An insured’s prompt detection of data breaches and deployment of countermeasures can serve to reduce potential liability by rebutting assertions that continued compromise of personally identifiable information was the result of negligence. Recent data breaches present a wake-up call for those whose systems and procedures are not designed and operated in way to detect such breaches in a timely manner.
In June 2015, the federal government’s Office of Personnel Management (OPM) announced that the personally identifiable information of more than four million federal government employees had been breached in December 2014. The compromise of the department’s systems was not discovered until April 2015. The delay in discovering the breach was attributed to a failure to configure security settings as strictly as they could have been. OPM officials advised that it was adopting additional procedures to guard against remote access and expanding the use of anti-malware software across the system. In other words, when someone decided more was needed to keep the barn doors closed, it was discovered the horses were already gone.
The five-month delay between the breach and its discovery at OPM mirrors delays reported in other cases. In July 2015, banks discovered a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels. Forensic investigators found that undetected malware allowed access to payment card information between May 19, 2014 and June 2, 2015, as that data was input into the payment card system used by the hotels. On Oct. 2, 2015, brokerage firm Scottrade Inc. announced that a data breach targeted the names and street addresses of more than four and half million clients. Scott Trade advised that the breach occurred between late 2013 and early 2014. Unlike the OPM breach, neither the Trump Hotels nor Scottrade discovered the breaches in their systems. Instead, the Trump breach was discovered by the banks that issued the compromised cards, and the Scottrade breach was brought to the company’s attention by the FBI.
These recent cases appear to illustrate the risk posed by a failure to adopt measures that aggressively monitor systems that collect and store sensitive personal information. Criminals deploying malware adapt and modify their tools to evade the commercial software used to protect data systems. As a consequence, the standard of care that will apply to the defense of breach claims is constantly evolving with the nature of the technology employed by criminals and those who seek to thwart them. One thing is clear, however. Organizations that address the potential liability posed by a breach of cybersecurity as an “IT” issue limited to buying and installing software and periodic upgrades are unlikely to know it is time to upgrade their software, procedures, and practices until after a breach occurs
In April 2015, version 3.1 of the Requirements and Security Assessment Procedures for the Payment Card Industry Data Security Standard (PCI-DSS) were promulgated. The PCI-DSS applies to all entities involved in payment card processing and all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. However, portions of the standards illustrate expectations that have a potentially wider application as a reasonable exercise of the care that should be employed by those who collect and store personal information. These published standards require that all systems be protected against malware with regularly updated anti-virus software or programs; that secure systems and applications be developed and maintained; that all access to network resources be tracked and monitored; and, perhaps most important to those who wish to lower their risk of liability for breach and subsequent allegations of negligence, that security systems and processes be regularly tested.
Taken together, these standards go to the heart of the need to treat information security as an ongoing, daily effort that includes constant monitoring of information systems and regular tests of the security that has been employed. For risk managers looking at potential exposure for claims based on the loss of personally identifiable information and insurers that are underwriting that risk, the danger posed by a lack of measures that can detect a breach when it occurs and respond should be a warning bell that is already ringing.