<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; breach</title>
	<atom:link href="https://privacyriskreport.com/tag/breach/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</title>
		<link>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac</link>
		<comments>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/#comments</comments>
		<pubDate>Mon, 28 Jan 2019 18:07:18 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[biometric data act]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Illinois Court of Appeals]]></category>
		<category><![CDATA[Illinois Supreme Court]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1766</guid>
		<description><![CDATA[
<p>While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically,... <a class="more-link" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically, the Illinois legislature has taken steps through the Personal Information Protection Act and the Biometric Information Protection Act (“Biometric Act”) that will put data collectors and courts at the forefront of privacy law for years to come.</p>
<p>The latest development in Illinois privacy law was seen last Friday when the Illinois Supreme Court issued its decision in <em>Rosenbach v. Six Flags Entertainment Corp</em>., 2019 IL 123186 (Jan. 25, 2019), which provides insight on what is necessary to bring a cause of action under the Biometric Act.  In <em>Rosenbach</em>, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person <em>aggrieved</em> by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff to assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of this case is that a data collector can be liable without breaching any information.</p>
<ul>
<li><strong>The Facts In <em>Rosenbach</em></strong></li>
</ul>
<p>The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy who visited Six Flags’ amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flags’ website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data. Rosenbach claimed she was “aggrieved” under the Biometric Act without any allegation that Six Flags breached any data.</p>
<p>In <em>Rosenbach</em>, the Illinois Supreme Court provided the following analysis of the term “aggrieved” as used in the Biometric Act:</p>
<p><em>More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.</em>  ¶</p>
<ul>
<li><strong>The Illinois Court Of Appeals’ Decision Is Reversed</strong></li>
</ul>
<p>The Illinois Court of Appeals held that the allegations that Six Flags took patrons’ thumbprints without proper consent were not a violation of the Act because the patrons were not “aggrieved” as required by the Biometric Act.  In reversing the Court of Appeals, the Illinois Supreme Court held:</p>
<p><em>In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.</em></p>
<ul>
<li><strong>Potential Impact Of This Decision</strong></li>
</ul>
<p>The <em>Rosenbach</em> decision will undoubtedly cause ripples in privacy law for years to come as a party can conceivably maintain a viable cause of action without pleading any “actual injury or damage.”  This decision may close the door on data collectors being held liable only when they breach biometric data.  Rather, data collectors will need to review all processes that may collect biometric data to confirm they are complying with the Biometric Act.  For example, Six Flags may now need to revamp its use of thumbprints to make sure it obtains consent from a minor’s guardian and makes clear how the data will be used.</p>
<p>Further, this decision may undercut the usefulness of expensive equipment used to collect biometric data if a majority of people withhold their consent to have their information collected.  For example, many workplaces have started to track employees’ hours by using biometric data including fingerprints and thumbprints.  These new systems that rely on biometric data make &#8220;clocking in&#8221; more convenient than systems that may rely on employee numbers or time cards.  It will be interesting to see how employers will work with employees who refuse to consent to having their biometric information collected after the employer purchased the expensive equipment.  Suffice it to say, we can expect Illinois to continue to be the source of many influential developments in privacy law in the coming years.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/">Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties.  Tesla did not waste any time filing suit as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla still alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of being hired, Tesla had identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. Tripp was angry when he received word that he was transferred to a new role.</p>
<p>By mid-June, Tripp is confronted with evidence that he is the source of a hack at Tesla and admits to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as being still in the early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of fiduciary duty of loyalty.  In this claim, Tesla claims Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example of how cyber security and privacy violations have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; to Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a>  And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” as being included on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and <em>motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business. The risk of a hack increases with the amount of data stored. Here, there was a need for balance since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that while there may be an opportunity to access data, the employer is willing to entrust the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags.  Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for safeguards that are in place to protect data.  This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</title>
