<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Target</title>
	<atom:link href="https://privacyriskreport.com/tag/target/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Courts Are Still Picking Over The Bones From The 2013 Target Data Breach</title>
		<link>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach</link>
		<comments>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/#comments</comments>
		<pubDate>Tue, 19 Nov 2019 17:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[Target]]></category>
		<category><![CDATA[United States District Court for the District of Minnesota]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1979</guid>
		<description><![CDATA[
<p>It was a quaint, innocent time before social engineering scams, ransomware or any of the other threats had evolved to hassle both large and small data collectors. In 2014 and 2015, large-scale data breaches at Home Depot, Best Buy and... <a class="more-link" href="https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/">Courts Are Still Picking Over The Bones From The 2013 Target Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>It was a quaint, innocent time before social engineering scams, ransomware or any of the other threats had evolved to hassle both large and small data collectors. In 2014 and 2015, large-scale data breaches at Home Depot, Best Buy and Target roamed the Earth. While all that has changed drastically in the last five years, we still have a few fossils providing insight on a time when <em>huge</em> data breaches caused <em>huge</em> damages to companies with <em>huge</em> insurance policy limits.</p>
<p>Five years ago, on September 19, 2014, <a href="https://privacyriskreport.com/target-seeks-dismissal-of-action-filed-by-banks-in-data-breach-case/" target="_blank">we posted about Target Corporation’s motion to dismiss a lawsuit filed by a number of banks</a> that claimed they incurred costs to reissue credit/debit cards compromised in Target’s December 2013 data breach.</p>
<p>A year later, on September 16, 2015, <a href="https://privacyriskreport.com/target-suffers-a-significant-blow-in-financial-institution-data-breach-class-action" target="_blank">we posted about the class action litigation brought by financial institutions related to the Target data breach.</a> This class action was brought by banks that had to reissue credit and debit cards that were compromised in Target’s massive data breach. <a href="https://privacyriskreport.com/put-away-the-champagne-smaller-banks-try-to-block-the-targetmastercard-settlement/" target="_blank">We had been monitoring this litigation for months in 2014 and 2015</a> as Target and the Banks issuing cards caught in Target’s breach slugged it out in court.</p>
<p>Almost four years later, the insurance coverage issues related to Target’s litigation with financial institutions are just reaching the courts. On November 15, 2019, Target Corporation (“Target”) filed a <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/target-complaint.pdf?sfvrsn=2" target="_blank">complaint</a> seeking damages for breach of contract claims and seeking a declaratory judgment concerning insurance coverage in the United States District Court for the District of Minnesota against its insurer, ACE American Insurance Company (“ACE”).</p>
<p>The Complaint generally alleges the following facts gave rise to Target’s tender for insurance coverage:</p>
<p><em>In December 2013, Target discovered that a hacker had installed malicious software on its computer network (“Data Breach”). The Data Breach enabled the attacker to steal payment card data and personal contact information, thus rendering the related physical payment cards unusable. As a result, numerous banks were required to dedicate substantial resources to canceling and reissuing physical payment cards. These costs include, for example, the cost of producing the plastic card, mailing the card to consumers, and otherwise reissuing the physical card. Those banks subsequently sued Target for their losses, including the losses directly caused by the replacement of the physical cards. Target was able to settle all of the claims, including the claim for the replacement of physical payment cards.</em></p>
<p>More specifically, Target claims ACE had a duty under two general liability insurance policies that provide coverage for “Property Damage” defined to include the “loss of use of tangible property that is not physically injured.”  In particular, the banks claimed, “that, as a result of the Data Breach, they were forced to dedicate significant resources to canceling and reissuing these physical payment cards.”  Target claims it is entitled to coverage because it was found liable “for the loss of use of plastic payment cards that were not physically injured.”  The Complaint alleges the parties litigated the underlying class action brought by the banks to the point that the matter was ultimately settled for approximately $58 million. Target also settled with Visa, Mastercard, American Express and Discover for approximately $138 million. The Complaint alleges that approximately $74 million went to the Banks for costs related to replacing cards compromised by the breach.</p>
<p>Target seeks coverage under two primary policies and an excess policy by asserting the Banks “sought damages for, among other things, loss of use of tangible property (i.e., physical plastic payment cards) that, while not physically injured, could not be used without risk to the customer and the bank.” The Complaint for Declaratory Judgment alleges ACE breached its duty when it refused to indemnify Target for damages incurred to reissue the compromised cards and seeks a judicial declaration that ACE owes coverage under all the policies.</p>
<p>In addition to serving as a reminder of a bygone era, the Target data breach provides insight into the unique issues data breaches cause under traditional lines of insurance for both large and small data collectors.  While this declaratory judgment matter is only in the initial pleading stages, Target is already making a unique argument that costs related to reissuing credit/debit cards by Banks fall into the definition of “property damage” in the CGL policies. Further, Target will need to show the retained limit of the policy, which is essentially a deductible, was exhausted solely on costs from reissuing the “physical plastic payment cards.”  This case may develop to provide some much-needed authority concerning breach claims under CGL policies. Either way, we can count on this case adding to the substantial body of privacy law in general created by the Target breach in 2013.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/courts-are-still-picking-over-the-bones-from-the-2013-target-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Through Thick And Thin:  Anthem Breach Shows Lasting Commitment For Data Breach Cases</title>
