CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

How the Cyber Insurance Market is Changing

Posted in Coverage

The cyber insurance market has been around since the 1990s. It started to pick up steam in 2003 after California passed the nation’s first privacy law. Now 48 states have privacy protection laws – New Mexico joined the group in April 2017, leaving Alabama and South Dakota as the remaining hold-outs.

For the past several years, the cyber insurance market has grown, although the rate of growth slowed in 2016 to “only” 7%, compared to an 18% increase between 2014 and 2015.

So what does the future of the cyber insurance market look like? First, insurers will look beyond traditional risks such as health care and retail services to emerging risks such as manufacturing and homeowners coverage, two areas that are solidly connected to the Internet of Things. Second, traditional privacy protection coverage is fairly standard now: its pricing is predictable and the claims handling is good. But business interruption losses are going to ramp up. These types of losses will involve time delays, forensic accountants and maybe on-site inspections for insurers. Third, reinsurers are going to start to feel the effects of the cyber market and begin to look more closely at claims.

A brave new world.  Again.

Why Ransomware and Bitcoin Go Together

Posted in Bitcoin, Ransomeware

Continuing from our earlier post, it is no surprise that hackers demand that ransomware be paid in Bitcoin. Since wallets do not require users to share their identities, Bitcoin is untraceable so long as a hacker keeps his ransom in Bitcoin form. And since the blockchain only shows amounts and wallet account numbers, there is no way to tell why Bitcoin was paid for any given transaction. The appeal to criminals is obvious: simply viewing the blockchain does not reveal whether Bitcoin was paid for a legitimate reason or for illegal purposes like purchasing drugs, funding terrorist activities or paying off a ransomware attack.

Other appealing features of Bitcoin for criminals include:

• lack of a central authority overseeing the transactions. This means that Bitcoin can be used in any country without fear of authorities attempting to freeze Bitcoin accounts that may be suspected of funding illegal activities;

• even though the blockchain is public, the lack of a central authority means only the user with a private key matching a specific wallet can access the Bitcoin;

• Bitcoin transactions are processed without a bank or other authority; all that is required is the ten-minute verification process by miners;

• each transaction is non-reversible and final, so a hacker is guaranteed to keep any ransom payment without fear of confiscation;

• “Bitcoin-to-other” currency exchanges are paid to launder Bitcoins. They convert hundreds of Bitcoin transactions to other forms of currency while ignoring the identity of the criminal seeking the exchange.

Bitcoin was not created for criminal enterprise, but it is clear why it has become a perfect vehicle for ransomware attacks.  Bitcoin has many benefits, but as long as it remains untraceable, ungoverned by a central authority and with irreversible transfers, ransomware hackers will continue to exploit its virtues.


Bitcoin: What Is It and Why Do Hackers Love it?

Posted in Bitcoin, Ransomeware

With 2014 coined “the year of the retail breach” and 2015  “the year of the health care breach,” the trend looks to tag 2016 “the year of ransomware.” 

In a typical ransomware attack, hackers use software to block access to a computer system until the victim pays a ransom amount, usually in the form of “Bitcoins.”

But what is a Bitcoin and why is it so popular in ransomware attacks? Bitcoin has two hacker-friendly features: (1) transfers are anonymous and (2) no central bank or agency oversees the transactions.

For starters, Bitcoin is a digitally created currency that exists only electronically. Unless it is converted into another form of currency through an exchange, Bitcoin only exists on-line. Unlike currency which is printed by a government, Bitcoin is created through a process called “mining.” Bitcoin “miners” solve complex math problems with randomized input data, and when the problem is solved and verified by other miners, the miner who solved the problem is rewarded with Bitcoins (usually 25, but the number can vary).

A Bitcoin miner’s work serves another function: it verifies each Bitcoin transaction. In other words, the “complex math problem” that a miner solves is the verification of prior transactions. As a result, the verification process necessarily involves prior Bitcoin transactions as part of the data needed to solve the problem. When a series of transactions (called a “block”) occurs, miners put the information in that block through a publicly available mathematical formula to convert it into a more compact, random-looking series of numbers and letters called a “hash.” A critical portion of each hash is produced using the hash of the block that preceded it. This allows miners to track the history of transactions back to the very first Bitcoin transaction.

This entire history of Bitcoin transactions is called the “blockchain,” a public ledger for the whole Bitcoin system. Since miners can look at each block and check it against each preceding block as well as the entire blockchain, they can confirm that each transaction is legitimate. Otherwise, it could not be reconciled with the blockchain.

A miner who verifies a block submits his solution (called a “proof of work”) to other miners who essentially double check the result.  The other miners stamp the proof of work as a notary would stamp the recording of a deed, publicly verifying that each transaction, and therefore the whole blockchain, is trustworthy.  It takes only about ten minutes for a miner to submit a proof of work and for other miners to verify it, thus finalizing the Bitcoin transaction.
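The hash-linking and proof-of-work steps described above, as an added illustration that is not code from the blog post. Block contents, wallet ids and the difficulty target are constructed; real Bitcoin hashes a binary block header with double SHA-256 against a far harder target, but the shape of the computation, and why an altered old block fails verification, is the same.

```python
import hashlib
import json

# Constructed example (not from the blog post): a minimal hash-linked ledger
# with a proof-of-work search and the re-verification other miners perform.
DIFFICULTY = 4  # number of leading hex zeros a valid block hash must have

def block_hash(prev_hash, transactions, nonce):
    """Hash the block contents together with the hash of the preceding block."""
    payload = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def mine_block(prev_hash, transactions):
    """Search for a nonce whose hash meets the difficulty target (proof of work)."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, transactions, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"prev": prev_hash, "tx": transactions, "nonce": nonce, "hash": h}
        nonce += 1

def verify_chain(chain):
    """What other miners do: recompute every hash and check the links and targets."""
    prev = "0" * 64  # the first (genesis) block links to an all-zero hash
    for block in chain:
        if block["prev"] != prev:
            return False  # link to the preceding block is broken
        h = block_hash(block["prev"], block["tx"], block["nonce"])
        if h != block["hash"] or not h.startswith("0" * DIFFICULTY):
            return False  # contents changed, or the proof of work is invalid
        prev = h
    return True

def build_demo_chain():
    """Mine two blocks of constructed sample transactions (wallet ids are made up)."""
    chain = []
    prev = "0" * 64
    for txs in ([{"from": "wallet-A", "to": "wallet-B", "amount": 0.5}],
                [{"from": "wallet-B", "to": "wallet-C", "amount": 0.2}]):
        block = mine_block(prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain

def tamper(chain):
    """Alter an old transaction without re-mining; verification must now fail."""
    forged = json.loads(json.dumps(chain))
    forged[0]["tx"][0]["amount"] = 50.0
    return forged
```

Rewriting history would require re-mining the altered block and every block after it, which is what makes the public ledger trustworthy without a central authority.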

Bitcoin users store their Bitcoins in a digital “wallet” on a computer or mobile device.  The amount of Bitcoins in each wallet is visible to everyone since the blockchain (and every transaction within it) is public, but each user has a “private key” that only they know.  The private key is what allows users to exchange or transfer Bitcoins within their wallet.  Think of the wallet as a safety deposit box made of glass so everyone can see how much is in it, but only the safety deposit box owner has the key to access the contents inside.

Importantly, wallets do not require users to identify themselves by name or any other type of identifying information.  The wallet is simply an account identified by a series of random numbers and letters.  When a pure Bitcoin transaction is made, the real names of buyers and sellers are not revealed in the wallet or anywhere on the blockchain.  The exception to the anonymous exchange occurs if someone wants to exchange a Bitcoin for a good or service, or wants to convert the Bitcoin into another type of currency through an exchange.

In Part II, I will talk about why Bitcoin is a favorite form of ransom.  


DDOS Disruption: The Dreaded Aggregation?

Posted in Aggregation, DYN Attacks

Today a DDOS attack disrupted major websites reportedly including Twitter, Spotify, Reddit and even Major League Baseball on the U.S. east coast. By mid-day a second wave of attacks appeared underway against Dynamic Network Services, Inc. (Dyn), a domain host company or DNS server. The first attack started at about 7:00am EST and lasted for more than two hours. The source of the attacks is presently unknown.

A DNS server links a website address to the website’s domain name, so users can search for a travel website by its name, not its 10-digit IP address.

This attack may signal a new approach. Instead of shutting down one website, attackers prevented end-users from reaching a wide swath of websites.

For insurers, this type of disruption heightens fears of an aggregated loss: one incident over a discrete period of time disrupts website traffic for multiple companies, any number of which may be insureds.  Business interruption for Amazon is bad enough unless you also insure Disqus’ technology risks.  And it appears that today’s attacks cut across all sorts of business lines.  The accumulation risk for insurers who endorse cyber risks to multiple lines of business is a genuine one.  Knowing your portfolio is key.


Data Breach Insurers: Learning from Product Recall

Posted in Attorney Client Privilege, Product Recall Similarities

Data breach claims are often referred to as the new EPL claims: high volume, high intensity, low impact on most insurers’ bottom line.  But a more apt analogy is product recall litigation.

Product recall and data breach claims have a lot in common:

  1. they involve a problem with a major “brand,” whether cars, food or confidential data;
  2. the problem is often discovered internally before it is known by the public;
  3. lawyers and third parties investigate immediately, leading to privilege issues later on;
  4. governmental agencies require prompt notification and can levy fines and penalties;
  5. state and federal laws apply;
  6. the company’s reputation takes a hit;
  7. class action litigation is nearly inevitable; and
  8. someone usually loses his job.

Product recall cases differ from data breaches because they may involve criminal prosecution and/or bodily injury claims, although IoT can implicate bodily injury.

But product recall litigation is ahead of privacy cases when it comes to privilege attaching to pre-suit investigation by lawyers and third parties. For an interesting opinion on privilege and work product in the pre-suit stage, take a look at this opinion in the GM ignition switch recall litigation: GM Ignition Switch Litigation.


Is Credit Monitoring a Step Towards Standing?

Posted in Damages, Data Breach, standing

On September 12, the 6th Circuit Court of Appeals concluded that members of a class action have Article III standing to sue Nationwide Insurance for negligence after hackers breached Nationwide’s computer network and stole personal information.  Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016).

As with the P.F. Chang and Neiman Marcus opinions, this court found that plaintiffs alleged a substantial risk of harm and reasonable mitigation costs to satisfy the injury-in-fact standard. And like those cases, Galaria noted that Nationwide’s offer to pay for credit monitoring and its recommendation (but not reimbursement) for other protective measures were evidence of concrete and imminent harm.

This rationale causes a dilemma for an entity that has a breach and is required to notify its customers or clients.  Most breached entities offer credit monitoring, although no state law requires credit monitoring (California law creates a duration for credit monitoring, but only if it is offered in the first instance).  Companies that offer protection typically do so out of a sense of responsibility or to regain customer loyalty or to mitigate long-term damages if credit monitoring works to reduce identity theft.

Companies may think twice about offering remediation services because the services may become evidence of concrete and imminent harm.  But whether the company offers mitigation relief or not, a customer’s reasonable belief that a breach threatens his financial identity may be proof enough of concrete and imminent injury.   A company’s notification requirements are governed by statute but it can still weigh for itself whether offering credit monitoring becomes too sharp of a double-edged sword.

New Delivery Mechanism: Voicemail Attachments

Posted in Hacking, Voicemail

Missed call notifications in Microsoft Outlook are the latest delivery mechanism for viruses.  Tricksters are using recorded voicemail messages that appear in emails as another route for ransomware and malware.

The attack email arrives with an attachment that seems to contain a voice message compressed in a zip folder. But the folder actually contains hidden malicious code that installs ransomware. Once unzipped, the ransomware will encrypt files on your computer, and maybe the entire network. These attacks are also happening in residential systems, not just businesses.

Hacking voice mails is not new, and there have been voicemail notification breaches before, too.    Nor does this attack have to be limited to voicemail – why not phishing emails posing as legitimate notifications from printers and faxes?

How would a privacy policy respond to a hacked voice mail via the internet?  Chances are such a claim should be covered providing the definition of computer system or network is broad enough to include voicemail that does not originate on a cellular phone.  But coverage aside, it is one more example of social engineering that turns a routine task into a risk.

Protecting Financial Data No Slam-Dunk for NBA Team That Falls Victim to Phishing Scheme

Posted in credit monitoring, Cyber Breach, Hacking, Privacy

Professional athletes may be used to the public knowing the terms of their multi-million dollar contracts, but the Milwaukee Bucks organization received a surprise when the team announced last week that it had fallen victim to a phishing scam.

On April 26, a hacker posing as the NBA team’s owner Peter Feigin e-mailed team employees and requested 2015 IRS documents for all the organization’s employees, including players.  An employee sent the requested documents, including W-2 forms containing names, addresses, social security numbers, compensation and dates of birth.  The Bucks did not discover that the request came from an impersonator until May 16, when they notified the IRS and FBI.

After the incident, the Bucks announced that they will “provide additional privacy training to our staff and implementing additional preventative measures.”  The team also will offer three years of credit monitoring and non-expiring identity restoration services.

One might expect a professional sports organization worth hundreds of millions or even billions of dollars to have better security measures in place. But this incident shows that many businesses, large and small, do not have internal security policies that might prevent these types of scams.

This incident is a good reminder that we all should pay attention to emails requesting personal, sensitive, or financial information:

  1. Be sure you recognize the email address.  Most phishing scam artists do not create a fake email address, even if they change the sender’s name.
  2. Call the person who allegedly sent the email to verify the request.
  3. Use common sense – why would the person need the information requested?
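The first and third checks in the list above can also be applied mechanically at a mail gateway, so that a message claiming to come from an executive but sent from an outside address is flagged for the phone call in check 2. This is an added example, not code from the blog post; the trusted domain, the executive name and both sample messages are constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example, not code from the blog post. TRUSTED_DOMAINS, EXECUTIVES
# and both sample messages are made-up values standing in for an organisation's own.
TRUSTED_DOMAINS = {"example-team.com"}
EXECUTIVES = {"Pat Owner"}
# Terms that indicate a request for the kind of data taken in the Bucks incident.
SENSITIVE = re.compile(r"\b(w-?2s?|irs|social security|payroll|wire transfer)\b", re.I)

# Display name impersonates the executive, but the real address is on another domain.
SUSPICIOUS_EMAIL = """\
From: Pat Owner <pat.owner@mail-example.net>
To: payroll@example-team.com
Subject: 2015 W-2s for all employees

Please send me the 2015 W-2 forms for every employee today. Thanks.
"""

# Same display name, but sent from the trusted domain and asking for nothing sensitive.
ROUTINE_EMAIL = """\
From: Pat Owner <pat.owner@example-team.com>
To: staff@example-team.com
Subject: Friday schedule

Practice moves to 10am on Friday.
"""

def sender_parts(message_text):
    """Split the From header into the display name and the real address's domain."""
    msg = message_from_string(message_text)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower(), msg.get_payload()

def triage(message_text):
    """Return the reasons a message deserves an out-of-band phone check (empty if none)."""
    name, domain, body = sender_parts(message_text)
    reasons = []
    if domain not in TRUSTED_DOMAINS:
        reasons.append("sender address is not on a trusted domain: " + domain)
        if name in EXECUTIVES:
            reasons.append("display name matches an executive: " + name)
    hit = SENSITIVE.search(body)
    if hit:
        reasons.append("asks for sensitive data: " + hit.group(0))
    return reasons
```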


7th Circuit Reverses, Finds Standing in P.F. Chang Data Breach Lawsuit

Posted in Neiman Marcus, P.F. Chang, standing

For the second time in less than a year, the 7th Circuit has found standing by plaintiffs seeking class certification for a data breach.

On April 14, 2016 the 7th Circuit issued its opinion in Lewert v. P.F. Chang’s China Bistro, Inc.: P.F. Chang Opinion (7th Circuit, April 14, 2016).

P.F. Chang had a credit card breach in 2014 involving 33 restaurants in the Chicago area.  Customers affected by the breach sought class certification which the district court denied on grounds plaintiffs had no standing.

The Court of Appeals reversed the lower court, finding that class representatives alleged sufficient harm by way of fraudulent credit card charges, $106 in credit monitoring costs and time monitoring potential identity theft.

This is the second time the 7th Circuit has found standing for data breach claimants, the first being the Neiman Marcus decision issued last summer: Remijas v. Neiman Marcus, 7th Circuit Opinion (2015). P.F. Chang tried to distinguish Neiman Marcus because its breach involved only credit cards, so there was no risk of wider identity theft. In rejecting this argument, the court said that it is unknown whether a stolen credit card can lead to identity theft.

Plaintiffs argued that they were damaged in the amount of their meal because they would not have eaten at P.F. Chang’s had they known data security was ineffective.  The court’s response was tepid.

Plaintiffs also alleged that their identity has value, just as a stolen car has value.  The court stated that a court that previously found value in personal identity had limited scope.

P.F. Chang highlights (again) the importance of an insured’s first response to a breach.  The fact that Neiman Marcus offered credit monitoring helped persuade the court that the store anticipated harm to its customers.  And P.F. Chang’s suggestion that customers monitor credit reports also raised the specter of future

A Made for Hollywood Horror Story: Los Angeles Hospital Pays Cyber Hackers’ Ransom to Restore Access to Systems

Posted in Bitcoin, Ransomeware

On February 17, Hollywood Presbyterian Medical Center announced that it had paid cyber extortionists a ransom of 40 bitcoins in order to restore control over its systems and administrative functions.  While the number might not seem high at first glance, it equates to roughly $17,000.  The hospital first noticed malware on its system on February 5, but waited ten days before deciding that payment was the fastest way to regain control of their systems.  The hackers had introduced malware into the hospital’s system that encrypted the hospital’s files, making them inaccessible.  The FBI is still investigating how the hackers were able to install the malware.

Bitcoin is a completely digital currency that attracts cyber extortionists because bitcoin transactions do not go through any intermediary such as a bank.  There is a lower chance that an illegal payment can be tracked.  The extortionist usually sets the amount just low enough for the infected entity to consider payment.

While cyber extortion is popular among some criminals in eastern Europe, the Hollywood Presbyterian Medical Center episode is one of the higher profile examples in the U.S.   The publicity about the paid ransom may encourage others looking for a fast payout.  Cyber experts believe that about 3% of users with infected systems pay ransom.

It is difficult to say whether the rate of cyber extortion incidents will increase in the US. Not all cyber criminals are willing to shut down operations at a facility where access to files can mean the difference between life and death. But the healthcare industry presents an easy target for attacks because its technology is often outdated and electronic medical records are available on laptops and iPads used throughout the hospital and often within easy reach.