<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; data security</title>
	<atom:link href="https://privacyriskreport.com/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging that one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties. Tesla did not waste any time filing suit, as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and to transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts that Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of his hiring, Tesla had identified Tripp as having problems with job performance and as being at times disruptive and combative with his colleagues. Tripp was angry when he received word that he was being transferred to a new role.</p>
<p>By mid-June, Tripp was confronted with evidence that he was the source of a hack at Tesla and admitted to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as still being in its early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of the fiduciary duty of loyalty. In this claim, Tesla alleges that Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example of how cyber security and privacy violations can have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; against Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a> And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk named “oil &amp; gas companies” and “Wall Street short sellers” among them</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and <em>motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business, since the risk of a hack increases with the amount of data stored. Here, there was a need for balance, since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that, while there may be an opportunity to access data, the employer is entrusting the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have a <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags. Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for the safeguards that are in place to protect data. This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</title>
		<link>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data</link>
		<comments>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/#comments</comments>
		<pubDate>Wed, 06 Sep 2017 18:30:38 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1300</guid>
		<description><![CDATA[
<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty... <a class="more-link" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty was breached in a data breach case if there is no standard to determine what the duty is, what a breach is, or what constitutes data. Likewise, a legislature will not be able to create a statutory framework to protect its citizens if it does not speak the “language” of data protection. Further, even if a court can understand the fundamentals related to a particular cyber issue, a court may find <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">a patchwork of state and federal law may govern the analysis of that issue</a>.</p>
<p>A recent example was seen when the United States District Court for the District of Columbia was called upon to address questions related to a search warrant issued for electronically stored information held on the “cloud.” Specifically, in <em>In Re Search Of Information Associated With [Redacted]@gmail.com That Is Stored At Premises Controlled By Google, Inc</em>., 2017 WL 3445634 (D.C. Cir. July 31, 2017), the D.C. District Court analyzed whether the government was entitled to data held by Google on its cloud. (“The basic legal question confronting us is not a total stranger to this Court. [citation omitted] With the growing interdependence of world trade and the increased mobility of persons and companies, the need arises not infrequently, whether related to civil or criminal proceedings, for the production of evidence located in foreign jurisdictions.”) In <em>Google</em>, the D.C. District Court summed up this issue as follows:</p>
<p><em>As a result, the judiciary and legislature have been challenged to keep up with precipitous advancements in technology and global interconnectedness. Traditional notions of “territoriality” and “jurisdiction” have been muddied, especially when it comes to determining the scope of statutes governing access and disclosure of electronic records and communications. The picture is murkier still with the advent of so-called “cloud” computing, which is “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.”</em></p>
<p>And, while grappling with these new technological concepts, courts are beginning to look to the few common standards available, such as those created by the National Institute of Standards and Technology (“NIST”), to form the structure for their decisions. For example, the D.C. District Court relied on a definition of &#8220;cloud computing&#8221; found in the NIST standards.</p>