		<link>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-finds-virtual-currencies-are-commodities-subject-to-existing-laws</link>
		<comments>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/#comments</comments>
		<pubDate>Thu, 08 Mar 2018 16:51:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[CFTC]]></category>
		<category><![CDATA[Chicago]]></category>
		<category><![CDATA[commodities]]></category>
		<category><![CDATA[crypto currency]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[virtual currencies]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1457</guid>
		<description><![CDATA[
<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may... <a class="more-link" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may expect the law controlling cyber security and privacy law to develop.</p>
<p>In <em>Commodity Futures Trading Commission v. McDonnell,</em> 2018 WL 1175156 (March 6, 2018), the District Court for the Eastern District of New York held the Commodity Futures Trading Commission (“CFTC”) “has standing to exercise its enforcement power over fraud related to virtual currencies sold in interstate commerce…”  The CFTC is tasked with stopping fraud or manipulation in derivatives markets by enforcing the Commodity Exchange Act (“CEA”).  The CEA requires “any commodity traded as a future” to be “traded on a commodity exchange approved by the CFTC.”  Title 7 U.S.C. § 2.  In <em>McDonnell</em>, the threshold question was whether virtual currency may be regulated by the CFTC as a commodity.  And, after a lengthy analysis of virtual currencies, the District Court held the CFTC had authority over these markets and was entitled to enjoin the defendants from continuing to sell virtual currencies to the public.</p>
<p>The facts underpinning the <em>McDonnell </em>decision involve allegations that the Defendant, Patrick McDonnell (“McDonnell”), and his investment companies, “offered fraudulent trading and investment services related to virtual currency.”  Specifically, “[c]ustomers from the United States and abroad paid defendants for ‘membership’ in virtual currency trading groups purported to provide exit prices and profits of up to ‘300%’ per week.”  Unfortunately, the defendants disappeared by deleting company social media accounts and ceasing all communications with investors after receiving the initial payment and subsequent investments from members.</p>
<p>After hearing evidence concerning the defendants’ actions, the District Court granted a preliminary injunction to the CFTC when it found that the defendants committed fraud through false trading advice and “promised future profits.”  The District Court held that an injunction was warranted in light of the reasonable likelihood that the defendants would continue to violate the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are Here To Stay</strong></li>
</ul>
<p>Before arriving at its decision, the <em>McDonnell </em>Court conducts an in-depth analysis of Bitcoin and other virtual currencies.  After addressing the basics related to virtual currencies, the District Court  finds these currencies “serve the same purposes as gold in terms of a currency, but much more efficiently because it does not have any mass and can be sent easily from place to place.”  Further, the District Court acknowledges that virtual currencies may be here to stay because “online exchanges have become more accessible allowing more members of the public to trade and invest in virtual currencies.”  The District Court concludes there is a greater chance for fraud and criminal activity as these currencies grow in popularity.</p>
<ul>
<li><strong>While The Regulations Are Slightly Unclear, There Is No Doubt That Virtual Currencies Are Regulated By<em> Some</em> Governmental Agency. </strong></li>
</ul>
<p>After taking a closer look at how virtual currencies could potentially be regulated by the Department of Justice, the Securities and Exchange Commission, the Treasury Department, the IRS, private exchanges or through state regulations, the District Court settles on the CFTC as the administrative body that is “currently exercising partial supervision of virtual currencies.”  The District Court’s analysis of these regulations provides further support for the finding that the CFTC has standing to seek injunctive relief against anyone violating the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are “Commodities” That Can Be Regulated By The CFTC</strong></li>
</ul>
<p>The <em>McDonnell</em> court must also address whether virtual currencies are “Commodities” as defined under the CEA. Therefore, the District Court must analyze whether virtual currencies fall within the CEA’s definition of Commodities, which protects agricultural products and “all other goods and articles…and all services, rights, and interests…in which contracts for future delivery are presently or in the future dealt in.”  After a lengthy analysis of this issue, the District Court ultimately concludes “[v]irtual currencies can be regulated by CFTC as a commodity.”  In short, the District Court finds “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value.”</p>
