[BreachExchange] Cyber insurance: If you don’t have it, the latest ruling on a data breach class action might have you thinking twice.

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 21 20:03:49 EDT 2017


http://blog.willis.com/2017/09/cyber-insurance-if-you-dont-have-it-the-latest-ruling-on-a-data-breach-class-action-might-have-you-thinking-twice/

Last month, the D.C. Court of Appeals lowered the standing threshold
established by Spokeo, holding that the mere allegation of an increased
risk of identity theft as a result of a data breach was sufficient to prove
standing to claim injury, regardless of whether sensitive information had
been compromised.

In Attias et al. v. CareFirst, plaintiffs claimed injury as a result of a
2014 hack by an unknown intruder of the defendant insurer’s servers, which
compromised the names, birth dates, email addresses and subscriber
identification numbers of roughly one million policyholders. The District
Court granted CareFirst’s motion to dismiss, holding that without
allegations that the personal information was actually misused or could be
misused, plaintiffs could not establish a concrete, particularized, and/or
“actual or imminent” injury, as required by Spokeo.

On August 1, the District of Columbia Court of Appeals reversed the
District Court’s decision, looking to Clapper and Neiman Marcus for
guidance. The Court found that since the hack was conducted by an unknown
person, the risk that it would be used for “ill” was sufficient to
establish an “injury in fact.”  Additionally, the Court assumed for the
standing analysis that plaintiffs could prove CareFirst failed to properly
secure its network, and thus their injuries would be “fairly traceable” to
CareFirst.

CareFirst adds to the growing number of recent Federal Court decisions
holding in favor of data breach plaintiffs alleging risk of future harm as
sufficient to establish standing, deepening the circuit split on the issue
and increasing the likelihood of review by the US Supreme Court.  A link to
the full opinion can be found here.

As courts continue to expand consumer rights by lowering the bar to claim
cyber injury, costs associated with the typical data breach will see
exponential growth. In addition to implementing pre-claim cyber risk
mitigation strategies, a robust cyber insurance program with adequate
limits and broad protection for network security third-party liability
should be a top priority for clients across all industries, especially in
the healthcare, retail, and hospitality sectors.