The Changing Landscape of Cyber Liability
DESCRIPTION
ACI’s lauded Cyber & Data Risk Insurance conference is the highest-level event that provides maximum opportunities to learn from and network with underwriters, brokers, claims managers and industry leaders, and helps you keep pace with the ever-changing cyber insurance market. It’s also the only conference that brings you regulatory and enforcement priorities straight from the federal and state governments themselves.
TRANSCRIPT
#ACIRisk
ACI’s 9th National Advanced Forum on Cyber & Data Risk Insurance
Speakers:
Salvatore Sama, Head Professional Underwriting Desk US, Swiss Reinsurance America
David J. Shannon, Shareholder; Chair, Technology, Media & Intellectual Property; Co-Chair Privacy & Data Security, Marshall Dennehey Warner Coleman & Goggin
Cathleen Kelly Rebar, Partner and Shareholder, Stewart Bernstiel Rebar & Smith
Mathew H. Meade, Shareholder, Buchanan Ingersoll Rooney PC
John A. Yanchunis, Attorney, Lead of Consumer Class Action and False Claims Practice Act, Morgan & Morgan Complex Litigation Group
The Changing Landscape of Cyber Liability
September 29-30, 2014
Tweeting about this conference? #ACIRisk
Hurdles and Theories
Standing
Amended Complaints
Statutes and Common law Claims
Privacy Policies/Representations
User Agreements
Trends & Statistics: Some Empirical Data
The odds of lawsuits occurring following a data breach are:
• 3.5 times greater when individuals suffered financial harm;
• Over 6 times lower when free credit monitoring is offered; and
• 3 times greater for cases involving improperly disposing data than for cases involving stolen data.
• Defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit.
• The odds of a settlement are 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware.
• The compromise of medical data increases the probability of settlement by 31%.
Source: Romanosky, S., et al. “Empirical Analysis of Data Breach Litigation”, Journal of Empirical Legal Studies, Vol. 11, Issue 1, pp. 74-104, March 2014
20 Most Common Causes of Action Pleaded in Federal Data Breach Cases
• State (Unfair Bus. Pract.)
• Fair Credit Reporting Act
• Breach of Contract
• Negligence
• Privacy Act
• Privacy Tort
• FTC Act
• Elec. Comm. Privacy Act
• Drivers Priv. Prot. Act
• Breach of Duty
• Unjust Enrichment
• Gramm Leach Bliley Act
• Const. Amend. (4,5,9,14)
• Misrepresentation
• Conversion
• State SBN
• Breach of Good Faith
• Comp. Fraud and Abuse Act
• Breach of Warranty
• Emotional Distress
Standing – Where are we?
Obstacle – Article III Standing.
Status – Article III remains a significant stumbling block for Plaintiffs.
What does Standing mean?
A Plaintiff has to show a legal right to bring a lawsuit.
3 Requirements:
• Injury in fact;
• Causation; and
• Redressability
Prior to 2013, there was a split among the circuits.
Pre 2013 – Where you filed mattered
First and Third Circuits held that threat of future harm was insufficient to show an injury in fact – Dismissed
Seventh and Ninth Circuits held that threat of future harm was sufficient to show injury in fact – Standing
Post 2013 – Landmark Decision
Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013). No injury in fact, because the claims were too speculative and not fairly traceable to a wrongful act.
Clapper v. Amnesty International
• U.S. Supreme Court, Feb. 2013
• Challenging the Foreign Intelligence Surveillance Act
• Plaintiffs can’t “buy” their own injury.
Justice Alito:
• “[R]espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm . . . .”
• “[O]therwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
Law of the Land, almost . . .
No misuse of data = no standing, almost . . .
In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., MDL No. 2360, 2014 WL 1858458 (D.D.C. May 9, 2014)
Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014)
Galaria v. Nationwide Mut. Ins. Co., Nos. 2:13-CV-118, -257, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014)
Polanco v. Omnicell, Inc., No. 13-1417 (NLH/KMW), 2013 WL 6823265 (D.N.J. Dec. 26, 2013)
In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013).
Where is Standing now?
Speculation does not = Standing
If you have to allege a series of future possible occurrences to get harmed, Clapper demands a dismissal.
Casualties of Clapper
• In re Barnes & Noble Pin Pad Litigation – N.D. Illinois, Sept. 2013
• Polanco v. Omnicell – D. New Jersey, Dec. 2013
• Galaria v. Nationwide – S.D. Ohio, Feb. 2014
Circumventing Clapper
Amended Complaint
State Consumer Protection statutes
Statutes that do not require proof of damages
Misrepresentations in a company's privacy policy:
• Reasonable security for users
• Industry standard encryption
• Omitted information in policy
• Policy led to purchase of consoles
Florida, Michigan, New Hampshire Consumer Protection Statutes
Missouri Merchandising Practices Act
California Consumer Protection Statutes
Next big thing
End User Agreements and Privacy Policies
What do they promise?
How far do they reach?
Are they accurate?
Was there reliance?
Fraud by omission?
