The one certainty in cybersecurity is that the new adage "Get Comfortable Being Uncomfortable" universally applies. 2017 was punctuated by infamous ransomware attacks, like WannaCry, and ginormous cyberattacks at the likes of credit giant Equifax and rideshare behemoth Uber. While management and corporate boards are grappling with the dizzying speed at which cybersecurity concerns arise, judicial and regulatory bodies are stepping up to meet the demand for guidance on the formulation of best practices that should underlie reasonable risk management strategies.
The Courts Speak on the Viability of Data Breach Class Actions
This year U.S. courts offered counterpoints to questions surrounding the viability of claims, mostly massive class actions, in the wake of a cyber event. As PLAN reported, the Eighth Circuit held in Kuhns v Scottrade Inc. that victims of a securities brokerage firm data breach had Article III standing for their contract-related claims. The court nonetheless affirmed dismissal with prejudice because the class action complaint failed to plausibly allege the actual-damage element of the breach of contract claim. The court could not see its way clear to allowing massive class action litigation based on nothing more than "allegations of worry and inconvenience."
The injury element, which is often simply the possibility of future harm such as identity theft, is the most significant impediment to plaintiffs' class actions. In In re SuperValu, Inc., the Eighth Circuit stayed true to itself and the Second and Fourth Circuits, finding that the threat of fraud from the theft of grocery store customers' credit card information did not meet the standing requirement that an injury be concrete, particularized, and actual or imminent.
Advancing an opposing view, and one that expands the risk landscape, earlier this year PLAN reported that the D.C. Circuit reinstated a class action against health insurer CareFirst. In Attias v Carefirst Inc., the court found a substantial risk that an impostor could impersonate an individual who fell victim to the CareFirst breach and obtain medical services in his or her name. This, the court reasoned based on experience and common sense, was true even if the impostor only had access to the victim's non-financial information. These substantial risks of harm exist simply by virtue of the hack and the nature of the stolen data. However, the law in the D.C. Circuit is still evolving, as demonstrated by the court's refusal to extend CareFirst in In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1 (D.D.C. 2017), appeal to the D.C. Circuit filed November 15, 2017.
Major Settlements and Data Breach Responses
The company at the center of one of the most famous health insurer breaches, Anthem, kicked off the summer with a $115 million settlement of the claims that resulted from a computer hacking incident exposing the personal information of nearly 79 million consumers. The settlement has been preliminarily approved and awaits final approval this February. The Anthem settlement followed the $18.5 million Target data breach settlement in May. In each case, the companies offered the remedy of long-term fraud and identity theft protection to victims.
With actual harm being at the center of post-data breach disputes, the prompt offer of fraud and identity theft protection to victims has emerged as the prudent, "go-to" response. While the irony of the Equifax breach is not lost in this regard, this practice appears to reduce exposure as well as undermine, if not completely prevent, subsequent claims for damages.
2017 Regulatory Initiatives
No one had to hack the New York Department of Financial Services to learn it has taken the lead in the nation's cybersecurity regulation. Effective in March, it instituted first-of-its-kind rules for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities that call for the undertaking of operational, compliance, and risk management measures. The agency also suggested these rules may serve as a compliance guideline for entities not covered by them but that seek to tighten their own cybersecurity measures.
The National Association of Insurance Commissioners also got into the act by adopting the Insurance Data Security Model Law this summer. The model law creates rules for insurers, agents, and other licensed entities, and covers data security, investigation, and notification of breach, including maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches, and notifying regulators of a cybersecurity event. Even if enterprises do not find they are covered under these rules and regulations, cybersecurity experts recommend adherence as the most tangible example of best practices as formulated by leading regulators.
Final Note
Lest we think we are starting to see some semblance of certainty, 2018 opened with news of what is believed to be the most pervasive threat to global cybersecurity to date: the world's computers contain hardware security flaws that "could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks." These defects are not amenable to a remedial software fix or "patch," leaving even the most sophisticated organizations vulnerable to data breach.