First of its Kind: Yahoo Settles Securities Litigation for $80 Million

Yahoo’s recently-announced $80 million settlement of its data breach-related securities lawsuit may be a signal that the plaintiffs’ bar is going to pivot away from pursuing these claims in the form of shareholder derivative lawsuits. In their ongoing effort to capitalize on large-scale data breaches, to date, plaintiffs have struggled to survive motions to dismiss in data breach-related derivative lawsuits (e.g. Target and Wyndham Worldwide). Although the plaintiffs in the Home Depot derivative litigation were able to extract a $1.125
Continue reading...

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing
Continue reading...

Insurers May Need a Doctor’s Note: Data Breach of Medical Records Triggers Coverage, Says Fourth Circuit

On Monday, April 11, 2016, the Fourth Circuit handed down a notable, albeit unpublished, decision with regard to an issue that has vexed the insurance industry, namely, do data breaches trigger a CGL insurer’s duty to defend under Coverage B? In Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., the Fourth Circuit determined, under Virginia law, the underlying class action lawsuit, indeed, triggered Travelers’ duty to defend. The underlying lawsuit was a class action complaint filed against, in
Continue reading...

Not If, But When: Another Health Insurer Hacked

In mid-September, it was reported that hackers hit another set of health insurance companies. In this case, the hackers hit The Lifetime Healthcare Companies and its affiliates including Excellus BlueCross BlueShield, Univera Healthcare, and The MedAmerica Companies. A full list of plans affected can be found on the press release outlining the details of the attack. Hackers took information on approximately 10 millions customers including seven million from Excellus and three million from associated entities. Company IT officials first discovered the intrusion
Continue reading...

NAIC Tackles Cybersecurity Including Proposed Consumer Cybersecurity Bill of Rights

In the wake of recent cyber breaches against major health insurance companies, the NAIC is undertaking three initiatives designed to “protect consumer information and educate the public about cyber risks.” First, on July 28, 2015, the NAIC’s Cybersecurity Task Force issued a proposed Consumer Cybersecurity Bill of Rights. This Bill of Rights contains 12 specific rights for consumers including: Know what type of personally identifiable information is being collected by the insurer and how long that information is being kept
Continue reading...

Federal Cyber Legislation – Hurry Up and Wait

In recent months, two more companies in the healthcare industry have been hacked. UCLA Health announced on July 17, 2015 that it was the victim of a “criminal cyber attack” and “as many as 4.5 million individual potentially may have bene involved in the attack.”  This comes on the heels of another attack in May 2015 against Medical Informatics Engineering whose subsidiary is NoMoreClipboard, an online medical information sharing service used by patient and physicians alike.  Both of these episodes
Continue reading...

Connecticut Supreme Court Makes Significant Ruling in Data Breach Case

The Connecticut Supreme Court made a very significant ruling yesterday in Recall Total Information Management, Inc. v. Federal Insurance Co., adopting wholesale the Appellate Court’s well-reasoned ruling that an insured’s loss of sensitive records, without more, does not constitute a “publication” of material that violates a person’s right of privacy. Notably, the Appellate Court held that absent proof of an unauthorized third party’s access to the personal identification information, the “publication” element of the Privacy Offense (under the definition of
Continue reading...

Cyber Breaches Prompt Government Action

The recent data breach at health insurer Anthem has sparked new legislation in Connecticut.   During the breach, at least 80 million records were stolen.  According to NBC News, among the 80 million victims, tens of millions of American children had their Social Security numbers, dates of birth, and health care ID numbers stolen.  In response, Connecticut state legislators are proposing legislation that would require health insurance companies to encrypt their customers’ data.   Connecticut’s proposed legislation is similar to recent legislation
Continue reading...