Prior to yesterday’s news cycle, I was going to simply discuss the legal standards the court should use when determining negligence under cyber insurance claims. This discussion would focus on cases where the cyber insurance company denies a costly claim because the coverage holder failed to install or utilize a necessary update that had been on the market for a while. While this topic will still be discussed, the Equifax data breach has reared its ugly head again.

If you somehow missed yesterday’s (2 March 2018) news cycle, you would not know that Equifax released a statement alerting the media and public that an additional 2.4 million people were affected by the data breach it alerted the public to in September 2017. Equifax did make sure to point out that, unlike the 143 million people previously disclosed, who had their Social Security numbers, driver’s license numbers, and addresses taken, these 2.4 million only had their names and driver’s license numbers taken (much better…). Also, to potentially circumvent the outcry that followed Equifax’s initial data breach statement and notification measures (remember that Equifax’s own Twitter account sent worried customers to phishing websites instead of Equifax’s own website to check whether their private information was stolen), Equifax has forgone the online check tool and is resorting to sending out letters via the postal service to alert customers if their information was in the second data breach.

Data breaches are an ever-present problem for companies, regardless of their size. While there has not been notice of a major data breach since the release of information surrounding the Equifax breach, the magnitude of the Equifax breach and the fact that the fallout is continuing, affecting over 2 million more people than originally thought, make it clear that data breaches are messy and that companies will want to have cyber insurance to help mitigate their risks in what seems like an inevitable data breach. Additionally, companies may be wary of reporting, or simply do not report, all instances of cyberattacks, including hacks and ransomware, because they are more willing to bear the monetary cost than the “reputational” costs that tend to follow the announcement of a breach.

What is cyber insurance? According to the International Risk Management Institute, cyber insurance, which also includes privacy insurance, is “[a] type of insurance designed to cover consumers of technology services or products.” The Institute goes on to say that:

[C]yber and privacy policies cover a business’ liability for a data breach in which the firm’s customers’ personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.

According to some sources, Equifax has cyber security insurance that covers between $100 million and $150 million. In November, Equifax reported costs of $87.5 million due to the data breach, and Wall Street forecasts another $60 to $75 million in the Fourth Quarter, bringing the costs to between $147.5 and $162.5 million. These costs likely do not take into account future lawsuits or even potential government fines due to Equifax’s handling of the breach. However, even with an additional $20 million in fees associated with lawsuits and fines, the maintenance of a cyber insurance policy would alleviate a portion of the massive liability of this data breach on Equifax. It is also evidence that cyber security insurance can be a benefit for companies, particularly if the policy covers many aspects of the costs surrounding the breach beyond simply notification.

But how does this relate to the original topic I was going to write on, legal standards for negligence for cyber insurance claims? According to some news sources, including CNN, “Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.” Based upon the reports stated above, Equifax knew of the flaw in the system that eventually allowed the hackers to access the data. However, it is not clear whether Equifax ever did anything to remedy the flaw, particularly prior to finding out about the hack and breach. This issue will likely be a major component of any lawsuits or fines brought against Equifax. Equifax and its knowledge of the flaw may also be the basis for future legislation or requirements on companies to maintain a certain level of data protection measures and cyber security to protect data and customer information.

Now, we will be entering the hypothetical realm, but the following hypo will address an interesting area of scholarship that might well be in an insurance provider’s or company’s future. What if Equifax’s insurance policy with cyber insurance provider “X” included a clause that required Equifax to maintain a specified level of care based upon a negligence standard? If Equifax tries to submit an insurance claim, could X, the insurance provider, refuse to cover the $150 million claim amount because Equifax breached its duty under the policy by being negligent in the maintenance of its security software? While cybersecurity insurance executives have expressed willingness to provide coverage to a customer even after it has not installed a security patch for weeks or even months, there will likely come a time when an insurance provider balks at a particularly costly claim where, as with Equifax, basic sound security measures were not taken.

We can also continue this hypo to court. What if Equifax brings a claim against its insurance provider for not covering the claim, arguing that it was not negligent in its practices? The court would have to determine the standard to apply in these types of negligence claims. There are of course four main elements to a claim of negligence: that the defendant had a duty to the plaintiff, that the defendant breached that duty, that the defendant’s negligent conduct was the cause of the harm to the plaintiff, and that the plaintiff was actually harmed by that conduct. It will be up to the court in this case to determine how much time elapses between when there is knowledge of a security flaw, or a security patch is on the market to correct it, and when the flaw is actually corrected by the company. Courts will have to look at a company’s cybersecurity procedures and software to make these determinations. This will not be an easy process, but we may see cases like this in the future, particularly where a company’s lax cybersecurity measures are exploited.

As an aside, the individual or potentially class action claims will bring about interesting case law. In order for a negligence claim to succeed, the plaintiffs in these cases would have to be able to show that the allegedly breaching party had a duty of care to the plaintiff, in this case the consumer. The duty hurdle will likely be easily surpassed, though in Equifax’s case, it may not be so easy. Generally, in these data breach cases, a consumer has bought something or interacted with the company in a direct way. Thus, a duty between the company and the customer can easily be identified. However, in Equifax’s case, consumers did not have a direct interaction with Equifax in most cases. Equifax got the individual’s information from other companies with which the individual had interacted. While there will of course be many other issues and arguments brought in these cases, this is an interesting area to highlight.

In conclusion, cybersecurity insurance, like other types of insurance, will have different criteria, based upon each individual policy, for what the insurance company will and will not cover. Oftentimes with other types of insurance, this coverage does not extend to situations where the policyholder acted in a way so far out of the norm that the actions were no longer covered by the insurance policy and the insurance company could decide to reject the claim. Ultimately, cyber insurance is a new realm that companies should invest in as part of their larger cybersecurity investments because hacks and data breaches will happen. — Jenae D. Ward