		<link>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases</link>
		<comments>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/#comments</comments>
		<pubDate>Mon, 26 Jun 2017 16:41:49 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[anthem]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1234</guid>
		<description><![CDATA[
<p>There should be little question that data breach litigation will continue to present unique issues for courts.  However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues.  For example, the documents publicly available related... <a class="more-link" href="https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/">Through Thick And Thin:  Anthem Breach Shows Lasting Commitment For Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There should be little question that <a href="https://privacyriskreport.com/data-breach-litigation-evolves-allows-the-breaching-entity-and-the-breaching-entitys-data-security-vendors-to-be-named-as-defendants/" target="_blank">data breach litigation will continue to present unique issues for courts</a>.  However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues.  For example, the documents publicly available related to the settlement of the Anthem breach show that plaintiffs, in addition to money, may be looking for a commitment from the breaching party to repair the damage caused by a breach.</p>
<p>On June 23, 2017, the parties involved in the 2015 Anthem data breach brought the matter closer to a resolution when they filed documents with the District Court for the Northern District of California to settle the matter. This litigation involved seventeen class action lawsuits alleging Anthem failed to properly protect the plaintiffs’ personal information and Anthem delayed notifying impacted individuals of the breach. The Settlement Agreement and Release indicates that parties engaged in mediation sessions over the first half of 2017 before finally agreeing to settle the matter for $115 million. The Settlement Agreement contains a “Settlement Fund” provision providing exactly how the $115 million settlement payment will be allocated. First, the Anthem entities are required to deposit $25 million into a Qualified Settlement Fund <strong>ten days after the Court enters the Preliminary Approval Order </strong>to cover administrative expenses, set-up costs for a “Credit Services” vendor which provides credit services monitoring for the plaintiffs, reasonable costs for providing notice of the terms of this Agreement and “Out-of-Pocket” costs as defined under the Agreement.  Next, the Anthem Entities are required to deposit the balance of the settlement payment in a Qualified Settlement Fund <strong>ten days after the Court enters the Final Approval Order and Judgment.  </strong>While the settlement amount is staggering, the commitment that Anthem has to make to protect and re-establish the plaintiffs&#8217; credit after the settlement is also worth considering.</p>
<p>The Settlement Agreement contains detailed provisions concerning notice, credit services and &#8220;Alternative Compensation&#8221; for impacted individuals:</p>
<p><strong>Notice</strong></p>
<p>The Settlement Agreement provides precise requirements concerning how the plaintiffs are to be notified of the settlement. The “Notice Plan” provides details on how plaintiffs are to be located and how options are to be presented for the plaintiffs.</p>
<p><strong>Credit Services Provisions</strong></p>
<p>The section of the Settlement Agreement addressing Credit Services requires the Anthem Entities to arrange for Experian to provide for credit monitoring services to the plaintiffs. In addition to credit monitoring, the parties agreed that plaintiffs would be provided with:</p>
<ul>
<li>“ID Theft Insurance” which would provide insurance for theft related expenses up to $1 million;</li>
<li>“Internet Surveillance” which includes monitoring the “dark web” for plaintiffs’ personal information;</li>
<li>“Identity Restoration Services” that would provide plaintiffs with “fraud resolution assistance,” and</li>
<li>“Minor Plus” which provides added protection for plaintiffs that are minors.</li>
</ul>
<p>The Credit Services provision makes it clear that the plaintiffs are going to look to Anthem to make arrangements to put them back to where they were prior to the breach.  This provision will not allow Anthem to simply pay its money and move on.  Rather, Anthem will need to act as an administrator to make sure it meets all obligations to the plaintiffs.</p>
<p><strong>Alternative Compensation </strong></p>
<p>The Settlement Agreement also provides for “Alternative Compensation” for those plaintiffs that already have some form of credit monitoring and do not enroll in the Credit Services offered under the Settlement Agreement.  Here, Anthem will need to confirm that each plaintiff who makes the necessary election qualifies for the Alternative Compensation.</p>
<p><strong>Out-of-Pocket Costs</strong></p>
<p>The Agreement defines “Out-of-Pocket” costs as “expenditures that a [plaintiff] actually incurred that are fairly traceable to the Data Breach.” These costs may include unreimbursed fraud charges, professional fees incurred from identity theft or falsified tax returns, credit freezes or credit monitoring that was ordered after January 2015. These costs may also include reimbursement for time spent attempting to remedy issues related to the data breach at a rate of $15 per hour. The Agreement states that $15 million will be reserved from the Settlement Fund.  And, once again, Anthem will need a system in place to review these costs.</p>
<p><strong>Documents Filed Under Seal</strong></p>
<p>Another interesting aspect of this settlement is seen in the parties’ Joint Administrative Motion To File Under Seal Portions of Plaintiffs’ Memorandum in Support of Motion for Preliminary Approval of Action Class Settlement And Exhibits to Settlement Agreement. In particular, the parties sought to redact sensitive information found in the Memorandum including “detailed and confidential information about Anthem’s information security.” Anthem claims this information, if publicly disclosed, could cause further harm “by giving potential cyberattackers insights into Anthem’s cybersecurity practices and protocols.”</p>
<p>This is not the first time parties have been concerned about information that could be extracted from court documents.  During the settlement negotiations related to its breach in 2015, <a href="https://privacyriskreport.com/target-litigation-reveals-concern-hackers-may-use-court-documents-to-gain-information/" target="_blank">Target Stores contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access</a> to detailed information about Target&#8217;s IT infrastructure, Target&#8217;s information security controls, and information about Target&#8217;s information security policies and procedures.  Following Target&#8217;s lead, <a href="https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/" target="_blank">a number of courts around the country have started to consider what information they are making available online</a>.</p>
