Just when you thought that it could not get worse for companies in the context of cybersecurity and privacy issues, it does. Perhaps most significant, a court recently allowed banks to proceed against a retailer to pursue damages allegedly flowing from a cyberattack and data privacy incident involving payment card numbers. That same retailer disclosed hundreds of millions of dollars in losses as a result of the cyberattack and data privacy incident. Another retailer fell victim to a cyberattack and data privacy incident involving payment card numbers. Major entertainment businesses suffered cyberattacks, with one reportedly involving information about celebrities, corporate IP, and user names and passwords for social media accounts of the company. Distributed denial of service attacks (DDoS) are also on the rise. Below, we review the sobering news about cyberattacks and provide some tips when considering insurance for cyber risk.
How Bad Is It?
First, the decision involving banks and retailers is significant. In In re Target Corp. Customer Data Breach Security Litigation, MDL No. 14-2522, slip op. [Dkt. 261] (D. Minn. Dec. 2, 2014), the court refused to dismiss a complaint in the “Financial Institution Cases.” The refusal to dismiss a putative class action complaint against a corporate defendant in connection with a data privacy incident is not the eye-opening part. Rather, it's the identity of the plaintiffs. “Plaintiffs here are a putative class of issuer banks whose customers' data was stolen in the Target data breach.” Id. at 2. Those banks have sued Target Corporation, alleging that Target was negligent in failing to secure payment card numbers, that Target violated Minnesota's Plastic Security Card Act, that there was negligence per se (because of the alleged statutory violation), and that the failure to tell the banks of Target's allegedly insufficient security practices was a negligent misrepresentation by omission. Id.
There is little case law on this point, as the law is nascent and continues to be developed. Even less case law exists on the exact question of whether banks can pursue retailers for alleged losses resulting from a cyberattack and data privacy incident involving payment card numbers. Unfortunately for Target, however, the court ruled that the banks could proceed with their action. There can be little doubt that Target's defense costs will continue to mount.
Second, the losses that Target has suffered already are noteworthy. Target disclosed in its Form 10-Q for the quarterly period ended Nov. 1, 2014, that it already had “incurred $248 million of cumulative expenses” as a result of the cyberattack and data privacy incident. Target, Form 10-Q, at 9 (Nov. 26, 2014), http://tinyurl.com/qco8shj.
Third, Target is just one example in a continuing stream of news regarding retailers that have had payment card information stolen. In early December 2014, Brian Krebs reported that international retailer Bebe Stores Inc. was another victim of a criminal cyberattack. Krebs wrote that Bebe had confirmed “[t]hat hackers had stolen customer card data from stores across the country in a breach that persisted for several weeks last month.” Brian Krebs, “Bebe Stores Confirms Credit Card Breach,” Krebs on Security (Dec. 5, 2014).
Fourth, retailers are not the only victims in the news. The world's largest gaming company allegedly fell victim to a criminal cyberattack in late 2014. During the cyberattack, reportedly, “[c]omputers were flatlining, e-mail was down, most phones didn't work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt,” according to Bloomberg Businessweek. See, Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hacker in Every Server,” Bloomberg Businessweek: Technology (Dec. 11, 2014).
Fifth, DDoS attacks are on the rise. Large-scale DDoS attacks reportedly grew by nearly 40% compared with 2013. See, Jeff Goldman, “Verisign Warns of Surge in Large-Scale DDoS Attacks,” eSecurity Planet (Nov. 24, 2014). What's that cost? One analyst explains that a company with “$1 billion in annual revenue amounts to $114,155 per hour”; a 24 hour outage, under that analysis, would be over $2.7 million. See, Adam Greenberg, “DDoS Attacks Cost Organizations $40,000 Per Hour, Survey Finds,” SC Magazine (Nov. 13, 2014).
Is there any silver lining to offset this sky full of gray clouds? Yes. One positive piece of information for Target, for example, is that Target's losses were “partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $158 million.” Id. Target's cyber insurance program also reportedly has “a $50 million sublimit for settlements with the payment card networks.” Id. Coverage for those losses is crucial for retailers, as I have written previously. See, Scott Godes, “If Your System Was Attacked by 'Backoff' Malware, Would Your Insurance Cover A Data Breach Involving Credit Card Numbers?” BT Policyholder Protection Blog (Aug. 28, 2014).