<p>In its simplest terms, as the NIST standards gain acceptance, we may soon see a court find liability for a cyber incident when a litigant fails to meet the NIST standards to safeguard data. Therefore, it is even more important to keep current on the NIST standards, which are constantly in transition, as these standards continue to be relied upon to determine legal duty and responsibility.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf" target="_blank">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations,</a> which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.” The stated objectives of the NIST publication include: “&#8230;to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provides the following “key questions that should be answered by organizations when addressing their security and privacy concerns:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST is seeking public comment from August 15, 2017 through September 12, 2017. NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.</p>
<p>While the NIST Standards are intended to create &#8220;minimum requirements for federal information systems,&#8221; these standards have proven to be the most comprehensive set of standards for industries that have not adopted their own standards. Consequently, we can expect to see courts and legislatures continue to borrow terms and concepts from NIST when there are no other standards to rely upon. Further, insurers may soon require that their insureds show they meet NIST standards during the application process as well as throughout the effective dates of coverage.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</title>
		<link>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases</link>
		<comments>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/#comments</comments>
		<pubDate>Tue, 04 Apr 2017 14:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1165</guid>
		<description><![CDATA[
<p>Last week, the parties in Remijas v. Neiman Marcus, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus, settled the case in the Northern District of Illinois. The Seventh Circuit&#8217;s reversal of the District... <a class="more-link" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, the parties in <em>Remijas v. Neiman Marcus</em>, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus, settled the case in the Northern District of Illinois. The Seventh Circuit&#8217;s reversal of the District Court&#8217;s decision to grant Neiman Marcus&#8217; motion to dismiss was widely considered to be a favorable decision for data breach plaintiffs because it showed that plaintiffs may be able to adequately allege damages to demonstrate they had standing to bring suit. Even though we may not get to see how discovery and further motion practice would have played out, the settlement provides a significant amount of guidance on the value of damages in data breach cases and on the security measures companies are now expected to have in place in the short time since this breach occurred.</p>
<p>In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class members lacked standing under Article III. The Seventh Circuit found the District Court erred and held that the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft, as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”</p>
<p><a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">In reversing the District Court</a>, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under <em>Clapper</em> “that injury either already [has] occurred or [was] ‘certainly impending.’” After the Seventh Circuit reversed the District Court&#8217;s decision, the case was remanded to the District Court for further proceedings before the parties settled the matter.</p>
<p>The Plaintiffs’ Amended Motion for Preliminary Approval of Class Action Settlement and Certification of Settlement Class (“Motion for Preliminary Approval”) filed with the District Court last week indicates a Settlement Fund will be created in the amount of $1,600,000 (one million, six hundred thousand dollars), which will be used to pay “eligible claimants who submit valid and timely Claims.” The Motion for Preliminary Approval also states that “Settlement Class Members and other customers shopping at Defendant’s stores since this action was filed also benefit from changes to Defendant’s business practices designed to further strengthen its information technology security.”</p>
<p>Specifically, Neiman Marcus’ Memorandum filed in support of the settlement agreement states that in addition to the settlement amount, Neiman Marcus has taken the following security measures to protect customer information:</p>
<ul>
<li><em>Chief Information Security Officer</em>. Neiman Marcus created and filled the position of Chief Information Security Officer (CISO), an executive position with responsibility to coordinate and be responsible for Neiman Marcus’s program(s) to protect the security of customers’ payment card data including account numbers, expiration dates, card verification values, and cardholder names;</li>
<li><em>Information Security Organization</em>. Neiman Marcus created a new organizational unit responsible for information security and has hired employees to fill the organization, including a Director of Security Operations and a Director of Security, Risk Management and Compliance;</li>
<li><em>Senior Leadership Reporting</em>. Neiman Marcus increased the frequency and depth of reporting to its executive team and members of its board of directors about its cybersecurity efforts and the cybersecurity threat landscape;</li>
<li><em>Chip-Based Payment Card Infrastructure</em>. Neiman Marcus equipped all of its stores with devices that allow customers to pay for purchases using payment cards containing embedded computer chips;</li>
