INSURANCE
Show Me the Bitcoin! The Costs of Cyber Risks and the Cyber-Coverage Landscape
By Meghan E. Ruesch

In-House Defense Quarterly ■ Fall 2017 © 2017 DRI. All rights reserved.

Meghan E. Ruesch is an associate of Lewis Wagner LLP in Indianapolis. As a member of the firm’s litigation group, she represents businesses and individuals in all aspects of complex civil litigation involving catastrophic injuries, insurance coverage disputes, and general litigation matters involving transportation, , and premises liability.

On June 23, 2017, the media was abuzz with the news that Anthem, Inc., the nation’s second largest health insurer, settled a class action lawsuit arising out of the 2015 data breach that exposed personal information of nearly 79 million people for a record $115 million. The Anthem breach was, at the time, considered one of the largest data breaches to date, and this settlement, if approved by the court, marks the largest data breach settlement in history…or at least the history of major data breaches over the past five years. It is an incredible thing to consider that, in just five years’ time, the cyber risk landscape has not merely changed and evolved, but it has exponentially grown to be one of the primary risks that every company, every institution, and even every individual will face at some point or another. Where once it was merely an annoyance to download a virus to your computer that might have rendered a few music files or Word documents obsolete, cyber risks today present real threats not just to personal privacy, but to national and international security. Acts of cyber-terrorism and espionage are no longer the subject of political thrillers, fiction, or fantasy—they are real events that are impacting our daily lives and daily conversations.

At the forefront of the cybersecurity discussion is the insurance industry, and how it is responding and evolving with the cyber risk landscape. While many insurers have been offering cyber insurance for over 20-plus years, the past five years alone have seen a rapid increase in the companies providing such products. Despite this, many major corporations did not start purchasing cyber insurance until just recently, and even now only 65 percent of “large companies” have some cyber insurance in place. However, as new cyber risks emerge and evolve, large corporations are not the only potential victims. Financial institutions and in the healthcare industry are widely targeted entities for a cyber event. Even more, the threat of a cyber event to small businesses, boutique professional firms, and even personal homes is increasing, and if not insured for cyber risk, could serve that business or home a crippling blow.

While companies, businesses, and even nations are having to find new ways to respond to these potential (or inevitable) threats, so too are insurance companies evolving in the products that they offer and the coverages that they provide. Given the wide array of possible cyber events that might occur, and the fact that particular entities, industries, businesses, and individuals face different and varied cyber risks, insurers are having to evolve in how they treat and define old products, and how they create new products. In truth, the emergence of cyber risks is changing how the insurance industry does business, and will continue to do so for years to come. At the end of the day, though, everyone has (or should have) the same question when it comes to issues of cybersecurity: How much is this going to cost?

The following will look at some of the key issues businesses and insurers need to be aware of when discussing insurance coverage for cyber events, including a brief overview of the various types of “cyber events” that can occur, and what cybersecurity analysts consider some of the primary cyber threats to particular industries. Then, this article will discuss the insurance coverages that exist that may respond to a cyber event, and the extent to which courts have interpreted those coverages (if at all). Finally, it will discuss what the primary costs associated with these cyber events are, and where the majority of these costs are being allocated, while identifying some of the issues insurers, businesses, attorneys, and courts are facing in discussing the costs of a cyber event.

What Is a Cyber Event?

When it comes to talking about cybersecurity and cyber insurance, it is always best to start with the basics to understand what we are talking about when we talk about a “cyber event.” The term “cyber event” is but one term used to encompass an incident that compromises a business’s data or digital security. Such events are also described as a “cybersecurity incident” or “cyberthreat.” The National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, defines a “cyber incident” as “[a]ctions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein,” and an “incident,” generally, as a “violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” See Kissel, Richard, ed., Glossary of Key Information Security Terms, NISTIR 7298 (Rev. 2), available at http://nvlpubs.nist.gov.