<ul>
<li><strong>The CFTC Is Entitled To An Injunction When The Fraud Is Not Directly Related To The Sale Of Futures Or Derivative Contracts</strong></li>
</ul>
<p>After finding the CFTC has standing to seek an injunction against the defendants, the <em>McDonnell</em> court next determines there is sufficient evidence that the defendants “committed fraud by misappropriation of investors’ funds and misrepresentation of trading advice and future profits promised to customers.”  On this issue, the District Court concluded that a preliminary injunction in favor of the CFTC was warranted in light of the finding that a fraud had been committed.</p>
<ul>
<li><strong>The Scope Of This Decision May Reach Beyond Virtual Currencies</strong></li>
</ul>
<p>First, the <em>McDonnell</em> decision makes clear that it is time for insurers to start considering whether virtual currency presents losses covered under traditional insurance policies or if new products should be developed.  Over the last few months we have seen more people invest in virtual currencies.  The <em>McDonnell</em> court quotes the December 1, 2017 Bloomberg Businessweek, which sheds more light on virtual currencies: “The initial price of bitcoin, set in 2010, was less than 1 cent.  Now it’s crossed $16,000.  Once seen as the province of nerds, libertarians and drug dealers, bitcoin today is drawing millions of dollars from hedge funds.”  (While the price in December 2017 was $16,000, the price has since dropped.) The <em>McDonnell </em>decision acknowledges that as the pool of investors increases, we can expect to see an increase in the potential for losses, theft and all the other things the defendants in this case are accused of doing.  Consequently, as virtual currencies become more ingrained in our daily lives, it may be time for insurers to start taking a closer look at losses involving virtual currencies.</p>
<p>Additionally, the <em>McDonnell</em> decision discusses a number of issues currently facing cyber and privacy law.  First, while the District Court finds virtual currencies fall into the definition of “commodities,” the Court has to work to get there.  In the end, the District Court finds that the same law can protect agricultural products and virtual currencies at the same time.  We face many of these same issues in cyber security and privacy law as we try to fit these emerging issues into laws and regulations that may have been on the books for decades.</p>
<p>Finally, the section of the <em>McDonnell</em> decision entitled “concurrent oversight from Other Agencies” discusses how a number of governmental agencies could regulate virtual currencies.  Likewise, cyber security and privacy face a similar situation as a number of state and federal agencies fight to regulate this emerging area of law. Therefore, while the <em>McDonnell</em> decision provides insight into the regulation of virtual currencies, it also provides guidance for cyber security and privacy law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</title>
		<link>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors</link>
		<comments>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/#comments</comments>
		<pubDate>Thu, 14 Sep 2017 14:58:04 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1313</guid>
		<description><![CDATA[
<p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right and wrong in response to a cyber incident.  After reviewing a number of responses to large-scale data breaches, it... <a class="more-link" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right<em> and</em> wrong in response to a cyber incident.  After reviewing a number of responses to large-scale data breaches, it has become clear that some responses are better than others. It is also clear that all large-scale breaches and the responses have a number of moving parts.  Therefore, in order to analyze all these moving parts to prepare for an incident, the best method for data collectors may be to break their strategy into the following three phases:</p>
<ul>
<li><em>Pre-Breach Preparations</em> should include discussing breach scenarios in the abstract. This timeframe should be dedicated to identifying an internal and external response team and creating a general roadmap for a response.</li>
<li><em>Post-Discovery Preparations</em> should include refining the roadmap to address the specific breach facing an entity. By this point, a data collector will have more information on the incident and should be able to prepare for the announcement of the incident.</li>
<li><em>Post-Announcement Response </em>should include re-working any portion of the response plan that is not going as intended and responding according to the roadmap created in the earlier phases.</li>
</ul>
