ABA Banking Journal - September/October 2016 - (Page 18)

> LEGAL BRIEFS
>
> Data Theft Damages: Who Pays?
>
> BY DAWN CAUSEY, THOMAS PINDER AND ANDREW DOERSAM
>
> When it comes to data breaches, the hack of the archaic Myspace, the failed social media platform that was rendered obsolete by Facebook, proves nothing is safe. After Time Inc. acquired Myspace earlier this year, it discovered that in June 2013, a hacker named "Peace" stealthily stole username and password information from 360 million accounts. The question posed by this particular breach is simple: did it matter? Was anyone injured as a result of the breach and, if so, did Time Inc. have cyber insurance that covered it? These are the same questions financial institutions of all sizes should ask themselves when confronted with a data compromise, whether it is their own data or that of some other vendor or merchant.
>
> Companies spend approximately $2 billion annually purchasing cyber insurance premiums with varying degrees of success, as reflected in current case law. For example, Medidata, a research technology company, sued its insurer for failing to cover $4.8 million in losses caused by an email scam that impersonated the company's CEO. The email included the CEO's picture and a "cc" to a pseudo attorney. After several email exchanges and phone calls with the scammers, a Medidata employee transferred $4.8 million to an account in China. The insurer argued that its $5 million policy only covered hacking, not voluntary transfers of money. In March, the judge ordered more discovery and refused to issue a ruling, claiming the record was insufficient regarding the manner in which Medidata's database was compromised.
>
> P.F. Chang's 2014 data breach resulted in a mixed outcome from its insurer. While P.F. Chang's recovered $1.7 million for claims directly resulting from the data breach, the insurer refused to reimburse an additional $2 million in fees and assessments charged back by MasterCard to its payment processor, BAMS. An Arizona federal court sided with the insurer and denied P.F. Chang's claim for reimbursement. The court ruled that the contractual liability exclusion barred recovery because P.F. Chang's agreed that its credit card acquirer could charge back the credit card brand costs and assessments.
>
> Depending on the nature of the breach, victims may find it difficult to demonstrate any actual harm resulting from their compromised information. Potential data breach plaintiffs, such as the former Myspace users, commonly claim they have standing to sue based on the risk of possible injury and expenses incurred dealing with that risk. Although most of the Myspace accounts were dormant, many of the users may still be using the same or similar username and password combination on other websites.
>
> However, the Supreme Court's recent decision in Spokeo v. Robins made clear that plaintiffs who claim statutory violations but have not suffered any real harm do not have standing. Although Spokeo did not involve a data breach, the Court examined the level of harm required for a successful pleading. The Court held that a plaintiff must allege an injury that is both concrete and particularized; in other words, real and tangible. Although the risk of real harm may satisfy the concreteness requirement, the Court explained that bare allegations of a statutory violation, such as the publication of an incorrect zip code, would not qualify as a concrete injury.
>
> This new standard was recently applied by a Maryland federal court in Khan v. Children's National Health System. That court ruled that plaintiffs must allege an injury showing actual or intended misuse of personal data for identity fraud in order to sue.
>
> Case law is evolving concerning data breaches. Insurance coverage cases are becoming more frequent and suggest the need for a clear understanding of what is and what is not covered. On the other hand, a breach is not an automatic payday for plaintiffs just because it occurs. Real, demonstrable harm is required. Are we Myspace accountholders truly injured consumers or just remnants of outdated technology? Time will tell.
>
> DAWN CAUSEY is general counsel at ABA, where THOMAS PINDER is SVP for litigation and ANDREW DOERSAM is a paralegal.
