Technologists fondly assert that the Internet is the most complex system ever devised by humankind. This thesis rests on the acknowledgment and acceptance of the ever-expanding and evolving interconnectedness of people, enterprises and things. Recent trends in technology like software as a service (SaaS), cloud-based data storage and the Internet of Things (IoT) contribute to this constant expansion of interconnectedness.
Now consider the following items in the cyber-risk context that have occurred since the beginning of 2014.
On an unusually mild February day in what was the longest winter in memory, reserved New York Judge Jeffrey K. Oing ruled from the bench in favor of Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. of America, finding that these general liability (GL) insurers had no duty to defend the Sony Corporation in connection with at least 55 underlying class-action lawsuits relating to the infamous April 2011 occurrence of unauthorized access to millions of online video game users’ personal information and credit card numbers from Sony’s PlayStation product.
Zurich and Mitsui each issued primary GL policies to Sony that included coverage for “personal and advertising injury” defined relevantly as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”.
In determining whether to dismiss the declaratory judgment action, the New York court found that while there was, in fact, a publication, coverage was only afforded to the extent Sony was responsible for the publishing and not, as was the case at hand, due to the actions of the third-party hackers. In so ruling, the court stated that to find otherwise would improperly expand the policies’ coverage grants.
Sony argued that the policies lacked clear language excluding this type of cyber attack from coverage and had no provision requiring it to be the policyholder that publishes the data. However, the court sided with the insurers, finding that none of the suits brought against Sony assert claims for bodily injury, property damage or personal and advertising injury that would afford Sony coverage under the GL policies.
Note the following comments from Judge Oing:
We are talking about the Internet now. We are talking about the electronic age that we live in… [B]y just merely opening up that safeguard or that safe box where all of the information was, in my mind…a publication.
One month later, on March 28, 2014, the FTC publicly announced settlements with two fairly well-known companies, Fandango and Credit Karma, relating to allegations that those companies misrepresented the security of their mobile applications. The thing is … neither company had actually experienced a data breach or cyber occurrence.
Regardless, the FTC asserted that the companies’ mobile applications failed to reasonably protect their consumers’ personal private information. In particular, the FTC cited the applications’ lack of appropriate data encryption and concluded that an unreasonable risk of a “man-in-the-middle” data intercept existed. No privacy data was actually compromised. The FTC’s cases merely argued that there could have been a breach and both companies settled the charges.
Exactly one week following that announcement, in FTC v. Wyndham Worldwide Corp., U.S. District Court Judge Esther Salas unequivocally confirmed the FTC’s authority to investigate and prosecute companies that fail to protect consumers’ privacy by failing to maintain appropriate data security standards.
The FTC brought suit against Wyndham alleging violations of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” The regulators alleged that Wyndham’s electronic reservation payment system was hacked on three separate occasions between April 2008 and January 2010. Each breach used similar techniques to access personal information, including customers’ payment card account numbers, expiration dates and security codes. The FTC alleged that Wyndham did not take appropriate steps after the first two breaches to prevent any further breaches of its network.
Wyndham filed a motion to dismiss the government’s complaint, arguing that the FTC lacks appropriate authority to assert an unfairness claim for data security. The court denied the application in its entirety, finding that the FTC Act, read in conjunction with the alphabet soup of other data and privacy laws (e.g., the Fair Credit Reporting Act (FCRA); the Gramm-Leach-Bliley Act (GLBA); the Children’s Online Privacy Protection Act (COPPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and several others), supplemented the authority that the FTC already possessed under Section 5.
The court also rejected Wyndham’s other arguments, namely that the FTC had to formally promulgate further regulations and standards before being able to prosecute claims relating to data breach or that there were not sufficient allegations of actual damages.
Two days later, on April 10, Kentucky became the 47th state in the Union to enact a data breach notification law. The new Kentucky law applies to any “Information Holder,” defined as a person or business entity that conducts business in Kentucky, including both those that own the personal information they maintain and those that maintain personal information for third parties.
The law requires notification of the affected class of a data breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement”. While the new law does not require notice to the Kentucky Attorney General or any other state regulator, it does require notification to the consumer reporting agencies, again without unreasonable delay, if more than 1,000 Kentucky residents are affected.
New Mexico is not far behind Kentucky. The State Legislature’s H.B. 224 mandates that organizations notify the affected class of a data breach within 10 days of discovering the breach. The law also requires notification to the state attorney general if more than 50 residents of the state are affected.
Finally, on April 23, Verizon issued its 2014 Data Breach Investigations Report (DBIR). Fifty organizations, both public and private, contributed information to the 2014 DBIR, compared to the 19 that contributed to the 2013 report. The dataset comprises over 63,000 confirmed data security incidents. The 2014 report features breaches affecting 95 different countries, an increase of 350 percent over the 2013 DBIR’s 27.
The DBIR researchers found that out of the 100,000 incidents analyzed in the last 10 years, 92 percent can be categorized into nine different patterns. Importantly, this report clearly demonstrates that cyber-loss of all kinds is dramatically on the rise.
Denial-of-service attacks, web application attacks, corporate espionage, insider espionage and even physical theft and/or loss have all seen sharp increases in both reporting and cost.
This is all just in 2014.
Like the Internet itself, the above items, while occurring individually in their own respective spaces, pursuant to their own organic processes, are very much interconnected with one another and the rest of the cyber-risk world. It is this interconnectedness that is expanding and maturing the cyber-risk industry itself. If the first part of this year is any indication, the cyber-risk world will continue this expansion and maturity into the foreseeable future.