Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.

First, a bit of law 101.  The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract.  Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage.  Example:  You pay a painter to paint your house.  He doesn’t.  You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.”  But you (probably) can’t.  Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may be recoverable in tort.  You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house.  There are exceptions and nuances, but that’s all you need to know for this post.

Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches.  And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware).  The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action.  The court held that, at least as of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania.  As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the result.

The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018).  An American manufacturer received an email purportedly from its Chinese subcontractor.  The sub said that the next payment should be wired to a new bank account due to an ongoing audit.  The company wired the money.  The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account.  This happened four times.  $834,000 later, the real sub started asking where its payment was…

The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage.  It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.”  The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year-old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way).  It sparked this first of a two-part blog post about the “voluntary parting” exclusion.  Get your popcorn ready.

First, the scene.  We’re at the Union League in Philadelphia.  It’s kind of dark, because it’s always kind of dark in there.  Everyone is wearing coats, because everyone has to wear coats there.  Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional.  An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second.  A valuation expert explains the process of quantifying cyber incident losses.  Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).

Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims.  So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”

This month, the Department of Justice issued a fairly comprehensive set of pre- and post-incident cybersecurity recommendations.  For all you total geeks, you can get the whole thing here.  For those of you preoccupied with, well, other news, here are some highlights.

Pre-incident, the DOJ recommends having a breach response plan.  We’ve all heard this repeatedly at this point, and many companies and firms still do not have actionable response plans.  Some of the important components of these plans highlighted by the DOJ include: (1) identifying your most vital resources and prioritizing their protection; (2) having a clear internal and external reporting structure that focuses on containing the incident, mitigating its effects and preserving information to later understand the scope and source of the incident; (3) identifying and establishing relationships with the applicable law enforcement authorities and regulators that have jurisdiction over your industry or location; and (4) finally hammering out appropriate policies and procedures for the use of and access to key information assets, as well as investing in appropriate technical protections.

Post incident, DOJ basically recommends – wait for it – following the plan you established pre-incident.

The war to find data breach coverage under commercial general liability (CGL) policies continues to rage.  In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017 (M.D. Fla. 6:17-CV-00540), an insurer is seeking a declaration that neither the insured’s 2014-15 nor its 2015-16 CGL policy covers data breach costs and a couple million dollars’ worth of PCI fines.

In 2016, the insured, a hotel, discovered that its payment network had been compromised by malware between September 2014 and February 2016, resulting in the disclosure of customer credit card information.  The hotel first tendered to Beazley, its cyber insurer, but Beazley denied coverage on the ground that the “occurrence” happened prior to the applicable retroactive date of the hotel’s 2015-16 policy.  More on those notorious retro dates here.

The hotel turned to its CGL carrier, St. Paul, which denied coverage for a variety of reasons.  Two are especially noteworthy.  First, St. Paul argues that the ready and known availability of cyber insurance for data breach losses is itself an indication that CGL policies are not intended to cover those losses.  Second, St. Paul points out that the insured actually purchased cyber insurance since 2015-16.  Relying on cases holding that courts should construe insurance policies so as not to find duplicative coverage, St. Paul argues that the CGL policies must be interpreted so as not to provide coverage for data breach losses because the insured’s Beazley policy did provide that coverage.

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my inbox with a resounding ‘meh.’  You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law.  I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive.  And when you ask for everything, you get, well, everything.  Most days I can tell from the caption of the attachment whether it’s a case I should read.  Most days, it isn’t.

But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context.  The fact pattern is common.  Retailer hires credit card processor.  The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’  The retailer has no choice because you need a processor and they all use the same liability shifting language in their contracts.  Then the data breach…

Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements.  The processor passes both along to the retailer.  The retailer is in the hole, big time.

The 2018 Verizon Data Breach Investigations Report indicates that in the education industry (yes, it’s an industry), the most prevalent type of data breach is “social attacks.”  What’s a social attack?

Phishing is a social attack.  That’s when you get an email with a link or attachment that just begs to be clicked.  And clicking is the functional equivalent of leaving your front door open when you go on vacation.

A more nuanced social attack is now referred to as “pretexting.”  This is sort of like phishing, though it involves more detailed back-and-forth dialogue with the malicious actor, who often takes on a specific persona to facilitate the scheme.  As Verizon more eloquently explains, pretexting is the “creation of a false narrative to obtain information or influence behavior.”  Think impersonating executives or your Facebook friends.

Since 2016, Verizon has annually declined to estimate the average cost of a data breach.  Verizon reasons that since there are many variables that can determine breach cost, there is no reliable “average” data point.  There are, however, identifiable factors that we know impact breach cost, like industry sector, threat actor, number of records, impacted data type, etc.  So, the more we know about a particular entity’s risk profile, the better equipped that entity is not only to protect itself but also to predict the potential cost of a breach.

Enter Chubb’s Cyber Risk Index.  It’s 20 years of claims data, organized by industry, annual revenue and time period.  Since industry sector and company size are significant differentiators in the context of data breach analyses, this tool lets companies home in on meaningful data about the nature and extent of their data breach risk.  And it’s free, whether you’re insured by Chubb or not.

I played with the interactive index a bit and here are a few interesting data points:

On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for execution.  The bill is one of a number of recent efforts by states to respond to a slew of high profile breaches announced this year, including Equifax, Facebook, Panera Bread, Under Armour and – well, you get it.

The bill mimics a trend of inching toward the heightened and more specific standards employed by the EU’s General Data Protection Regulation.  For example, HB 18-1128 replaces an ‘as soon as practicable’ breach notification requirement with a deadline of not later than 30 days from the date a breach is determined to have occurred.  That’s more latitude than GDPR’s seemingly impossible 72-hour time limit (where feasible, of course), but it is another indication of regulators’ insistence on firm, identifiable timelines.

Also like the GDPR, the Colorado bill explicitly mandates that data be maintained “no longer than needed,” an example of the growing trend toward data minimization.  With respect to security measures themselves, the bill requires “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations,” a ‘commercially reasonable’ standard of sorts that also mirrors the GDPR (appropriate technical and organizational measures in light of a host of factors).  Want one more similarity?  The bill requires covered entities to mandate implementation of reasonable security measures by third-party service providers, another trend reflected both in the GDPR and in newer legislation being passed or proposed around the country.

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card processor contracts and the infamous contractual liability exclusion that is still present in many cyberinsurance policies.

You can read about the first court to do so here.  Spoiler: also no coverage.

Spec’s, a family-owned retail chain, suffered two data breaches of its payment card system resulting in the loss of customer information and credit card numbers.  Spec’s processed its credit transactions through a third party, First Data Merchant Services.  Following the breaches, First Data was fined almost $10 million by MasterCard and Visa.  First Data invoked the indemnification provision in its processor agreement and demanded that Spec’s pay the fines.