Shining a Light on Cyber Claims

The release of the NetDiligence® 2015 Cyber Claims Study, the only one of its kind, reveals the most current data on cyber security events and their true costs. NetDiligence President Mark Greisiger shares the latest findings, including the top areas of concern for both insurers and the C-Suite.

The MIE Breach: Business Associates and Data Security Risks

A Q&A with J.T. Malatesta of Maynard Cooper & Gale
Medical Informatics Engineering and subsidiary NoMoreClipboard revealed a breach last month affecting up to 3.9 million Americans which has now resulted in a series of class action lawsuits on behalf of victims. The incident is causing headaches for risk managers in the healthcare sector, including their cyber liability insurers. This event underscores how a catastrophic breach for one dominant service provider (in this case, Medical Informatics Engineering, the software company that provides the NoMoreClipboard service) can create a domino effect that impacts multiple organizations. Many insurers are also rightfully concerned about aggregated risk, since they could have multiple insureds and claims stemming from a single event such as this one. I spoke with J.T. Malatesta, chair of the cybersecurity practice of Maynard Cooper & Gale, about the implications of this event and how organizations can better prepare for vendor breaches.

What Does the Neiman Marcus Ruling Mean for Data Security Law?

A Q&A with Ben Barnow of Barnow Associates PC
The decision in the recent Neiman Marcus case was a game changer for the swiftly evolving legal climate around data breach events. By establishing the theory of “likely future fraud or injury” the court recognized that plaintiffs no longer have to prove the “impending certainty” of potential injury (as was previously established by the 2013 decision in Clapper v. Amnesty International). To find out more about its impact we talked to Ben Barnow of Barnow Associates PC.

Recent Developments in Canadian Privacy and Cybersecurity Law

Q&A with Alex Cameron
In Canada, litigation and regulatory activity regarding privacy and data breaches have increased dramatically. I spoke with Alex Cameron of Fasken Martineau, a leading attorney in this area in Canada, about the factors contributing to the increasing risk and potential liability for organizations doing business in Canada. With the recent landmark changes to Canadian privacy law, discussed here, including mandatory breach notification, record keeping for all breaches, and fines, the trends identified below are sure to continue.

Data Breach Events: A Plaintiff Perspective

A Q&A with John Yanchunis of Morgan & Morgan
The legal landscape around data loss is rapidly evolving, and with major events such as the Anthem breach changing the game on a daily basis, it can be a challenge to keep up with the courts’ current thinking. I spoke with plaintiff attorney John Yanchunis of Morgan & Morgan about some of the most recent developments he’s observed.

Data Breach Liability from a Class Action Trial Lawyer’s Standpoint

A Q&A with Jay Edelson of Edelson LLC
With court attitudes around privacy issues constantly evolving, it can be a challenge to understand what constitutes a significant data breach case and the consequences liable organizations face. I asked counsel Jay Edelson about how he chooses his class action cases and how the current legal climate is treating them.

What are some traits or hallmarks that you look for when determining whether a data breach case might be ripe for a class action proceeding?
The first thing we look for is the degree of sensitivity of the information that was left unguarded. We are more likely to choose something that seems like a serious breach, like those involving health records or private information of children. For a suit to be successful, it needs to connect with the judge and jury on an emotional level—in short, they must be convinced that the loss of information truly matters to people. The reason that this is such an important hurdle to clear comes from the fact that data breach litigation is an emerging issue of the law. Courts don’t have the extensive precedent to look to, as in other consumer cases. If we can’t sell the case on an emotional level then it will be significantly harder to get them to be receptive to our broader arguments. Next, we will look at why or how the breach occurred. If it was something we think was preventable—for example, misplaced laptops that didn’t have basic encryption, as opposed to, say, a sophisticated hack from Eastern Europe—then we are more likely to take it on. The key that many plaintiffs’ attorneys unfortunately sometimes aren’t attuned to is that simply because a breach occurred does not automatically mean that the company acted negligently. Hackers and thieves are increasingly more sophisticated and there are certain times that it would be unreasonable for a company to have done more to guard their consumer data. Most data breach cases tend to be large so the size of the class doesn’t tend to be a determining factor, though of course the larger the number of people involved, the easier it is to justify putting more resources into the case.

In the past, it seems many plaintiffs/victims were only offered a year of free credit monitoring, which, arguably, is of little value to them. What are some additional settlement remedies your team (or your peers) are now pursuing to compensate victims?
Prior to a few years ago, the law was fairly settled and the thinking was that the fact that your information was out there in and of itself wasn’t enough to harm you—you’d have to show something more to the court to demonstrate harm. But that’s changed recently with decisions such as Resnick v. Avmed from the United States Court of Appeals, Eleventh Circuit. In Avmed, the court recognized that if people are paying the defendant money and they have a reasonable expectation that part of that money will go towards protecting their information, they have been essentially “overpaid” for their goods or services if the company was not following through on its promises. Due to cases like this, we’re starting to see settlements move away from the “free credit monitoring” deals to monetary compensation.