So, what are the types of cyber events that exist? While the most newsworthy incidents focus on largescale hacks or data breaches that major companies have experienced (Sony, Target, Yahoo, Anthem), the reality is that there are a multitude of cyber events that exist and can occur, and the list of incident types is growing and changing every day. The evolution of cyber threats is largely attributable to the rapidly evolving nature of technology; major cyber threats from last year even are decreasing as systems and technology are created to combat those threats. In response, hackers and cyber criminals create new technology and ways of using cyber infrastructure to perpetrate their crimes. According to one report by the Kaspersky Lab, a global cybersecurity company, its antivirus and security products detected an average of 323,000 new malware files per day in 2016. This 2016 figure represents a dramatic increase of 70,000 files per day from just five years ago, in 2011. Kaspersky Lab, Press Release: “Kaspersky Lab Number of the Year 2016: 323,000 Pieces of Malware Detected Daily,” (Dec. 6, 2016).

For the past ten years, Verizon has released a Data Breach Investigation Report (DBIR) that surveys data breach and security incidents that are reported to various sources each year. See 2017 Data Breach Investigations Report (10th Ed.), Verizon Enterprises, available at http://www.verizonenterprise.com. Verizon identified ten incident classification patterns that the multitude of cyber events tend to fall into (with a tenth category set aside for events that do not fit any sort of pattern); for the first time, in its 2017 report (the 10th edition), Verizon was able to map those patterns against industries that experienced these events:

1. Point of Sale Intrusions: “Remote attacks against environments where card-present transactions are conducted. POS terminals and POS controllers are the targeted assets.” (Stolen card information, use of backdoor/command and control (C&C or C2) software, brute force, etc.)
2. Web App Attacks: “Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.” (botnet activities, use of stolen cards, backdoor/C&C, forced browsing, etc.)
3. Insider and Privilege Misuse: “Any unapproved or malicious use of organizational resources…This is mainly insider-only misuse, but outsiders (due to collusion) and partners (because they are granted privileges) show up as well.”
4. Physical Theft and Loss: “Any incident where an information asset went missing, whether through misplacement or malice.” (Lost or stolen cellular phone, laptop computer, computer, tablet, or other mobile device.)
5. Crimeware: “All instances involving malware that did not fit into a more specific pattern….incidents that compromise this pattern are opportunistic in nature and are financially motivated.” (malware, ransomware, spyware, command and C&C, backdoor viruses, etc.)
6. Payment Card Skimmers: “Incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card. (e.g., ATMs, gas pumps, POS terminals, etc.).”

7. Cyber Espionage: “Unauthorized network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage.” (phishing, backdoor viruses, C2, adminware, capture and export stored data, downloader, spyware, etc.)
8. Denial of Service Attacks: “Any attack intended to compromise the availability of networks and systems. Includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service.” (Distributed Denial of Service (DDoS); Telephony Denial of Service (TDoS))
9. Miscellaneous Errors: “Incidents in which unintentional actions directly compromised an attribute of a security asset.” (excludes lost or stolen devices) (misdelivery, error, disposal error, misconfiguration, omission, programming error, malfunction, data entry error, etc.)
10. Everything Else: phishing, footprinting, pretexting, use of stolen cards… pirates?! [In 2016, Verizon reported that pirates hacked and downloaded the and vessel shipment information of a “global shipping ,” and were able to use that information to board a shipping vessel in transit and target specific crates and containers to steal and pillage the contents thereof in a swift amount of time. Rogers, James, “From High Seas to High Tech: Pirates Hack Shipping Company,” FoxNews Tech (Mar. 2, 2016), available at http://www.foxnews.com. DISCLAIMER: Pirate attacks may not be the most pressing concern when it comes to cybersecurity threats. However, this incident highlights the fact that when we think about cybersecurity and cyber risks, the risk of damage is not limited to just the access and use of digital information, but it can, and will (to the extent it has not already), have the effect of causing physical harm to property and persons.]

