Understanding the Role of Connected Devices in Recent Cyber Attacks

On November 16, 2016 the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The hearing was in response to the unprecedented distributed denial of service (DDoS) attack on October 21, 2016, which saw consumer websites such as Netflix, Twitter and CNN, as well as others, go down following a botnet attack directed from malware on millions of American devices. The compromised devices (known as bots, or collectively as a botnet) flooded these websites with junk traffic, overwhelming the sites and preventing them from distinguishing it from legitimate traffic. The hearing focused on the vulnerabilities present, possible solutions, and the possible ramifications of attacks by a wide array of malicious actors on consumer devices, critical infrastructure and public safety mechanisms.

The witnesses were industry experts: Dale Drew of Level 3 Communications; Kevin Fu of Virta Labs and the University of Michigan; and Bruce Schneier of the Berkman Klein Center at Harvard University.

Chairman Greg Walden began the hearing by highlighting the increasing use of technology in Americans’ daily lives and their dependence on the internet of things: devices that allow them to control elements of their lives, such as applications and devices that remotely unlock doors, baby monitors, and smart appliances. Many members of the subcommittee remarked that the DDoS attack underscored the importance of securing these devices without losing their benefits, that is, the balance between functionality, innovation and security. Representative Marsha Blackburn made the important point that the internet of things is growing extremely quickly; the average American has more than three devices. This illustrates the widening gap of insecurity.

The expert witnesses were firm in their view that while the DDoS attack in October 2016 hit only popular websites and not critical elements, attacks on critical apparatuses such as public safety mechanisms, hospital systems, and critical infrastructure are highly likely. Internet of things devices have major security flaws, lack built-in security update or patch mechanisms, and consumers are largely unaware of the threat posed by their devices. Mr. Schneier pointed out that many of these devices are the same, sharing the same basic configuration, which limits consumer control. He also pointed out the various elements that need to be secured, from software to hardware to internet communications. All three panelists discussed the lack of incentives for manufacturers to secure the devices or to integrate security mechanisms into production. The panelists urged action and oversight given the growth of the problem and the inevitable growth in vulnerabilities.

Mr. Fu added that regulations, standards and liabilities for security need to be “built in, not bolted on.” All panelists stressed the importance of addressing the vulnerabilities posed by the internet of things and the unprecedented threat that the United States faces. As in almost every cybersecurity field, the government is clearly very far behind. As the experts pointed out, vulnerabilities in basic systems have grown, and will only continue to grow, exponentially fast, and the government is behind in addressing them. Greater oversight is called for because of the critical consequences attacks can and will have on both the public and private sectors.

Posted in Cyberattack

Trump’s New Cyber Security Plan?

With the recent news regarding Yahoo’s massive data breach and the continuing posting of Clinton Foundation emails by Wikileaks, cybersecurity policy is beginning to get the discourse it is due. Secretary Clinton’s campaign was swift to publish a lengthy briefing on her cybersecurity policy agenda when she declared her candidacy. Much of it focuses on investment and development in science and technology. In a speech in August, Clinton called for cyber-attacks to be treated as an assault on the country that should require “a serious political, economic and military response.” However, the bulk of Secretary Clinton’s cyber proposals would likely continue much of the Obama Administration’s own cybersecurity policy.

Mr. Trump had no cybersecurity platform available, and had not even discussed one, until a recent speech to the Retired American Warriors PAC in Virginia in early October. Prior to the speech Trump had said little other than to admonish the failure of U.S. cybersecurity policy. In his speech, Mr. Trump outlined cybersecurity as “an immediate and top priority” for his administration and put forward his plan for strengthening American cybersecurity. At the core of Mr. Trump’s policy suggestions was a panel of “our best military, civilian and private sector cybersecurity experts.” This Cyber Review Team would undertake a “comprehensive review” of U.S. cybersecurity systems and technologies. Among its responsibilities would be to “establish detailed protocols” and “remaining current on evolving methods of cyber-attack.”

What’s the issue with this seemingly harmless and possibly efficient idea?

