Cybersecurity Litigation and Insurance Coverage


Organizations of all kinds use systems to store the personal and financial information of third parties, and some have become the target of data breaches. From major infrastructures to small companies, the growing number of cyberattacks against all industries shows no signs of slowing down.  There has been a significant increase in governmental investigations into organizations in both the public and private sectors that have experienced cyberattacks.  Often there are parallel legal proceedings in cases brought against these organizations that are alleged to be responsible for failures in security and data protection.  Governmental investigations and civil or administrative proceedings typically go hand in hand, in an attempt to effectuate civil remedies.

Due to the increasing occurrence of data breaches, companies are under legal obligations to secure their clients’ personal information and have a plan in place to safeguard this information from being compromised.  This plan should include having insurance coverage for cyber-related risks.

Many companies are now finding themselves the target of investigations into their failure to implement secure system controls and safeguards, putting them at risk for potentially millions of dollars in damages, attorneys’ fees, and costs.  The right cyber insurance can provide coverage for: 1) breach response (legal costs incurred, technology forensic services, public relations, as well as the costs associated with notifying affected individuals), 2) losses incurred by the business or organization (including business interruption loss, ransom costs, data recovery, and associated liabilities), and 3) third party liabilities (for example, defense against a government action and some associated penalties, payment card liabilities and costs, and media liability).

The Legal Team at Herold Law, P.A., Advocates to Protect Private and Public Entities

The dedicated team of insurance coverage attorneys at Herold Law, P.A., can help a company or organization proactively protect against future cyber risk-related losses by identifying the proper insurance coverage for a business to insure against cyberattack exposure.  For businesses that have experienced cyber risk-related losses and are facing a denial of coverage from the cyber risk insurance carrier, we can assist in obtaining insurance coverage by attempting to negotiate with the cyber risk insurance carrier, since we view litigation as an avenue of last resort due to the overwhelming costs that can be incurred.  We provide experienced and highly skilled representation to all our clients to ensure the best possible outcome for their cases.  Our firm has a reputation for success in a wide range of litigated matters.  To schedule a consultation with one of our highly skilled attorneys, call us at 908-647-1022 or contact us online.  Located in Warren, New Jersey, we serve clients in New Jersey, New York, Pennsylvania, Florida and other states.

Cyber-related risks can affect a broad range of businesses that handle sensitive information, which is why cyber risk-related coverage should be vigorously explored by a business under the skilled guidance of one of the experienced insurance coverage attorneys at Herold Law.  The businesses that can be affected range from health care providers and hospitals (with extremely personal information, including Social Security numbers and other personally identifying information) to retailers (with payment card information that is a prime target for identity theft) and Certified Public Accountants (with highly sensitive and valuable financial information that is also a prime target).

Relevant Cases

Last month, Wawa, Inc. reached a multi-million, multi-state resolution related to a data breach that compromised the credit and debit cards of over 34 million consumers.  The State of New Jersey co-led the $8 million settlement and will receive approximately $2.5 million of the overall payout.

The resolution further includes the requirement that Wawa, Inc. take steps to improve network protections and better safeguard consumer payment data.  Wawa, Inc. is now mandated to create a comprehensive information security program within the next six months, which is to be overseen by a credentialed expert.  The program is also required to include security awareness training for company personnel and incorporate best practices to help deter criminal hackers.  Within a year, Wawa, Inc. must additionally obtain a Security Compliance Assessment and Report to be shared with the New Jersey Attorney General’s Office.

The data breaches at Wawa, Inc. took place between April and December of 2019, and involved the extraction of consumer payment methods, including cardholder names, credit card and debit card numbers, and expiration dates.  The breach affected consumers in New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida, and Washington D.C.  Investigators believe these breaches occurred after criminal hackers gained access to Wawa, Inc.’s network through malware opened by a company employee.  Through their respective Attorneys General, New Jersey and Pennsylvania alleged that Wawa, Inc. failed to maintain adequate data security systems and to train its employees to recognize suspicious web activity, thereby violating state consumer protection laws.

Wawa, Inc. has made no admissions of liability or wrongdoing in the settlement, which notes that the company responded promptly and followed all notice requirements with relevant authorities.  The company also pointed out that it fully cooperated with the Offices of the Attorneys General and all law enforcement officials to assist everyone impacted by the incident, and that it continues to take the necessary steps to safeguard its information security systems.

In October of last year, the New Jersey Attorney General’s Office and the Division of Consumer Affairs came to a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that occurred between 2016 and 2017.  An unauthorized intruder accessed Diamond Institute’s network several times, compromising the personal information of thousands of patients, including 11,071 New Jersey residents.  The Division of Consumer Affairs alleged that the fertility clinic enabled the breach and violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information safeguards.