<p><strong>Lasting Commitment</strong></p>
<p>As the Anthem litigation draws to a close, it is clear that a cyber security incident can have a lasting impact.  Even at this point, when the parties have agreed to settlement terms, Anthem will be responsible over the next few years for making sure the Settlement Fund is being properly administered, the Settlement Fund is being funded and the plaintiffs are being made whole.  The Anthem Breach and Settlement make it clear that entities cannot simply pay damages related to a breach and walk.  Rather, Anthem and the plaintiffs are now partners in addressing any fraudulent acts that arise out of the Anthem Breach, re-establishing plaintiffs&#8217; credit and getting plaintiffs assistance to address any credit or tax issues that arise from the breach.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/through-thick-and-thin-anthem-breach-shows-lasting-commitment-for-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</title>
		<link>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action</link>
		<comments>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/#comments</comments>
		<pubDate>Fri, 12 May 2017 18:40:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Home Depot]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1200</guid>
		<description><![CDATA[
<p>The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this... <a class="more-link" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p dir="LTR" align="LEFT">The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this breach was recently seen in <em>Community Bank of Trenton v. Schnuck Markets</em>, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.</p>
<p dir="LTR" align="LEFT">Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network.  Specifically, Trenton attempted to support its cause of action with allegations &#8220;that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.&#8221; Trenton’s complaint further alleged that unencrypted data &#8220;was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013.&#8221; The Complaint alleged Schnucks learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013. Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).</p>
<p dir="LTR" align="LEFT">In granting Schnucks&#8217; motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law.  Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500).  The District Court rejected Trenton’s argument finding &#8220;the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.&#8221; (&#8220;What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.&#8221;) The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to &#8220;read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.&#8221;</p>
<p dir="LTR" align="LEFT">After finding Trenton did not have a private cause of action based on Missouri&#8217;s breach notification laws, the District Court distinguished &#8220;out-of-circuit precedent&#8221; where courts have found defendants had a duty to safeguard data based on a business relationship.  (<em>In re Home Depot, Inc. Customer Data Security Breach Litigation</em>, 2016 WL 2897520 (N.D. Ga. 2016); <em>Target Corp. Data Sec. Breach Litigation</em>, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and <em>Sovereign Bank v. BJ&#8217;s Wholesale Club, Inc.,</em> 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005)).  The District Court found these cases unpersuasive because the record in the <em>Home Depot</em> breach litigation suggests &#8220;Home Depot&#8217;s data security conduct&#8230;was egregious and intentional,&#8221; the <em>Target</em> Court relied on provisions that were unique to Minnesota law and the holding in <em>BJ&#8217;s Wholesale Club</em> &#8220;is frankly outdated.&#8221;</p>
<p dir="LTR" align="LEFT">The holding in <em>Schnuck&#8217;s</em> provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the <em>Schnucks</em> court, plaintiffs may need to show a data breach resulted from the &#8220;egregious and intentional&#8221; conduct seen in the <em>Home Depot</em> breach litigation.  The <em>Schnucks</em> court distinguishes this case from the record in the <em>Home Depot</em> litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security &#8220;and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.&#8221;</p>
<p dir="LTR" align="LEFT">The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security.  Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach.  Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</title>
		<link>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case</link>
		<comments>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/#comments</comments>
		<pubDate>Wed, 03 May 2017 15:56:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1188</guid>
		<description><![CDATA[
<p>The threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action against the party that allegedly caused a breach. This hurdle for litigants rises out of Article III of the Constitution that... <a class="more-link" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The <a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action </a>against the party that allegedly caused a breach. This hurdle for litigants arises out of Article III of the Constitution that limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative.  Nevertheless, while a number of data breach cases have been lost at the initial pleadings stage, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.   As this body of law has developed over the years, one case in particular, <em>Lewert v. P.F. Chang’s China Bistro, Inc</em>., 14-3700 (7<sup>th</sup> Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs.  Recent developments in this case should provide more hope for plaintiffs.</p>
<p>The P.F. Chang&#8217;s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count&#8221;. (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage.  The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang&#8217;s other arguments for dismissal.</p>
<p>The Seventh Circuit reversed the District Court’s dismissal of the plaintiffs’ complaint based on <em>Remijas v. Neiman Marcus Grp., LLC</em>., 794 F.3d 688 (7<sup>th</sup> Cir. 2015), another Seventh Circuit data breach case.  In particular, the Seventh Circuit reversed the District Court&#8217;s findings based on the following:</p>
<ul>
<li>The Seventh Circuit held in <em>Remijas</em> that the plaintiffs met their burden in showing their “injuries were concrete and particularized enough to support Article III standing.” Likewise, in <em>P.F. Chang’s</em>, the Seventh Circuit found allegations of an increased risk of fraudulent charges and identity theft met the plaintiffs’ burden.</li>
