E&O Exposure: Lessons From Minnesota

Like the North Star State, others will make retailers liable for data breach costs

By Ted Doolittle

As we are reminded all too frequently, safeguarding customer data remains a huge challenge. Whose heart hasn't skipped a beat with each headline blaring, "Another Data Breach At Retailer" compromising consumers' very personal information?

The General Accounting Office counted over 570 reported breaches in 2005 and 2006. Yet despite the frequency, there is still no uniform federal law mandating consumer notification or assigning liability with respect to such violations.

A number of states, frustrated with the absence of leadership on this issue in Washington, are taking action. To date, more than 35 states have passed post-breach notification laws.

Though standards and triggers vary from state to state, there is one constant when a breach takes place: customers must be notified.

While this is clearly a positive development for consumers, it may not be so great for retailers. The mandate to go public with breach events heightens susceptibility to lawsuits, at the same time raising interest in network security and privacy insurance.

The vast and well-publicized "mega-breach" at TJ Maxx, which an investigation concluded was the consequence of its failure to upgrade its data-encryption system, has become a rallying cry, a call to action, sparking states to adopt privacy legislation.

Nowhere has the call been heeded more than in Minnesota, which passed the "Plastic Card Security Act" by an overwhelming majority in May 2007. The law places the onus squarely on the retailer, imposing liability on merchants or retailers for the costs associated with data breaches.

Similar legislation has surfaced or is surfacing in several other states, including California, Connecticut, Illinois, Massachusetts and Texas.

MINNESOTA'S STANDARD

The Minnesota law goes beyond notification–it deals with data retention, plus just what data a retailer may or may not store and for how long.

As of August 1, merchants with customers in Minnesota may not keep so-called "Track II data." Track II data refers to customer and account information stored on a credit card's magnetic stripe, chip, or elsewhere.

Also, PIN (personal identification number) information must disappear 48 hours after the time of transaction.

As of Aug. 1, 2008, merchants will be strictly liable to financial institutions for losses incurred where the merchant violated data retention policy. Thus, even if the retailer unintentionally stores and compromises the data, it will still be liable to the banks.

As part of the legislation, banks may recover the cost:

o Of any damages which financial institutions may pay to cardholders

o Of notification

o To cancel and/or reissue the cards

o To close an account or to stop payments or transactions

o Of refunds or credits due as a result of the breach

The new Minnesota law essentially codifies elements of the "Payment Card Industry Data Security Standard" (PCI DSS). These standards, which were created by the major companies in the credit card industry, serve as uniform best practices. And these standards carry weight: the banking industry ties provisions in its business contracts to PCI standards, and many credit card companies require merchants to meet the PCI standards in order to process their payments.

Visa has instituted incentives ($20 million worth) to reward banks whose merchants are PCI compliant. And as of Aug. 31, 2007, noncompliant banks will be fined, beginning at $5,000 per month. For those institutions which are still not compliant in 2008, there will be fines of up to $25,000 per month.

Last year, Visa imposed over $4 million in fines including those for banks that failed to ensure merchants were meeting the security standards. Failing to prove compliance in the latter half of 2007 could make 2008 fines even higher.

What's more, new initiatives to create federal legislation encompassing uniform data security standards are underway.

FACING NEW EXPOSURES

Even adherence to changing standards doesn't necessarily mean retailers can relax. Current and proposed legislation, along with self-regulation in the credit card industry, creates new exposures.

Certainly, policies address this type of exposure; however, the spectrum of errors and omissions insurance coverage for privacy, network security, cyber-liability, etc. can be daunting.

While insurers are flexible and provide only those coverage pieces companies are interested in, insureds need to talk with their brokers and insurance underwriters about the nature of their coverage.

Here are three of the most immediate questions insureds should be asking:

1. How do I trigger my policy, and do I need to wait until I am sued before I can access my policy?

2. Will my policy contribute to my defense and to any insurable fines and penalties that may arise from governmental actions?

3. Will my policy contribute to my defense and to any insurable fines and penalties levied by self-regulating bodies and standards, such as Visa and PCI DSS?

State legislatures and the movement toward strict liability for violating data retention policies drive the need for risk transfer alternatives in the E&O market. Solutions for this type of transfer already exist, and they are broader and less expensive than ever before.

But caveat emptor, let the buyer beware. Because every organization is unique, policy forms will necessarily vary greatly in coverage and trigger points.

To craft the appropriate coverage, it takes veteran expertise plus day-in and day-out attention to the insured's business and to fresh developments in the E&O marketplace.

Take a lesson from the good people of Minnesota and the 35 other state legislatures who are following suit–retailers and other merchants will face liability charges if and when data security breaks down.

Seek assurance your organization's E&O coverage is adequate and appropriate in light of existing and emerging exposures.

Ted Doolittle is the Global E&O Practice Leader at Carpenter Moore in San Francisco. He may be reached at ted.doolittle@nasdaq.com.