As noted, Verizon also broke down these events by major industries in its 2017 DBIR, and highlighted the frequency with which certain types of events occurred within a given industry in the past year. The following identifies some of the major industries Verizon surveyed and the types of incidents that were most frequently experienced within that industry in the past year:

• Accommodation and Food Services: point-of-sale intrusions, everything else, and privilege misuse represented 96 percent of data breaches within this industry.
• Educational Services: cyber-espionage, miscellaneous errors, everything else (67 percent of all data breaches)
• Financial and Insurance Services: denial of service, web app attacks, and payment card skimming (88 percent of all data breaches)
• Healthcare: privilege misuse, miscellaneous errors, physical theft and loss (80 percent of all data breaches)
• Information Industry (software publishers, telecommunication carriers, cloud providers, social media and internet , etc.): denial of service, web app attacks, and crimeware (90 percent of all data breaches)
• : cyber-espionage, privilege misuse, and everything else (96 percent of all data breaches)
• Public Administration: cyber-espionage, privilege misuse, and miscellaneous errors (81 percent of all data breaches)
• Retail: denial of service, web application attacks, and payment card skimming (81 percent of all data breaches)

The most significant takeaway from Verizon’s 2017 DBIR, particularly for insurers writing cyber insurance coverage, is not just the recognition of the various types of cyber incidents that exist and the general frequency at which they tend to occur. By breaking down and highlighting the particular threats within a particular industry, Verizon provides particular guidance to businesses on what cyber threats are most likely to impact them. For insurers, this can be a particularly useful tool, not just in underwriting, but also in assessing and responding to claims by insureds that experience a cyber event, and understanding the overall impact such events can have on a particular business. For businesses assessing their exposure to a cyber threat, knowing and understanding the types of events for which their business can be a target also helps in assessing exactly what risks that business faces, and finding the right cyber insurance product for that business.

As companies and businesses develop strategies for detecting, preventing, and responding to cyber events, the types and magnitudes of threats are evolving and changing, too. In looking ahead, cybersecurity and cyber risk professionals across the board are trying to predict what cyber risks are on the horizon. The first half of 2017 alone saw a dramatic increase in what have been described as “cybersecurity meltdowns” that stretch beyond the standard corporate data breach. State-sponsored ransomware attacks like WannaCry made major headlines, and although the financial impact of WannaCry was not as severe as media speculation believed, it was a powerful infection that was able to shut down National Health Service and facilities in the United Kingdom temporarily. Shortly after WannaCry, another similar ransomware infection spread under various names, including Petya, NotPetya, Nyetya, and Goldeneye, and infected the networks for major companies in multiple countries, including Merck (U.S.), Maersk (Denmark), and Rosneft (Russia), before hitting what is believed to be its ultimate target—Ukraine’s , causing disruptions at power companies, the central bank, and public transit. See Newman, Lily Hay, “The Biggest Cybersecurity Disasters of 2017 So Far,” Wired Magazine (July 1, 2017), available at https://www.wired.com.

Insurance Coverage for a Cyber Event

While many insurers, small and large, have begun writing insurance coverage specifically for cyber risks, these policies are still “new” (relatively speaking), but given the increasing acknowledgment amongst various industries about not the possibility of, but the inevitability of a security breach, it is a product that is rapidly proliferating. One study issued by Advisen, Ltd. and Zurich American Insurance Company indicates that in the span of just five years, the percentage of large companies (defined as having revenues in excess of $1 billion) that purchased cyber insurance increased from just 35 percent in 2011 to 65 percent in 2016. See Information Security and Cyber Risk : Sixth Annual Survey (Oct. 2016), available at https://www.zurichna.com. For those companies that do not have cyber insurance in place, they will likely look to other existing insurance for coverage in the event that they experience a cyber event.

Commercial General Liability Coverage

There is some case law that has considered the extent to which coverage for a cyber event may exist under traditional commercial general liability (CGL) policies, as such policies are the most widely distributed among every industry. Most CGL policies utilize the standard ISO form, which provides two types of liability coverage: Coverage A—damages for “bodily injury” and “property damage” caused by an “occurrence”; and Coverage B—damages for “personal and advertising injury” arising out of an enumerated offense. By and large, issues of insurance coverage for data breaches under these traditional liability policies remain unsettled among the courts of the various jurisdictions.