<li><em>Employee Education</em>. Neiman Marcus expanded its program to educate and train its workforce on methods to protect the privacy and security of its customers’ information;</li>
<li><em>Information Sharing</em>. Neiman Marcus joined several public-private partnerships that facilitate information sharing concerning cybersecurity and threat awareness.</li>
</ul>
<p>Even though it would have been interesting to see how the parties would have handled discovery and further motion practice, this settlement is still important for the following reasons:</p>
<p><em>First,</em> the small settlement amount indicates that even if plaintiffs survive a motion to dismiss and a court is willing to find allegations may give rise to the potential for damages in data breach cases, plaintiffs still may have a substantial hurdle to show they are entitled to a substantial damage award. Here, with allegations of 350,000 customers being impacted the settlement amount of $1.6 million may not provide an incentive for plaintiffs to bring these actions.</p>
<p><em>Next,</em> the non-monetary portion of the settlement agreement is worthy of examination because it shows the shift in how companies approach data protection since the breach at Neiman Marcus in 2013.  At the time of the breach in 2013, the fact that corporation did not have a Chief Security Information Officer and train employees on these issues may not have been surprising. Of course, a corporation that is not implementing such procedures today is operating at its own peril.</p>
<p><em>Finally</em>, the Seventh Circuit’s reversal of the District Court’s decision granting Neiman Marcus’ motion to dismiss was often cited by plaintiffs attempting to demonstrate they had standing to bring these actions. The Neiman Marcus case could have provided even more solid ground for plaintiffs if the class action plaintiffs had continued their success through discovery and into trial. Of course, it could also have shown that plaintiffs&#8217; allegations may survive a motion to dismiss but struggle for support as the case proceeds through discovery.</p>
<p>We will discuss this settlement and more at <a href="http://www.thehortongroup.com/events/anatomy-of-a-cyber-attack-risks-and-threat-mitigation-oak-brook-il?utm_source=Invite&amp;utm_medium=Email&amp;utm_campaign=Marketing">Horton Group&#8217;s Anatomy Of A Cyber Attack: Risks And Threat Mitigation </a>this Thursday, April 6, 2017 at the Hilton Chicago/Oak Brook Hills Resort &amp; Conference Center.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</title>
		<link>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry</link>
		<comments>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/#comments</comments>
		<pubDate>Fri, 17 Mar 2017 19:03:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1158</guid>
		<description><![CDATA[
<p>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017. Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and... <a class="more-link" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017.</em></p>
<p>Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and the US intelligence community.  It is easy to dismiss these national and international stories as being too big to provide any real insight into our domestic cyber insurance market.  However, it may be too soon to write off all news of government or political cyber attacks and leaks.</p>
<p>Last week, WikiLeaks published a substantial amount of data hacked from the CIA, showing the agency’s hacking and cyber warfare techniques. While no one would reasonably want to see a leak that could compromise national security, this leak provides valuable information for the insurance industry to use in evaluating its cyber insurance products. And, since the information has already been leaked, the insurance industry should use it to examine current and future cyber threats.</p>
<p><strong>Initial impact </strong></p>
<p>In its largest leak ever, WikiLeaks dumped data and information showing the classified hacking activities and other cyber weapons of the CIA. The document dump showed the CIA created software code to hack smart technology in the following manner:</p>
<ul>
<li><strong>Smart Phones:</strong> The CIA developed code to allow it to track an individual’s geolocation and allow remote access to audio, text communications, camera, and microphone features on a target’s smartphone before the data could be encrypted.</li>
<li><strong>Smart TVs:</strong> The CIA’s code was able to transform a smart TV into a “covert microphone” capable of sending conversations occurring near the television through the internet to a CIA server while the television appears to be off.</li>
<li><strong>Smart Vehicles:</strong> The WikiLeaks’ release showed that “[a]s of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks” which may be used to complete “nearly undetectable assassinations.”</li>
</ul>
<p><strong>Current cyber threats </strong></p>