President Obama had the idea first, and it’s already underway. In February of this year the White House issued the Cybersecurity National Action Plan. The first order of business was the creation of a “Commission on Enhancing National Cybersecurity.” Like Trump’s, this commission would also be formed of public and private sector thinkers and a bipartisan congressional delegation. The commission’s mandate is to “make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors.” The commission members announced in April 2016 include: Tom Donilon, former National Security Advisor; General Keith Alexander, former Director of the NSA and former Commander of U.S. Cyber Command; Joe Sullivan, Chief Security Officer of Uber and former Security Officer of Facebook; Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech; and Ajay Banga, President and CEO of Mastercard. These are only a few of the twelve commission members, but the commission clearly represents military, civilian and private sector experts in cybersecurity.

Other than his Cyber Review Team, Mr. Trump hasn’t offered any other solid cybersecurity recommendations. Neither major party candidate is offering real solutions to a critical crisis that is unfolding. Hackings and intrusions will not dissipate but will only grow in size and aggression barring serious attention by the federal government. On this point at least, Secretary Clinton and Mr. Trump agree: cyber is of increasing importance for U.S. national security, infrastructure and business and should be taken much more seriously. This understanding alone is not enough to prevent potentially debilitating attacks in the future.

Cybersecurity is a dynamic and fast-paced policy realm. Technology is ever-changing and requires almost constant attention and modernization. The federal government’s bureaucratic nature prevents any meaningful progress, both in establishing policy and in enacting it. Because of this, much of federal-level policymaking is playing catch-up. Cybersecurity needs greater attention at the executive level. The federal government needs a greater understanding of cybersecurity’s ever-evolving nature and a determination to lead the field. These principles apply to whoever becomes the next President.

Posted in Data Security

Sixth Circuit Eases Plaintiffs’ Burden for Standing in Data Breach Claims

Insurance companies are susceptible to the same sort of data breaches as those suffered by many other businesses, such as the recently reported theft from Yahoo of the personal data in half a billion accounts. In a major decision that may have widespread consequences, the Sixth Circuit Court of Appeals in Hancox v. Nationwide Ins. Cos., 2016 WL 4728027 (6th Cir. Sep. 12, 2016) recently held that plaintiffs do not have to allege actual identity theft in order to meet Article III’s standing requirement of injury in fact.

In Hancox v. Nationwide, the Court of Appeals reversed the Southern District of Ohio’s dismissal of class claims of negligence, Fair Credit Reporting Act violations, and other torts. The district court had concluded that the increased risk of future harm did not constitute injury in fact. The district court followed the majority view, as exemplified in the U.S. Supreme Court’s statement in Clapper v. Amnesty International, 133 S.Ct. 1138, 1146 (2013), that plaintiffs cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

In reversing the district court, the Sixth Circuit found that plaintiffs sufficiently pled cognizable injury in the possible mitigation costs that the plaintiffs might incur in the future, such as purchasing credit report and monitoring services, instituting and/or removing credit freezes, and/or closing or modifying financial accounts. The Sixth Circuit concluded that the plaintiffs’ allegations were sufficient because it would be unreasonable to expect plaintiffs to sit around and wait for the information to be misused in the future, and not to take proactive steps to ensure that their personal information and financial security would be protected. The court explained, “There is no need for speculation where plaintiffs allege their data has already been stolen and is now in the hands of ill-intentioned criminals.” That alone provides a basis for drawing a “reasonable inference…that the hackers will use the victims’ data for fraudulent purposes alleged in plaintiffs’ complaints.” Even though it cannot be “literally certain” that the data will in fact be misused in the future, there is nonetheless a “sufficiently substantial risk of harm that incurring mitigation costs is reasonable.”

The claims arose from a 2012 data breach in which 1.1 million Nationwide consumers’ names, marital statuses, genders, social security numbers, driver’s license numbers, and other personal information were compromised. In response to the incident, Nationwide informed its customers of the breach in a letter that advised them to take steps to prevent or mitigate misuse of the stolen data. Nationwide also provided one year of free credit monitoring and further recommended that its consumers sign up for fraud alerts and set holds on their credit reports. In an example of “no good deed goes unpunished,” the Sixth Circuit highlighted Nationwide’s mitigation efforts and recommendations as justifying its finding that plaintiffs had adequately shown injury in fact.

