Data Breach, Privacy & Cyber Insurance Law Content

AUGUST 2017

The FDCC’s newest section—Data Breach, Privacy, and Cyber Insurance—has planned an active year for 2017-18. Our section is led by Chair Steve Embry and Vice Chairs Chris Holecek, John Sinnott, and Marshall Wall. Feel free to contact any of the section leaders throughout the year to offer input or get involved.

We are planning a plenary presentation for the winter meeting in Amelia Island on cyber threats. Stay tuned for more information about this as the date approaches. The winter meeting is February 24-28, 2018 at the Omni Hotel and Resort in Amelia Island, Florida.

Here are some recent developments in the data breach, privacy, and cyber insurance:

  • The Internet of Things to Come in Cybersecurity: The Internet of Things is fraught with risk. The monetization of health care data has been a significant threat since as early as 2015. We are all endangered by such exploitation because pieces of anyone’s information can be sold for a handsome profit on the Dark Web.
  • Outsider or Insider: Who Will Cause Today’s Data Breach?: In today’s cybercrime landscape, threats come not only from all sides, but also from within.
  • How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses: Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too. When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified. This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.
  • What to Know About Risk, Coverage Before You Buy Cyber Insurance: If a healthcare organization decides to insure itself against cyber-attacks, how do C-suite executives and others go about evaluating potential cybersecurity risks and insurance coverage in today’s chaotic threat landscape?
  • Data Breach Class Action Reinstated: Must plaintiffs allege actual identity theft from a data breach to avoid dismissal of their class action lawsuit? No, according to a recent opinion from a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit. 

One way to stay up to date on these issues is to participate in our section’s Slack page.

JULY 2017

The Anthem $115 Million Data Breach Settlement: A Tipping Point?

Seven years ago, a Texas jury awarded a woman named Melinda Ballard $32 million in what was touted as a toxic mold lawsuit. Almost overnight, a cottage mold litigation industry sprang up. Seminars on how to litigate a mold case from plaintiffs’ and defendants’ perspectives proliferated and were standing room only (I know, I spoke at some). Plaintiffs’ lawyers advertised their mold expertise in a massive hunt for clients. Lawsuits galore. Experts and consultants came out of the woodwork as moon suits and containment centers like those used for asbestos abatement became the norm for wiping common mold off ordinary walls with bleach. Never mind that the Ballard case was really an insurance bad faith case. Never mind that mold was and is ubiquitous. Never mind that the causal relationship between mold and serious illness is, at best, sketchy. Millions of dollars were spent in costs and legal fees until the hysteria burned itself out.

Have we reached a Melinda Ballard moment with data breach litigation? Last month, Anthem agreed to settle a class action over the health insurer’s massive January 2015 data breach. In that breach, hackers obtained and compromised the data of some 78.8 million current and former Anthem insureds and employees, which led to a probe by the Federal Bureau of Investigation and massive publicity. The information compromised included names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses, and employee data, including income.

After the predictable litigation commenced and ran its course, Anthem agreed to pay $115 million to resolve consumer claims over the attack in the largest data-breach settlement in history. As part of the proposed settlement, Anthem agreed to set aside some $15 million to pay for out-of-pocket expenses incurred because of the data breach and to establish a fund to buy at least two years of credit monitoring services for the class to help protect them from fraud. For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member.

The proposed accord, which would end class-action lawsuits filed in several states, requires approval from a federal judge in San Jose, California.

Data breach suits have had mixed success in the courts. Substantial Article III standing issues exist, since often the damages are only possible or threatened, not actual. Where the breach involves compromised financial information, fraudulent charges resulting from compromised account information are reversed by card-issuing banks, and only a small percentage of people are actually victimized by identity theft. And even if plaintiffs get past a motion to dismiss for lack of standing, there remain many procedural and substantive hurdles. So while some breach cases have outright failed in proving standing (as with Barnes & Noble’s data breach), others have settled for relatively modest sums, such as Target’s recent $18.5 million settlement with state attorneys general over its 2013 breach and a $10 million settlement with consumers.

But some believe the announcement of a $115 million settlement could suggest to the plaintiffs’ bar that these cases are now lucrative, initiating a feeding frenzy similar to the one that occurred after the Ballard case. After all, data breach cases are costly to defend and, if successful, could pose significant exposure, particularly if the numbers involved are large. There are also potential regulatory and attorney general liabilities, not to mention the publicity and the complicated nature of responding to data breaches before litigation under a multitude of often inconsistent state laws, which leave room for errors in the initial handling process.

But before we all gear up for another wild litigation ride, there are several points to keep in mind. First, the Anthem breach involved a huge number of people and tons of data. Much of the data was health records, some of the most sensitive and valuable information on the black market. The possibility for mischief with a person’s health records is pretty significant. The regulatory framework involving health records is daunting. So from a standing perspective, it would be easier for a court to conclude that the data has value and/or the threat of harm is “imminent.” Stolen health records increase the “anger factor” that often drives huge verdicts. These factors all make the Anthem case pretty unique.

Damages in most run-of-the-mill data breach cases not involving health data, though, remain hard to show with any certainty. Given the number of data breach incidents that have already occurred, more and more people already have credit monitoring in place, reducing the value of this as a damages element. In financial breaches, consumers at least are fairly well protected and knowledgeable.

And unlike the mold situation, the threat from a data breach is not one to a person’s health as much as to their convenience, making individual damages in most cases pretty low. So that means that, to succeed, plaintiffs must pursue class actions with uncertain recoveries in an area where the law is still unsettled. From the plaintiffs’ perspective, a proverbial long shot that could be expensive to bet on.

JUNE 2017

WannaCry: An Aptly Named Beginning to Large-Scale Ransomware Attacks?

On Friday, May 12, 2017, the ransomware attack known as WannaCry began.[1] Within a day, the malware infected more than 230,000 computers in over 150 countries.[2] Thankfully, on May 15, 2017, a web security researcher discovered a mistake in the malware’s code.[3] The web security researcher was then able to disable the further spread of the malware by exploiting the coding mistake. But future cyberattackers may not make the same mistake that WannaCry’s coders did.

WannaCry is classified as a ransomware attack. It was unique in that it spread in a devastating fashion. All ransomware attacks target vulnerabilities in a victim computer’s software. Through those vulnerabilities, attackers spread malware that scrambles and encrypts the data on the victim’s computer. The attackers then offer to unscramble and decrypt the victim’s computer for a fee, or ransom. Many ransomware attacks are limited in scope because, when software developers become aware of vulnerabilities in their programs, they issue patches that eliminate those weaknesses. However, every so often cyberattackers discover a vulnerability in software that had never been found before, so when they target that vulnerability, everyone who uses that software is at risk. These vulnerabilities are known as zero-day vulnerabilities because there is no time to patch the vulnerability prior to an attack. The WannaCry attack targeted a zero-day vulnerability in Microsoft’s software. Therefore, all computers running the affected Microsoft software were at risk until Microsoft could issue a patch.

Usually ransomware spreads through phishing—fraudulently sending emails with infected attachments which, when opened, target a software vulnerability and thus encrypt the computer. WannaCry, however, was so effective because the vulnerability it targeted was in Microsoft’s Server Message Block (SMB) protocol.[4] SMB is an application-layer network protocol, meaning that it is the mechanism by which networked computers share access to files, printers, etc.[5] Thus, WannaCry was not dependent on phishing in order to spread, but rather spread automatically to all computers in a network. In other words, the vulnerability WannaCry targeted made it spread quickly and uncontrollably.
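As an added example (not part of the original article), the Python below shows what the automatic spread described above looks like from a network flow log and how a defender can flag it: one host opening SMB (TCP/445) connections to many distinct internal hosts within a short window, which ordinary file-share use does not do. The record format, addresses and thresholds are constructed assumptions.

```python
"""Flag SMB (TCP/445) fan-out that resembles worm-style lateral spread.

Added example, not the article's own material. Assumes a simple
space-separated flow record: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
The threshold values are illustrative, not tuned for any real network."""
from collections import defaultdict

SMB_PORT = 445

def parse_flow(line):
    """Return (ts, src, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def smb_fanout(lines, min_targets=10, window=60):
    """Return {src: distinct_targets} for every source that reached at least
    min_targets distinct hosts on TCP/445 inside some `window`-second span.
    A user browsing a file share touches one or two servers; a worm probing
    a whole subnet touches dozens of hosts within seconds."""
    events = defaultdict(list)                      # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec and rec[3] == SMB_PORT:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()                                  # order by timestamp
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide window start
                lo += 1
            distinct = len({d for _, d in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits

# Constructed sample: 10.0.0.5 sweeps 10.0.0.10-10.0.0.29 on 445 within 20 s;
# 10.0.0.7 opens one share twice (normal use) and one HTTPS connection.
SAMPLE = [f"{1494597600 + i} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(20)]
SAMPLE += ["1494597605 10.0.0.7 10.0.0.50 445", "1494597640 10.0.0.7 10.0.0.50 445",
           "1494597610 10.0.0.7 10.0.0.51 443", "malformed line"]

if __name__ == "__main__":
    print(smb_fanout(SAMPLE))   # {'10.0.0.5': 20}
```

Shrinking the window or raising the target count trades sensitivity for false positives; the same logic runs unchanged on any other single-service port.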

Fortunately, WannaCry was not as devastating as it could have been. However, there is no reason to believe that similar cyberattacks will fail in the way WannaCry did. There are many ways that law firms and businesses can reduce the likelihood of becoming victims of cyberattacks, ranging from buying cyber insurance to hiring outside firms to provide security. In the meantime, it’s important to update your computers’ software when updates become available, because those patches can keep you from being the next WannaCry-style ransomware victim.

[1] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[2] “‘Unprecedented’ cyberattack hits 200,000 in at least 150 countries, and the threat is escalating,” CNBC, May 14, 2017.

[3] Elizabeth Weise, “How a 22-year-old inadvertently stopped a worldwide cyberattack,” USA Today, May 13, 2017.

[4] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[5] “Microsoft SMB Protocol and CIFS Protocol Overview,” Microsoft, October 22, 2009.

MAY 2017

Data breach, privacy, and cyber insurance continue to be hot topics in the news. Here are some recent headlines:

We discuss these and other topics of interest to our section on our Slack page. Please join the discussion. Check your email for the invitation to join our Slack team or email one of the section leaders for more information.

APRIL 2017

IBM recently released its “X-Force Threat Intelligence Index” for 2017. The report addressed security breaches during 2016 and noted that more than 4,000,000,000 records were leaked in 2016 – more than the total from 2014 and 2015 combined. This number was influenced by the massive breach disclosed by Yahoo, but even excluding that event, the volume of breaches continues to increase.

Distributed denial of service (DDoS) attacks continue to increase in size, and in many cases the bots driving these attacks prey on unsecured Internet of Things (IoT) devices. Malware attached to spam email continues to increase, and ransomware, which can result in the infected system being locked until the target pays a ransom to the hacker, makes up a large majority of that malware. 2016 also ended with a record number of disclosures of software vulnerabilities by developers.

The top five industries breached in 2016 were: (1) Information and communications; (2) Government; (3) Financial services; (4) Media and entertainment; and (5) Professional services. The last category serves as a reminder to attorneys of their obligations to clients to take care of the information entrusted to them.

If you have an interest, the report can be accessed here:

https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325
