Cybersecurity litigation is currently at a crossroads. Courts have struggled in these cases, coming out in wildly inconsistent ways about whether a data breach causes harm. Although the litigation landscape is uncertain, there are some near certainties about cybersecurity generally: There will be many data breaches, and they will be terrible and costly. We thus have seen the rise of cybersecurity insurance to address this emergent and troublesome risk vector.
I am delighted to be interviewing Kimberly Horn, who is the Global Focus Group Leader for Cyber Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions. She also has extensive experience managing class action litigation, regulatory investigations, and PCI negotiations arising out of privacy breaches.
Kim also manages claims arising out of technology E&O, intellectual property, and media liability. Kim has spoken at numerous national and regional forums on issues of privacy, computer security and insurance. Prior to joining Beazley in 2010, Kim spent over eight years as a practicing attorney in New York City at a large international law firm and a national litigation boutique, specializing in complex commercial litigation.
I’m especially interested in the issues Kim deals with because I wrote about cybersecurity litigation in an article with Professor Danielle Citron called Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018).
SOLOVE: You’ve been involved with cybersecurity litigation for a long time. What changes have you seen in the law and in litigation strategies over the past five years?
HORN: In my nearly eight years at Beazley, I have witnessed the maturation of the data breach class litigation landscape, though the law remains as unsettled as ever. Not all data breaches are created equal, and the facts that form the foundation of some of the most widely publicized breaches do not easily lend themselves to cognizable damages, yet there is a great deal of variation in how the federal judiciary applies the litmus test for Article III standing in data breach class action litigation.
The diverging conclusions drawn by the circuit courts in recent years, with respect to when the risk of future harm confers Article III standing, has not only created a circuit split, but to some degree it has had a chilling effect on defendants’ desire to litigate beyond an unsuccessful motion to dismiss.
While some organizations successfully appeal adverse rulings on standing, and others are successful challenging complaints that fail to state a claim pursuant to FRCP 12(b)(6), some organizations opt to settle data breach litigation before engaging in costly discovery. Certainly, these cases can and have been won beyond the initial motion stage, with defendants litigating through discovery and seeking summary judgment or opposing class certification.
It should be noted that collective actions in international jurisdictions are also on the rise, especially in Canada and the United Kingdom. We will continue to watch legal developments in these jurisdictions closely as the international cyber market matures.
SOLOVE: What trends are you seeing in the settlement of cybersecurity litigation?
HORN: The structure of data breach settlements has evolved beyond the traditional class action settlement model, in which a large fund is divided evenly among class members. Gone are the days of paying the entire putative class pennies on the dollar, or setting up cy pres funds that see unused settlement funds revert to a charitable organization. In the alternative, experienced defense counsel have found creative ways to offer plaintiffs tangible benefits that will pass court muster, without creating un-capped exposure in a drawn out settlement administration process.
To that end, recent settlements create a model that actually addresses the chief concerns promulgated in the complaint, namely data security measures and protecting consumers against the future risk of harm, no matter how far-fetched. Depending on the type of data compromised in the underlying breach, and the manner in which it was exposed, these settlements have ranged from agreed-upon network security enhancements only, to establishing a claims process to compensate class members for documented damages and/or out of pocket expenses. The total amount recoverable through this process is often capped and, in cases where sensitive personal information was potentially compromised, the affected class members are typically offered credit or identity monitoring.
SOLOVE: The SCOTUS Clapper case seemed at first to undermine many class action data breach lawsuits. But cases since Clapper seem to be just as inconsistent than as before. What is the impact has Clapper made at this point?
HORN: While SCOTUS has never reviewed a true data breach case, the court’s decision in Clapper v. Amnesty International (2013) clarified the standard for the most litigated prong of the litmus test for Article III – namely, what constitutes injury in fact?
To establish injury in fact, plaintiffs are required to show concrete and particularized harm. Clapper clarified that concrete harm is actual or imminent, not conclusory or speculative, and it must have already occurred or be “certainly impending”. To be particularized, the harm must impact the plaintiff in a personal and individual way. Despite SCOTUS’s guidance, since Clapper, there has been a fair amount of inconsistency in the way the district and circuit courts have interpreted the injury in fact requirement. The question of exactly what type of harm must be plead in a data breach case to sufficiently allege injury in fact is certainly ripe for SCOTUS review, and the court will have another opportunity to consider this question if it grants certiorari in Stevens v. Zappos.
The concern, of course, is that we’ll never have a one size fits all roadmap for cognizable harm, because each data breach case is so factually unique. But, if SCOTUS goes beyond reiterating the litmus test, and opines on whether the specific facts of a data breach case overcome the standard, the impact will be immense.
SOLOVE: What are the major trends and new developments in cyber insurance that you’ve seen over the past five years? What is your view of what the future will look like for cyber insurance?
HORN: I have seen the exponential growth of the cyber market, a significant expansion of cyber coverage, and the evolution of cyber threat vectors. While Beazley still sees data breaches arising from unintentional disclosures and lost electronic devices, the vast majority of events stem from intentional criminal activity designed to either steal sensitive data or divert money from unwitting organizations. I think the future will see an increase in the already alarming number of cyber extortion events, as well as more of a focus on business interruption, data destruction, supply chain issues and other systemic risks. The result will be a shift in cyber policies to focus on more bespoke catastrophic coverage which accounts for gaps in traditional property and casualty programs.