The Hancox decision comes just a few months after the Supreme Court’s decision in Spokeo, Inc. v. Robins (May 16, 2016), in which the Supreme Court found that the Ninth Circuit failed to consider the fact that an injury in fact must be concrete as well as particularized. The Sixth Circuit found that plaintiffs met Spokeo’s two-part test: they alleged an injury that likely would be redressed by a favorable decision and their alleged injury was “fairly traceable” to Nationwide’s conduct. We hope that the court will take up this case to further elucidate the standing requirements. In the meantime, be aware that the Sixth Circuit is not a favorable jurisdiction for companies in data breach class action cases.

Posted in Cyberattack, Data Breach, Insurance, Litigation

“Full Employment for CISOs in New York”: New York Proposes the Nation’s First Cybersecurity Regulation

If you’re a CISO living in New York get ready for the phone calls!!! On September 13, 2016, Governor Andrew M. Cuomo proposed the nation’s first cybersecurity regulation. Starting on September 28, 2016 there is a limited 45 day window of opportunity for financial institutions and interested parties to submit public comments before the regulations become final.

Here are the top ten reasons why CISOs in New York will be busier than ever if the regulations are finalized:

10. If you are a financial institution regulated by the New York Department of Financial Services (“NYDFS”), you are REQUIRED to comply with these new cybersecurity regulations. It is not a “reasonable efforts” or “best practices” standard; it is mandatory. This includes banks, insurance companies, mortgage companies, lenders, and money services companies.

9. Regulated financial institutions must designate a qualified individual to serve as Chief Information Security Officer (“CISO”). The CISO must report directly to the Board at least two times a year (a) identifying cyber risks; (b) assessing confidentiality, integrity and availability of information systems; (c) evaluating the effectiveness of the cybersecurity program; and (d) proposing steps to remediate any cybersecurity inadequacies.

8. Regulated financial institutions must develop written policies and procedures for third-party vendors with access to nonpublic information, which is very broadly defined under Section 500.01(g).

7. Regulated financial institutions must establish a cybersecurity program and adopt a written cybersecurity policy which includes procedures for protecting: (a) information security; (b) data governance and classification; (c) access controls and identity management; (d) disaster recovery; (e) network security; (f) application development; (g) customer data privacy; (h) vendor management; (i) risk assessments; and (j) incident responses.

6. CISOs are required to conduct due diligence on third parties to evaluate whether they have adequate cybersecurity practices. CISOs are also required to perform periodic assessments, at least annually, of third parties.

5. Regulated financial institutions must implement multi-factor authentication for individuals who have access to internal systems or to support functions.

4. Annual penetration testing and vulnerability assessments must be included in the financial institution’s cybersecurity program.

3. Encryption is required for all nonpublic information held or transmitted by the financial institution. For data in transit, there is a one-year window to implement the encryption safeguards. For data at rest, there is a five-year window to implement the encryption safeguards.

2. Regulated financial institutions must establish a written incident response plan which effectively responds to a cybersecurity event. Section 500.16 of the proposed regulations provides seven areas that must be included in the incident response plan, including remediation of any identified weaknesses.

1. Finally, under Section 500.17, regulated financial institutions are required to notify the superintendent of any Cybersecurity Event that has a “reasonable likelihood of materially affecting the normal operation” or “that affects Nonpublic Information.” The notification must be made within 72 hours “after becoming aware” of such a Cybersecurity Event. Additionally, the regulated financial institutions must annually submit a written statement by January 15th certifying that the institution is in compliance with the Cybersecurity regulations.

There are limited exemptions to many of these requirements, such as for institutions having fewer than 1,000 customers and less than $5 million in gross annual revenues, but given that these regulations are directed at NYDFS-regulated entities, it is unlikely that many financial institutions will fall within these exemptions.

For more information regarding the NYDFS proposed cybersecurity regulations or for assistance with preparing public comments or developing cybersecurity policies and procedures, please contact Ryan P. Blaney or a member of Cozen O’Connor’s multidisciplinary Privacy, Data & Cybersecurity group.

Posted in Data Security, Legislation, Regulations

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC after finding that the Commission had failed to show that LabMD’s conduct caused consumer harm sufficient to satisfy the requirements of Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, to obtain independent third-party assessments of the implementation of that program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see whether there are any additional or conflicting data security standards mandated by the two agencies. Any company handling PHI should, therefore, continue to ensure that its data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions, not just by OCR but by the FTC as well.

