Cyber dating insurance
Recognizing that cyber-breach risk does not fit easily within the protections afforded by traditional insurance policies, the insurance industry has created and brought to market a variety of cyber-risk policies providing both first-party loss and third-party liability coverage.
The insurance-buying community has responded enthusiastically, as reflected in reports of year-on-year growth in cyber-risk insurance premiums. But how much third-party liability protection are insureds really getting from these new cyber-risk insurance products?
The goal of this article is to call attention to a feature common to the third-party claims that follow a cyber-breach, namely that the alleged wrong is the hacked entity's inaction rather than any affirmative act, in the hope that insurance buyers, brokers and cyber insurers will recognize and address its potential impact during the insurance placement process, thereby avoiding costly coverage litigation down the road.
Setting the stage for the coverage discussion, this article will first survey the current state of cyber-breach litigation in order to identify the key characteristics of claims against entities whose information systems have been hacked, as well as claims against their officers and directors.
TYPICAL CLAIMS FOLLOWING A CYBER-BREACH
Following a hack of a company's information system, litigation may come from seven primary sources:
(1) customers of the company whose personally identifiable information ("PII"), personal financial information ("PFI"), or other private personal information ("PPI") has been stolen by the hackers;
(2) employees of the company whose PII, PFI or PPI has been stolen;
(3) federal or state regulators bringing enforcement actions against the hacked company or its officers or directors for inadequate cyber-security measures, inadequate mitigation of harm, ineffective or untimely notification of persons affected by the breach, or false and misleading representations related to the foregoing;
(4) financial institutions that issue credit and debit cards (together, "payment cards") to the persons whose PFI has been stolen;
(5) financial institutions that have contracts with the hacked company or other merchants to process payment card transactions, and thereby unwittingly clear fraudulent transactions effected with stolen PFI;
(6) shareholders bringing derivative claims against the hacked company's directors and officers for failing to implement adequate cyber-security measures, mitigate harm, or timely and effectively notify those affected by the hack; and
(7) investors who purchased the hacked company's stock at a time when the company's inadequate cyber-security protections were misrepresented or not disclosed.
The first six categories of claimants have proven to be real threats: each has filed lawsuits against hacked companies and their officers and directors in the wake of cyber-breaches.
Customer Cases
The conduct challenged in customer cases inevitably focuses on inaction by the hacked entity: a litany of alleged failures to protect the PII, PFI, or PPI of the putative plaintiff class typically is at the forefront of the allegations in these cases.
Regulator (FTC and SEC) Cases
Pursuant to its mandate to prohibit "unfair or deceptive acts or practices in or affecting commerce," the Federal Trade Commission ("FTC") has taken action against companies whose information systems were breached where it considered the companies' privacy and data protection assurances misleading. One of the most recent examples of such FTC action is the 2013 enforcement case it brought against hotelier Wyndham Worldwide Corporation following a 2008-09 hack into Wyndham's computer system. In the action, the FTC alleged numerous cyber-security failures by the hotelier, including failure to use readily available security measures such as firewalls, failure to adequately restrict third-party vendors' access to Wyndham's computer network, failure to adopt reasonable measures to detect and prevent unauthorized access to the network, and failure to follow proper incident response procedures.
In the last several years, the Securities and Exchange Commission ("SEC") has emerged as another regulator to be reckoned with in the cyber-security arena, vowing to be vigilant in policing cyber-risk disclosures by publicly-traded companies and financial institutions under its jurisdiction. In September 2015, the SEC made good on this promise, announcing its first cyber-breach enforcement action settlement. The defendant in that action was R. Once again, the alleged failing was inaction: Jones' failure to adopt the mandated policies and procedures.
Payment-Card Financial Institution (Issuing Bank and Acquiring Bank) Cases
Visa, MasterCard, American Express and other payment card companies have formed extensive payment processing networks of banks, credit unions, and other financial institutions. The member institutions that issue payment cards to consumers are called "Issuing Banks" in the payment card industry. Other member financial institutions enter into separate contracts with merchants, agreeing to process the merchants' transactions with consumers; these are the "Acquiring Banks."
In addition to the risk of having to reimburse the Issuing Bank for fraudulent transactions, the Acquiring Bank may also face fines and penalties assessed by Visa, MasterCard, American Express or other payment card companies based on the merchant's or the Acquiring Bank's non-compliance with the Payment Card Industry Data Security Standard ("PCI DSS"). These fines and penalties can be hefty. Whether losses from fraudulent transactions fall on the Issuing Bank, the Acquiring Bank, or both, the Banks may seek reimbursement from the hacked merchant where the merchant failed to comply with PCI DSS, as required by its contract with the Acquiring Bank.
Several Issuing Banks sought to do just that following a cyber-breach at the discount retailer BJ's Wholesale Club, Inc.