<p>This leak is important because it shows how the CIA and, presumably, other sophisticated hackers are trying to access various consumer products. In this first dump alone, WikiLeaks leaked 8,761 documents with more documents on the way. It is rare that the insurance industry would have access to such a huge amount of information concerning the threats that give rise to cyber risks.  This information can immediately be put to good use.  For example, the information dumped in this leak provides substantial data for automobile insurers to determine the threat posed by hackers compromising smart cars.  And, the data comes from sophisticated, real-world hacking attempts rather than controlled experiments.</p>
<p>Further, beyond the leaked data itself, the leak provides valuable insight into the current threats covered by cyber insurance. The fact that this information may have been breached by a CIA employee or contractor shows the current threat that malicious insiders pose when determining cyber risks. The insurance industry must wrestle with the fact that if the CIA cannot stop a breach of its most secretive data, there may be little chance for an insured to stop a determined hacker.</p>
<p><strong>Future cyber threats </strong></p>
<p>This leak also provides valuable information showing where cyber threats may be going over the next few years. As stated in WikiLeaks’ press release: “[o]nce a single cyber &#8216;weapon&#8217; is &#8216;loose&#8217; it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.” Therefore, in assessing future cyber risks, the insurance industry should consider the CIA’s current hacking capabilities in order to forecast where non-government hackers may be going in the coming years, especially now that this information is in the public domain.</p>
<p>For example, WikiLeaks’ data dump shows the CIA was not necessarily penetrating encryption applications on smart phones. Rather, the CIA was simply hijacking the entire device and gathering information before it was even encrypted. First, this may provide step-by-step instructions for hackers less sophisticated than CIA hackers. It may be worthwhile for the insurance industry to start analyzing how this threat may impact cyber insurance policies in the near future. Additionally, the insurance industry may look at whether stringent requirements that insureds encrypt their information would be useful in the future, as such steps may not necessarily provide a safeguard or may take resources that could be applied elsewhere. The CIA’s technique for getting around encrypted devices was not widely known even two weeks ago.</p>
<p>Additionally, the WikiLeaks dump states the intention behind the hack was to have the public decide whether the CIA has too much power. In a statement to WikiLeaks, the source details policy questions that they say urgently need to be debated in public, including whether the CIA&#8217;s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.</p>
<p>Consequently, based on the stated intention of the hackers behind the WikiLeaks leak, it may be worthwhile for the insurance industry to consider the place that “hacktivism” has for cyber insurance products in the future and whether there is an increased cyber threat to insureds that draw negative attention.</p>
<p><strong>No such thing as “absolute privacy” </strong></p>
<p>Finally, the public’s attitudes concerning privacy are an important component in assessing the risks for cyber insurance. The risks covered by cyber insurance and expectations for privacy can be better understood when events such as the CIA leak occur. For better or worse, after seeing their privacy compromised in large-scale data breaches at retailers and government institutions and after falling prey to ransomware and phishing scams, the public may start viewing their privacy differently than just a few years ago. Further demonstrating this point is the fact that after WikiLeaks’ leak, FBI Director James Comey stated “[t]here is no such thing as absolute privacy in America.” At a cybersecurity conference days after the hack, Comey further stated, “All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces.”</p>
<p>A few years ago, Comey’s statements would have caused waves in the news. Today, the public barely took notice of his statements. Therefore, while seeing our privacy being compromised may still be unacceptable, the insurance industry can begin looking at the risk associated with a breach of an individual’s privacy in a slightly different manner than it viewed it just a couple of years ago. This is not to mention that many courts are finding plaintiffs lack standing to bring lawsuits over compromised private information unless they show they have suffered damages. In a sense, the level of risk goes down for insuring cyber incidents as the public begins to accept their privacy may not be protected.</p>
<p>Even though they do not directly impact the insurance industry, cybersecurity issues facing government agencies and political parties should not be overlooked as a valuable resource for the insurance industry.  The insurance industry should take information from any source available, including WikiLeaks, to evaluate cyber products.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Suit Filed by Credit Union over Arby’s Data Breach</title>
		<link>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-suit-filed-by-credit-union-over-arbys-data-breach</link>
		<comments>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/#comments</comments>
		<pubDate>Thu, 16 Feb 2017 21:25:23 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[arby's]]></category>
