Earlier this year, Schnuck Markets Inc. announced that it had been the victim of a data breach that potentially affected 2.4 million customers. Since that time, the company has been awash in lawsuits and other legal claims arising from the breach, including at least seven federal or state class actions filed on behalf of customers and demands by various banks seeking reimbursement for costs incurred as a result of the breach. This despite the fact that in July, following an extensive investigation, the Missouri Attorney General announced that Schnucks had not violated any state laws regarding data security, but rather had been a mere victim of criminal wrongdoing.
Last week, Schnucks found itself in litigation yet again – this time with its insurance company. Liberty Mutual filed an action in federal court in Missouri seeking a declaratory judgment that its general liability policy with Schnucks does not cover the costs of defending the lawsuits arising from the breach. Liberty Mutual previously advised Schnucks of its position that the policy covers personal injury and property damage, and not losses stemming from the theft of data. Thus, Schnucks may have to bear the costs of defending this flood of lawsuits, in addition to the many other costs of responding to the breach.
Schnucks is the latest, and in some ways the greatest, cautionary tale for all companies at risk of a data breach. With alarming frequency, companies that suffer a data breach are being blamed – by regulators and class-action plaintiffs – for not doing more to prevent the breach. And Schnucks demonstrates that even when regulators say a company is just a victim, that won’t prevent the company from being victimized again by class actions and other lawsuits.
Schnucks also illustrates the critical importance of making sure that companies purchase the proper insurance coverage for a breach before the breach occurs. No cybersecurity is perfect, and the costs of a breach can be catastrophic, so it is important to purchase adequate insurance coverage, if available, including protection against remediation and litigation costs.
Most importantly, in this “blame the victim” environment, companies have to move aggressively and proactively to prevent – and mitigate the consequences of – a breach. The single most important step a company can take is to engage in a comprehensive review of the company’s information governance before a breach occurs. Not only will this type of proactive review help reduce the risks of a breach, but it also will be an important part of your company’s defense in the litigation and enforcement proceedings that are likely to follow a breach.