<li>The Seventh Circuit also found the plaintiffs in P.F. Chang’s met their burden to show causation and that a favorable judgment would redress those injuries. Here, the P.F. Chang’s Court held Plaintiffs alleged sufficient facts to plausibly show their information was likely included in the hack at P.F. Chang’s. And, the plaintiffs were able to establish their financial injuries, which include lost opportunity to accrue points on his credit card while waiting for a replacement and time and resources spent to track any fraudulent charges, were sufficient to show a favorable judgment could redress plaintiffs’ alleged injuries.</li>
</ul>
<p>Since the Seventh Circuit’s decision, the <em>P.F. Chang&#8217;s</em> case has been remanded back down to the trial court and the parties have continued to litigate issues related to P.F. Chang’s motion to dismiss. For example, on December 13, 2016, the District Court entered an order stating that because plaintiffs’ complaint was dismissed by the District Court for lack of standing, the District Court did not address P.F. Chang’s additional arguments for dismissal.  The District Court further ordered the parties to submit briefs discussing the issues that remained unresolved after the Seventh Circuit found plaintiffs had standing to bring suit. Last February P.F. Chang’s filed a motion for leave to file additional briefs in support of its motion to dismiss. In its briefs, P.F. Chang’s argued plaintiffs’ complaint should be dismissed because the plaintiffs’ purchases formed express contracts rather than implied contracts and plaintiffs’ allegations did not support allegations that P.F. Chang’s violated the Illinois Consumer Fraud Act.  Plaintiffs filed a brief in opposition which argued that P.F. Chang’s “filed a new, full-throated motion to dismiss.”</p>
<p>On April 26, 2017 the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.</p>
<p>While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss.  It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang&#8217;s litigation is even more important since <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">the Neiman Marcus case recently settled </a>before we could see how that litigation unfolds through discovery and further motion practice.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Suit Filed by Credit Union over Arby’s Data Breach</title>
		<link>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-suit-filed-by-credit-union-over-arbys-data-breach</link>
		<comments>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/#comments</comments>
		<pubDate>Thu, 16 Feb 2017 21:25:23 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[arby's]]></category>
		<category><![CDATA[card operating regulations]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[EVM]]></category>
		<category><![CDATA[EVM chip]]></category>
		<category><![CDATA[home depo]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1116</guid>
		<description><![CDATA[
<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a class action complaint in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to... <a class="more-link" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Class Action Suit Filed by Credit Union over Arby’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Midwest_America_Federal_v_Arbys.pdf" target="_blank">class action complaint</a> in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to comply with Card Operating Regulations issued by the payment card industry (MasterCard, VISA, Discover, and American Express), allowing a major data breach to occur between October 25, 2016, and January 19, 2017. Midwest America’s complaint alleges that this breach affected thousands of issuers of credit and debit cards nationwide.</p>
<p>The data breach was first <a href="https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/" target="_blank">reported last week</a> by cyber security expert Brian Krebs, who said in an online report that he was alerted to problems by banks and credit unions affected. Arby’s subsequently acknowledged the breach, telling him it involved malware on payment systems of its restaurants. In a statement on its website, Arby’s said it immediately notified law enforcement when it became aware of the breach and removed the malware.</p>
<p>The class action complaint alleges that the payment card industry issued Card Operating Regulations that mandate that Arby&#8217;s comply with industry standards. These standards require that all businesses upgrade to new card readers that accept EMV chip technology. EMV chip technology uses embedded computer chips to store payment card data. Every time an EMV card is used, the chip creates a unique transaction code that cannot be duplicated.</p>
<p>EMV technology increases payment card security because, if stolen, the unique number cannot be used by hackers. The deadline for the installation of such systems was October 1, 2015. The class action alleges that Arby&#8217;s did not meet this deadline, as it has not installed chip card readers in its stores. The Card Operating Regulations dictate that businesses that continue to accept payment cards without chip readers will be liable for any damages as a result of data breaches.</p>
<p>The complaint alleges that Arby’s knew of the danger of not safeguarding its terminal network because Target, Home Depot and Wendy’s suffered similar data breaches. In 2015, Target agreed to pay $39.4 million to banks and credit unions in a suit relating to a 2013 data breach. Proposed class actions by banks and credit unions over Home Depot’s 2014 breach and Wendy’s 2015 breach are still pending in federal courts.</p>
<p>This recent breach demonstrates how difficult cyber security can be for large businesses that have seen a number of their competitors deal with large breaches and may have the resources to properly address cyber security concerns. This case, and other large scale breaches, may explain why smaller targets may dismiss cyber security safeguards based on the misconception that breaches only take place when there is a large amount of data at risk. However, it is important to keep in mind that many hackers have found smaller targets have lighter security than larger targets. Therefore, while large scale breaches are still taking place, there have been a number of recent examples of why smaller targets should continue to prepare for a cyber incident.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Class Action Suit Filed by Credit Union over Arby’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Failure to Redact Personal Information from Court Document Does Not Result in Private Cause of Action</title>
		<link>https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action</link>
		<comments>https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/#comments</comments>