Posted in FTC, HIPAA, OCR

Data Breach Plaintiffs Continue to Face Article III Standing Challenges

Standing remains a high hurdle for individuals whose personal information is compromised as a result of a data breach but who cannot establish that the stolen information was actually used improperly. Class action claims against CareFirst Blue Cross Blue Shield related to a 2014 breach were dismissed by D.C. District Court Judge Christopher R. Cooper last week after he found that they failed to meet Article III’s standing requirement. This ruling comes two months after a similar ruling by a Maryland district court judge in class action claims related to the same CareFirst breach.

Judge Cooper’s decision does underscore the need to show harmful misuse of data to establish standing, but his opinion also raises the possibility that the type of information stolen may be important to determining the plausibility of alleged harm.

In the CareFirst breach, customers’ names, birthdates, email addresses, and subscriber numbers were compromised, but no social security numbers or credit card information. In his rejection of plaintiffs’ claims of injury, Judge Cooper specifically referenced the type of information that had been stolen in several instances. It is fair to ask: had either the social security numbers or credit card information of this plaintiff group been implicated, might the judge have seen a more plausible imminent harm?

Broadly speaking, Article III standing requires a plaintiff to show injury-in-fact, causation and redressability, and the alleged injury must be particularized, concrete or imminent. In the context of a class action, each named plaintiff must establish that he or she was personally injured.

The CareFirst plaintiffs’ class action complaint alleged various violations of state laws and breach of legal duties associated with protecting personal information. The claimed injuries included, inter alia, (1) an increased risk of identity theft; (2) identity theft in the form of a tax fraud; (3) economic harm through having to purchase credit-monitoring services; (4) economic harm through overpayment for insurance coverage; and (5) loss of intrinsic value of their personal information.

The district court found each claim without merit. Plaintiffs could not show how a hacker could steal their identities without their social security numbers or credit card numbers; could not claim the purchase of credit-monitoring services as an injury, since that constitutes a “self-inflicted” harm; could not substantiate their claim that some portion of their insurance premiums is now allocated to paying for security measures; and could not show that their personal information had been “devalued.”

With respect to the tax fraud claim, two named plaintiffs alleged that they suffered injury-in-fact because they had not yet received an expected tax refund. The court, however, found that the plaintiffs failed to show that their alleged injury was “fairly traceable” to the breach or how such tax refund fraud could have been carried out without their social security numbers and credit card information.

Posted in Data Breach, Litigation

OCR Announces New HIPAA Guidance on Ransomware

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday, July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom does not necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

Posted in HIPAA, Privacy

Cyber Attacks Reach Subrogation

It was just a matter of time. As cyber-attacks rose and the data security breaches became increasingly devastating to businesses and individuals, cyber breach insurance became more prevalent. And where insurance appears, subrogation recovery follows.

We have not seen an overwhelming number of cyber claims or lawsuits filed – yet. One of the main lawsuits filed involves a claim for $154,711.34, brought by Travelers Insurance as the insurer of Alpine Bank. Alpine Bank incurred over $150,000 in costs associated with notifying its customers of a security breach that occurred while Ignition Studio, Inc. was under contract to design and service the bank’s security system. Travelers alleges that Ignition failed to perform basic updates to the security system or place basic anti-malware software on the bank system server. Following the security breach, Travelers paid Alpine Bank under its insurance policy.

Alpine Bank got off relatively easy, as did the defendant security provider, which settled this claim well before it ever got to trial. Cyberattacks are becoming increasingly costly, with an estimated 300 million records leaked and over $1 billion stolen in 2015. Not surprisingly, this loss totaling less than $155,000 settled before really being litigated. The docket shows that the complaint was filed on January 21, 2015 and that a motion to dismiss for failure to state a claim was denied as moot, likely because the matter was settled for an undisclosed amount in April 2015. As a result, we unfortunately do not have much judicial reasoning to look to for future cases.

However, many of the same lessons found in a run-of-the-mill subrogation case for negligent service or a faulty product will apply in cyber cases. To secure recovery, an insurer will still need a defendant that has liability insurance to cover negligent cyber security service/software or has sufficient assets to pay for the damages arising out of the cyberattack. The insurer will also have to demonstrate that the cyber security company failed to follow the basic standard of care for the industry (which is continuously evolving) or otherwise breached the security contract.