What regulations do you call on to bring a case, and what is a typical negligence claim you’ve made?
We don’t look to regulations so much as the common law. We’re looking at the types of express or implied promises made to consumers. In terms of negligence, our theories are pretty simple: We’re bringing cases when we believe that the defendant wasn’t following industry security standards.

Which security shortcomings of breached organizations drive you nuts?
I think that corporations are not really asking the right questions internally about where the data is stored and how it’s being protected. Sometimes they’ll hire an outside consultant and they think because they’re paying someone money, they’re being responsible. The problem is that the companies aren’t thinking through these issues in a truly robust way. They’re often not asking the basic questions: Who has access to our data? Where is it being stored? What do we do with the laptops that we take out of circulation?

What steps would you recommend to limit exposure in a class action lawsuit?
Well, as a plaintiff’s attorney, I’m not generally in the business of giving advice to the defendant. But the way to limit exposure is to have really terrific protections so that the data isn’t hacked or stolen or lost. Protect—don’t harm—your client.

Which courts are the most sympathetic to these issues?
A few years ago I would say there were none. Few if any courts were receptive to privacy cases. But there’s been a huge shift in the landscape, partly due to the increased sensitivity of the public. Issues such as the government spying program have changed the view of the judiciary as well, and we are now seeing great decisions coming from all over the country—in Chicago, where I’m located; in California; in Florida. At this point, I’d say there’s not a location in the United States where I’d be hesitant to bring a case.

In summary…
We invited Mr. Edelson to speak at our Marina del Rey Cyber Liability conference (attended by the majority of P&C insurers in the industry that offer cyber/privacy liability coverage), and he and his colleague were both very forthcoming and effective in educating the audience about the plaintiff’s (victim’s) perspective—something that often gets lost in the quantum of cyber risk. Hopefully, risk managers are paying attention to these emerging theories of liability from the front lines of class action litigation. As a final comment, I’ll add that Jay and his fellow panelist received some of the highest praise from the hundreds of attendees, which is especially remarkable when you consider that some of those same audience members could be his future adversaries.

See this session recording on the eRisk Hub.

What’s Happening in the World of Data Breach Litigation?

A Q&A with Sasha Romanosky, Ph.D. Candidate, Carnegie Mellon University
For organizations dealing with a data breach, legal liability is one of the first questions that arises. But are some data breaches more likely to result in lawsuits than others? Sasha Romanosky, a Ph.D. candidate at the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, studies the legal and economic issues around data security and consumer privacy. In a recent study he coauthored, “Empirical Analysis of Data Breach Litigation,” he found that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in a lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in a lawsuit. We spoke with him about his findings.

Can you explain the importance of your study for a risk manager or an Insurer?
Basically, we were looking at what kind of breaches are being litigated and what kind of variables are strong predictors of lawsuits. The second question is what are the variables and conditions that make a plaintiff more likely to win? This information can help risk managers and insurers have a better sense of how to protect themselves and for assessing and pricing cyber insurance policies.

What were the biggest takeaways from the study?
Very simply, it seemed that only 4 percent of reported breaches are being litigated at the federal level—we make a distinction between the federal and the state level. We also found a huge variation in the causes of action, which included unfair business practices, negligence, breach of contract, breach of duty, and various state and federal statutes. A new cause of action is the unauthorized disclosure of personal information.

What you can draw from all of this, it seems to me, is that attorneys are trying different approaches. If there is no evidence of financial loss, the case is usually dismissed. We found that those organizations that offered credit monitoring were 6 times less likely to be sued—those that didn’t were thought to have behaved carelessly. We also found that financial information as opposed to other personal information or medical information is more likely to lead to lawsuits. When individuals suffered financial harm the odds of a firm being sued in federal court were 3.5 times greater. As such, firms dealing in financial information should take more care not to disseminate it.

About half of the cases settle, which is a useful finding, and very often for a nominal fee for the named plaintiff. There can be a substantial award or lump sum for people who suffered identity theft to pay specifically for losses. Defendants settle 30 percent more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.

So far we can’t tell what other factors or characteristics might influence lawsuits and settlements. We need to do more research to find out if the prominence and size of the company, the presence of liability insurance coverage, jurisdiction of event, the timing or quality of notice to victims, and/or media coverage have an impact.

What else do you see on the horizon as far as trends in data breach litigation?
One thing we saw with the Sony breach is that after 30 people filed class action suits, the insurance company would not pay out the damages. In response, Sony changed their end user license agreement to prevent users from suing—instead they must now agree to arbitration. That might be something to keep an eye on going forward—it will be interesting to see if other companies do the same thing.

In conclusion…
This study conducted by Mr. Romanosky and his colleagues (see study) is a great step towards helping corporate insurance risk managers and cyber risk underwriters better understand the reality of the class action litigation cost exposure that many organizations are facing. Lawsuits can be time consuming and very expensive. The 2011 NetDiligence® Cyber Claims Study found the average loss paid out by insurance carriers for a data breach event was $2.4 million, a good portion of that devoted to legal defense and indemnification. Moreover, we believe that emerging precedents from plaintiff-friendly cases might reduce the number of future cases dismissed for lack of damages, one of those being the RockYou lawsuit (see summary), which found that personally identifiable information has inherent value.