		<pubDate>Mon, 24 Oct 2016 18:12:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber litigation]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[private cause of action]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=972</guid>
		<description><![CDATA[
<p>In August 2015, Privacy Risk Report published a post regarding Target sealing its documents associated to the massive 2013 data breach in order to protect itself from hackers. Target contended that if documents related to its data breach litigation were filed... <a class="more-link" href="https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/">Failure to Redact Personal Information from Court Document Does Not Result in Private Cause of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In August 2015, <em>Privacy Risk Report</em> published a post regarding <a href="https://privacyriskreport.com/target-litigation-reveals-concern-hackers-may-use-court-documents-to-gain-information/" target="_blank">Target sealing its documents</a> associated with the massive 2013 data breach in order to protect itself from hackers. Target contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access to “detailed information about Target’s IT infrastructure, Target’s information security controls, and information about Target’s information security policies and procedures.” Following Target’s lead, there is more litigation stemming from the inadvertent disclosure of private information on a court’s online website.</p>
<p>In its October 18, 2016, decision, a court in <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Memo_McCoy_Fisher.pdf" target="_blank"><em>McCoy v. Fisher</em></a> dismissed a plaintiff’s complaint against a law firm that failed to redact personal information in a court document that ended up on the court’s website for a short time. In April 2015, defendants Jeffrey B. Fisher and The Fisher Law Group (Fisher Law), initiated a foreclosure action against plaintiffs Antonio McCoy and his former wife after they defaulted on their Maryland home loan. During the foreclosure action, Fisher Law filed a document that McCoy claimed included his loan number and his social security number. In May 2015, Fisher Law sent McCoy a letter notifying him of the inadvertent disclosure of personal information and further stated that the unredacted documents may have included McCoy’s loan number and his social security number.</p>
<p>As is the case in many jurisdictions, Maryland Rule 1-322.1 states, “the filer of any paper or electronic filing with a Maryland court must redact or omit certain ‘personal identifier information’ from the document before it is filed, including an individual’s social security number.”</p>
<p>On February 4, 2016, McCoy, a <em>pro se</em> litigant, filed his complaint seeking recovery under the Gramm-Leach-Bliley Act for the alleged disclosure of private information, the Ninth Amendment of the U.S. Constitution and negligence theories.</p>
<p>In its motion to dismiss, Fisher Law argued first that McCoy failed to establish he had standing to bring the action. Specifically, Fisher Law asserted McCoy’s action should be dismissed because McCoy merely claimed he could be the victim of identity theft in the future. And, <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/">as seen on a number of other occasions</a>,  under the <em>Clapper </em>decision, the U.S. Supreme Court has held that “standing must be based on the ‘substantial risk’ that harm will occur, so long as the future injury is ‘certainly impending.’” That is, “allegations of ‘possible future injury’ are not sufficient” to sustain a cause of action.</p>
<p>While the <em>McCoy</em> court found it had no controlling law in the 4th U.S. Circuit Court of Appeals on this standing issue, it relied on the holding in <a href="https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/" target="_blank"><em>Khan v. Children’s Nat’l Health Sys</em>.</a>, where the court found the named plaintiff could not prove injury in fact because the plaintiff failed to allege “facts indicating that the hackers have attempted to engage in any misuse of [the hospital] patients’ personal information since the breach was discovered.” In <em>Khan</em>, the court held “the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute any injury sufficient to confer standing.”</p>
<p>In dismissing the complaint, the <em>McCoy</em> court found McCoy’s claims of future injuries to be speculative at best. “At most, Plaintiff alleges that his information was accidentally made publicly available for a period of time, introducing the risk that a bad actor <em>could</em> obtain such information.” The <em>McCoy</em> court found no evidence that McCoy’s information was accessed or misused during the six days it was viewable by the public on PACER, the court’s online website.</p>
<p>There should be no doubt that the potential use of information found in documents maintained on court websites by criminals should be a concern. Consequently, Target’s argument to file documents under seal to protect private information from hackers may be justified in certain situations. However, the <em>McCoy</em> decision demonstrates that when private information inadvertently ends up on court websites, a person will need to meet the same standards as any litigant in a data breach case. That is, a litigant will need to demonstrate that harm was done by the disclosure with more than speculation.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/">Failure to Redact Personal Information from Court Document Does Not Result in Private Cause of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/failure-to-redact-personal-information-from-court-document-does-not-result-in-private-cause-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shareholders&#8217; Derivative Suit Misses Target, Still Offers Warning to Directors &amp; Officers</title>
		<link>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers</link>
		<comments>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/#comments</comments>
		<pubDate>Thu, 14 Jul 2016 20:24:42 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[d&o]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[directors and officers]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=841</guid>
		<description><![CDATA[
<p>On July 7, 2016, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted several motions to dismiss by Target directors and officers seeking dismissal of derivative suits filed by various Target shareholders. The derivative... <a class="more-link" href="https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On July 7, 2016, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted several motions to dismiss by Target directors and officers seeking dismissal of derivative suits filed by various Target shareholders. The derivative suits stem from the <a href="https://privacyriskreport.com/tag/target/" target="_blank">2013 data breach at Target stores</a> where hackers stole private data from an estimated 70 million customers, including credit and debit card information, names, mailing addresses, phone numbers and e-mail addresses.</p>
