Class action lawsuits present numerous challenges for both defendants and harmed parties. The costs of such lawsuits and the situations in which lead plaintiffs bring them often mean the only ones that benefit from them are the attorneys on both sides of the aisle. While legislators seek to remedy some aspects of class litigation, these suits continue to expand. Recently, they have expanded into the area of cyber crimes and data breach litigation.
Many businesses remain hesitant to purchase cyber insurance policies. Studies show fewer than a third of a businesses within the United States have specific coverage for their cyber risks. Yet losses resulting from those risks can easily reach catastrophic levels. This has left underinsured companies searching for unique recovery theories under their traditional insurance policies when suffering the types of losses that cyber insurance would cover.
Whether to purchase cyber risk insurance remains a big question for many companies. Recent studies have shown that only a quarter of U.S. companies currently have cyber risk insurance despite more than half of companies stating they expect to suffer a breach within the next year. These positions seem inapposite, but they appear to stem from doubts about the effectiveness and the extent of cyber coverage given its price.
Another major data breach at an American company worth billions of dollars has served to heighten cyber security concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from their system had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.
In the popular imagination, major cybersecurity events involve an elite hacker (or a group of them) employing a singular genius to crack complex computer codes and steal vital secrets or millions of dollars. The reality is that most hackers use a set of tools available for sale for shockingly small amounts of money. “Hacker schools” in places like Brazil and Russia can train someone who is relatively computer illiterate to use those simple tools to exploit vulnerabilities and gain access to sensitive information, whether it be trade secrets or personally identifiable information useful for committing identity theft.
The last few months have seen a series of high profile ransomware attacks strike businesses across Asia, Europe, and North America. Large numbers of businesses have seen significant losses as a result of these attacks. Losses have stacked up, and companies without cyber insurance are now facing hefty bills.
"When people consider cybersecurity, too often they think of high-level data encryption, secure sockets layers (SSL), and high powered firewalls and antivirus protection", says Charlie E. Bernier Principal Consultant and Cyber Insurance Expert at ECBM. "Yet overlooking simple steps to protect a company’s information technology resources can prove just as costly." Thinking through issues like adequate backup systems, employee training, and network setups can save a company millions of dollars. A series of outages at major airlines over the past year have highlighted the specific importance of planning backup systems properly. Delta Airlines, United Airlines, and Southwest Airlines have all suffered major information technology outages that canceled hundreds or thousands of flights cost these companies millions of dollars in revenue.
Equifax faced criticism after how the company reacted to a hack that was announced in September 2017. When dealing with a cybersecurity event, a quick response is necessary to minimize damages from the event. Delays can cause continued interruptions in day to day business processes the damage or loss of vital information; they can also make it harder to track down perpetrators and recover both data and money from them. To this end, most cybersecurity experts recommend that businesses put in place an incident response plan so that teams can act as quickly as possible after an incident instead reacting with a frantic, disorganized frenzy of activity.
While the world focused on the WannaCry ransomware attacks in early May, a number of news stories broke highlighting a different kind of cybersecurity ransom. Ransomware such as WannaCry lock you out from accessing your own files and will not give access back until you pay the ransom. More industrious and targeted hackers however prefer to steal specific targeted files and threaten to either release them publicly or sell them to competitors if a company does not pay the ransom.
When thinking about the potential to be sued, many attorneys imagine the possibility of malpractice lawsuits - suit brought by former clients alleging they did not do their job well enough. Few consider the possibility of lawsuits by adverse parties for issues such as malicious prosecution or abuse of process, which in a sense allege that the attorney did their job too well. Despite this, twenty percent of lawsuits filed against attorneys are filed by adverse parties. These cases can pose interesting challenges for attorneys and raise difficult questions under professional liability insurance policies.