
Illinois Federal Court Grants Neiman Marcus’ Motion

Once again, a court finds that data breach plaintiffs do not have the requisite Article III constitutional standing to pursue civil action against a retailer – itself the victim of a cyber attack. Last month, the United States District Court for the Northern District of Illinois, Eastern Division granted high-end retailer Neiman Marcus’ 12(b)(6) motion to dismiss a lawsuit arising out of a data breach the company suffered in 2013.

In Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sept. 16, 2014), Plaintiffs brought an action against Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violations of several state data breach acts.

In 2013, hackers breached Neiman Marcus’ computer network, resulting in the potential disclosure of 350,000 customers’ payment card data and personally identifiable information. Of the payment cards that may have been affected, it appeared that about 9,200 were subsequently used fraudulently elsewhere. Plaintiffs were among the 350,000 customers and alleged that Neiman Marcus failed to adequately protect customer data from breach, and failed to provide timely notice of the breach after it occurred.


Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, it’s as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.


Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company that provides comprehensive vulnerability and data breach intelligence services. Thanks Jake.

Rick

We are pleased to release our Data Breach QuickView report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents. The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to find any bright-side,” said Barry Kouns, CEO of Risk Based Security. “Four of the ‘Top 10’ data breaches all time, were reported in 2013, including the top spot.”


The Target Breach: Show Me The Insurance

The following article was first published by the Advisen Cyber Risk Network. If you haven’t checked it out, you should. It’s extremely informative. And I’ll be a regular contributor.

Cheers.

Rick

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply?  And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: cyber, privacy and technology (CPT); general liability; crime/fidelity; and directors and officers liability policies.


Canadians More Exposed Than One Would Think

Okay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.


Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, as with virtually every organic structure, their development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.


The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.


The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?


In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not in the clear. And things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).


And Now, the Maine Event: Mitigation Costs Constitute Damages in Data-Breach Case

Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).

In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Other financial institutions refrained from immediately cancelling the cards and instead monitored the accounts for unusual activity, in many cases cancelling the cards without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.


Identity Theft: Our Children At Risk

Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven-year-old child… a terrifying thought considering you are only 16 years old.

Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.

The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.