<p>Of the bevy of litigation that stemmed from the breach, a total of six derivative suits arose from Target shareholders. One of those was filed by shareholder Maureen Collier, wherein she alleges Target’s board of directors and top executives bear the responsibility for the financial and reputational damages to the company as a direct result of the data breach (<a href="https://dockets.justia.com/docket/minnesota/mndce/0:2014cv00266/136500" target="_blank"><em>Collier v. Steinhafel et al</em></a>.). In her suit, Collier brings claims for breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control.</p>
<p>In order to assess the allegations, a special litigation committee (SLC) was appointed by the company, including a former Minnesota Supreme Court justice and a University of Minnesota law school professor. In March 2016, after a nearly two-year-long investigation, the committee issued a 91-page report concluding that Target should not pursue claims against the directors and officers.</p>
<p>In May 2016, after completion of the report, the SLC filed its <a href="https://privacyriskreport.com/wp-content/uploads/2016/07/Motion-for-Approval-and-Dismissal-07.07.16.pdf" target="_blank">Motion for Approval and Dismissal</a> moving to dismiss the derivative actions. As outlined in the SLC’s Motion, courts do not question an SLC’s conclusions or re-examine the merits of its decisions; rather, the court’s evaluation is limited to determining whether the SLC’s members are disinterested and independent.</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2016/07/Target-Order-07.07.16.pdf" target="_blank">By Order on July 7, 2016</a>, Judge Magnuson granted the SLC’s Motion for Approval and Dismissal as well as Motions to Dismiss brought by three other individual defendants. While the instant motion was granted, the Plaintiffs did retain the right to move the court for legal fees and expenses from Target.</p>
<p>This dismissal comes as yet another hit to Plaintiff litigation in cybersecurity derivative lawsuits. In addition to the <em>Target</em> litigation, several other cases have also failed to advance past a Motion to Dismiss. In December 2009, a derivative suit against <a href="http://securities.stanford.edu/filings-documents/1042/HPY09_01/2009127_r01o_0901043.pdf" target="_blank">Heartland Payment Systems, its CEO and CFO</a> was dismissed by the United States District Court for the District of New Jersey. In October 2014, the same court dismissed a similar lawsuit against <a href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/" target="_blank">Wyndham Worldwide and its directors and officers</a>.</p>
<p>While, to date, Plaintiffs have not had much success with this issue, cybersecurity derivative litigation is still in its infancy. As technology advances, so too does the likelihood of such data breaches, and it falls upon top executives and directors to handle these matters accordingly to avoid derivative litigation.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/shareholders-derivative-suit-misses-target-still-offers-warning-to-directors-officers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nothing to See Here:  Underreporting Cyber Security Incidents Impacts Cyber Insurance</title>
		<link>https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance</link>
		<comments>https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/#comments</comments>
		<pubDate>Fri, 08 Jul 2016 21:01:46 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claim]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=831</guid>
		<description><![CDATA[
<p>Data indicates that large-scale data breaches in 2015 alone resulted in the exposure of approximately 429 million personal records. However, these estimates are too low because many data breaches are not reported. In fact, the “real number” of exposed personal... <a class="more-link" href="https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Data indicates that large-scale data breaches in 2015 alone resulted in the exposure of approximately 429 million personal records. However, these estimates are too low because many data breaches are not reported. In fact, the “real number” of exposed personal records is estimated to exceed a half billion. While the reasons for not reporting a data breach have been understood for some time (<em>e.g.</em>, reputational harm), how the underreporting of cyber incidents impacts cyber security and cyber insurance is just starting to be discussed.</p>
<p><strong>Reporting Cyber Incidents May Be Hazardous to Your Career</strong></p>
<p>There is little dispute that disclosing cyber security incidents can be detrimental to the discloser. Target’s CEO <a href="http://www.forbes.com/sites/greatspeculations/2014/05/08/targets-ceo-steps-down-following-the-massive-data-breach-and-canadian-debacle/#1e952e773f56" target="_blank">resigned</a> in 2014 after the company suffered its historic data breach. The CEO of the adult website Ashley Madison was <a href="https://www.wired.com/2015/08/ashley-madison-ceo-resigns-wake-hack-news-affairs/" target="_blank">forced into early retirement</a> after his company was hacked and the personal information of its users was breached. In short, regardless of whether it is justified, the tendency to point the finger at the CEO after a data breach does not encourage CEOs to report cyber security incidents.</p>
<p><strong>The Evidence Shows Cyber Incidents are Underreported</strong></p>
<p>The report, &#8220;<a href="http://it-online.co.za/2016/07/05/how-many-cyber-heists-go-unreported/" target="_blank">How Many Cyber-Heists go unreported?</a>,&#8221; published in <em>IT-Online</em>, provides further evidence that a large number of cyber security incidents are not being reported. The report finds:</p>
<p style="padding-left: 30px;"><em>[t]he problem is that we don’t have transparency; few cyber heists are reported. Only the biggest data breaches capture enough attention to make headlines. The rest get to suffer quietly away from the public eye. We just don’t get to the facts, or the admissions, from banks.</em></p>
<p>The report is based on statements taken from cyber security specialists that financial institutions “do not want to let the public know about any security breaches” because “[i]t can have a profound impact on their reputations.” In essence, the report finds “there is little information for cyber journalists to work with to adequately report on these occurrences.” Without having information concerning breaches and the current methods used by hackers, the report concludes that cyber security measures are stunted when cyber security professionals cannot study the hackers’ methods.</p>
<p>The recent Symantec report, <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf" target="_blank">Internet Security Report 2016</a>, echoes this finding:</p>
