client data protection Archives

Analysis of Target Decision that Loss-of-Use Damages Included Card Replacement Costs Post-Data Breach | By Joshua Mooney, Judy Selby, and Tracey Kline | Kennedys Law

April 27th, 2022|Categories: Cyber Risk Litigation, Emerging Litigation & Risk, HB Emerging Law Notes, HB Risk Notes, Journal on Emerging Issues in Litigation, New Featured Post for Home Page|Tags: client data protection, corporate data, cyber insurance; cyber risk management; cyber hacking; data breach; university cyber attack; reverse underwriting, data breach, data insurance, emerging litigation, hb litigation, kennedys law, litigation articles, Target breach|

A Significant Deviation: Target v. Ace Finds Loss-of-Use Damages Included Post-Breach Card Replacement Analysis On March 22, 2022, the United States District Court for the District of Minnesota ruled that two ACE insurers were obligated to indemnify Target Corporation (“Target”) for the amounts it paid to settle claims related to replacement of payment cards impacted in a data breach, vacating an earlier decision in which the court found that Target was not entitled to coverage. Target Corp. v. ACE Am. Ins. Co., No. 19-CV-2916 (WMW/DTS), 2022 WL 848095 (D. Minn. Mar. 22, 2022), vacating 517 F. Supp. 3d 798 (D. Minn. 2021). The new decision deviates from how other courts have evaluated general liability coverage for damages because of “loss of use of tangible property that is not physically injured.” Insurers would do well to take notice. Background In 2013, Target was the victim of a massive data breach that occurred after hackers installed malicious software on its computer network, which enabled them to steal the payment card data and personal contact information of an estimated 110 million individuals with Target payment cards (the “Data Breach”). Multiple lawsuits were brought against Target, including suits by financial institutions (the “Issuing Banks”) that had issued debit and credit cards (the “Payment Cards”) affected by the Data Breach. The Issuing Banks filed class action [...]

The New York Privacy Act Would Allow Direct Action

The New York Privacy Act, introduced last month by state Sen. Kevin Thomas, advocates for consumer agency over their personal data and would give New Yorkers the right to sue companies directly for privacy violations. Thomas wants companies to put customer data protection ahead of their budgetary and business goals. The bill summary reads: "Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared; creates a special account to fund a new office of privacy and data protection." "Fiduciaries, like an attorney or a doctor, hold onto your information. They don't share it, unless there is a need for the purpose for which they collected it,” Thomas said. “That's not what's going on here with these data companies and these data brokers. They're sharing it, and we're getting targeted.” Pushback from the tech industry has been swift. John Olsen, Director of the Internet Association, said, “The NY Privacy Act, in its current form, is unworkable for businesses that want to comply and fails to provide New York residents meaningful control over how their data is collected, used, and protected." Facebook also chimed in saying they would have to shut down Facebook access [...]