As the East Coast closely watches meteorologists’ models and predictions to prepare for Hurricane Joaquin, it may be a good time to consider the role of using statistics and models to predict the next data breach.

A recent study entitled Hype And Heavy Tails: A Closer Look At Data Breaches uses statistics and modeling to call into question how we view data breaches. Despite the increase in media reports on data breaches since 2005, the statistical models in this study suggest large-scale data breaches, such as those seen with Anthem and Home Depot, may actually be decreasing. Additionally, this trend may continue as the study found the chances of seeing two large-scale data breaches the size of the Home Depot breach (September 2014) and the Anthem data breach (January 2015) occurring within four months of each other is unlikely.

Based on data taken from the Privacy Rights Clearinghouse (“PRC”), the study also concludes:

• Breach Size: The statistical modeling indicates “there is a 1.2% chance of another Anthem-sized breach occurring between February 19, 2015 and…June 2015.” On the other hand, there was a 70% probability that there will be a breach of at least one million records during the same timeframe.
• Predictions: The statistical modeling also indicates that over the next three years there is a 7.8% chance of a breach equaling the size of the Anthem breach. There is only a 0.4% chance of two data breaches equaling Anthem and Home Depot occurring within a year of each other.

Commentators interpreting the results of this study indicate that large-scale data breaches may not be on the rise “precisely because computer security experts have been vigilant in the face of these risks.” This study also supports the theory that there is a “cybersecurity arms race” taking place between hackers and security experts. The number of breaches may be staying consistent because security measures and hacker’s techniques are evolving at an equal pace.

In discussing these results, the researchers warned: “Our results aren’t necessarily aimed at individual organizations, and may be more relevant to policymakers who make decisions based on media and industry reports.”

This is not the first time statistical modeling has been used in an effort to gain a better understanding of data breaches. Catastrophe modelers have considered using modeling for data breaches similar to that used to predict hurricanes. Therefore, even if there is not sufficient historical data to predict the next data breach with precision, statistics and modeling provide valuable insight into the risks associated with cybersecurity. Any method that allows us to gain a better understanding of this risk should not be ignored.

The post Can Statistics Be Used to Predict Data Breaches? appeared first on Privacy Risk Report.

The post Following 2014’s “Year of the Breach,” 2015 is Shaping Up to Be the “Year of Data Breach Litigation” appeared first on Privacy Risk Report.

Early reports indicate that Sony Corp. of America and Zurich American Insurance Company (along with other insurers) have reached settlement terms today in their data breach case involving a hack of the online services for the Sony PlayStation in April 2011. These data breaches, which were unrelated to the Sony Pictures cyber attack, resulted in hackers accessing personal information for nearly 100 million individuals. The PlayStation hacks gave rise to at least 55 putative class-action lawsuits filed against Sony in the U.S with expectations that the breaches would cost Sony nearly $180 million in the next year.

This insurance coverage case, which many anticipated would be one of the most important decisions in 2015, gave rise to a ruling by a New York trial court that Zurich had no duty to defend under a commercial general liability policy issued to Sony. The New York trial court held Sony’s insurers did not owe a defense to Sony under CGL policies because there was no “publication” under Coverage B of the CGL policy. Specifically, the court held that while a wide-scale data breach represents a “publication” of private information within the meaning of the “personal and advertising injury” coverage, the PlayStation  breach did not fall within coverage of Sony’s CGL policy because the policy covered only publications by the insured itself—not by third-party hackers. That is, while the trial court held the breach was arguably a publication under Coverage B of the Zurich policies, it was not a “publication” by Sony, the insured under the policy.

This decision was widely considered to be the best opportunity to get a glimpse into how appellate courts would treat data breach claims under CGL policies. Unfortunately, as data breaches and cybersecurity issues become more prevalent, we can expect to see litigation of these issues continue despite this settlement. Coincidently, this settlement comes on the heels of another important potential settlement in the Target litigation. Nevertheless, the need for guidance on this issue may be diminished as more CGL policies include cyber liability exclusions.

The post Sony and Zurich Settle Data Breach Case Before Appellate Court Can Decide Coverage Issues Under CGL Policy appeared first on Privacy Risk Report.

Lawyers for a portion of the Financial Institution Plaintiffs in the Target class action litigation (including smaller financial institutions Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain) filed a motion for preliminary injunction to block Target’s proposed $19 million settlement with MasterCard based on claims that it would undercut their positions in the Target litigation.

Referring to the proposed settlement as a “sweetheart deal,” the lawyers for the smaller institutions argued “[t]he agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history.” In their memorandum filed in support of their motion, the smaller institutions claim Target is attempting to use the MasterCard settlement to completely release all of the Financial Institution Plaintiffs’ claims through a measure that was originally intended to protect card issuers against data breaches.