SOLOVE: Does cyber insurance cover regulatory costs, such as the cost of investigations, fines, and compliance with consent decrees? If so, what would you recommend for companies to do to avoid regulatory entanglements (beyond not having breaches, of course)?
HORN: Yes, cyber policies such as Beazley’s cover the costs to defend against a regulatory inquiry or more formal investigation in connection with certain types of privacy incidents or events, as well as the monetary fines associated with a civil monetary penalty or resolution agreement/consent decree. Cyber policies typically do not cover the costs to implement and/or comply with corrective measures set forth in a resolution agreement/consent decree.
Avoiding regulatory scrutiny in the wake of a well-publicized event can be hard, but the organizations that traditionally fare the best comply with relevant notification requirements, carefully craft public statements, and work cooperatively with regulators. It also beneficial when organizations have robust risk management policies and procedures, conduct regular risk assessments, and work diligently to address inadequacies – whether it is physical or cyber security, employee training, or vendor management procedures.
SOLOVE: To what extent does privacy factor into cyber insurance? Do you cover costs of privacy violations? If so, which costs? Are you seeing claims based on privacy?
Privacy violations arising from the alphabet soup of consumer protection statutes, a company’s lack of regulatory compliance, and/or intentional business practices are typically not covered, though in some cases the duty to defend may be triggered.
SOLOVE: What are some things that professionals should know about cyber insurance? Are there some myths that should be dispelled? Are there some things that are covered and are not covered that people aren’t often aware of?
HORN: Cyber insurance is not your typical insurance. Cyber carriers like Beazley offer comprehensive solutions to complex problems, and partner with policy holders to provide strategic, practical advice. Cyber policies do much more than pick up the tab when the dust settles at the end of a cyber incident. There are 24/7 breach reporting hotlines, an in-house team of privacy professionals who provide guidance through incident investigation and response as well as offer pre-incident risk management tools and post-incident remedial assistance, and the collective experience of a cyber claims team in managing multi-district class action litigation, regulatory investigations, and providing real time assistance negotiating cyber extortion threats and getting policy holders back up and running after an interruption in their business.
The exponential growth in the cyber insurance market over the past decade has led to an expansion in coverage, with many policy holders not realizing that their cyber policy provides coverage for: data breach investigation and response; third party liability; regulatory liability; PCI fines and assessments; cyber extortion, data restoration; business interruption; and, in some cases, losses arising from social engineering.
Policy holders should welcome, not resist, recommendations from their cyber carriers, because we harness our experience to provide practical advice, and leverage our international network or experts to provide global solutions. At Beazley, we have managed over 10,000 cyber incidents since 2009 alone, including many of the most severe events in the past decade.
SOLOVE: Have the risks and costs of cyber incidents become more predictable over the years? Is underwriting easier these days than before? Is underwriting for cyber any more or less challenging than underwriting for other kinds of risks and losses?
HORN: While the risks associated with cyber incidents are ever evolving and often difficult to predict (though doomsday scenarios are widely discussed), certain costs associated with cyber incidents have become somewhat formulaic due to negotiated rates with expert vendors who provide incident response services to our policy holders. It’s become much easier to predict the costs associated with data breach investigation and response, though the liability costs associated with a cyber incident (litigation, regulatory, PCI assessments) vary widely depending on the factual circumstances of the event. Finally, the costs associated with the interruption of a company’s business operations depend on the type of company and number of hours the company is down.
Underwriting cyber risks continues to pose challenges because increased competition has resulted in an expansion of coverage, and there is little historical precedent for how this will ultimately impact profitability. While cyber risks can be harder to underwrite to than other more mature lines of business because the data analytics continue to evolve, the baseline metrics for evaluating any one specific organization’s cyber risk – types of data, information security training, tools, process, and culture – are generally more similar than technology E&O risks, by way of comparison.
SOLOVE: You used to be a litigator and now are a Global Claims Team Leader at Beazley. How are these roles different? What kind of legal careers are available at insurance companies in the area of cybersecurity?
HORN: While I still advocate, strategize and read legal memoranda on a daily basis, I am not as often in the trenches with the details; rather, big picture strategy is where I add more value, and my in-house role at Beazley has given me a much better appreciation for the commercial aspects of doing business. My eight and half years as a big firm litigator prepared me to identify issues, think strategically, write persuasively, and break big concepts down into decipherable sound bites, all things that are critical to working in the ever-evolving and fast paced environment that is cyber insurance.
Beazley regularly hires attorneys to manage claims, act as team counsel to advise on policy wordings, underwrite risks and provide cyber-related risk management and incident response services. Insurance brokers also regularly hire former coverage lawyers as claims advocates and policy wording specialists.
SOLOVE: Thanks, Kim, for your interesting and insightful answers.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the International Privacy + Security Forum (April 3-5, 2019 in Washington, DC), an annual event designed for seasoned professionals.
This post was originally posted on LinkedIn.