<p style="padding-left: 30px;"><em>The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping us all improve our security products and postures, some of this data is getting harder to collect.</em></p>
<p>Other reports concerning the <a href="http://abcnews.go.com/International/data-breaches-bigger-worse-report/story?id=38340691" target="_blank">underreporting of cyber incidents</a> indicate that many cyber security incidents may be deliberately withheld from the public:</p>
<p style="padding-left: 30px;"><em>…just under a fifth (19%) said they do have [formal processes in place to notify data protection authorities (within 72 hours) and the public] but deliberately avoid telling their customers. This percentage grows in industries such as financial services (22%), large businesses (33%), and construction and engineering companies (50%).</em></p>
<p><strong>Underreporting of Cyber Security Breaches Directly Impacts Cyber Insurance </strong></p>
<p>Underreporting cyber security incidents makes determining the value of cyber insurance difficult for both insurers and insureds. From an insurer&#8217;s standpoint, it is not possible to provide a useful cyber insurance product if there is a lack of information on fundamental issues such as the number of breaches, number of victims, hackers’ successes/failures, type of targets and methods to attack those targets. Insurers also cannot properly assess their risk related to cyber insurance products without proper data. When only the largest cyber security incidents are reported, insurers cannot determine what types of businesses are being targeted by hackers and adjust the premium according to that risk.</p>
<p>From an insured&#8217;s standpoint, a company may question the need for cyber insurance or may get less coverage than what is recommended if it is considering not reporting the cyber incident in the first place. The value of cyber insurance may be undercut if a company enters the cyber insurance market while knowing that it will most likely not make a claim on its cyber insurance policy even if it has a breach, merely to avoid negative publicity or reputational harm.</p>
<p>At present, insurers and insureds must approach the cyber insurance marketplace with an understanding that there are a number of cyber events that never receive publicity. Hopefully, at some point in the near future, underreporting cyber security issues will become less of a problem as people accept cyber incidents as a cost of doing business.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?</title>
		<link>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims</link>
		<comments>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/#comments</comments>
		<pubDate>Tue, 12 Apr 2016 15:29:12 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[CGL]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[commercial general liability]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[medical records]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[portal]]></category>
		<category><![CDATA[portal healthcare]]></category>
		<category><![CDATA[Sony]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=685</guid>
		<description><![CDATA[
<p>Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage”... <a class="more-link" href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p><span style="color: #000000;">Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage” under the typical CGL policy, some courts have struggled with whether cyber claims constitute “publication” under the advertising and personal injury coverage of a typical CGL policy.</span></p>
<p><span style="color: #000000;"><em><b>Travelers Indemnity Co. v. Portal Healthcare</b></em><strong> Decision</strong></span></p>
<p><span style="color: #000000;">On April 11, 2016, the 4th U.S. Circuit Court of Appeals issued its unpublished decision in</span> <a href="https://privacyriskreport.com/wp-content/uploads/2016/04/Travelers-Indemnity-Co.-of-America-v.-Portal-Healthcare-Solutions-L.L.C..pdf" target="_blank"><em>Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C</em>.</a> <span style="color: #000000;">In <em>Portal</em>, the 4th Circuit held medical records posted on the Internet could potentially give rise to coverage under a CGL policy.</span></p>
<p><span style="color: #000000;">This coverage action originates with a class action complaint filed against Travelers’ insured, Portal, alleging that Portal’s conduct resulted in the underlying plaintiffs’ medical records being posted on the Internet for more than four months. Travelers initiated the declaratory judgment action seeking a determination that there was no coverage for the class action complaint under two CGL policies it issued to Portal.</span></p>
<p><span style="color: #000000;">In affirming the decision by the U.S. District Court for the Eastern District of Virginia, the 4th Circuit held “that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The 4th Circuit further held “[s]uch conduct, if proven, would have given ‘unreasonable publicity to and disclose[d] information about patients’ private lives,’ because any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”</span></p>
<p><span style="color: #000000;">Based on this reasoning, the 4th Circuit held Travelers had a duty to defend Portal in the class action. This decision highlights the importance of what happens to the sensitive information and whether there is a “publication” as that term is defined under the typical CGL policy.</span></p>
<p><span style="color: #000000;"><strong>Putting the </strong><em><b>Portal</b></em><strong> Decision in Context</strong></span></p>
<p><span style="color: #000000;">In contrast, on May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision finding there was no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees. In</span> <a href="http://www.jud.ct.gov/external/supapp/Cases/AROcr/CR317/317CR54.pdf"><em>Recall Total Info. Management, Inc. v. Federal Ins. Co</em>.</a><span style="color: #000000;">, the insured sought coverage under its CGL policy when it <a style="color: #000000;" href="https://privacyriskreport.com/connecticut-supreme-court-finds-no-coverage-under-cgl-policy-for-lost-data/" target="_blank">lost data storage tapes</a> storing its customer’s private information. The tapes fell off the back of the insured’s van and it was believed that about 130 of the tapes were taken from the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included “publication of material that…violates a person’s right to privacy.”</span></p>
<p><span style="color: #000000;">In analyzing this provision and the facts of this case, the <em>Recall Total</em> court first held there was no dispute that the information on the tapes was private, and, second, that the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the <em>Recall Total</em> lower court decision addressed the personal injury provision in the following manner:</span></p>