Diamond Institute denied the allegations, but agreed to settle the matter by paying a monetary penalty, which included $412,300 in civil fines and $82,700 in investigative costs and attorneys’ fees.  The settlement also included specific security measures that Diamond Institute must take, including developing, implementing and regularly updating a comprehensive information security program.  The Division of Consumer Affairs noted that hackers target companies that fail to comply with basic security requirements, and that they will not allow these companies to violate consumer laws and expose clients’ sensitive information, thereby making them vulnerable to identity theft.

The settlements in the Wawa, Inc. and Diamond Institute cases send a message: The government will continue to investigate businesses and hold them accountable for failing to maintain or strengthen the data protection systems that protect consumers’ privacy.  The government’s vigorous probes into cybersecurity breaches and the subsequent costs to businesses are only growing in intensity.

This unwavering message is being heard by organizations in all sectors.  Currently, the Department of Justice (DOJ) is investigating a major cybersecurity breach that involved the Judiciary’s electronic filing and case management system.  In January of last year, the United States Administrative Office of the Courts (AO) announced extra steps the Judiciary was taking to protect court records, in light of the SolarWinds hack in 2020 that was carried out by Russian agents against federal agencies.  It was opined at that time that the court management system was likely compromised.

The DOJ recently discovered more information with regard to the extent of the security breach.  They have voiced alarm about its impact on pending civil and criminal litigation, as well as ongoing national security or intelligence matters.  Given the nature of information that is held by the courts, it is not surprising that the Assistant Attorney General of National Security expressed similar concern in response.  The National Security Division pointed to their ongoing investigation into the potentially compromised public judicial docket and assured that it is working closely with the Judicial Conference and judges across the country to address the issue.

Cyber Claim Trends and CPA Firms

The majority of cyberattacks currently experienced by healthcare firms, CPA firms, accountants, and tax professionals involve two common cybersecurity risks:

  • Social engineering: Social engineering cyberattacks trick users into inadvertently providing security access.  It is one of the most dangerous types of cybersecurity threats to CPA firms due to the type of information these businesses store.  “Phishing” is one of the more widespread social engineering schemes, which involves information in an email designed to convince the user that it is from a legitimate source.  The user is often an employee who may respond to the email by simply clicking a link.
  • Security misconfigurations: Security misconfigurations are often the result of basic human error.  Best practice measures are crucial when addressing the human element of data security, including cybersecurity awareness training, using multi-factor authentication, strengthening passwords, requiring regular data backups, and reinforcing cyber protocols for hybrid employees.

There are several scenarios that lead to claims filed against CPA firms, including:

  • “Man in the middle” cyberattack:  A hacker commandeers the email account of the CPA firm’s client and sends requests to the firm to wire money to a new account.
  • Cyber extortion:  Cyber extortion using ransomware is a type of attack that victimizes CPA firms of all sizes.  It involves hackers getting into computer systems and encrypting files, and later demanding payment for promises to decrypt said files.
  • Downloaded viruses:  Hackers exploit CPA firms facing tax deadlines with outdated tax software and unaware employees who download viruses onto computers, often resulting in electronically filed fraudulent tax returns.

A single cyber incident may give rise to the first-party damages experienced by the CPA firm, as well as third-party losses for damages alleged to be suffered by others.  These tend to be high-dollar claims that typically include allegations such as the firm’s failure to detect the red flags associated with hacker communications, falling beneath the standard of care by initiating fraudulent wire transfers without proper client authorization, and failure to advise clients of the potential cyber threats and risks.

The widespread cybersecurity attacks coupled with recent government intervention have led countless companies and individuals to need the legal representation of attorneys knowledgeable about data breach laws and notification obligations.  Fortunately, there are ways they can protect and defend themselves with the guidance of an experienced attorney.  When these parties are denied coverage for cybersecurity or government investigation insurance, claims can be filed on their behalf against the appropriate insurance companies.

Companies that are the target of a government investigation after a cyberattack should retain the assistance of the experienced attorneys at Herold Law, P.A.  Our firm represents many accountants and tax preparers, and can advise any business, organization, or individual on how best to avoid exposure to the ramifications of a cyberattack on their clients’ personal and financial information.  We know the data breach laws and understand the risks and damages involved with exposure to cyberattacks and related investigations.

The legal team at Herold Law, P.A., can provide knowledgeable and experienced assistance in this important risk management obligation, not only to companies and their general counsel, but also to the public entities that are charged with failing to protect consumers’ privacy and financial information.  We offer a full range of litigation services to clients throughout the United States.