<p>While it is still early in Equifax Inc.&#8217;s response, Equifax&#8217;s recent breach provides the perfect backdrop to take a closer look at these three phases for preparing for and engaging in a successful breach response.  Admittedly, we are just learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017. While different numbers have been discussed, it appears about 143 million people may be impacted.  Suffice it to say, this was a huge data breach.  <a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do" target="_blank">The FTC’s website provides the following facts</a>:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>The analysis of this <a href="https://privacyriskreport.com/home-depot-breach-litigation-goes-down-well-worn-path/" target="_blank">latest breach can be expected to go down the well-worn path of other large-scale breaches</a> seen at Target, Home Depot or Yahoo.  And, over the coming months, we can expect to see more information concerning Equifax&#8217;s breach.  For example, <a href="https://www.usatoday.com/story/money/2017/09/11/equifax-hit-least-23-class-action-lawsuits-over-massive-cyberbreach/653909001/" target="_blank">Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon</a>, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach seeking “a detailed timeline of the breach, information about the company&#8217;s efforts to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.”  This information, and being able to analyze this information, will be key for any data collector to review their own breach response plans.</p>
<p><strong><em>Pre-Breach Preparations Allow A Stress-Free Review Of Safeguards And The Response Game Plan</em></strong></p>
<p>During the <em>Pre-Breach Preparations</em>, a data collector will have the opportunity to confirm that it has taken all steps necessary to safeguard information and has a roadmap in place<em> if</em> there is an incident.  Once an incident occurs, it may be too late to thoroughly review the roadmap, so the general structure must be created beforehand in order to fill in the details as the breach unfolds.</p>
<p>First, Equifax&#8217;s breach, involving a credit reporting agency, is different from the prior breaches that took place at retailers, financial institutions or medical care providers. That is, Equifax is often called on to provide credit monitoring to individuals that may be caught up in a cyber incident at a retailer, financial institution or medical care provider.  For example, the Illinois Personal Information Protection Act states that any breach notification shall include “the toll-free numbers and addresses for consumer reporting agencies.” <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank"><em>See</em> 815 ILCS 530/10</a>.  Therefore, notification letters prepared in accordance with Illinois law would most likely direct Illinois residents to Equifax.  Equifax and the other credit reporting agencies build their entire business on keeping information safe.  At present, there is no information concerning what Pre-Breach Preparations Equifax had in place, but there will undoubtedly be a substantial amount of information disclosed over the coming months.</p>
<p><strong><em>Post-Discovery Preparations Allow A Response To Address The Specific Facts Of The Incident</em></strong></p>
<p><em>Post-Discovery Preparations</em> allow a data collector to incorporate the specific information it has learned from its initial investigation into its response roadmap.  That is, the roadmap can now be revised and supplemented because the investigation will show if this is a case of ransomware, a data breach or some other cyber attack.  The data collector can also determine whether it will notify any individuals and if so, what law governs that notification.  The decision to contact law enforcement should be made during this phase as well.  This phase may be the last time the data collector has full control over the incident.</p>
<p><a href="https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html" target="_blank">News reports indicate Equifax discovered the breach on July 29, 2017</a>.  Therefore, Equifax had more than a month, post breach, to formulate a response to this particular breach before it was announced to the public.  However, there is still little information concerning Equifax&#8217;s Post-Discovery Preparations at this time.</p>
<p><strong><em>Post-Announcement Response Allows An Entity To Address Issues That May Have Been Missed In The Other Breach Response Phases</em></strong></p>
<p>Hopefully, the response plan will only need to be slightly tweaked by the time a data collector reaches the Post-Announcement Response.</p>
<p>Equifax’s breach response at this point includes offering one free year of its credit monitoring service and providing information via <a href="http://www.equifaxsecurity2017.com" target="_blank">its website created just for this breach</a>.  However, over the last week, Equifax has faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/" target="_blank">Equifax had to issue a statement claiming to have fixed problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. This has led some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”</em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits have been filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more than 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares in the company days after the cyberattack was discovered. Equifax had to issue another statement after its announcement indicating that while the three executives sold a &#8220;small percentage&#8221; of their shares on August 1 and August 2, 2017, they &#8220;had no knowledge that an intrusion had occurred at the time they sold their shares.&#8221;</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement have placed Equifax’s response under further scrutiny. Equifax is now being called on to respond to a variety of issues since its announcement of this breach.  The Equifax breach makes it clear that the Post-Announcement Response phase can be the most stressful phase and will require a solid roadmap formulated in the earlier breach response phases.</p>