Additionally, the insured has to be fault-free in some jurisdictions, or at least less than 51% responsible for the harm in others. This means that an insured company that provides no training to its employees about the danger of opening spam or downloading malware may destroy its insurer’s subrogation case before the case even starts.

Had Travelers’ case been larger, the outcome may have been very different. On one hand, Travelers may have had to deal with the defense that the insured never told bank employees not to open strange emails. Alternatively, Travelers may have secured a verdict for its damages but faced the possibility that it would not collect because there was no insurance and the security company was bankrupted by the claim. We do not know for sure how this case would have turned out if there had been more at stake. But we do know with absolute certainty that more cases are coming.

Lastly, we would be remiss if we did not mention that the expected rise in cyber-related losses will be influenced by the internet of things. Currently there are 8 billion devices connected to the Internet. By 2020, that number will rise to over 20 billion and continue to grow exponentially. As more devices, computers, cars, homes, businesses, etc. become more interconnected, the potential for cyber-related claims (and corresponding negligence lawsuits) will increase for a party’s failure to act reasonably to protect against a breach. Further, as the Internet of Things grows, we will owe a greater duty to our “network neighbors” to act reasonably to protect the network so that others on the network don’t get hacked.

Posted in Cyberattack, Data Breach, Legislation, Litigation

Courts: We Hear No Suit Based on Cyber Crime Before its Time

Two recent decisions out of the U.S. District Court for the District of Maryland illustrate the difficulty that cyber breach victims can have in establishing standing to sue. In both cases, the court dismissed the cyber breach suits for lack of standing because the plaintiffs had not yet sustained actual damages. The decisions reflect that whether a cyber breach victim has suffered cognizable damages is extremely fact intensive. Notably, the cases were dismissed or remanded for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), which can be raised at any point and is never waived.

Chambliss v. CareFirst, Inc., 1:15-cv-02288, involved a well-publicized data breach at CareFirst, a health insurance provider. Data breaches of confidential personal information of CareFirst’s subscribers occurred in 2014 and 2015. The personal information included the names, birthdays, e-mail addresses, and subscriber identification numbers of 1.1 million people. Plaintiffs sought to bring a putative class action alleging that CareFirst should have known earlier that the breaches could occur, as the stolen information was “highly coveted by and a frequent target of hackers.”

Plaintiffs further claimed that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst’s failure to secure the personal information, plaintiffs claimed that they “have lost or are subject to losing money and property.” However, as the Court noted, the plaintiffs did not allege that they had yet suffered any actual injury, and thus there was not yet a ripe controversy under Article III of the Constitution.

The facts in Khan v. Children’s National Health System, 8:15-cv-02125, were substantially similar. Mr. Khan filed a putative class action against Children’s National Health System, asserting that hackers had obtained access to certain employee e-mail accounts that contained subscriber personal data.

Judge Chuang considered the increased risk of identity theft to be the plaintiff’s most promising argument for an injury that could support Article III standing. Judge Chuang noted that district courts and even circuit courts have differed on whether an increased risk of identity theft is a cognizable injury that can support standing. However, he noted that rather than applying a different legal standard, the difference in the courts’ treatment of these cases is largely determined by their unique facts.

Both courts noted that the plaintiffs had not alleged that their data had yet been misused in any way. In Chambliss, the court also observed that the breach compromised names, birth dates, e-mail addresses and subscriber identification numbers, not social security numbers, credit card information or any other similarly sensitive data that could heighten the risk of harm. (The Court may have been overly optimistic about whether names, birth dates and subscriber identification numbers can be used in a nefarious way.)

Both judges also rejected the claim that the plaintiffs had suffered harm in the form of mitigation costs, such as expenses incurred from obtaining credit monitoring services. The Chambliss Court reasoned that a plaintiff cannot manufacture standing by inflicting harm on himself, and the Khan Court stated that incurring costs as a reaction to a mere risk of harm does not establish standing if the harm to be avoided is not itself “certainly impending.” Both judges also disregarded claims for the decreased value of personal information, especially since the plaintiffs had not alleged that they had attempted to sell their personal information and/or that they had been forced to accept a decreased price for that information.