What Corporate Insureds Need to Know
What does this all mean for corporate insureds considering their cyber risks and insurance programs going forward? Ultimately, it means that insureds should take a hard look at their insurance programs to evaluate what coverage they have for these risks. We've been saying for years that cyber insurance has long been described as “the Wild West of insurance.” Bibeka Shrestha, “Cos. Eye Data Breach Policies As CGL Exclusions Multiply,” Law360 (Mar. 13, 2012) (quoting Scott Godes). That means companies would be well-advised to analyze cyber insurance policies closely.
What should companies look for? Here are four tips for evaluating an insurance program in connection with cyber risks.
Developments in the law suggest that companies should reevaluate whether they are carrying sufficient limits. Keep in mind that defense costs usually erode the limits of a cyber insurance policy. When lawyers are called upon to defend against claims in developing areas of law, legal bills add up quickly. After the company pays defense costs, will there be money left for settlements with plaintiffs, regulators, or anyone else?
Think about business interruption coverage. If your company suffered a computer shutdown from a denial of service attack or from a hacker destroying servers, how much revenue would your company lose? Would your insurance cover the losses?
Think about data replacement costs. If your company suffered an attack that “wiped out about three-quarter of the company's ' computer servers,” as reportedly happened to Las Vegas Sands, how much would that cost your company? One report states that an estimate to “recover[] data and build[] new systems could cost [Las Vegas Sands] $40 million or more.” Elgin and Riley, “Now at the Sands Casino,” supra. Would your insurance cover the costs to replace equipment and for the costs of the lost data?
Retailers should pay close attention to what losses they would suffer after a cyberattack involving payment card numbers. Would your company's insurance cover tort claims by banks made in court? And all losses to payment card brands and payment card processors?
Beyond Cyber Insurance
If facing a loss or a claim, think broadly about whether potential coverage for data breaches exists under other insurance policies, such as CGL and crime insurance policies. See, e.g., Scott Godes and Jennifer Smith, “Insurance Coverage for Cyber Risks: Coverage Under CGL and 'Cyber' Policies,” ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (Mar. 5, 2012); Bibeka Shrestha, “6th Circ. DSW Ruling Reveals New Data Breach Coverage Path,” Law360 (Aug. 24, 2012) (registration req'd) (quoting Scott Godes).
The question of whether Commercial General Liability (CGL) insurance policies provide coverage for data breaches continues to be litigated. One key question for coverage under CGL policies is whether there was “publication” of information that violates a person's right of privacy when the data was breached. That is because many CGL policies include coverage for “personal injury,” a term that frequently is defined as including the oral or written publication in any manner of material that violates a person's right of privacy.
Some courts have agreed that a data breach does satisfy those requirements, and have imposed at least a duty to defend those claims. See, e.g., Travelers v. Portal Healthcare Solutions, No. 13-917, slip op. (E.D. Va. Aug. 7, 2014) (“exposing confidential medical records to public online searching placed highly sensitive, personal information before the public. Thus, the conduct falls within the Policies' coverage for 'publication' giving 'unreasonable publicity' to, or 'disclos[ing]' information about, a person's private life, triggering Travelers' duty to defend”) (currently on appeal); Hartford Casualty v. Corcino & Associates, 2013 WL 5687527 (C.D. Cal. 2013) (private information that ended up being published on a website after being stolen constituted “publication” such that there was coverage). Another decision reveals that some insurance carriers had recognized that there were coverage obligations under CGL policies for data breaches. See, Retail Ventures v. National Union, 691 F.3d 821 (6th Cir. 2012) (noting that CGL carrier defended certain data breach-based class actions).
Keep in mind, however, that insurance carriers have been known to fight against providing coverage for cybersecurity-based claims under non-cyber insurance policies. See, e.g., Bibeka Shrestha, “Sony Coverage Denial Could Be Boon for Cyber Insurers,” Law360 (Feb. 25, 2014) (registration req'd). Nonetheless, it is a good practice, after a data breach or cybersecurity incident, to review all insurance policies within the company's portfolio to see if there is the potential for coverage.
Conclusion
The takeaway for cyber insurance policyholders is that the world of cyber risk continues to evolve and become a more significant risk for companies of all kinds. With this risk becoming higher profile, companies should review their entire insurance portfolios to understand what coverage may be available if a claim hits. And when the company does face a claim, provide notice to those insurance carriers whose policies may provide coverage and be prepared to seek the full value of the insurance assets that the company purchased.
Scott N. Godes is a partner in Barnes & Thornburg LLP's Washington, DC, office and is a member of the firm's Litigation Department, the Policyholder Insurance Recovery and Counseling Group, and the Internet & Technology Law Group. Mr. Godes works with corporate policyholders to pursue coverage for cybersecurity-, privacy-, and technology-based claims.