<p>As we learn about the Equifax breach (or any other data breach), it will be key for data collectors to look at all the information related to the breach response to determine if their own breach response roadmap is sufficient.  Analyzing the various phases of a response and how those phases are connected will be necessary to continuously improve their own response plans.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fallout From Home Depot Breach Continues to Cause Concern for Corporate Officers</title>
		<link>https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers</link>
		<comments>https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/#comments</comments>
		<pubDate>Fri, 02 Dec 2016 18:30:37 +0000</pubDate>
		<dc:creator><![CDATA[Lindsey Dean]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Home Depot]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1025</guid>
		<description><![CDATA[
<p>High profile data breaches are inevitably followed by a flurry of lawsuits, including derivative lawsuits filed by those companies’ shareholders. However, derivative suits have not found success and are frequently dismissed at the early stages of the lawsuit. Earlier this... <a class="more-link" href="https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/">Fallout From Home Depot Breach Continues to Cause Concern for Corporate Officers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>High profile data breaches are inevitably followed by a flurry of lawsuits, including derivative lawsuits filed by those companies’ shareholders. However, derivative suits have not found success and are frequently dismissed at the early stages of the lawsuit. Earlier this year, Judge Paul Magnuson of the U.S. District Court for the District of Minnesota <a href="https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/">dismissed the derivative lawsuit against Target’s directors and officers</a>, and this week, the court in the Home Depot shareholder derivative action reached a similar conclusion as Judge Magnuson.</p>
<p>On November 30, 2016, Judge Thomas W. Thrash, Jr. of the U.S. District Court for the Northern District of Georgia <a href="http://static.reuters.com/resources/media/editorial/20161201/homedepotdataderiv--opinion.pdf">granted the motion to dismiss</a> filed by Home Depot’s directors and officers in a shareholder derivative suit. The derivative suit arises out of the <a href="https://privacyriskreport.com/the-best-offense-is-a-great-defense/">2014 data breach in Home Depot’s stores</a>, which resulted in the theft of financial data of 56 million customers. Following the breach, multiple shareholders filed derivative complaints against Home Depot, which were eventually consolidated. In the consolidated lawsuit, the shareholders claim that Home Depot’s directors and officers breached their duties to the shareholders by failing to take the risk of a data breach seriously and failing to implement sufficient security measures prior to the breach. The shareholders allege causes of action for breach of fiduciary duty, waste of corporate assets and violation of the Securities Exchange Act.</p>
<p>The shareholders made no demand on Home Depot’s board that it file suit against the directors, which is generally a prerequisite to filing a derivative suit unless the demand is excused. The court’s analysis accordingly focused on whether the demand requirement was excused. As to the breach of fiduciary duty claims, the court found that the shareholders faced an “incredibly high hurdle” to demonstrate particularized facts beyond a reasonable doubt that a majority of the board faced substantial liability because it consciously failed to act in the face of a known duty to act. The court noted that it was “not surprising” that the shareholders failed to meet this burden. The gist of the shareholders’ complaint was that the board improperly exercised its business judgment, which was simply not sufficient to show the bad faith necessary to excuse demand.</p>
<p>The court held that the demand was not excused as to the corporate waste claims on similar grounds, finding that the shareholders’ claim was fundamentally a challenge to the board’s business judgment for delaying the update of Home Depot’s security systems. Finally, the court held that the demand was not excused as to the shareholders’ securities claims because the shareholders failed to point to specific statements in Home Depot’s proxy statements that were rendered misleading or false by the alleged omissions concerning security threats. The shareholders therefore did not meet their burden to demonstrate particularized factual allegations that raise a reasonable doubt that directors were disinterested and independent.</p>
<p>The dismissal of the Home Depot derivative litigation is the latest in a long line of unsuccessful attempts by shareholders to file derivative lawsuits against corporations that experience data breaches. It remains to be seen whether shareholders can satisfy the “incredibly high hurdle” for excusing the demand requirement, or, alternatively, can surpass the findings of a special litigation committee, <a href="https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/">like the committee appointed in the Target litigation</a>. Based on court rulings to date in these types of actions, however, it seems more likely than not that where a board implements a security plan, even if it is not a perfect security plan, it will be protected by the business judgment rule.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/">Fallout From Home Depot Breach Continues to Cause Concern for Corporate Officers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bitcoin Hack Triggers Litigation Under Commercial Crime Policy</title>