Coverage A – Bodily Injury and Property Damage

To date, no court has meaningfully addressed the extent to which “bodily injury” caused by a cyber event may trigger coverage under a CGL policy. On its face, it seems implausible that a “bodily injury” claim might ever arise out of a cyber event, but upon closer examination, it is not inconceivable. For example, victims of a cyber event such as a data breach, where personal, financial, and identifying information has been breached and used to perpetrate identity theft, could claim emotional distress as a result. See, e.g., TL Sharp, et al., Exploring the Psychological and Somatic Impact of Identity Theft, 49 J. Forensic Sci. 131 (2004).

Additionally, while no information has been released of whether and, if so, how personal medical information was used by hackers, if at all, in the wake of the 2015 Anthem data breach, such breaches in the are another conceivable source of potential “bodily injury” claims that might arise based on the breach and release of personal health and medical information. Notably, however, in the Anthem data breach class action litigation, the district court in California dismissed with prejudice the class members’ claims of negligence under Indiana law, finding that a private right of action arising out of a security breach was not cognizable under Indiana’s data breach statutes, based upon at least a failure to notify. Rather, the Indiana data breach statute provides that the Attorney General has exclusive authority to bring claims against a business based upon violation of the Indiana data breach statute’s notice requirements. In re Anthem, Inc., Data Breach Litigation, 162 F.Supp.3d 953, 974–78 (N.D.Cal. 2016).

Whether a cyber event might trigger CGL coverage as a claim for “property damage,” which can include either “physical injury” or “loss of use” of “tangible property,” was questionable, as the cases addressing this were split as to whether “data” qualifies as “tangible property.” The majority of cases addressing this issue have found that “data” does not constitute “tangible property” capable of sustaining damage. See, e.g., America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003). By contrast, some courts have recognized that stored data that is “magnetically encoded on a segment of [ ] hard disk” constitutes “tangible property” capable of being damaged. See London-Sire Records, Inc. v. John Doe, 542 F.Supp.2d 153 (D. Mass. 2008); see also Capitol Records, LLC v. ReDigi, Inc., 934 F.Supp.2d 640 (S.D.N.Y. 2013); NMS Servs. Inc. v. The Hartford, 62 F. App’x 511 (4th Cir. 2002).

However, the ISO form for the CGL policy was amended in 2001 specifically to exclude “electronic data” from “tangible property” under the definition of “property damage.” In addition, the ISO forms now include an exclusion for electronic data that specifically applies to exclude damages “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Many insurance companies have updated their standard CGL forms specifically to exclude coverage for cyber risks, or have excluded cyber risks by endorsement. The inclusion of the exclusions and limitations to “property damage” coverage indicates a clear intent by the insurance industry not to cover data breaches under traditional Coverage A policies.

Coverage B: Personal and Advertising Injury

Coverage B under the traditional CGL policy form provides coverage for “personal and advertising injury,” which is defined as “injury…arising out of one or more enumerated offenses.” One such offense triggering coverage is “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Courts addressing this offense generally agree that a data breach constitutes a violation of a person’s “right of privacy.” See Big 5 Sporting v. Zurich American Ins. Co., 957 F.Supp.2d 1135 (C.D.Cal. 2013); but see Galaria v. Nationwide Mut. Ins., 998 F.Supp.2d 646 (S.D.Ohio 2014) (holding “mere loss or theft of personal identification information alone does not constitute an invasion of right of privacy”). The more concerning issue in these cases is what constitutes “publication” in the context of a data breach or cyber event, which has been addressed by courts in the context of some of the more widely publicized data breaches. In Zurich American Ins. Co. v. Sony Corp. of America, 2014 WL 3253541 (N.Y.Sup. Feb. 21, 2014), which concerned Sony’s demand for insurance coverage arising out of the Sony data breach that resulted in hackers stealing personal information of nearly 77 million users, the New
York trial court held that there was no “publication” for the purposes of triggering Coverage B because such “publication” was perpetrated by a third party, and not by any act or conduct of the policyholder. Similarly, in Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn. App. 450 (App.Ct.Conn. 2014), the Connecticut appellate court held that the insured was not entitled to coverage for more than $6 million in damages paid to IBM following the loss of 130 computer tapes, which contained personal information of more than 500,000 IBM employees (past and present). The court rejected the plaintiff’s assertion that “mere loss of the tapes constitutes a publication,” holding that there was no “publication” because there was no evidence to suggest that “personal information actually was accessed” and that the lack of such evidence “failed to take their allegation beyond the realm of speculation.” By contrast, in Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 (E.D.Va. 2014), the court held that “exposing material to the online searching of a patient’s name” constituted “publication” sufficient to trigger the insurer’s duty to defend. Significantly though, the underlying personal injury action at issue in the Portal case was ultimately dismissed, because the plaintiffs, whose personal health information was allegedly “publicized” online, could not assert any cognizable damages.

