cyber liability

Subscribe to cyber liability

You may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team with you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the crunch of handling an actual data security incident, your company’s HR policies will either pave or block the road to a nimble, successful response.

Of course, various policies are important for prevention of data security breaches, including policies for such matters as authorized computer systems, e-communications, and Internet use; authorized data and system access; strong passwords; use of encryption and encryption keys; mobile device safeguards; precluding or limiting storage of company data on home or other personal devices; and the like. But other policy provisions are essential for effective security breach response:
Continue Reading Your HR policies should help, not hinder, data breach response

The Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to take advantage of Title I of the Cybersecurity Act of 2015 – the Cybersecurity Information Sharing Act of 2015 (“CISA”).

It’s been clear for many years that greater information-sharing between companies and with the government would help fight cyber threats. The barriers to such sharing have been (1) liability exposure for companies that collect and share such information, which can include personally identifiable information, and (2) institutional and educational impediments to analyzing and sharing information effectively.

CISA is designed to remove both of these information-sharing barriers. First, CISA provides immunity to companies that share “cyber threat indicators and defensive measures” with the federal government in a CISA-authorized manner. Second, CISA authorizes, for a “cybersecurity purpose,” both use and sharing of defensive measures and monitoring of information systems. CISA also mandates that federal agencies establish privacy protections for shared information and publish procedures and guidelines to help companies identify and share cyber threat information. Notably, companies are not required to share information in order to receive information on “threat indicators and defensive measures,” nor are entities required to act upon information received – but this won’t shield companies from ordinary ‘failure to act’ negligence claims.
Continue Reading What’s new with the Cybersecurity Information Sharing Act?

For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.
Continue Reading I’m making a list, securing it twice…

Yesterday the FTC announced it has settled its claims against Wyndham for inadequate data security, with Wyndham signing on to essentially the same consent order used by the FTC in most of its more than 50 concluded data security enforcement matters. The settlement marks the end of a three-year legal battle in which Wyndham attempted, unsuccessfully, to restrict the FTC’s authority to pursue companies for inadequate data security as an ”unfair” business practice under Section 5 of the FTC Act.
Continue Reading Wyndham checks out of FTC dispute

Talk about a “bank holiday” – under a settlement deal filed in court yesterday, Target will pay $39.4 million  to a litigation class of banks and credit unions to settle financial institution claims related to the retailers’ massive 2013 data breach, which compromised at least 40 million credit cards. The preliminary settlement is the first time a retailer has agreed to directly absorb financial institutions’ costs from a data breach, such as fraud losses and the expense of issuing new debit and credit cards.

Under the terms of this settlement, Target will pay up to $20.25 million directly to the settlement class and $19.1 million to fund MasterCard’s Account Data Compromise Program relating to the breach. The settlement will apply to all U.S. financial institutions that issued payment cards identified as having been at risk from the breach and that did not previously release their claims against Target by signing on to separate deals. A final approval hearing on the settlement is set for next year.
Continue Reading Target update: Happy holidays for banks

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.
Continue Reading Target update: still shopping, but no end in sight

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.
Continue Reading Gilding, gelding, & cyber insurance applications

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.
Continue Reading Breach litigation standing — the bell tolls for Clapper

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
Continue Reading Words from the wolf at the door

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.
Continue Reading The 10 key activities for effective data breach response – Are you prepared?