		<link>https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=bitcoin-hack-triggers-litigation-under-commercial-crime-policy</link>
		<comments>https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/#comments</comments>
		<pubDate>Fri, 25 Sep 2015 18:49:53 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[bitpay]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=340</guid>
		<description><![CDATA[
<p>On September 15, 2015, Bitpay, Inc. filed a lawsuit against its insurer, Massachusetts Bay Insurance Company, related to a hack at the company that resulted in an unauthorized transfer of bitcoin valued at more than $1.8 million. In its Complaint... <a class="more-link" href="https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/">Bitcoin Hack Triggers Litigation Under Commercial Crime Policy</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On September 15, 2015, Bitpay, Inc. filed a lawsuit against its insurer, Massachusetts Bay Insurance Company, related to a hack at the company that resulted in an unauthorized transfer of bitcoin valued at more than $1.8 million. In its Complaint filed in Atlanta, Bitpay refers to itself as a “global bitcoin payment processor.” Bitpay’s Complaint and other <a href="http://www.bizjournals.com/atlanta/blog/atlantech/2015/09/atlantas-bitpay-got-hacked-for-1-8-million-in.html" target="_blank">reports</a> provide the following timeline related to the alleged unauthorized transfer:</p>
<ul>
<li>On December 11, 2014, Bitpay’s CFO received an e-mail from a hacker claiming to be David Bailey with <em>yBitcoin</em>, a digital currency publication, asking the CFO to comment on a document.</li>
<li>Unfortunately, the e-mail to Bitpay’s CFO was sent by an unknown person who had hacked Mr. Bailey’s e-mail account.</li>
<li>By following instructions provided in the hacker’s fake e-mail from Bailey, Bitpay’s CFO ended up providing his e-mail credentials to the hacker.</li>
<li>After obtaining the CFO’s e-mail credentials, the hacker gained access to the CFO’s computer and reviewed the CFO’s e-mails to learn how transfers were made within the company.</li>
<li>Bitcoins were transferred when Bitpay’s CEO received e-mails that appeared to be from the CFO requesting bitcoins from customers’ “digital wallets.” As he had done on many occasions, the CEO made the transfers as requested by the CFO.</li>
<li>On one transfer, the CEO copied Bitpay’s customer on the e-mail confirming the purchase of bitcoins, and the customer replied by e-mail that they had not purchased the bitcoins.</li>
</ul>
<p>The Complaint alleges that after investigating the claim, Massachusetts Bay denied Bitpay’s claim for coverage. Bitpay’s lawsuit seeks damages based on a claim for breach of contract and bad faith under Georgia law. Bitpay attached a copy of Massachusetts Bay’s denial letter to its Complaint, which states, in part, the following reason for denial of Bitpay’s claim for coverage:</p>
<p style="padding-left: 30px;"><em>As noted in Insuring Agreement 6 cited above, the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. &#8220;Direct&#8221; means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay&#8217;s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay&#8217;s business partner, was compromised resulting in fictitious e-mails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.</em></p>
<p style="padding-left: 30px;"><em>Furthermore, there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO&#8217;s approval of the bitcoin transactions after receiving the fictitious e-mails. The loss incurred by Bitpay was not a direct loss.</em></p>
<p>While the insurance policy at issue in the Bitpay litigation was a Commercial Crime Policy and not a cyber insurance policy, this case still serves as an example of the unique insurance claims presented by technology. Just a few years ago, there was virtually no market for insurance coverage for bitcoin operations. Further, as this technology progresses, a certain amount of confusion is expected. For example, based on the allegations in Bitpay’s Complaint, some technology commentators have questioned the value of cyber insurance based on Massachusetts Bay’s denial under a Commercial Crime Policy. (See &#8220;<a href="http://www.networkworld.com/article/2984989/security/cyber-insurance-rejects-claim-after-bitpay-lost-1-8-million-in-phishing-attack.html" target="_blank">Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack</a>&#8221;). Whether there is coverage under this policy will be determined by the court. However, while this case is worth monitoring, the court’s determination on the Commercial Crime Policy should not necessarily be used to determine the value of cyber insurance.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/">Bitcoin Hack Triggers Litigation Under Commercial Crime Policy</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/bitcoin-hack-triggers-litigation-under-commercial-crime-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