As with Coverage A, many insurers have begun including endorsements in their CGL policies that specifically limit the scope of coverage for data breaches as “personal and advertising injury.” It is no great surprise, with the ever-increasing inevitability that a business will experience some kind of cyber incident (whether great or small), that insurers are seeking to exclude such exposure under CGL policies. This coverage, as evidenced by the split in judicial authority, is uncertain and undeterminable, and insurers are opting instead for more clearly identifiable coverages provided by cyber-insurance.

Cyber-insurance Coverage

Cyber-insurance encompasses a wide variety of insurance products that insurers are beginning to offer to cover both first-party losses and third-party liability for cyber incidents. In general, insurers are underwriting and making available the following categories of cyber insurance coverage:

• Liability: broadly categorized, this insurance provides coverage for defense and settlement of third-party claims arising out of a cyber event. Liability cyber insurance has been broken down to identify and cover the following types of exposures:
• Network Security Liability: general coverage where insured’s data security system fails to prevent a data breach.
• Privacy Liability: coverage where insured fails to protect confidential data within its care, custody, and control.
• Media Liability: and personal injury resulting from release of protected information.
• Remediation/Breach Response Costs: costs incurred by a company associated with responding to a data breach, including forensic investigation, public relations, legal fees and expenses, customer notification expenses, credit monitoring, etc.
• Regulatory Fines and/or Penalties: costs incurred by a company to investigate, defend, and settle fines and penalties assessed by regulatory or administrative entities.
• Cyber Extortion: Payments made to a party that ransomed or threatened to attack an insured’s computer system.
• Fund Transfers Fraud: loss incurred when money or securities are transferred, paid, or delivered from the named insured’s account at a financial institution based on fraudulent instructions.
• Business Interruption: First-party expenses for lost income caused by an interruption or data breach.
• Data Recovery/Restoration: expenses incurred to recover data damaged on an insured’s system.
• PCI (Payment Card Industry) Credit Card Fines and Penalties: as may be owed under the terms and conditions of a merchant services agreement.

See, e.g., Betterley, Richard S., CMC, The Betterley Report: Cyber/Privacy Insurance Market Survey – 2016 (June 2016), available at https://www.irmi.com; Arthur J. Gallagher & Co., Cyber Risk Exposures and Solutions, (2015), available at https://www.ajg.com.

The procurement of cyber-insurance products is increasing rapidly, and in particular in those industries that are seeing the most exposure to cyber threats, such as in the healthcare, , and industries. One factor that is pushing the increased need for cyber-insurance products is the demand by third-party contracts requiring such coverage be in place, such as where required for vendors in the information and technology services industry.

Given the relative “newness” of these products, and the wide variety of policies and products being written by various insurers, there is very little development in the area of case law or judicial interpretation of the terms and conditions of these policies. Experience dictates that these policies are generally written on a claims-made basis, and are triggered, in general, by a reported failure to secure data, monetary loss caused by an employee, acts by persons other than the insured, and loss resulting from the theft or loss of private property. Most policies provide for an extended reporting period.