Specifically, the smaller institutions claim MasterCard’s Account Data Compliance (ADC) program is being used to force them into a settlement that does not make them whole. The ADC program is the process used by MasterCard and issuing banks to determine liability and payment of damages related to a data breach. Specifically, through the program, “MasterCard allows financial institutions to recover certain, limited portions of their losses from data breaches if numerous criteria are met.” The smaller institutions contend that the ADC program is not intended to fully reimburse but rather involves MasterCard unilaterally determining whether any recovery is necessary after it investigates a breach. The card issuers can engage this process without releasing their claims against a merchant or other entity responsible for a breach.

In its memorandum in support of the motion, the smaller institutions claim Target and MasterCard “conspire[] to extinguish the financial institutions’ claims against Target for extremely low amounts…” The smaller institutions claim that, while Target and MasterCard may negotiate an agreement to release Target from its liability to MasterCard, the current settlement does more when it completely eliminates Target’s class action liability. The crux of the smaller institution’s argument is that the issuing banks “already have the right to participate in the [ADC] program without agreeing to a release” of Target.

Moreover, the smaller institutions claim that Target and MasterCard failed to disclose “that they were negotiating a settlement that would completely eliminate class action liability against Target…” The smaller institutions assert they would have made it a priority to participate in the settlement negotiations if they knew this was the case. These institutions also argue that the settlement requires the litigation proceed only in New York state court or the District Court for the Southern District of New York, stripping the court of its jurisdiction.

The smaller institutions also claim they would be forced to potentially waive their rights of recovery if the settlement is permitted by the court. The smaller institutions argue that when Target’s counsel informed them of the potential settlement with MasterCard, it was their understanding that Target may receive an offset or credit for the settlement amount. However, the settlement now includes a “requirement of a full release of all issuers’ claims against Target.”

On April 24, 2015, Target filed its Opposition to the Motion for Preliminary Injunction arguing that card issuers may choose to participate in the settlement and receive 71.4% of the “maximum amount recoverable on the claim MasterCard made against Target on the their behalf, and in return they will release Target from any and all claims they have against Target relative to the Target Intrusion, including those claims being asserted on their behalf in this litigation.” Target also states that card issuers that decide not to participate will receive nothing in the settlement, “but all of their existing recovery rights in regard to the Target Intrusion, including their rights under the ADC program and the claims being asserted on their behalf in this litigation, will be fully preserved notwithstanding the settlement.”

The court has scheduled a hearing on this motion for April 27, 2015.

The smaller institutions’ motion for preliminary injunction demonstrates how quickly friends can become foes in litigation related to data breaches. At the onset of the litigation, the smaller institutions and MasterCard were aligned against Target. By the time the smaller institutions filed their motion, it was necessary for them to request the court suspend the deadline to file an Amended Complaint “or add parties so that Lead Counsel may add MasterCard as a Defendant, if appropriate, in the current action pending the outcome of discovery efforts not directed at these issues.” That is, while the smaller institutions and MasterCard started out on the same team, the smaller institutions now claim “MasterCard has unabashedly carried Target’s water to suit itself at the bank’s expense.”

The post Put Away The Champagne: Smaller Banks Try to Block the Target/MasterCard Settlement appeared first on Privacy Risk Report.

Last week, Target announced a $19 million settlement with MasterCard, a “Financial Institution Plaintiff,” as a result of the 2013 data breach at its stores.

The terms of the settlement agreement are rather complex and call for Target funding “alternative recovery offers” made by MasterCard to companies that issue MasterCards. Target’s press release further indicates that “[t]he settlement is conditioned on issuers of at least 90% of the eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015.”

Plaintiffs’ lead counsel has made statements objecting to the MasterCard settlement and stated the settlement amount “appears to only cover a ‘minimal portion’ of the actual damages suffered by financial institutions…”. He is urging the financial institutions not to sign onto the MasterCard settlement.

Even if the settlement goes through with MasterCard, Target will have to negotiate separate agreements with financial institutions that issued Visa or Discover cards. With so many moving parts in the Target data breach case, we can see how difficult it is to assess the risk related to a data breach.

Based on the Target litigation, the risk analysis by policyholders or insurers for a data breach cannot be limited to the potential for damages to consumers involved. Rather, the major hurdles in this case appear to be related to the damages sought by various financial institutions. Consequently, any risk analysis must include the potential damages suffered by credit card issuers. As illustrated by the Target litigation, these damages can be substantial. Lastly, any difficulty in assessing the risk prior to a breach is understandable when there is this much trouble assessing damages after a breach.