		<category><![CDATA[card operating regulations]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[EVM]]></category>
		<category><![CDATA[EVM chip]]></category>
		<category><![CDATA[home depo]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1116</guid>
		<description><![CDATA[
<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a class action complaint in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to... <a class="more-link" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Class Action Suit Filed by Credit Union over Arby’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Midwest_America_Federal_v_Arbys.pdf" target="_blank">class action complaint</a> in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to comply with Card Operating Regulations issued by the payment card industry (MasterCard, VISA, Discover, and American Express), allowing a major data breach to occur between October 25, 2016, and January 19, 2017. Midwest America’s complaint alleges that this breach affected thousands of issuers of credit and debit cards nationwide.</p>
<p>The data breach was first <a href="https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/" target="_blank">reported last week</a> by cyber security expert Brian Krebs, who said in an online report that he was alerted to problems by affected banks and credit unions. Arby’s subsequently acknowledged the breach, telling him it involved malware on the payment systems of its restaurants. In a statement on its website, Arby’s said it immediately notified law enforcement when it became aware of the breach and removed the malware.</p>
<p>The class action complaint alleges that the payment card industry issued Card Operating Regulations that mandate that Arby&#8217;s comply with industry standards. These standards require that all businesses upgrade to new card readers that accept EMV chip technology. EMV chip technology uses embedded computer chips to store payment card data. Every time an EMV card is used, the chip creates a unique transaction code that cannot be duplicated.</p>
<p>EMV technology increases payment card security because, if stolen, the unique transaction code cannot be used by hackers. The deadline for the installation of such systems was October 1, 2015. The class action alleges that Arby&#8217;s did not meet this deadline, as it has not installed chip card readers in its stores. The Card Operating Regulations dictate that businesses that continue to accept payment cards without chip readers will be liable for any damages resulting from data breaches.</p>
<p>The complaint alleges that Arby’s knew of the danger of not safeguarding its terminal network because Target, Home Depot and Wendy’s suffered similar data breaches. In 2015, Target agreed to pay $39.4 million to banks and credit unions in a suit relating to a 2013 data breach. Proposed class actions by banks and credit unions over Home Depot’s 2014 breach and Wendy’s 2015 breach are still pending in federal courts.</p>
<p>This recent breach demonstrates how difficult cyber security can be even for large businesses that have seen a number of their competitors deal with large breaches and that may have the resources to properly address cyber security concerns. This case, and other large-scale breaches, may explain why smaller targets dismiss cyber security safeguards based on the misconception that breaches only take place when there is a large amount of data at risk. However, it is important to keep in mind that many hackers have found smaller targets have lighter security than larger targets. Therefore, while large-scale breaches are still taking place, there have been a number of recent examples of why smaller targets should continue to prepare for a cyber incident.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Class Action Suit Filed by Credit Union over Arby’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</title>
		<link>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=casinos-lawsuit-shows-high-stakes-for-breach-response</link>
		<comments>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/#comments</comments>
		<pubDate>Tue, 11 Oct 2016 18:39:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[affinity]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trustwave]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=956</guid>
		<description><![CDATA[
<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, filed a complaint in the District Court of Nevada against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.... <a class="more-link" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, <a href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">filed a complaint in the District Court of Nevada</a> against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.</p>
<p>Affinity’s Complaint contained allegations that after learning of the breach involving the use of stolen credit cards, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted Trustwave, one of the firms on the list, to investigate and remedy the data breach. Affinity’s Complaint further alleged that after investigating the breach, Trustwave “represented to Affinity that the data breach was ‘contained’ and purported to provide recommendations for Affinity to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.</p>