Most cyber-insurance policies, both first-party and third-party, are written with a self-insured retention, which raises interesting questions as to issues like the selection of legal counsel; the retention of outside firms to handle the insured’s public relations; forensic investigations; consumer notices; and determinations regarding settlement of liability claims within the self-insured retention. In most circumstances, these issues should be addressed by the insurer and insured during the underwriting process, so that an understanding of what may and/or should occur in the event of a cyber incident is understood between the companies. However, given the wide-ranging possibilities of cyber risks, it is impossible to contemplate every potential risk or exposure. In time, our use and development of these insurance products will evolve and will be exposed to judicial interpretation, which will lead to some amount of certainty and consistency in the realm of cyber-insurance products.

Other Coverages

Other companies are finding alternative ways of underwriting and providing cyber-insurance coverage by extending such coverage via endorsement for pre-existing coverages. Those types of policies onto which a cyber endorsement is traditionally added include the following:

• Errors & Omissions;
• Directors & Officers/Employment Practices Liability;
• Businessowners;
• Lawyers Professional;
• Other Professional;
• General Liability;
• Healthcare/Medical Malpractice;
• Crime; and
• Property.

The Costs of Cyber Events

For some cyber events, calculation of covered losses is readily identifiable. For example, when faced with a fund transfer fraud claim, where an employee is fraudulently induced to make a financial transfer or payment by way of some email phishing or other scam, the damages are easily identifiable—the loss is the amount of the funds lost in the fraudulent transfer. Other cyber event losses, however, are not so easily defined.

For the past eleven years, the Ponemon Institute, in collaboration with IBM, has conducted an annual study on the cost of data breaches in the United States. In recent years, the Ponemon Institute has expanded its scope to study the costs in other countries, including the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil, the United Arab Emirates, Saudi Arabia, Canada, and, most recently, South Africa. Its 2016 Cost of Data Breach Study: United States (the “Ponemon Study”) examined the costs incurred by 64 U.S. companies in 16 industry sectors that reported experienced loss or theft as a result of a data breach. The Ponemon Study found that the number of breached records per incident ranged from 5,125 to 101,520 records per breach, with an average number of breached records per incident of 29,611. In 2016, the average cost associated with each lost or stolen record was $221/record. The total average cost of a data breach in 2016 was $7.01 million (an increase from $6.53 million/breach in 2015).

The Ponemon Study noted that approximately 65 percent of these costs accounted for indirect losses, such as abnormal customer turnover, business interruption, and business/customer loss, whereas only 35 percent were for direct costs incurred, such as remediation, legal fees, and other breach-related incurred expenses, such as victim identity protection services. These direct costs, overall, experienced an increase in 2016. While these costs experienced an increase in the past year, such costs are slightly lower than when the average total costs of a breach reached its peak in 2011 at $7.24 million.

While these figures represent the average costs across the board, the costs to an individual business or insurer can vary and are subject to multiple variables, including in large part, the size of the data breach or event, the number of records compromised, as well as the amount of time that passes before a breach or incident is identified, investigated, and remedied. By far, the biggest expense associated with a cyber event is the cost of forensic investigation to identify and remediate the cyber breach. In practice, these costs can accumulate rapidly, and if covered by a cyber policy, can deplete the self-insured retention quickly. One way that businesses and companies can curb the forensic response costs in the wake of a cyber event is to have a well-established data breach response program in place. Also, running frequent security checks can ensure that a data breach is discovered sooner, as the costs of a cyber event increase significantly the longer it is left undetected.

The costs discussed in the Ponemon Study are generally only associated with first-party cyber claims, as noted by the risks and exposures discussed in the above-section. But, what are the costs for actual damages under cyberliability coverage and, specifically, what damages are insurers exposed to for claims by individual victims of a data breach? The answer: it is unclear. A significant issue that companies and insurers face in assessing covered damages arising out of a breach is the intangibles, such as lost profits, , goodwill, and business interruption costs. While these losses tend to be more speculative in nature, they are not completely outside the realm of evaluation by insurers and companies alike, as evidenced by the long history of companies providing insurance coverage for business interruption losses as a result of first-party property loss. For example, Target reported that the 2013 data breach it experienced cost the retailer more than $61 million in out-of-pocket expenses. However, Target’s financial statement revealed that the data breach actually cost Target nearly $252 million, with nearly $105 million in net losses for the company.

