27, 2013 to December 15, 2013, the Minneapolis-based mega-retailer Target Corp. was the victim of one of the largest cyber-data security breaches in U.S. corporate history. Over the course of the now infamous 20-day security breach, it was initially thought that 40 million customers of the chain's U.S. stores had their names, card numbers and security codes obtained by hackers, allowing for fraudulent charges. More recently, however, Target has said it fears that hackers lifted personal information – including names, addresses, e-mail addresses and phone numbers – for 70 million customers. While there may be some overlap, it is suspected that 110 million customers were affected by the data breach, which now includes information taken regarding customers who have not shopped at Target recently, but whose information was stored in company databases.

Over the past weeks, Target's general counsel and team of corporate attorneys have been working feverishly to manage the fears and concerns of the public (and several states' Attorneys General). Concurrently, Target hired third-party forensic experts to work with federal authorities to determine the cause of the massive breach of consumer information.

Undoubtedly, Target will pay tens of millions of dollars (possibly hundreds of millions) to law firms, forensic experts, public relations firms, and customers before it will be able to put this ordeal in its corporate "rear view mirror." In addition, Target will sustain a hit in consumer confidence which it will need to regain in the coming years.

Importantly, Target is not alone: it was recently reported that luxury retailer Neiman Marcus was also the victim of a "criminal cyber-security intrusion" involving customers' credit cards and data. In fact, Reuters reported that smaller breaches at no fewer than three other well-known U.S. retailers took place and were conducted using techniques similar to those used against Target. Law enforcement sources have said they suspect the ringleaders of these data breaches are from Eastern Europe, which is where most big cyber-crime cases have been hatched over the past decade.

Target's data breach should be a wake-up call for all businesses, large and small, to re-examine their electronic data security systems, to investigate whether they are adequately covered for data breaches through insurance and to brush up on the disclosure and notice requirements set forth in California should a cyber-security or data breach occur.

Data breaches can cost companies millions of dollars per incident in direct costs, such as notifying victims. One study in 2011 found that breaches cost on average $214 per compromised record. In addition, the public relations fallout from the data breach can be significant. Corporate reputations can suffer tremendously, resulting in the loss of customers.

As a result of the Target data breach, the Senate introduced a new bill on January 16, 2014 intended to improve safeguards for consumer information, to obligate companies to have policies and procedures in place to protect consumer data from hackers, and to require businesses to investigate breaches and further secure data targeted by hackers. California's legislature has long been at the forefront of privacy protection laws. In fact, on September 27, 2013, California Governor Jerry Brown signed into law amendments to California's data breach notification law (California Civil Code § 1798.82) and the California Online Privacy Protection Act ("CalOPPA"). Both amendments went into effect on January 1, 2014.

If you are a person, business, or state agency that does business in California and owns or licenses computerized data that includes personal information (e.g., names, SSNs, credit card or debit card information, addresses, telephone numbers, driver's license or state identification card numbers, insurance policy numbers, medical information, or a user name or email address used in combination with a password that would permit access to an online account or website), you must do the following if an unauthorized acquisition of computerized data or a data security breach occurs:

  • Disclose the breach of data security following discovery or notification of the breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • The disclosure must be made in the most expedient manner possible and without unreasonable delay (consistent with the needs of law enforcement).
  • The notice must be written in plain language and include:
      ◦ The name and contact information of the reporting person or business giving notice;
      ◦ A list of the types of personal information that were or are reasonably believed to have been the subject of the breach;
      ◦ If known, the date of the breach, the estimated time of the breach or the date range within which the breach occurred;
      ◦ Whether there was a delay in notification due to a law enforcement investigation;
      ◦ A general description of the breach incident;
      ◦ The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach involved a social security number, driver's license or California identification card number; and
      ◦ At the discretion of the reporting person or business, information regarding what steps the person or business has taken to protect individuals whose information has been breached and advice on steps that the person whose information has been breached may take to protect himself or herself.
  • If the reporting person or business is required to notify more than 500 California residents, the entity must electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the Attorney General.
  • If the reporting person or business maintains computerized data that includes personal information that the entity does not own, the reporting person or business must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

In addition to understanding what must be done under the law when data breaches occur, smart companies look to protect themselves before breaches occur. After all, in the data security business, there is a phrase: "There are organizations that have breaches and know it, and there are organizations that have breaches and don't know it – yet."

In addition to bolstering encryption software, servers and security firewalls, insurance policies can be obtained to further protect persons and companies against data breaches. The types of insurance policies that typically cover data breaches include:

  • The Personal Injury portion of an existing Commercial General Liability policy;
  • A stand-alone Cyber policy (typically providing the broadest coverage);
  • Professional Errors and Omissions policies; and
  • Media Liability policies, some of which offer coverage for cyber risks.

Coverages fall into three general categories:

  1. Liability – Protection for the insured company should it be sued for negligence leading to a security breach. Coverage includes taking care of defense and settlement costs related to corporate liability for the failure to properly care for private data.
  2. Remediation – Coverage for response costs following a data breach, including investigation, public relations, customer notification and credit monitoring.
  3. Fines and/or Penalties – While not typically provided, some carriers and policies cover the cost to investigate, defend and settle fines and penalties that may be assessed by a regulator.

Some carriers specify the types of data covered, while others provide general coverage for data breaches. Specific types of data covered by insurance include, but are not limited to:

  • An individual's personally identifiable information;
  • Nonpublic data, such as corporate information; and
  • Non-electronic data, such as paper records and printouts.

Smart California companies, large and small, should take stock of the lessons learned by Target and other retailers hit by cyber theft and data breaches during the recent holiday season. Knowing what to do when a data breach occurs and having insurance and other protections in place to address these inevitable breaches may be the difference between carrying forward and closing up shop.

Should you or your company sustain a data breach, we recommend that you consult with counsel knowledgeable in privacy law, cyber risks and the insurance products affording coverage for such claims. Mr. Little is a seasoned litigator handling complex commercial litigation matters and advises clients on various forms of insurance, including general liability, errors and omissions, directors and officers, and employment practices liability coverage.
