Judy Greenwald reports:
A federal appellate court ruled Thursday that shoe retailer DSW Shoe Warehouse Inc. was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest from a Chartis Inc. unit in connection with a 2005 computer breach.
In an incident widely reported at the time, DSW, a subsidiary of Columbus, Ohio-based Retail Ventures Inc., reported that data on transaction information involving 1.4 million credit cards had been stolen.
Read more on BusinessInsurance. The case is Cincinnati in Retail Ventures Inc. et. al. v. National Union Fire Insurance Co. of Pittsburgh Pa. According to the background provided in the Sixth Circuit’s opinion:
In the wake of the data breach, plaintiffs incurred expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven state Attorney Generals and the Federal Trade Commission (FTC). The FTC’s inquiry was resolved administratively with a consent decree requiring, inter alia, that plaintiffs establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In the Matter of DSW, Inc., No. C-4157, 2006 WL 752215 (FTC Mar. 7, 2006). The largest share of the losses—more than $4 million—arose from the compromised credit card information: namely, costs associated with charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard. That amount was determined by the settlement of plaintiffs’ contractual obligations with credit card processor, National Processing Company, LLC (a/k/a BA Merchant Services, LLC).
Although DSW was hacked in 2005 and settled the FTC action in 2006, it did not notify affected consumers until August 2008. The delayed notification also occurred for customers of some other big firms hacked by Albert Gonzalez. In November 2008, California’s Assembly Judiciary Committee invited DSW and seven other companies to a hearing on the failure to notify. DSW and the others did not attend. It is not clear to me whether the government had asked the companies not to notify consumers or if the companies just elected not to.
As part of the 2009 sentencing of Albert Gonzalez, some of the court documents were made public. The pre-sentencing report indicated that DSW had reported $6.5 million – $9.5 million in losses as a result of the breach.