<p style="padding-left: 30px;"><span style="color: #000000;"><em>On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.</em></span></p>
<p><span style="color: #000000;">In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned”</span> <a href="http://www.leagle.com/decision/In%20CTCO%2020140114064/RECALL%20TOTAL%20INFORMATION%20v.%20FEDERAL%20INS." target="_blank">January 2014 ruling</a>.</p>
<p><span style="color: #000000;">While these decisions may arguably not involve a data breach or a classic cyber claim, many commentators believed that the <em>Recall Total</em> court’s reasoning would shed light on how a data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties.</span></p>
<p><span style="color: #000000;"><strong>Portal’s Contribution to Current State of the Law</strong></span></p>
<p><span style="color: #000000;">Undoubtedly, the <em>Portal </em>decision provides significant guidance on the issue of whether data breaches will be covered under traditional CGL policies. Prior to this decision, the body of law was limited to the reasoning of the <em>Recall Total</em> decision, which was in harmony with the trial court’s decision in Sony’s coverage action against Zurich.</span> <a href="https://privacyriskreport.com/sony-and-zurich-settle-data-breach-case-before-appellate-court-can-decide-coverage-issues-under-cgl-policy/" target="_blank">In the <i>Sony</i> case</a><span style="color: #000000;">, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy.</span></p>
<p><span style="color: #000000;">When the dust settles, we may see that the <em>Portal</em> decision has little impact beyond medical records placed on the Internet. Not all cyber claims result in information or data being posted on the Internet, or disclosed in another manner, to third parties. Rather, many cyber claims involve information being taken and used for criminal acts. That is, a court may not find the information taken in the</span> <a href="https://privacyriskreport.com/target-and-consumer-plaintiffs-nearing-settlement-of-class-action-suit-related-to-2013-data-breach/" target="_blank">Target breach (credit card information stolen)</a> <span style="color: #000000;">or similar cyber incidents includes this “publication” element required to trigger CGL coverage.</span></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/">Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can Statistics Be Used to Predict Data Breaches?</title>
		<link>https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=can-statistics-be-used-to-predict-data-breaches</link>
		<comments>https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/#comments</comments>
		<pubDate>Fri, 02 Oct 2015 18:04:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[settlement]]></category>
		<category><![CDATA[statistics]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=394</guid>
		<description><![CDATA[
<p>As the East Coast closely watches meteorologists&#8217; models and predictions to prepare for Hurricane Joaquin, it may be a good time to consider the role of using statistics and models to predict the next data breach. A recent study entitled... <a class="more-link" href="https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/">Can Statistics Be Used to Predict Data Breaches?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>As the East Coast closely watches meteorologists&#8217; models and predictions to prepare for <a href="http://www.cnn.com/2015/10/01/us/hurricane-joaquin/index.html" target="_blank">Hurricane Joaquin</a>, it may be a good time to consider the role of using statistics and models to predict the next data breach.</p>
<p>A recent study entitled <a href="http://www.econinfosec.org/archive/weis2015/papers/WEIS_2015_edwards.pdf" target="_blank"><em>Hype And Heavy Tails: A Closer Look At Data Breaches</em></a> uses statistics and modeling to call into question how we view data breaches. Despite the increase in media reports on data breaches since 2005, the statistical models in this study suggest that large-scale data breaches, such as those seen with Anthem and Home Depot, may actually be decreasing. Additionally, this trend may continue, as the study found that two large-scale data breaches the size of the Home Depot breach (September 2014) and the Anthem data breach (January 2015) are unlikely to occur within four months of each other.</p>
<p>Based on data taken from the Privacy Rights Clearinghouse (“PRC”), the study also concludes:</p>
<ul>
<li>Breach Size: The statistical modeling indicates “there is a 1.2% chance of another Anthem-sized breach occurring between February 19, 2015 and…June 2015.” On the other hand, there was a 70% probability of a breach of at least one million records during the same timeframe.</li>
<li>Predictions: The statistical modeling also indicates that over the next three years there is a 7.8% chance of a breach equaling the size of the Anthem breach. There is only a 0.4% chance of two data breaches equaling Anthem and Home Depot occurring within a year of each other.</li>
</ul>
<p>Commentators interpreting the results of this study indicate that <a href="http://www.psmag.com/nature-and-technology/good-on-you-it-departments" target="_blank">large-scale data breaches may not be on the rise</a> “precisely because computer security experts have been vigilant in the face of these risks.” This study also supports the theory that there is a “cybersecurity arms race” taking place between hackers and security experts. The number of breaches may be staying consistent because security measures and hackers’ techniques are evolving at an equal pace.</p>
<p>In discussing these results, <a href="http://www.govtech.com/Research-Sheds-New-Light-on-Big-Data-Breaches.html" target="_blank">the researchers warned</a>: “Our results aren’t necessarily aimed at individual organizations, and may be more relevant to policymakers who make decisions based on media and industry reports.”</p>
<p>This is not the first time statistical modeling has been used in an effort to gain a better understanding of data breaches. Catastrophe modelers have considered using <a href="http://www.businessinsurance.com/article/20150104/NEWS07/301049978" target="_blank">modeling for data breaches similar to that used to predict hurricanes</a>. Therefore, even if there is not sufficient historical data to predict the next data breach with precision, statistics and modeling provide valuable insight into the risks associated with cybersecurity. Any method that allows us to gain a better understanding of this risk should not be ignored.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/">Can Statistics Be Used to Predict Data Breaches?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/can-statistics-be-used-to-predict-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
