This scenario has more than likely happened to all of us: You are quietly working on your computer, when all of a sudden a screen pops up, “Your computer has been infected.”
“Last year the cost of global cyber crime was estimated to be 388 Billion USD – with an individual falling victim to a form of online crime every 19 seconds.” Lockton UK recently released a report, “Cyber Risk Decoded,” in which it provides an in-depth analysis of cyber risks, a problem that is on the rise with the ever-increasing need to go digital.
The report identified the main cyber risks today, showing that the majority of data breaches resulted from human error or from a glitch in the system, most commonly stolen laptops, flash drives, emails with sensitive customer data, databases not being protected, or loss of unencrypted data in transit from one organization to another. Theft, spear phishing, hacktivism, Denial of Service (DoS), cyber-extortion, cloud computing and emerging themes were also trends in how businesses and individuals are susceptible to cyber threats.
Cyber crime is costing Americans millions of dollars; in fact, the study showed that in the past three years, cyber risk has cost the average organization 7.2 million dollars in associated data breach costs.
How is the law changing to protect our businesses? In the past couple of weeks, the Stop Online Piracy Act (SOPA) has gained much attention and controversy. The SOPA Bill would “Authorize the Attorney General (AG) to seek a court order against a U.S.-directed foreign Internet site committing or facilitating online piracy to require the owner, operator, or domain name registrant, or the site or domain name itself if such persons are unable to be found, to cease and desist further activities constituting specified intellectual property offenses under the federal criminal code including criminal copyright infringement, unauthorized fixation and trafficking of sound recordings or videos of live musical performances, the recording of exhibited motion pictures, or trafficking in counterfeit labels, goods, or services.”
For now, this bill is still under consideration and a mark-up session is being held. Otherwise, according to the report, “the vast majority (46) of the states have law which imposes mandatory data breach notification on organizations.”
Cyber risks have prompted insurance companies to offer liability coverage to help companies when cyber threats occur. When asked what the key elements of a loss were that clients were looking to cover, most underwriters agreed that brand reputation is a key element. Cyber risks are a problem across the board, from healthcare to financial and retail companies.
What does this mean for litigation? Trends show that Plaintiffs have become more successful as state and federal regulations hold companies accountable for breaches. For example, a leading case in the First Circuit interpreting Maine law found an implied contract, reasoning that when “a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data.” Anderson v. Hannaford Bros. Co., 659 F.3d 151, 158-59 (1st Cir. 2011); see also In re Michaels Stores PIN Pad Litigation, 2011 WL 5878373, at *10 (N.D. Ill. Nov. 23, 2011) (following Hannaford). Additionally, some cases are proceeding under a State’s consumer protection laws*. As the laws in this area have emerged, Plaintiffs are now able to move their cases to the discovery stage of litigation, which has had the net result of substantially increasing Defendants’ litigation costs. This trend will likely continue to grow as Plaintiffs continue to carve out ways to bring these claims under the existing laws.
*[footnote] See, e.g., In re Michaels Stores, at *5 (permitting claim to proceed under Illinois Consumer Fraud and Deceptive Business Practices Act) (citing In re TJX Cos. Retail Sec. Breach Litigation, 564 F.3d 489 (1st Cir. 2009) (Massachusetts law)); see also In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2011 WL 6012598, at *22-*33 (dismissing claims under several States’ consumer protection statutes).