Case theories post Clapper
LinkedIn Class Action Lawsuits
Second Amended Complaint
Privacy and User Agreement
"FRAUD" – California Unfair Competition Law
Case theories post Clapper
Apple Class Action Lawsuit
Putative Class Action
Collected and disseminated personal information (PI)
Policy Misrepresented Practice
Summary Judgment Granted
No standing under California Unfair Competition Law
Plaintiffs need actual reliance
Case theories post Clapper
GOOGLE'S Cookies Class Action Lawsuit
Google placed some cookies on users' hardware
No standing without proof of statutory violation
Also dismissed claims under:
• Electronic Communications Privacy Act
• Stored Communications Act
• Computer Fraud and Abuse Act
Also dismissed claims under various state laws
Case theories post Clapper
Bell v. Blizzard Action – Video game manufacturer
Hacker access to user accounts
Dismissed unjust enrichment
Dismissed negligence per se
Dismissed contract and negligence claim
Proceed on consumer fraud claims
Delaware Consumer Fraud Act
Case theories post Clapper
AvMed Class Action Lawsuit – Health insurance provider
Theft of two laptops with 1.2 million consumers' PI and PHI
Customers paid premium in part to keep data secure
Unjust enrichment alleged
Negligence, breach of contract and breach of implied contract alleged
Originally dismissed
Circuit Court reinstated and found standing
Settled - $3 Million
Settlement was for customers who suffered identity theft and those who did not
More next big things
Shareholder Derivative Suits
WYNDHAM
Breach of fiduciary duty for failure to implement appropriate security measures even though defendants knew customers were vulnerable to attack
Waste of corporate assets by failing to implement adequate internal controls to prevent breaches
Unjust enrichment for compensation received while breaching fiduciary duties
More next big things
TARGET
Breach of fiduciary duty for failure to implement appropriate internal controls to protect customer data, detect and prevent breaches and timely report has damaged Target
Privacy Policy rep that Target will “maintain administrative, technical and physical safeguards to protect your personal information”
Waste of corporate assets by failing to implement adequate internal controls to prevent breaches
Underwriting Concerns: Accumulation
We live in a connected world
Cyber risk can accumulate in first party similar to contingent business interruption.
Cyber risk can also accumulate on the third party side due to the following elements:
• Computer virus of global nature, causing broad denial of services, hitting both first and third party coverages.
• A total shutdown of the internet is unlikely, but there may be significant impacts locally.
• Global Telecoms and Cloud Providers lead to additional accumulation
Generally, there are two types of threat:
• "Sabotage" – a business interruption type of loss
• "Breach" – an information disclosure and misuse type of loss
Underwriting Concerns: Monitor Highly Exposed Industries
Highly concerned industries for Cyber Attacks:
• Industry specific regulations
• Handling of sensitive information
• Handling of large data volume
Examples
Highest rate of data breach cases:
• Healthcare providers / health insurers
• Financial Institutions
Heavy use of credit/debit card transactions:
• Retailers
• Hotels / restaurants and food retailers
Other industries with the experience of large personal information security breaches:
• Universities / other educational institutions
• Payment Processors
• Law Firms
• Real Estate Agents
• Insurance companies
Underwriting Concerns: Outlook and Trends
Monitor new and changing exposures affecting one or more lines of business, such as Stuxnet
Bodily injury potential, for example, cyber attacks against healthcare facilities
Coverage grants related to brand protection and first party intellectual property
Insurability of large retailers?
Coverage Trigger
What is helping Plaintiffs?
• Was data stolen intentionally, or was there simply a security breach?
• How long until the company disclosed the breach?
• What kind of encryption did the company use?
• Did the company gratuitously keep others’ data?
• Are class members employees or consumers?
• Was the company a poor custodian of its customers’ data?
• What kind of PII – how personal was it?
• Was the PII used or “published”? Any documented identity theft?
The government sets the stage
As government investigations continue, expect an increase in discoveries of companies that were aware of breaches and chose not to report them
Government enforcement
FTC will continue on the march, unless stopped by Wyndham or LabMD
HHS and SEC stepping it up
More action by state regulators: breaches, failure to notify
NIST Cybersecurity Framework will serve as new “standard of care”
Things to be exploited
Network security
Authentication and firewalls
Passwords
Access controls
Purging accounts of former employees
Intrusion detection and prevention
Encryption
Logging
Records retention policy
Data stored too long, not needed
Employee training
Privacy notices and practices: do what you say, and say what you do
Access controls
How does this affect Claim Value?
Fear of the unknown
Pay to resolve
Treble damages
Post-judgment interest statutes
Bad press
Equals Higher Claim values
Things to assess
Type of breach
Number of affected individuals
PI and/or PHI
Location
Bad Facts
Standing
Negligence
Privacy Policy
Statutory Claims
Statutory Damages
Attorney Fees
Settlements
In Re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation
In Re: TJX Companies Retail Security Breach Litigation
In Re: Department of Veterans Affairs (VA) Data Theft Litigation
In Re: Sony Gaming Networks and Customer Data Security Breach Litigation
Schnucks Markets Data Breach
Resnick v. AvMed, Inc.
Burrows v. Purchasing Power
Lim v. Vendini
In re: Countrywide Financial Corp. Customer Data Security Breach Litigation