The Growing Exposure Caused by Dangerously Creative Cyber Hackers
In November 2015, U.S. prosecutors filed a 23 count indictment against three Israeli men. These men are accused of launching a large cyber-attack against JPMorgan Chase & Co. and eight other financial institutions, generating hundreds of millions of dollars in illegal profits. Part of their alleged scheme was to use clients’ email addresses they had stolen from the financial institutions and convince those clients to invest in penny stocks, which the hackers had previously purchased while the price was low. The institutional clients’ investments pumped up the value of the stocks so that the hackers could cash out and make a profit. Also, in 2013 one of these hackers perpetrated an account fraud takeover of Scottrade’s trading accounts and stole Scottrade’s customers’ logins and passwords. The hacker had invested in a penny stock and then used the trading accounts to pump up the value of the stock before he cashed out and made a profit.
These two incidences show how cyber hackers are becoming increasingly creative to manipulate electronic information for their own gain. In doing so, they are increasing the risk exposure of businesses that electronically store customer data.
Hence, these newest cyber attackers and their fraudulent profit schemes should put insurers on alert for future claims and suits. For instance, on a smaller scale, any business that retains customers’ email addresses could be exposed to a hacker that steals customers’ email addresses and then sends a fraudulently manipulative email to the customer, resulting in the customer’s loss for the hacker’s gain. Just think of all of those phishing emails that get caught in your spam filter. Further, a hacker could produce an outgoing email that looks like it was sent from the business the customer had used, causing the customer to trust the source. A customer’s lack of recourse against the allegedly responsible party is a prime example of why a company is wise to obtain insurance coverage for losses caused by data breaches.
This scenario may be the golden key the plaintiff’s bar has been looking for to establish standing and an “injury in fact”. Previously, plaintiffs in federal courts have struggled to establish a sufficient concrete injury required to prove standing (this is very similar to a plaintiff's failure to state a claim in Pennsylvania courts). In 2011, the Third Circuit held that alleged damages of an increased risk of identity theft, costs to monitor credit activity, and emotional distress were not injuries in fact and were insufficient to satisfy the standing requirement. Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In that case, a payroll processing firm that served as a third party payroll manager for businesses, suffered a security breach when an unknown hacker infiltrated the firm’s system and potentially gained access to personal and financial information belonging to over 27,000 employees. The court ruled against plaintiffs because their allegations were hypothetical and the prospect of future injuries was insufficient to establish standing. The court’s decision mirrored similar decisions from other districts where courts have found “the risk of future harm” posed by data security breaches does not confer standing on persons whose information may have been accessed.
Putting aside the typical inquiry in negligence cases of the precautions taken by the business, it is the causation chain that is worrisome. This is because the issues that now arise are (1) whether a business is liable for the fraudulent manipulation of the customer when the hacker obtained the customer’s email from the business; and (2) whether this loss is covered by the business’ CGL and/or cyber policy/endorsement. Both issues essentially simmer down to the same analysis: causation.
Under any negligence theory, a plaintiff must prove that the business’ actions were the “proximate” or “legal” cause of the losses. This requires that the losses could have been foreseen by an ordinary person as the natural and probable outcome of the business’ actions and that the business’ negligent act or failure to act was a substantial factor in bringing about the plaintiff's harm. Allen v. American Airlines, Inc., 301 F. Supp. 2d 370 (E.D. Pa. 2003), Polett v. Public Communications, Inc., 2013 PA Super 320, 83 A.3d 205 (2013), appeal granted, 2014 WL 2116549 (Pa. 2014). While the business' failure to protect their customers’ email address initiated the scheme that lead to the damage, it is arguable that it is not foreseeable that the customer would trust the source of the fraudulent email.
Further, under Pennsylvania law, to prove coverage, an insured must show that the risk insured against was the proximate cause of the loss. According to the efficient proximate cause doctrine, a loss is covered under the insurance policy when the loss is caused by a covered peril, even though other excluded perils contributed to the loss. Marks v. Lumbermen's Ins. Co. of Pittsburgh, 160 Pa. Super. 66, 49 A.2d 855, 856 (1946). Current industry standard-form CGL policies cover “sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury,” which includes: “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” In the aforementioned small business hypothetical, it is arguable that a standard CGL policy would cover the losses suffered by the customers as a violation of the customer's right of privacy.
However, in defending a hypothetical customer's claim, the issue of comparative negligence and failure to mitigate damages must be extensively investigated. There are also a number of proactive steps a business can take to mitigate the harm to the customer. First, the business should have a system that provides immediate notification of a cyber-breach. Second, the business should promptly notify its customers of the breach and possible suspicious activity. Thus, while these new schemes present new opportunities for litigation, they are not definite victories and the facts of each case will need to be explored. Further, insureds should be advised and explore cyber security polices and/or endorsements to obtain protection beyond their CGL policies.
Questions about this article can be directed to Elizabeth L. Melamed, at (717) 255-7234 or firstname.lastname@example.org.