Digital Transactions Authoritative, insightful and timely information for payments professionals
Schnuck Markets Inc. found itself in a bit of a pickle recently when it learned that its insurance company is refusing to cover losses from a data breach at the regional grocery store chain that compromised up to 2.4 million debit and credit cards. The Schnucks incident and other recent breaches highlight why demand for such insurance is growing.
Liberty Mutual Insurance Co., which insures suburban St. Louis-based Schnucks, filed a federal lawsuit in mid-August against Schnucks for the purpose of obtaining a court judgment declaring that it is free from liability stemming from the data breach, which Schnucks disclosed in mid-April. Schnucks said that about 2.4 million payment cards used at 79 of its 100 stores between December 2012 and late March 2013 may have been compromised.
Exactly what Schnucks will do next is unclear. The company issued a statement this week expressing, not surprisingly, that it is unhappy with the situation. “The Liberty Mutual situation is disappointing, even surprising, as we never expected a lawsuit from our insurance company,” the statement says. “We bought a policy and they are attempting to walk away from their obligations under that policy. We were proactive in obtaining that insurance and we expect them to honor their commitment.”
But Liberty claims that, under terms of one part of the excess commercial general-liability policy that it issued to Schnucks in July 2012, it is only responsible for covering bodily injury or physical damage in excess of a self-insured amount. The policy references physical injury to tangible property, the insurer says. “For purposes of this insurance, electronic data is not tangible property,” the lawsuit says. Another part of the policy addressing “personal and advertising injury liability,” which can cover everything from false arrest to copyright issues, also does not apply to the data breach, the company says.
Boston-based Liberty is seeking to avoid payments that could arise from eight lawsuits shoppers filed against Schnucks that the grocery chain sought coverage for, as well as claims from Schnucks itself. The public version of Liberty’s complaint does not disclose financial terms of the policy or how much Schnucks is seeking in reimbursements.
Insurers began sensing a market for payment-card-related data-breach coverage at least four years ago. A spokesperson for the New York City-based Insurance Information Institute, an industry group, declined to comment to Digital Transactions News about the Liberty-Schnucks matter, but passed along an article from a January 2012 publication by A.M. Best Co., the big insurer-rating company. That article said more than 50 insurance companies now offer data-breach coverage to small and mid-size businesses.
Merchant processor Global Payments Inc. had a $30 million insurance policy covering computer network security and technology-based services, with a $1 million deductible per claim, in force when it reported a data breach in March 2012, according to Global’s filings. Total expenses from that breach amounted to $121.2 million, Atlanta-based Global said. A forensics company hired by Schnucks after its breach determined card data were stolen from payment terminals, according to the St. Louis Post-Dispatch.
