Judge Rules No Standing To Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint made against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class action complaint against Chrysler and Harman – the maker of the uConnect telematics system, which, among many things, pairs an owner’s smart phone to their car. The plaintiffs allege that they suffer pangs of anxiety and fear because of the possibility that their cars could be ...


RAND Study Estimates Lower Cyber-Incident Costs

According to a new study by the RAND Corporation, published in the Oxford Journal of Cybersecurity, the average cost of a typical cyber breach for an American company has been estimated at $200,000, significantly less than the $1,000,000 figure suggested by other organizations, such as the Ponemon Institute. The study analyzed a private data set of 12,000 cyber incidents over a decade based on corporate losses compiled for the insurance industry. “Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think,” said Sasha Romanosky, author of the study. The study concludes, among other things, that the average cyber event costs companies less than 0.4 percent of their annual revenues. A copy of the RAND article can be found here.

Plaintiffs’ Monitoring Activity to Mitigate Increased Risk of Identity Theft Sufficient for Article III Standing in the Sixth Circuit

The Sixth Circuit, in a 2-1 majority decision, has reinstated a class action lawsuit against Nationwide Mutual Insurance Company, finding that the plaintiffs’ alleged “imminent, immediate and continuing increased risk” of identity fraud after hackers accessed personal data on Nationwide’s servers constituted a “cognizable injury” under Article III. The court’s unpublished decision cited a range of alleged damages from the plaintiffs’ complaint including the time and expense of monitoring their own credit, as well as a study “purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.” Based on these allegations, the court held: “Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish ...

At FTC’s ransomware workshop, FBI says: Don’t pay

As the first event in its fall technology series, the FTC held a public workshop [September 7, 2016] on ransomware. According to experts on hand for the event, ransomware is the most profitable malware type in history. FTC Chairwoman Edith Ramirez said that it is not only prevalent and dangerous, but also difficult to thwart because of its rapid proliferation, the many vectors of attack and the vast array of harms. It’s an issue of interest to the FTC in its pursuit to protect consumers, but also because, according to Ramirez, failure to address known vulnerabilities may violate the FTC Act. Read the full article at the IAPP website, by clicking here.

Something to Keep an Eye On: Insurers and Insureds to Duke it Out in Data Breach Coverage Suit

New Indiana coverage litigation regarding a CGL policy (and umbrella policy) may provide more guidance about how courts will approach data breach coverage under traditional insurance products. In National Fire Insurance Company of Hartford v. Medical Informatics Engineering, Inc. et al. (N.D. Ind., No. 16-cv-152), two CNA companies initiated a declaratory judgment action seeking a ruling that they do not have the duty to defend or indemnify Medical Informatics Engineering, Inc. or NoMoreClipboard, LLC (collectively Medical Informatics) in relation to lawsuits filed against Medical Informatics. The underlying lawsuits allege Medical Informatics, a provider of medical record storage services, failed to protect its databases containing sensitive personal medical information of approximately 3.9 million putative class members. The insurers allege the underlying lawsuits do not seek “bodily injury,” “property damage,” or “personal ...

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available for purchase distinct cyber products and sub-products. As background, P.F. Chang’s suffered a data breach, resulting in approximately 60,000 customer credit card numbers falling into the hands of hackers. P.F. Chang’s notified Federal immediately. Federal reimbursed P.F. Chang’s for amounts in excess of $1.7 million as ...

Forty Percent Increase in New York State Data Breaches

On Wednesday, May 4, 2016, New York State Attorney General Eric T. Schneiderman announced a 40 percent increase in reports of data breaches during 2016 as compared with the same time frame last year. As in a growing number of states and federal agencies, New York’s Information Security Breach & Notification Act, enacted in 2005, requires all individuals and organizations conducting business in New York to report any unauthorized access to personal information to affected individuals, law enforcement and other government officials. According to the May 4 press release: The office has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices.  The office ...

Cybersecurity Down on the Farm

The FBI and Department of Agriculture have issued a Private Industry Notification to increase awareness among farmers that growing reliance on precision agriculture technology, aka “smart farming,” brings increased vulnerability to cyberattacks. While the notification did not suggest attackers could gain control of physical machinery, unauthorized access to farm-level data regarding crop availability and pricing could be used to exploit US agriculture resources and market trends. Earlier this year, for example, the USDA and Microsoft hosted a worldwide competition to design data visualization tools that will allow farms to make sustainable and efficient decisions that may impact the global food supply, based on the information gathered by “smart farm” sensors, drones and other technologies to measure factors contributing to crop growth. In addition to market manipulation, such data may be ...

Inadvertent Data Breach May Trigger Insurer’s Duty to Defend

As previously posted, in many instances of data breach, information was exposed due to the negligent actions of someone within the organization, as opposed to an external and malicious cyberattack. This week, the Fourth Circuit held that the inadvertent disclosure of data from within the company can constitute a “publication” triggering an insurer’s duty to defend. Goldberg Segalla attorneys Colin B. Willmott and Jonathan L. Schwartz provide a complete analysis of the decision in Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. here.

A Strong Case for Mobile Device Management

The San Bernardino County government paid for, but never installed, a feature allowing employer access to any employee mobile devices. Had the feature been installed, the current legal and philosophical battle between Apple and the FBI over how to access shooter Syed Rizwan Farook’s iPhone might have been avoided. What’s more, the county not only had the software, but also a longstanding policy eliminating any expectation of privacy by the employee: “No User Should Have an Expectation of Privacy.” Had the county simply installed the technology, public officials could legally and ethically access the relevant data from the mass murderer’s iPhone without court involvement. Two lessons are apparent. First, mobile device management (MDM) is an important part of any information technology system, allowing remote access to phones ...