—

Last month, Target settled the portion of the class action lawsuit with the “Consumer Plaintiffs.” See related posts:

Target and Consumer Plaintiffs Nearing Settlement of Class Action Suit Related to 2013 Breach

Tressler Attorneys Analyze the Recent Decision in Target Financial Institution Cases for Advisen’s Cyber Risk Network

District Court Allows Parties to Proceed in Banks’ Class Action Suit Arising Out of Target’s December 2013 Data Breach

Target Seeks Dismissal of Action By Banks in Data Breach Case

The post It’s Complicated: Target Settlement With Banks Hits a Snag appeared first on Privacy Risk Report.

Early news reports indicate that Target will pay $10 million to settle a class action lawsuit with the “Consumer Plaintiffs” related to the 2013 data breach at its stores.

The consumer plaintiffs will be paid settlement proceeds through a dedicated website. The proposed settlement also includes a provision requiring Target to adopt new security measures including appointing a chief information security officer, implementing a written information security program and providing additional security training to its employees.

Consumer plaintiffs will be able to submit claims for their damages which can include the following:

• Documentation for losses that they can reasonably attribute to the data breach. For example, this may include a credit card statement, invoice or receipt showing an unauthorized charge related the breach.
• Documentation for losses that include two hours of lost time at $10 per hour for each “documented loss they incurred.” For example, this would include time spent correcting unauthorized charges or obtaining a new driver’s license.

The settlement also requires Target pay the consumer plaintiffs’ attorneys’ fees. Target cannot contest any amount of attorneys’ fees exceeding $6.75 million. The Class Action Plaintiffs’ Memorandum In Support of Motion for Certification of a Settlement Class and Preliminary Approval of Class Action Settlement provides further details of the proposed settlement.

This settlement comes after a U.S. District Court judge rejected Target’s argument that the consumer plaintiffs lacked standing because they could not establish that they suffered an injury from the December 2013 breach of their personal information.

The Memorandum submitted to the District Court is a worthwhile read with a significant amount of valuable information. For example, in a discussion on Page 9 about the class action plaintiffs’ investigation of the breach, the following sources are identified:

Statements Target made on its website and in communications to its customers;

• Examining iterations of Target’s privacy policy over a number of years preceding and during the period of the breach;
• Analyzing testimony before the breach and reports issued by Congressional committees;
• Reviewing news articles, including investigative reports, examining the causes of the data breach;
• Evaluating analysts’ reports;
• Reviewing Target’s annual reports and submissions to federal agencies;
• Conducting factual research into Target’s data security practices, including public information about past breaches of Target and other retailers’ systems;
• Researching warnings and alerts issued by credit card issuers;
• Studying industry standards governing data security;
• Evaluating studies examining data security practices, breaches, risks and the impact of breaches; and
• Communicating with knowledgeable consultants and experts on data security.

This list, drawing from resources existing both before and after Target’s data breach, provides further evidence the importance of preparing for a breach before it happens.

Tressler will continue to provide updates regarding the litigation involving the consumer plaintiffs as well as that involving the financial institution plaintiffs.
__

This settlement does not include the “Financial Institution Plaintiffs” in the suit. Target sought to dismiss banks claims, but the District Court allowed the banks to proceed. Tressler will continue to follow the proceedings regarding this matter.

The post Target and Consumer Plaintiffs Nearing Settlement of Class Action Suit Related to 2013 Data Breach appeared first on Privacy Risk Report.

On June 6, 2012, LinkedIn announced it had a data breach that involved hackers taking 6.5 million passwords from March 16, 2006 through June 7, 2012. The passwords were ultimately published on a Russian hacker website. A class action lawsuit was filed by one of LinkedIn’s paying members based on allegations that LinkedIn violated an agreement with its paying subscribers that it would keep their personal information protected. The class action plaintiffs alleged that they would have viewed LinkedIn services as having less value if they knew LinkedIn had “lax security practices” in place. This class action lawsuit was resolved this week when LinkedIn paid $1.25 million to settle the lawsuit.

The class action Settlement Agreement contains two separate provisions related to “Settlement Relief.” First, under a section entitled “Monetary Payments to Settlement Class Member,” the agreement provides that all class members can submit a claim for $50 by May 2, 2015. Any portion of the settlement amount left over after all payments are made will be distributed between the Center for Democracy and Technology, the World Privacy Forum, the Carnegie Mellon CyLab and the CyLab Usable Privacy and Security Laboratory. Information related to the class action settlement will be provided through direct e-mails sent to LinkedIn paying members and a settlement website that allows for claims to be filed electronically.

Under a section of the Settlement Agreement entitled “Prospective Relief,” LinkedIn agreed to increase its security measures to protect users’ password information in the future.

While the Settlement Agreement provides insight into the relief plaintiffs are seeking in these various class action lawsuits, this settlement brings closure to another significant data breach case without a court determining the merits of the parties’ positions. While the settlement may have resulted in a fair resolution for the parties involved, it is unfortunate that the court did not get the opportunity to render a decision on liability.

The post LinkedIn Settles Data Breach Class Action With Its Paying Members appeared first on Privacy Risk Report.