Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
In June 2014, health insurer CareFirst’s network was hit with a cyber attack. CareFirst customers later brought the proposed class action lawsuit Attias v. CareFirst, Inc., alleging that the attack resulted in the unauthorized disclosure of customers’ names, addresses, subscriber ID numbers, credit card numbers, social security numbers, birth dates, and email addresses. The plaintiffs made various claims, including for breach of contract, negligence, and violations of consumer protection statutes, even though they had not yet suffered any identity theft as a result of the breach.
At first, the district court dismissed the case for lack of standing because the plaintiffs did not allege a present injury or a high enough likelihood of future injury, reasoning that an increased risk of future identity theft was too speculative. But the D.C. Circuit reversed on August 1st. The appellate court reasoned that the plaintiffs plausibly alleged a risk of future injury—identity theft and medical identity theft—that is substantial enough to create standing allowing them to bring their claims. The court ruled the complaint was sufficient at the pleading stage because it alleged that CareFirst stored sensitive information like credit card numbers and social security numbers, such data was disclosed in the breach, and CareFirst customers were placed at a high risk of financial fraud. The court also concluded that the complaint alleged a risk of medical identity theft—when someone impersonates a breach victim and obtains medical services in his or her name. Finally, the court explained that injury arising from the breach—i.e., use of the stolen data—was not too speculative because the hacker has already accessed the data and is likely “to use that data for ill.”
The D.C. Circuit’s decision joins a growing list of decisions by federal appellate courts across the country addressing what type of harm data breach plaintiffs must allege to have standing to assert a claim. Some courts like the D.C. Circuit in Attias have issued pro-plaintiff decisions holding that mere exposure of personal information is enough for standing, while other courts have imposed a higher threshold requiring actual, concrete injury. Given this divide, it would not be surprising if the Supreme Court took up this issue in the data breach context sometime soon.
You may be wondering, what does this have to do with insurance? Fair question. Well, a company that faces a class action in the aftermath of a data breach is going to incur costs to defend the suit. Such a lawsuit is almost a certainty when a substantial amount of personal information is disclosed. If the company can’t get the case dismissed early, it faces a protracted litigation that will be much more expensive to defend. The Attias decision and cases like it weaken one path to an early dismissal, which could result in higher legal costs for data breach defendants. Standard cyber liability policies generally provide coverage for third-party liability arising out of a data breach (like a class action), including the cost of defense and a judgment or settlement. Pro-data breach plaintiff decisions like Attias increase the importance of cyber insurance, as a data breach case that gets past the pleading stage (1) will result in much higher legal fees to defend the case, and (2) very well may result in a settlement or judgment.
In short, companies that face higher levels of risk of third-party liability in the event of a cyber attack, given the type and/or amount of personal information they possess, should ensure they have adequate cyber liability coverage. It can provide essential protection against breach class actions, particularly in jurisdictions with more relaxed standing requirements.