Carlock Copeland Cyber Liability


Copeland, Stair, Kingma & Lovell, a civil litigation firm, has a reputation for forceful, creative and cost-effective advocacy on behalf of its clients. Formed in 1970 with five attorneys operating out of a downtown Atlanta office, we now have over 80 civil litigation attorneys handling legal matters across the Southeast from offices in Atlanta, GA, Charleston, SC and Chattanooga, TN.

Cyber Security and Liability Insurance: Stand-Alone Cyber Policies On The Rise

After companies began electronically storing sensitive business and customer information, the insurance industry focused heavily on privacy protection.  Businesses began implementing breach defenses and response protocols in an effort to avoid or mitigate the effects of having personal health information, financial information, trade secrets, or intellectual property stolen or used without authorization.  In many cases, hackers held the information hostage and demanded a ransom (“ransomware attacks”) in exchange for releasing it and not exposing it to the public.  Breaches in privacy protection also generate expenses for notification, data recovery, public relations management, reputational damage, and more.  Thus, cyber insurance became a popular line of coverage offered by insurance companies.  Now, with cyber-attacks getting increased media attention, the insurance industry has broadened coverage for cyber security and cyber liability into more areas than just privacy protection.

Businesses are learning that cyber breaches do not just affect privacy protection; they can also interrupt business and cause property damage.  The most common course of action when a breach is noticed is to stop operations.  When systems shut down, so does the flow of goods and services, and when the flow of goods and services stops, money stops coming in.  With regard to property damage, many, if not most, businesses now rely on some form of computer-controlled regulation in their buildings.  For example, it is common to have a building’s heating and air conditioning run on an electronically stored schedule.  If the heat does not turn on when it is supposed to, the water in the pipes can freeze; when the ice expands, it can break the pipes and release water into the building.  As another example, consider factories that rely on computer-controlled cooling fans.  If the fans stop, machines overheat and can start fires.  These kinds of losses are particularly notable because they do not require the activity of a sophisticated hacker.  Human error and technical glitches can cause them just as easily.

Hence, new lines of insurance coverage are appearing in the marketplace.  Cyber coverage for business interruption and property damage is starting to be offered as umbrella coverage over property, kidnap, and ransom policies.  Stand-alone cyber policies are also being offered.  However, the market is young and still maturing.  Policyholders need to review and re-review their policies to ensure proper wording for issues such as cyber extortion, business interruption, contingent business interruption, and cyber property-related coverage.  To keep premiums low at a time when cyber breaches regularly make front-page news (Equifax, Home Depot, etc.), businesses should be ready to demonstrate breach-readiness, such as established incident response teams and internal and external cyber security controls.

Cyber Attacks: Prepare, Prepare, Prepare

A cyber attack, as the term is used here, is any incident in which sensitive, confidential information is stolen or used by unauthorized individuals.  Cyber breaches may involve the theft or unauthorized use of personal health information, financial information, trade secrets, or intellectual property.  The consequences of a successful attack may include embarrassment, bad press, loss of business, loss of large sums of money (whether by theft or through the payment of ransoms in “ransomware attacks”), civil penalties, and even criminal prosecution.

When a breach occurs, companies spend enormous amounts of money hiring forensic investigators to figure out what was breached, who did it, the type of information accessed, and the extent of the damage.  They spend even more money determining how the breach happened, and what steps are needed to defend against future attacks.  Finally, they are forced to pay monitoring firms for years to come in order to protect customers from any future damage, protect the company brand, and reestablish trust with current and potential clients.

It is essential that corporate executives and owners make cyber security a priority in both planning and budgeting. While responding to a breach is expensive, the true cost to the company cannot be measured in dollars and cents. Tech-savvy customers want to know that their personal and/or financial information is safe from the rest of the world.

To instill confidence in potential customers (and avoid paying the costs associated with cleaning up a cyber spill), companies need to have a gameplan in place before a breach ever occurs.  The establishment of incident response teams is a vital first step.  The team should be made up of individuals who are team-oriented, detail-focused, and capable of sticking to the gameplan when stress levels rise.  These carefully selected individuals must understand the importance of their roles and devote themselves to constant learning as cyber security issues evolve.  Companies might also consider retaining full-time services from outside providers.  In the end, it will be much more expensive to respond to a successful breach than to avoid one in the first place.

Office for Civil Rights Issues Phishing Email Alert

On November 28, 2016, the Office for Civil Rights (OCR) of the Department of Health and Human Services, the entity responsible for HIPAA administration, issued an alert about a “phishing” email scam. The email purports to come from OCR’s Director, Jocelyn Samuels, and targets employees of covered entities and business associates. The email appears legitimate and includes a link concerning the HIPAA audit program. Clicking the link redirects the user to a cybersecurity firm’s marketing website rather than to OCR.

For those who may not be familiar with the term, “phishing” refers to an email (or other message) that impersonates an official or legitimate sender in order to lure the recipient into clicking a link to an unaffiliated, attacker-controlled website, opening an attachment, or disclosing credentials or personal information. Common “phishing” emails mimic requests from credit card companies for personal information, auction sites for login information, and banks for updated privacy information. As always, if you have received an email that you did not expect and have questions about it, contact the purported sender directly to verify it before opening any attachment or link, using a phone number or address you already have rather than one supplied in the email.

Sixth Circuit Lowers the Bar for Standing in Data Breach Suits

Galaria v. Nationwide Mutual Ins. Co., U.S. Court of Appeals, 6th Cir. (September 12, 2016)

This case arises out of an October 3, 2012 hack into Nationwide Mutual Insurance Company’s computer network, which exposed the personal information of the putative class action Plaintiffs and 1.1 million others.  Nationwide informed the Plaintiffs of the breach by letter, advising that they should take steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity.  Nationwide offered a year of free credit monitoring and identity fraud protection of up to $1,000,000 through a third-party vendor.  Nationwide also suggested that victims set up a fraud alert and place a security freeze on their credit reports.  Nationwide acknowledged that such a security freeze could, however, impede consumers’ ability to obtain credit and could cost between $5.00 to $20.00 to place and/or remove.  Nationwide did not offer to pay for expenses associated with a security freeze.

Multiple putative class action complaints were filed, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy by public disclosure of private facts, and bailment.  Plaintiffs contended that the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to identity fraud.  As evidence of that risk, Plaintiffs referenced the illicit international market for stolen data used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards.  Plaintiffs also pointed to the potential that a victim’s identity could be used by identity thieves when arrested, resulting in warrants issued in the victim’s name.  Plaintiffs cited a study purporting to show that in 2011, recipients of data breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incident rate of 19%.

Plaintiffs further alleged that victims of identity theft and fraud typically spend hundreds of hours of personal time and hundreds of dollars of personal funds, incurring an average of $354.00 in out-of-pocket expenses and $1,513.00 in total economic loss to mitigate the risk.  Plaintiffs alleged that they had suffered and would continue to suffer both financial and temporal costs to continue monitoring their credit information.

Nationwide filed a Motion to Dismiss, which was granted by the district court. The lower court agreed with Nationwide’s arguments that Plaintiffs did not have statutory standing under the FCRA and thus dismissed those claims for lack of subject matter jurisdiction.  The district court also dismissed the negligence and bailment claims, finding that Plaintiffs did not have Article III standing because they had not alleged a cognizable injury.  Lastly, the district court held that Plaintiffs had standing to bring their invasion of privacy claim but failed to state a claim for relief and dismissed that claim with prejudice.  Plaintiffs appealed the dismissal of all counts except for the invasion of privacy claim.

Article III of the U.S. Constitution limits the jurisdiction of federal courts to Cases and Controversies.  The doctrine of standing gives meaning to these constitutional limits by identifying those disputes which are appropriately resolved through the judicial process.  Constitutional standing consists of three elements: (1) the Plaintiff must have suffered an injury in fact; (2) that is fairly traceable to the challenged conduct of the Defendant; and (3) that is likely to be redressed by a favorable judicial decision.

To establish injury in fact, a Plaintiff must show he or she suffered “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.”  When standing is based on an imminent injury, the Supreme Court has explained that the threatened injury must be “certainly impending” to constitute injury in fact, and allegations of possible future injury are not sufficient.  However, standing can be based on a “substantial risk” that harm will occur, which may prompt Plaintiffs to reasonably incur costs to mitigate or avoid that harm, even where it is not “literally certain the harms they identify will come about.”

In this case, the Court of Appeals found that Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.  The Court held there was no need for speculation where Plaintiffs alleged their data had already been stolen and was now in the hands of ill-intentioned criminals.  Indeed, the Court pointed to the fact that Nationwide itself seemed to recognize the severity of the risk, given its offer to provide credit monitoring and identity theft protection.  Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, there was a sufficiently substantial risk of harm that incurring mitigation costs was reasonable.  The 6th Circuit held that all of the required elements were met, and thus the Plaintiffs adequately alleged Article III standing.

In reaching its decision, the 6th Circuit pointed to two recent 7th Circuit cases with similar findings and a 9th Circuit case finding Article III standing as well.  However, the Court (and the dissent) noted the current split between these decisions and other Circuits.

The precedential effect of this opinion will be difficult to gauge for some time.  As an unpublished, divided opinion, its value as citable authority may be limited.  However, its discussion and analysis of Article III standing may well signal that the bar has been lowered for future claims, and the defense of these claims will have to shift to other grounds.

Tennessee Modifies Breach Notification Statute

The Tennessee legislature recently amended that state’s data breach notification statute. Tennessee now requires information holders to disclose any security or data breach to Tennessee residents “immediately, but no later than fourteen (14) days from the discovery or notification of the breach.” There is an exception if more time is needed for a legitimate law enforcement reason.

Also, the Tennessee legislature changed the rule so that the disclosure obligation applies to unauthorized access to encrypted data as well as unencrypted data. Finally, the legislature broadened the definition of “unauthorized user” to include employees of the information holder.

The Governor signed the bill and the law becomes effective July 1, 2016.

FBI Issues Warning for Ransomware Malware

The Federal Bureau of Investigation is warning all businesses about the risks of “ransomware.” Ransomware is malware, a malicious program that is typically delivered through an email message or a web page. The message may take the form of an innocuous-looking email directed towards a specific person in the organization, such as a controller, accountant, or risk manager. The message typically includes an attachment, like a document (.pdf), text file (.txt), or spreadsheet (.xls), that appears legitimate, such as a bill or a letter. Alternatively, the message may direct the user to a website that appears valid. When the user opens the attachment or visits the website, the malicious program encrypts the files and folders containing the user’s information and data, that is, it scrambles them so they cannot be read without a key that only the attacker holds. The attacker then demands a ransom: money in exchange for the key needed to restore the information and data.
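The paragraph above describes what ransomware leaves behind: documents whose contents have been replaced by encrypted bytes, often under a renamed file (for example, an extra extension appended to the original name). Those two traces can be checked for mechanically. The script below is an added example, not FBI tooling or code from this firm; it builds a small constructed directory of sample files and flags the ones that look encrypted. The entropy threshold and the extension list are assumptions chosen for the example.

```python
"""Flag files that look like ransomware output: document names carrying an
appended extension, and plaintext files whose bytes have near-maximal entropy,
which is what encryption produces.  Added example; sample files are constructed
in a temporary directory."""
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list of document extensions worth watching; extend to taste.
DOCUMENT_EXTS = {".pdf", ".txt", ".xls", ".xlsx", ".doc", ".docx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a uniform
    byte distribution (what ciphertext and good compression both look like)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 65536) -> bool:
    """High entropy over the first `sample` bytes.  Compressed formats (zip,
    jpeg, docx) also score high, so this is a triage signal, not proof."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample)) >= threshold


def suspicious_files(root: Path):
    """Return names of files that are either (a) a document name with an extra
    appended extension (report.pdf.locked), the renaming many ransomware
    families perform, or (b) a .txt file whose content is high-entropy, which
    plain text never is."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        appended = (len(suffixes) >= 2
                    and suffixes[-2] in DOCUMENT_EXTS
                    and suffixes[-1] not in DOCUMENT_EXTS)
        plaintext_but_random = p.suffix.lower() == ".txt" and looks_encrypted(p)
        if appended or plaintext_but_random:
            hits.append(p.name)
    return hits


def build_sample_tree() -> Path:
    """Constructed fixture: two untouched documents and two 'encrypted' ones.
    bytes(range(256)) repeated has entropy of exactly 8.0 with no RNG needed."""
    root = Path(tempfile.mkdtemp())
    plain = b"Invoice 4471: payment due on receipt. " * 200
    random_like = bytes(range(256)) * 64
    (root / "invoice.txt").write_bytes(plain)
    (root / "notes.txt").write_bytes(random_like)          # content encrypted in place
    (root / "budget.xls").write_bytes(plain)
    (root / "report.pdf.locked").write_bytes(random_like)  # renamed and encrypted
    return root


if __name__ == "__main__":
    print(suspicious_files(build_sample_tree()))
```

Run against a file share or user profile, a sudden spike in such hits is the signal an incident response team wants early, because the damage grows with every minute the encrypting process keeps running.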

There has been an increase in the number of ransomware attacks. The FBI does not advocate paying a ransom for the return of data. The FBI has set up a Cyber Task Force to assist in the event of a ransomware attack. The FBI recommends employee training, keeping all operating systems, software, and antivirus/malware protection systems up to date, and maintaining robust file access privileges across the organization, so that a compromised account can only reach the files its owner actually needs.

If a health care provider, covered entity, or business associate is hit with a ransomware attack, there may be additional reporting requirements under HIPAA, depending on the circumstances. Remember, many insurance policies provide data breach services that include assistance with reporting and remediation.

Home Depot Settles Data Breach Claim

Home Depot settled a class action lawsuit based on a massive data breach involving private information of up to 56 million people who used the self-check kiosks at the company stores. According to published reports, Home Depot is paying $13 million in damages, including out of pocket expenses and substantiated losses up to $10,000 per claimant. In addition, Home Depot will pay qualified claimants up to $75 for time spent remedying any identity theft issues. Home Depot agreed to remediate with new security measures. Lastly, Home Depot agreed to pay the lawyers involved in the multi-district litigation nearly $8.5 million in legal fees and $300,000 in expenses. The settlement is unique in that it included compensation for time spent by the claimants to undo the damage.

Welcome to the Blog!

Welcome to the blog for the Data Privacy and Breach practice group of Copeland, Stair, Kingma & Lovell!  Our experienced attorneys handle data breach responses, coverage issues, and risk management consulting for companies of all sizes.

In our first installment of the blog, we are reporting on legal developments arising out of a massive data breach involving health insurer Anthem. Multiple lawsuits were filed alleging putative class action claims against Anthem.  The multi-district litigation was consolidated and transferred to the Northern District of California. On Sunday evening, Judge Lucy Koh entered an order dismissing several claims brought under various state and federal laws, including common-law negligence claims.  Notably, Judge Koh ruled that Indiana does not recognize a private right of action for negligence arising in a data breach situation.  In addition, Judge Koh conditionally dismissed a claim based on Georgia’s Insurance Information and Privacy Protection Act (O.C.G.A. §33-39-14) with leave to replead the claim.

The order is significant because it continues the trend of rejecting attempts to turn data breaches into damages claims. While data privacy and protection is a heavily regulated part of doing business, most claimants have not been able to develop theories of liability that enable them to collect tort damages in breach cases.

The case is In Re Anthem Inc. Data Breach Litigation, U.S. District Court, Northern District of  California, No. 5:15-MD-02617.