Defense costs in response to a data breach are also significant, as class action suits arising out of many of these data breaches have inevitably followed. But
In-House Defense Quarterly ■ Fall 2017 ■ 71 outstanding questions still exist whether pocket expenses (i.e., “damages resulting challenges in assessing these losses, partic- actual covered “damages” flow from these from [Plaintiffs’] attempt to ameliorate the ularly in the realm of liability. While cyber data breaches. The courts in some of these effect of the breach of contract and subse- risks are rapidly evolving, so too must com- suits have set aside class members’ claims quent Anthem Data Breach, including but panies, small business, insurers, and indi- for failure to assert any “injury-in-fact” not limited to purchasing credit monitor- viduals be prepared to evolve and respond necessary to maintain Article III standing, ing services or taking other steps to pro- to the changing cyber landscape. holding that allegations of “increased risk” tect themselves”). In re Anthem, Inc., Data that plaintiffs will be victims of identity Breach Litigation, 2016 WL 3027983, at *12 theft, fraud, or some other scam at some INSURANCE LAW indeterminate point in the future “does ■ not constitute injury sufficient to confer standing where…the occurrence of such With the evolution of claims future injury rests on the criminal actions of independent decisionmakers.” Galaria that can arise out of a cyber v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646 (S.D.Ohio 2014); see also Remijas v. event, and the various losses The Neiman Marcus Group, LLC,2014 WL 4627893 (N.D.Ill. 2014). By contrast, other and damages that can arise, courts have allowed such class action suits arising out of a data breach to continue, the insurance industry will recognizing that even the threat of “immi- nent” or “potential future” harm is suffi- be faced with a multitude cient to permit standing. 
Companies (and insurers alike) may be able to cover these of challenges in assessing damages by simply offering credit monitor- ing and similar services, but who can say these losses, particularly whether that will be enough? Likely not, particularly where cyber-­insurance cover- in the realm of liability. age is expanding to encompass claims for bodily injury, as well. ■ Other class plaintiffs are relying on the assertion of contract claims and damages (N.D.Cal. May 27, 2016). in connection with data breach suits that The actual scope of these damages insurance companies will have to inves- was not litigated, but of the $115 million tigate in connection with the scope of Anthem settlement, about $15 million of damages covered by cyber policies. For that settlement is being allocated to reim- example, in the Anthem data breach class bursing class plaintiffs for out of pocket action litigation, the court upheld their expenses actually suffered. The settlement standing to assert contract damages, based fund also requires two years of credit mon- upon arguments that class members suf- itoring for all class members, and nearly fered: (1) “benefit of the bargain” losses one-third of the settlement will go to attor- (i.e., “the difference in value between what ney fees and defense costs. At the end of the Plaintiffs should have received from De- day, the 79 million people impacted by this fendants when they enrolled in and/or breach will likely only receive about $35 to purchased insurance from Defendants $50 each in damages. that Defendants represented, contractu- ally and otherwise, would be protected Conclusion by reasonable data security, and Defend- The Anthem settlement likely will result in ants’ partial, defective, and deficient per- more class action suits arising out of cyber formance by failing to provide reasonable events and data breaches, and the discus- and adequate data security”); (2) “loss of sion the costs of cyber events will continue. 
value of personal identification informa- With the evolution of claims that can arise tion [PII]” (i.e., “damages to and dimi- out of a cyber event, and the various losses nution in value of their [PII] entrusted to and damages that can arise, the insurance Defendants”); and (3) consequential out-of- industry will be faced with a multitude of

72 ■ In-House Defense Quarterly ■ Fall 2017