No Duty to Defend in Sony’s Cyberattack Suits

A recent decision by a New York state trial court judge has the potential to spark an enormous expansion of the data breach coverage marketplace. Until now, many policyholders have been reluctant to buy additional insurance under the assumption that data breach losses would be covered under existing commercial general liability policies. The decision in Zurich American Insurance Company v. Sony Corporation, among the first to address coverage issues for large-scale data security breaches, brings that assumption into serious doubt.

On February 21, 2014, a judge ruled that Zurich American Insurance Company has no duty to defend Sony Corporation in lawsuits relating to a 2011 cyberattack on its PlayStation network. At the time, that attack was among the largest such events in history – nearly $2 billion in losses were claimed after hackers stole personal information from millions of PlayStation users including names, addresses, birthdates, credit card numbers, and bank account information.

Zurich, Sony’s general liability insurer, brought a declaratory action to determine coverage for approximately 60 underlying lawsuits arising out of the PlayStation cyberattack. The Coverage B (personal injury coverage) provision at issue in Zurich’s policy covered “oral or written publication in any manner of material that violates a person’s right of privacy.” The fundamental question was whether this grant of coverage required Sony itself to commit the breach-causing act, or whether acts by third parties sufficed. The court emphasized that Sony was not at all involved in the “publication”; rather, criminal hackers illegally intruded into the PlayStation sites, breaching Sony’s security. The court concluded that “in any manner” referred to “any manner” of dissemination, not “by any actor.”

Sony asserted that the policy lacked clear language excluding this type of cyberattack from coverage. Zurich countered that every tort claim within the purview of the personal injury coverage required an intentional act or affirmative conduct by the policyholder. The court further noted that the insurers were bargaining only with the policyholder, not with any third parties, when issuing the liability insurance. The court would not agree to expand the coverage being issued to include the hackers responsible for the data breach.

Although subject to appeal, the recent PlayStation cyberattack decision is likely to be frequently cited going forward and will likely have a significant impact on the realm of liability insurance and cyber insurance. Companies susceptible to data breach claims would be wise to have a risk-mitigation program in place that includes, but certainly is not limited to, purchasing insurance that safeguards against these specific risks.

Posted in Cyberattack

Something for (Almost) Nothing

A federal judge in Florida granted final approval of a $3 million settlement in a data breach class action against AvMed, Inc., an integrated managed care organization. The settlement agreement is unique in that it allows affected plaintiffs to recover even if exposure of their data did not result in identity theft.

The data breach resulted from the theft of two laptops from AvMed’s Florida facility in December 2009. Although AvMed recovered one laptop, the laptop still at large contained unencrypted information, including the names, addresses, dates of birth, Social Security numbers, and personal health information of current and former customers. AvMed initially divulged in February 2010 that the security breach compromised the personal information of 208,000 people, before twice revising that number to eventually conclude that it affected 1.2 million. AvMed notified those affected and offered two years of credit monitoring.

The plaintiffs who did not suffer from identity theft rode into this settlement on the coattails of those who did. The district court originally dismissed plaintiffs’ claim because they failed to satisfy the pleading standard under Twombly by not alleging actual identity theft. Plaintiffs then dropped those whose personal information was merely exposed, added a named plaintiff whose identity was stolen, and amended their complaint accordingly. The district court again granted AvMed’s motion to dismiss for failure to state a cognizable injury.

The Eleventh Circuit Court of Appeals reversed in part and remanded the action to the district court. It determined that the plaintiffs who suffered identity theft had Article III standing. Their economic injuries constituted a cognizable injury as a matter of law. Further, that injury was “fairly traceable” to the breach in AvMed’s data security, and a monetary award of compensatory damages would redress plaintiffs’ grievances. The Eleventh Circuit also found that plaintiffs met the pleading standards under Twombly, rebuffing AvMed’s argument that they failed to allege a cognizable injury because they pleaded losses without stating that those losses were unreimbursed.

The mediation that followed led to the settlement recently approved by the district court. It remains to be seen how much of the $3 million settlement will go to each of the 1.2 million customers affected by the breach, given the various costs guaranteed to be paid out of that amount. From this settlement, the plaintiffs’ attorneys netted $750,000. The two named plaintiffs win $5,000 each for their perseverance, in addition to whatever else they receive under the settlement. Costs related to settlement notices and administrative fees are also deducted from the award. The remaining funds will be provided to the identity theft victims in the amount of their unreimbursed losses, and to customers whose data was exposed in the amount of $10 per year—up to $30. Two hundred and fifty thousand dollars is set aside exclusively for the identity theft victims. If the claims exceed the remaining amount, then the amount paid to each plaintiff will be reduced pro rata. Additionally, AvMed agreed to implement security measures and training.

Although this case is unique in that plaintiffs will recover some amount of money despite not suffering from identity theft, this is a settlement and not a ruling. There is no indication of how this settlement will affect future data breach plaintiffs, if at all. Such plaintiffs will still need to establish standing by demonstrating that they suffered a cognizable injury that is fairly traceable to the defendant’s actions and that can be redressed by a favorable court decision. Whether this settlement will encourage courts to allow data breach plaintiffs to overcome some of their largest hurdles, or encourage similar payouts, remains to be seen.

The action is Resnick et al. v. AvMed Inc., Case Number 1:10-cv-24513, in the U.S. District Court for the Southern District of Florida.

Posted in Data Breach

Voluntary But Valuable: Using NIST’s New Cybersecurity Framework

On February 12, 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, or more simply, the Cybersecurity Framework. The Framework is the culmination of a year-long process set in motion by the Obama Administration’s February 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity.” That Order charged NIST with the task of developing voluntary cybersecurity standards for organizations that are considered part of the country’s “critical infrastructure.”

