The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.

After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

The U.S. District Court for the District of Utah recently issued an opinion construing cyber insurance coverage — one of the first cases of its kind. The court determined in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. that there was no cyber insurance coverage under a technology errors and omissions policy, because the allegations against the insured included only claims of intentional misconduct. Similar to traditional forms of liability insurance, the errors and omissions cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.

As data security breaches have become commonplace, many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion about cyber insurance generally, few courts have yet construed cyber insurance policy terms.