<p>Trustwave filed a <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/MotionToDismiss_Trustwave.pdf">Motion to Dismiss</a> Affinity’s Complaint, arguing that it “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Regardless of whether the allegations against Trustwave are proven, this case provides further evidence that not hiring a breach response team isn’t worth the gamble.</p>
<p>On September 30, 2016, the District Court of Nevada denied in part and granted in part Trustwave’s Motion to Dismiss. <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Order_Affinity_Trustwave.pdf">The District Court’s Order</a> provided the following reasoning for allowing Affinity to continue to pursue its claims for breach of contract, fraud and deceptive trade practices:</p>
<p><strong>Motion to Dismiss Denied</strong></p>
<ul>
<li><strong>Breach of Contract</strong>: Regardless of whether Delaware or Nevada law is applied, the District Court held Affinity sufficiently alleged a breach of contract claim. In particular, the court found Affinity alleged that Trustwave breached its contract by failing to “perform a forensic investigation to identify, and remedy or contain, the causes of [Plaintiff’s] data breach, and to issue recommendations for measures [Plaintiff] would undertake to prevent further breaches in the future.”</li>
<li><strong>Fraud Counts</strong>: The District Court examined Affinity’s tort claims in the context of the economic loss doctrine, which “allows a party to recover in tort only if losses are accompanied by bodily harm or property damage; in other words, the doctrine prevents plaintiffs from recovering in tort for losses suffered that are solely economic in nature.” First, the court held Affinity had sufficiently pled its fraudulent inducement claim. Next, it noted Affinity’s allegations that Trustwave “misrepresented its ‘capabilities and experience as a data security service provider,’ ‘that it had undertaken a proper investigation,’ that the breach had been secured, and that its recommendations ‘would help to prevent&#8230;further data breaches from occurring.’” Further, Affinity alleged these representations were untrue and that it relied on them, which, in turn, provided sufficient support for this cause of action.</li>
<li><strong>Deceptive Trade Practices</strong>: Affinity pled a claim under Nevada’s Deceptive Trade Practices Act, which prohibits a seller from making false statements or misrepresentations about his or her goods or services, or failing to disclose material facts about his or her goods or services. Here, Affinity alleged that Trustwave “engaged in deceptive trade practices by falsely representing that [Trustwave] had the capabilities to perform the obligations under the Agreement, that [Trustwave] undertook a proper investigation to determine the cause of the data breach, that the data breach was ‘contained’ and the backdoor was ‘inert,’ when it was not, and that [Trustwave’s] recommendations would prevent further data breaches.” The District Court was not prepared to dismiss this claim because it could still be viable if the court found the contract between the parties was invalid.</li>
</ul>
<p><strong>Motion to Dismiss Granted</strong></p>
<ul>
<li><strong>Breach of Implied Duty of Good Faith and Fair Dealing</strong>: The District Court opined that to successfully plead a breach of an implied covenant of good faith and fair dealing, “a plaintiff must allege ‘a specific implied contractual obligation, a breach of that obligation by the defendant, and resulting damage to the plaintiff.’” The court held Affinity’s cause of action should be dismissed because it failed to allege facts demonstrating a specific implied contractual obligation as required under controlling law.</li>
<li><strong>Gross Negligence</strong>: Affinity claimed Trustwave owed it a “duty of care in performing its data security services, and in providing information that was truthful and accurate regarding Trustwave’s investigation, the causes of Affinity’s data breach, and the remediation or containment of that breach.” Under controlling law, Affinity was required to establish that Trustwave failed “to exercise even the slightest degree of care” in its conduct. The court granted Trustwave’s motion because Affinity’s complaint failed to allege Trustwave breached any duty independent of its contractual duties.</li>
<li><strong>Negligent Representation</strong>: Affinity claims that Trustwave misrepresented its capabilities to protect against a breach. The District Court found this claim should be dismissed to the extent the complaint failed to allege that Trustwave’s alleged misrepresentation was made in the course of Trustwave’s business or “or that these representations were ‘for the guidance of others in their business transactions.’”</li>
</ul>
<p>This litigation demonstrates the high stakes involved in responding to a data breach, even for highly sophisticated companies with developed expertise in data security. That is, if Affinity is able to support its allegations against Trustwave, the hackers will have outmaneuvered the very “good guys” hired to investigate and contain the breach. It is therefore easy to see how the cards are stacked against companies whose breach response team does not include the expertise of a data security consulting firm or other such professionals.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Brexit Vote Not Expected to Immediately Impact US Cyber Insurance Marketplace</title>