“Critical infrastructure” is defined as “systems and assets, whether physical or virtual, so vital to the United States that incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters.” So, while it doesn’t apply to everyone, the definition is very broad. When you think “critical infrastructure,” think defense, energy, finance, healthcare, transportation. Odds are, even if an organization doesn’t fall directly within the definition, it does business on a daily basis with an organization that does. More importantly, while technically written for critical infrastructure organizations, the Framework is crafted such that anyone can benefit from its guidance. The bottom line is: everyone needs to know the Framework exists. Going one step further, we should all be familiar with its recommendations and try to put them into practice.

The ideas in the Framework are not unique and, in fact, they draw heavily on resources that have been available and in use for years. By working with private sector experts and seeking input from thousands of contributors, NIST has organized these resources into a comprehensive, yet user-friendly roadmap that companies can easily follow. It is intended for high-level executives and risk managers. It broadly addresses cybersecurity policies, practices, and goals, but also provides references to dozens of resources for implementing the nitty-gritty of an organization’s security measures. It is designed to complement existing risk management and cybersecurity programs; help assess current cybersecurity posture; identify and prioritize opportunities for improvement; monitor progress towards new targets; and facilitate communication internally and externally about cybersecurity risk.

The Framework consists of three components: (1) the Framework Core; (2) Tiers; and (3) Profiles. The Framework Core provides companies with a series of activities and resources that they can use to manage their risks. The activities are broken down into five key functions: Identify, Protect, Detect, Respond, and Recover. In other words, identify the risks and vulnerabilities, develop systems to protect against cyber intrusions, detect any such intrusions or cybersecurity events, respond to a breach of security, and recover from the attack.

The Tiers characterize how individual companies view their level of risk and divide companies according to the degree of rigor in their risk management practices. They range from “partial” (Tier 1) to “adaptive” (Tier 4). The goal is to be adaptive, but the Framework contemplates that everyone has work to do to get there.

In that vein, the Profiles help companies identify where they are and where they want to go in terms of cybersecurity by creating “current” and “target” profiles. Organizations can see how well they align with other entities within their sector, whether they comply with applicable state and federal laws and standards, and how they can maintain industry best practices. The Framework even offers a helpful seven-step program that an organization can follow to create a new cybersecurity program or improve an existing one.

While the standards are currently voluntary, they will likely become the de facto standard of care by which lawyers and regulators judge all organizations, not simply those that are technically part of the critical infrastructure. Even if a company isn’t considered vital to national security, we all need to be smarter about cybersecurity. To protect the private information of customers, clients, employees, and business partners, and to ensure continuity of company operations, the Framework is an excellent place to start.

Find the Framework here.

Posted in Standards

Decision in Nationwide Case – What Constitutes “Injury” from a Data Breach?

In Galaria v. Nationwide Mutual Insurance Company, an Ohio federal judge dismissed claims stemming from a large-scale data breach because plaintiffs failed to demonstrate an injury sufficient to confer legal standing. The judge found that their data had not been misused and that any threatened harm was not “certainly impending.” The court rejected plaintiffs’ arguments that they had standing based on an increased risk of identity theft, loss of privacy, and deprivation of the value of their personally identifiable information.

The class action litigation arose from an October 2012 breach in Nationwide’s data security that exposed the personally identifiable information of an estimated 1.1 million Americans. The cyber thieves made off with names, Social Security numbers, driver’s license numbers, and birthdays of Nationwide customers as well as those seeking insurance quotes. In response, Nationwide notified those affected and offered free credit monitoring and identity theft protection services for a year. It is important to note that the named plaintiffs did not allege that their personally identifiable information was actually misused or that they suffered from identity theft resulting from the data breach.

In dismissing these claims, the court relied heavily on the Supreme Court’s decision in Clapper v. Amnesty International, which held that a “threatened injury must be ‘certainly impending’ to constitute injury in fact” sufficient to confer Article III standing. While the Galaria court was not the first to apply the year-old decision to bar claims arising from a large-scale data breach, it is the latest example of the difficulties data breach plaintiffs face in surviving a motion to dismiss based on a lack of Article III standing.

Increased Risk of Harm

Similar to other data breach plaintiffs, the Galaria plaintiffs attempted to establish standing by arguing that their increased risk for identity theft and related mitigation costs caused them injury in fact. The court disagreed, finding that the subsequent harm depended on the criminal actions of independent decision makers. The Galaria court likewise found that mitigation costs did not confer standing. Citing Clapper, it reasoned that, “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

Loss of Privacy

Plaintiffs also argued they had standing because Nationwide publicly disseminated their personally identifiable information. The court, however, ruled that plaintiffs failed to allege adverse consequences aside from increased risk. The alleged loss of privacy did constitute an injury in fact for plaintiffs’ state-law invasion of privacy claim, but plaintiffs failed to establish a causal connection between Nationwide’s actions and their injuries. That is, plaintiffs lacked standing because they failed to properly allege that defendants disclosed their private affairs, since the data were stolen rather than published, and because any public dissemination would result from the independent activity of the hackers.

Deprivation of Value of Personally Identifiable Information

Finally, plaintiffs claimed that deprivation of the value of their personally identifiable information constituted an injury in fact. They reasoned that because personally identifiable information has value on the black market, Nationwide injured them by exposing their information and therefore depriving the plaintiffs of the information’s value. The Galaria court disagreed, holding that regardless of the information’s value, plaintiffs did not demonstrate they had access to this black market, nor that third parties deprived them of profits by selling their information there.

Posted in Data Breach

About Cyber Law Monitor

In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Cozen O’Connor Blogs