As is often the case in the world of Cybersecurity, Privacy and Data Protection, the past few weeks have brought new breaches, interesting case law and no lack of newsworthy happenings. Below are a few notable items of interest.
D.C. Circuit Becomes Eighth to Weigh In On Data Breach Standing
We previously wrote here, here and here about the Circuit Split regarding the issue of whether an increased risk of future identity theft is sufficient to confer constitutional standing on a plaintiff seeking to bring an action arising from a data breach in which personal information was stolen. In an August 1, 2017 decision, the D.C. Circuit (which many believe to be the second most influential court in the United States after the Supreme Court) weighed in on the issue, siding with the Sixth, Seventh, and Ninth Circuits in recognizing that, at the pleading stage, a plaintiffs can establish an injury-in-fact based on threatened injury. See Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694– 95 (7th Cir. 2015);Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010) and; Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632–34 (7th Cir. 2007).
In the matter of Chantal Attias et al. v. CareFirst Inc. et al., an unknown intruder breached twenty-two CareFirst computers in June 2014 and reached a database containing its customers’ personal information. CareFirst did not discover the breach until April 2015 and notified its customers in May 2015. Shortly after the announcement, seven CareFirst customers brought a class action against CareFirst and its subsidiaries. The District Court dismissed the Complaint, finding that it was based on statutory violations and not concrete harm because the as the stolen information hadn’t actually been misused.
The D.C. Circuit reversed, finding that the injury which the plaintiffs alleged was not speculative: “Here…an unauthorized party has already accessed personally identifying data on CareFirst’s servers, and it is much less speculative—at the very least, it is plausible— to infer that this party has both the intent and the ability to use that data for ill. The CareFirst Court specifically cited the Remijas holding, noting that “[a]s the Seventh Circuit asked, in another data breach case where the court found standing, ‘Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.’” The D.C. Circuit went on to note that [n]o long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
That last line is one that should be remembered; it will be the key to a potential future Supreme Court decision.
Maryland Amends Personal Information Protection Effective January 1, 2018
Maryland recently amended its Personal Information Protection Act (HB0974) in a number of important ways that organizations should be aware of. First, the amendment expands the definition of personal information to include: passport numbers and other identification numbers issued by the federal government; state identification card numbers; certain health information; a health insurance policy, certificate number, or health insurance subscriber identification number, in combination with a unique identifier that permits access to the information; biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to uniquely authenticate a person’s identity upon accessing a system or account; and a user name or e-mail address in combination with a password or security question and answer that permits access to the account.
In addition, the amendment adds a firm timetable to breach notification of not later than 45 days after an entity concludes that the breach has created a likelihood that the personal information has been or will be misused. The law also expanded the type of information subject to Maryland’s destruction of records laws, from only customer records that contains PII to also include employee and former employee information.
Anthem Reports Second Major Brief in Two Years
On June 26, 2017, it was reported that Anthem had agreed to a record $115 million settlement to resolve a class action lawsuit over a 2015 data breach in which hackers accessed the personal information 80 million people. Just one month later, on July 27, 2017, Anthem notified the U.S. Department of Health and Human Services Office of Civil Rights that a data breach may have exposed personal health information of 18,580 Anthem Medicare enrollees, after one of its consulting firms discovered that one of its employees had been involved in identity theft and had had emailed a file with information about Anthem companies’ members to a personal email address a year ago. This breach serves as an important reminder that although hackers still remain a primary threat to data security, malicious employees are still out there, and organizations should take necessary steps to prevent, detect and respond to all types of data breaches, including those that may arises due to the bad acts of employees or vendor employees.
At Mid-Year, Data Breaches Continue At Record Pace
According to recent numbers released by the Identity Theft Resource Center (ITRC) and CyberScout, the number of U.S. data breaches tracked through June 30, 2017 hit a half-year record high of 791, representing a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016, when breaches reached an all-time record high of 1,093. According to ITRC and CyberScout, hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017. To date, 63 percent of the overall breaches involved hacking as the primary method of attack, an increase of 5.0 percent over 2016 figures. This was followed by Employee Error/Negligence/Improper Disposal/Lost at 9.0 percent and Accidental Web/Internet Exposure at nearly 7 percent, both reflecting decreases from 2016 figures. Within the hacking category, phishing was involved in nearly half (47.7 percent) of these attacks. Ransomware/malware, newly added in 2017, was present in 18.5 percent of the hacking attacks.
There is little doubt that data breaches will continue at a record pace. We remind you of our Five Key Points to an Effective Employee Data Security Policy, encourage you toListen to Cyber Security Best Practices, and take a look at ourKeys to Beating Ransomware. We also brought you some additional steps that can be taken as part of an effective cybersecurity policy in a blog posthere.
Michigan Judge Finds No Coverage For E-mail Spoofing Loss; N.Y. Judge Found Opposite
In our July 28, 2017 MM Insurance News, we reported on the matter of Medidata Solutions, Inc. v. Federal Ins. Co., 15‑907 (S.D.N.Y. July 21, 2017), in which a Southern District of New York Court found that Chubb must reimburse a cloud computing company for $4.7 million that it lost when it was tricked into effecting a wire transfer to a third party who had “spoofed” the on-line identity of the insured’s CEO. Federal had disputed this claim arguing that the loss did not constitute covered “computer fraud” because the emails had no required access to the insured’s computer system or manipulation of those computers or input of fraudulent information. The Court ruled, however, that “computer fraud” did not require actual hacking.
On August 1, 2017, barely a week after the Medidata decision, a Judge in the Eastern District of Michigan reached the opposite conclusion. In American Tooling Center Inc. v. Travelers Casualty and Surety Co., Case No. 5:16-cv-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017), a hacker, via email, purported to be a vendor of the American Tooling Center and requested that payments due under a contract be sent. The money was sent and American Tooling Center sought coverage under its Travelers’ crime policy as computer fraud. Travelers denied the claim, arguing that there was not a “direct loss” that was “directly caused by” the use of acomputer. The Court agreed, finding that the term “direct loss” means immediate, and here, there were actions taken in between the fraudulent emails and the wiring of money. As we reminded you when the Ninth Circuit addressed this very issue in March 2017 (finding no coverage), policy language matters, and even then, as these cases reflect, that language is often open to different interpretations.
U.S. House of Representatives Holds Hearing on Cyberinsurance for Small Businesses
On July 26, 2017 the U.S. House of Representatives Small Business Committee held a hearing titled “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option. At the hearing, Chairman Rep. Steve Chabot (R-Oh.) noted that cyber threats have become a critical concern for the country’s 28 million small businesses, with the Justice Department recording nearly 300,000 cybersecurity complaints in 2016 alone. A representative of the Reinsurance Association of America and the Property Casualty Insurers Association of America also noted that the cyber insurance market is still in its infancy, that small businesses in particular have been slow to realize the need for cybersecurity protections, and that small business owners also struggle to devote resources to this looming threat. The 90-minute hearing is available for viewing on the House Small Business Committee’s YouTube channel, and is worth a view.
