By Craig Dunn, Cyber Analyst
Last Friday (10 March 2017) Home Depot agreed to pay $25 million to issuing banks for damages resulting from the data breach of 56 million payment cards it suffered in 2014. The settlement comes in addition to $134.5 million in card brand assessments already paid to issuing banks. As part of the settlement, Home Depot has also agreed to improve its level of cyber security and tighten its oversight of vendors.
In comparison with consumer class action lawsuits, which often fall flat due to a lack of standing, issuing banks seemingly face an easier task of proving they have suffered actual damages, as card brand assessments seldom cover all the breach-related costs they incur.
However, to date we have seen only a handful of such lawsuits. For example, in December 2015 Target settled a similar suit with MasterCard issuing banks for $39 million. Then in August 2016 Kmart, which suffered a breach in October 2014, settled with issuing banks for $5.2 million, despite already paying $13.3 million in card brand assessments.
So while it doesn’t appear that smaller retailers currently need to worry about the potential for these types of lawsuits, larger organisations should be wary of these numbers when determining what cyber insurance limits are required.
Original post published on LinkedIn: