Today's General Counsel, V12 N4, August/September 2015


Cybersecurity

Litigation Wave Coming

Cybersecurity Breaches Are the Trigger

By Kenneth N. Rashbaum

Cybersecurity has spawned many cottage industries, such as security firms and “white-hat” hackers to test system vulnerabilities and now it may reinvigorate the litigation industry, which has been somewhat moribund since the Great Recession. Myriad legal theories could apply to a breach claim, and these will be discussed below. General counsel, chief information officers and chief financial officers would be well advised to prepare for the coming litigation wave and review all insurance coverage applicable to information security litigation. They’ll need every dime of it. They will also need to familiarize themselves with their organizations’ information systems and safeguards, if for no other reason than to understand the competency of outside litigation counsel to defend these matters and to understand the services and value counsel will provide in defending cyber breach litigation.

Media outlets have reported on the largest cases that have arisen from breaches: class actions against Target; shareholder derivative litigation and the pending action brought by the Federal Trade Commission involving Wyndham Worldwide Corporation; litigation brought by employees of Sony Pictures with regard to the cyber attack that led to disclosures of their personal information; and class actions involving loss of healthcare information against United Healthcare, Sutter Health and many others. But the degree of difficulty in defending against these “dreadnought” (very large battleships, for those not of a nautical bent) matters is not great. It’s the small-boat, less-common claims that, when they appear in large numbers, can overwhelm a law department’s resources and slip through defenses to get to the organization’s coffers.

Knowing about these risks can prepare the law department for them, and preparation is crucial because some of the legal theories they rest on are counter-intuitive, and others may not be covered by applicable Commercial General Liability, Errors and Omissions or Cyber Risk Insurance. That means additional coverage or endorsements to existing policies may be worth considering.

1. Negligence: Like new wine in old bottles, negligence theory underlies much of current cyber litigation because of that hoary standard, duty of care. Many cyber attacks and breaches are the result of employee negligence. Negligent acts of employees can include clicking on “phishing” attachments that allow malware into the system, failures of the IT department or its subcontractors to update the latest security patches, or inadvertently taking down security controls during system maintenance. Occasionally, these acts also allow the system’s computers to be used by the malware developers as part of a botnet, which then invades other systems.

The primary organizations and/or their third-party subcontractors may be liable in negligence for failure to utilize known and reasonable security practices and/or failing to follow accepted information security standards of care. And, given the increasingly interconnected nature of information systems, jurisdiction cannot be presumed, since the harm may occur anywhere the plaintiff has an internet connection.

These claims may reach beyond traditional insurance coverage under Commercial General Liability or Errors and Omissions policies because these policies often have explicit exclusions for cyber incidents. Even if there is coverage for such events in states

