Target is suing its insurer for costs of up to $74M that were incurred as a result of a data breach.
America's eighth-largest retailer claims ACE American Insurance Co. failed to pick up the tab for issuing customers with new plastic payment cards after their existing cards were compromised in the November 2013 incident.
New cards had to be issued after a hacker installed software on Target's computer network and gained access to the personal information of 60 million customers and the payment card information of 40 million customers in November 2013.
Target filed the lawsuit against Pennsylvania-based ACE, which is now part of Chubb Corp, on Tuesday in the US District Court in Minnesota.
In the suit, according to the Star Tribune, the Minneapolis-based retailer states that it has paid out a total of $138 million (including attorney's fees) to banks to settle claims related to the data breach.
Some costs associated with the breach have been picked up by insurers. However, Target states that at least $74M, paid out by the retailer to settle claims related to the costs of replacing payment cards, has not been covered by insurers.
The cost of the new cards was footed by banks, who then started suing Target for payment in January 2014. According to the lawsuit, it was then that Target contacted ACE to cover the cost of issuing the new cards, which ACE refused to do.
Banks brought a class-action lawsuit against Target, which was settled for about $58 million in 2016. Target also reached confidential settlements with major card issuers such as Visa, Mastercard, American Express, and Discover.
In total, the breach is reported to have cost Target about $292 million in expenses, of which roughly $90 million were offset by insurance.
Target argues that since its general liability policy with ACE defines property damage as including "loss of tangible property that is not physically injured," the insurer should foot the bill for the replacement cards.
A spokesperson from Target told Infosecurity Magazine: "Target has been in discussions with the American Insurance Company (ACE) for over a year and recently filed a lawsuit against ACE to recoup costs Target had to pay banks for printing and mailing replacement payment cards after the 2013 data breach. We believe the costs are covered within the scope of the insurance policy Target has with ACE and are focused on resolving the outstanding claim."
Steve Durbin, managing director of the Information Security Forum, commented: "Cyber risk is unquestionably one of the biggest challenges facing the insurance industry today and the knock-on effect will be with us for some time as claimants continue to try to lodge claims on policies that were not specifically designed to cover all the intricacies of cyber risk.
"Insurance policies are traditionally written around past precedent and in such a fast-moving environment as cyber I expect to continue to see such cases arising where courts will be asked to set precedent in the absence of historical reference points."