A threat to the insurance industry
Legislators and regulators around the world are enacting data breach notification laws and the trend toward imposing industry-specific cybersecurity standards is expected to continue. The EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), as well as various state insurance data security laws, include key provisions requiring data breach reporting and cybersecurity obligations.
It has been reported that 2020 witnessed a 358% increase in malware and a 435% increase in ransomware attacks, as compared to 2019, with phishing remaining the “go to” infiltration point for many hackers. The need for better cyber hygiene, including stronger passwords, patching software, and multifactor authentication, has been a lesson learned slowly, and often only after having suffered a cyber incident.
Countering cyberattacks
As the threat of cyberattacks continues, nearly every insurer will be faced with a serious cybersecurity incident. Organizations that have plans in place to mitigate the risks will be better positioned to survive and thrive. Insurers are well advised to have an Incident Response Plan (IRP) ready and rehearsed.
It may be advisable to maintain playbooks for various stakeholders that address particular threat scenarios (such as ransomware). Effective preparation for managing a data breach helps ensure a swift and coordinated response that can minimize harm to victim organizations and reduce reputational impact and potential legal liability.
Awareness of courts’ diverging views on Article III standing requirements amid the surge of cyberattacks
As more companies are attacked, more individuals are being notified under U.S. data breach notification laws that their personally identifiable information may have been accessed or exfiltrated. In the United States, the position taken by the courts is complicated. The plaintiffs’ bar has been active nationwide in suing companies for alleged violations of their clients’ rights. But there is a significant circuit split regarding the level of harm that must be shown to establish Article III injury for standing purposes in U.S. data breach class cases, namely, whether alleged injuries relating to an increased risk of future identity theft are sufficient to satisfy the “injury-in-fact” prong of the standing test.
To date, the Third, Fourth, Eighth, and Eleventh Circuits have held that plaintiffs may not establish Article III injury-in-fact based solely on an increased risk of future harm. On the other hand, the Second, Sixth, Seventh, Ninth, and DC Circuits have all found that an increased risk of future identity theft may be sufficient to establish Article III standing in data breach litigation, with the Second Circuit only wading into the debate this past May.
Authored by Peter Marta, Paul Otto, and Jasmeet Ahuja.