The St. Louis Post-Dispatch reports that more than a year and a half after its customers were first affected, the Midwestern grocery store Schnucks has settled its data breach lawsuit and will pay millions in fines and lawyer fees.
Though it didn't receive as much press coverage as other recent data breaches, the Schnucks data breach demonstrates how complicated, messy, and expensive data breaches can be. Let's look at what happened and what this means for IT contractors.
The Schnucks Data Breach: What Happened?
Here are the basic facts about the scope of the data breach at Schnucks:
- Information from 2.4 million credit and debit cards was stolen.
- Card numbers and expiration dates were compromised.
- The breach began in December 2012 and continued until March, when it was first noticed.
- A unique strain of malware infected the computer network, making it hard for data security investigators to pinpoint the security hole.
It took weeks for IT security analysts to figure out where the breach was occurring. Schnucks originally had its own IT department investigating the breach, but after three panicked days the department couldn't find it, and Schnucks had to hire outside experts. After 10 days of searching, Mandiant's security team was able to find and close the breach. Imagine being on a sinking ship but not being able to find the leak.
Details about the malware are still sketchy, but we know that unlike the Target data breach, this one did not affect a POS system. The suspicion among security experts is that this attack was more advanced. Hackers might have used custom-made malware to break into the Schnucks network.
How Much Did the Schnucks Data Breach Cost?
The total cost of a data breach can be hard to calculate because there are so many indirect expenses associated with it, but here are some of the costs we know:
- $2.1 million St. Louis Circuit Court settlement agreement (including $635,000 to be paid to the customers’ attorneys).
- The cost of hiring a tech security firm to identify the cause of the breach and repair it.
- PR costs and customer contact expenses.
- Related lawsuits and legal expenses.
You read that last one correctly. There are actually more lawsuits than the $2 million case that just settled.
More Lawsuits Than You Can Shake a Stick At: Why Data Breach Lawsuits Never End
The most astonishing thing about the Schnucks lawsuit is that the case still isn't over. Though it has settled in Missouri court, there could still be a federal case if some customers refuse to agree to the settlement. That federal case had been put on hold until the Missouri lawsuit came to a conclusion.
But that's not all. In addition to federal and Missouri lawsuits, there are more lawsuits, including one filed by Schnucks against its payment processing company.
Retailers sign service agreements with their payment processing companies. These agreements have indemnification clauses that stipulate who will pay for fraudulent charges in the case of a data breach. Banks and payment processors don't want to be on the hook for charges that cyber criminals make using stolen data.
After a data breach, banks might process payments, but not send the revenue to the retailer. They withhold a percentage of the retailer's revenue in case those charges turn out to be fraudulent and they have to reimburse customers.
As per its service agreement, Schnucks's payment processor did just that, essentially freezing some of the grocery store's revenue. Schnucks filed a lawsuit against its payment processor, claiming it was withholding too much of its revenue.
Schnucks Data Breach Shows What Happens to Clients
If a client is hacked, they'll rack up expenses for lawsuits, disputes with their payment processing company, reimbursements, and breach investigations. These expenses can linger for well over a year. If you add it all up, the conclusion is simple: a data breach can end up costing your clients a lot of money for a long, long time.
After looking at how these expenses accrued in the year and a half after the Schnucks data breach, you should take away two lessons:
- Clients need to be prepared for the expense of a data breach. Many companies underestimate these costs because they don't realize that a breach can lead to multiple lawsuits, investigations, and other long-term costs. If your clients don't have Cyber Liability Insurance, they'll pay for many of these costs out of pocket and could sue you to recover the cost of a breach. Make sure your clients take these costs seriously and have a data breach response plan.
- IT contractors need to be prepared for client lawsuits. Of course, no contractor anticipates they'll be sued by a client. But you need to have a plan in place in the event that this happens. Errors & Omissions Insurance (also called Professional Liability Insurance) can pay for data breach lawsuits and other disputes about your IT work.
As we saw above, data breaches bring out the lawsuits. Say your client balks when their payment processor withholds a portion of their payment. A client could sue the IT contractor that set up their ecommerce or POS solutions, arguing that the contractor failed to advise them of the risks of using these services. As an IT consultant, you can be held liable for data security, service agreements, and other products and services you recommend to your clients.
For a free cost estimate on IT contractor insurance to protect you from these lawsuits, submit an online insurance application.