		<link>https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace</link>
		<comments>https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/#comments</comments>
		<pubDate>Tue, 28 Jun 2016 14:40:44 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Brexit]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[United Kingdom]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=810</guid>
<description><![CDATA[
<p>Last week, Great Britain voted to leave the European Union (EU), a landmark move known as “Brexit,” with more than 17.4 million voting to leave while 16.1 million voted to remain. The vote resulted from a referendum put forth by... <a class="more-link" href="https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/">Brexit Vote Not Expected to Immediately Impact US Cyber Insurance Marketplace</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Last week, Great Britain voted to leave the European Union (EU), <a href="http://www.nytimes.com/2016/06/25/world/europe/overwhelmed-by-brexit-here-are-the-basics.html?_r=1">a landmark move known as “Brexit,”</a> with more than 17.4 million voting to leave while 16.1 million voted to remain. The vote resulted from a referendum put forth by Prime Minister David Cameron in response to a growing group of anti-EU sympathizers. As a result of the vote to leave the EU, Cameron resigned as the Prime Minister.</p>
<p>While Brexit will undoubtedly have an immediate impact on the UK’s place in the world, there are questions concerning the impact this vote will have on cyber security and insurance in the US and abroad.</p>
<p>Prior to Brexit, <a href="http://www.zdnet.com/article/tech-vs-brexit-bosses-at-microsoft-ibm-sap-bt-and-accenture-back-remain/">UK financial and technology leaders warned</a> that leaving the EU would undermine the country&#8217;s tech sector and would mean firms and their customers face “significant and prolonged uncertainty and leave the UK side-lined.”</p>
<p>There are already inquiries as to whether this historic vote can be expected to have the same effect on the UK and EU cyber insurance markets as is expected within the UK tech industry. Further, Brexit may have implications beyond the UK cyber insurance market because, as a report discussed here previously put it, cyber risk management presents a unique “<a href="https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/">export opportunity for London</a>” and “the UK is the natural home for a growing global cyber insurance market.”</p>
<p>UK news outlets have been quick to address the <a href="http://www.cityam.com/244063/brexit-result-unlikely-knock-londons-insurance-market">impact of Brexit on the insurance market</a>:</p>
<p style="padding-left: 30px;">“In a statement released shortly after the result of the vote was revealed, Lloyd’s chairman John Nelson said that he was ‘confident’ the specialist insurance market would ‘stay at the centre of the global specialist insurance and reinsurance sector.’ Nelson added: ‘For the next two years our business is unchanged. Lloyd’s has a well prepared contingency plan in place and Lloyd’s will be fully equipped to operate in the new environment.’”</p>
<p>There is also concern that Brexit could have an impact on the US cyber insurance industry, as many carriers writing US cyber business, including Lloyd’s, Munich Re and Swiss Re, run significant operations out of the UK. The concern is that the financial fallout of Brexit may limit the amount of risk these carriers are willing to assume. In turn, the <a href="http://www.ibamag.com/news/what-brexit-means-for-the-us-insurance-market-33916.aspx">development of cyber insurance products may be stunted</a> if these companies are not prepared to take on the risk of the blossoming cyber insurance market.</p>
<p>The full consequences of Brexit are not expected to show for at least two years as the UK and the EU still have numerous issues to work out before the split. In the development of cyber insurance, two years is a significant amount of time. That is, over the last two years we have seen cyber insurance develop from a novel concept to a basic requirement for most companies.</p>
<p>While the UK’s eventual exit from the EU may be a factor in the development of cyber insurance, there is no reason to assume Brexit will be an overriding factor. The immediate impact of Brexit on cyber insurance should be limited, given that traditional lines of insurance coverage have continued to develop through tumultuous events throughout history. Simply put, cyber insurance will continue to develop as long as there is a risk, and the risk of a cyber event will not decrease as a result of Brexit. Thus, the US cyber insurance industry should not see much change as a result of Brexit.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/">Brexit Vote Not Expected to Immediately Impact US Cyber Insurance Marketplace</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/brexit-vote-not-expected-to-immediately-impact-us-cyber-insurance-marketplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