The Maryland District Court in these two cases joined other courts across the nation in holding that there is no standing to sue, and thus no subject matter jurisdiction, until there has been actual misuse of data. In layman’s terms, the message to those affected by cyber breaches is, “Come back when you have a real problem.”

The judges in Chambliss and Khan probably got this right. Still, it seems like only a matter of time before the hackers in those cases misuse the stolen data and, unwittingly, convey standing on their victims.

Posted in Cyber crimes, Cyberattack, Data Breach, Litigation, Privacy

Chinese Leftovers: P.F. Chang’s Not Entitled to $2 Million in Breach Costs

In what is thought to be the first published decision in a cyber insurance coverage case, popular Chinese restaurant chain, P.F. Chang’s, was denied coverage for certain costs incurred as a result of a 2014 data breach. Unfortunate as it may be for P.F. Chang’s, this court ruling offers a valuable object lesson for others with respect to cyber policies. Namely, be aware of the full extent of potential cyber liabilities and know what your policy covers.

P.F. Chang’s initial breach occurred in June 2014, when hackers stole approximately 60,000 credit card numbers from 33 different P.F. Chang’s locations. When the breach was discovered, the restaurant chain already had a cyber policy in place. It maintained a $5 million “CyberSecurity by Chubb” policy through Federal Insurance Company.

Ultimately, Federal evaluated the cyber coverage and paid nearly $1.7 million of P.F. Chang’s claim for forensic investigation and litigation costs. However, that wasn’t the full extent of P.F. Chang’s liability. MasterCard charged P.F. Chang’s credit card service company (Bank of America Merchant Services) almost $2 million in fees and assessments, pursuant to the services agreement between the restaurant and Bank of America.

When P.F. Chang’s received notices of these charges, it promptly paid Bank of America to maintain the parties’ relationship and to maintain banking service without disruption. P.F. Chang’s then made an insurance claim for those fees and assessments with Federal. Federal analyzed the claim and determined that the policy did not cover those costs; accordingly, it denied coverage, prompting P.F. Chang’s to file suit.

The U.S. District Court for the District of Arizona granted summary judgment to Federal. The court found that, while the fees and assessments may fall within the scope of the insuring agreement, the “contractual liability” exclusion barred coverage. In the alternative, P.F. Chang’s argued that the “reasonable expectations” doctrine should apply – i.e., even if the assessments were not expressly covered under the policy, it “possessed the expectation that coverage existed under the Policy for the assessments.” Under the reasonable expectations doctrine, a contract term may not be enforced if one party has reason to believe that the other would not have consented to the contract’s terms had it known the term was present. Where appropriate, it provides some leeway to the general rule that contract terms trump all.

The court found that the doctrine would only apply in this case if two conditions were met: (1) the insured’s expectation as to coverage was reasonable and (2) the insurer had reason to believe that its insured would not have agreed to the policy terms if it had known of the now-challenged provision. Emphasizing that both parties (P.F. Chang’s and Federal) were experienced corporate actors, the court found no evidence that the restaurant chain believed it would be covered for such assessments following a breach and that P.F. Chang’s merely attempted “to cobble together such an expectation after the fact, when in reality no expectation existed at the time it purchased the Policy.” The court concluded, “[P.F.] Chang’s and Federal are both sophisticated parties well-versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended.”

Essentially, P.F. Chang’s got into trouble for knowing too much and too little. It was arguably ahead of the curve in its acknowledgement of risk and the need for cyber coverage. At the same time, it was not fully cognizant of the potential range of resultant breach costs or the actual extent of its cyber policy. The takeaway here is obvious: a cyber policy is not designed to be a one-size-fits-all remedy for every possible cost associated with a data breach. Historically, insurance policies were not designed to cover an insured’s contractual liabilities and, absent a specific policy provision or endorsement to the contrary, there is no reason to assume that a cyber policy is any different. Companies – especially those that process credit cards and are contractually bound to pay fees and assessments – should review their policies before a breach to understand what is covered and, maybe more importantly, what is not covered.

Posted in Data Breach, Insurance, Litigation

About Cyber Law Monitor

In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Cozen O’Connor Blogs