Cybersecurity Insurance – Part 2: Major Corporations Are Paying the Price for Inadequate Cybersecurity

September 22, 2015

Data privacyA number of well-known multi-billion dollar companies have suffered major data breaches recently, resulting in hundreds of millions of dollars in losses. It is alarming how unprepared many of these companies were for cyber-attacks, highlighting the need for cybersecurity insurance. The following is an overview of the more high-profile cybersecurity breaches that have occurred in the last few years.

  • In April of 2011, a cybersecurity breach in Sony’s Play Station Network cost Sony an estimated $171 million. A lawsuit was brought against Sony on April 27, 2011 in Alabama, by Kristopher Johns, a Play Station user, on behalf of all Play Station users, alleging Sony “failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back online.” In July 2014, the court approved a settlement granting about $15 million in compensation to affected users.
  • Between November and December 2013, Target’s computer system was hacked, and credit and debit card information was stolen, in addition to the names, mailing addresses, email addresses and phone numbers of over 40 million customers. Target reported that it lost $148 million due to the breaches and their insurance covered 25% of this cost. Last month U.S. District Judge Paul Magnuson of Minnesota ruled that consumers can move forward with their nationwide class action against Target.
  • West LegalEdCenter CLE WebinarIn May 2014, it was first reported that eBay suffered a data breach in which identity information, including customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth for 145 million customers was exposed and stolen. In July 2014, a $5 million consumer privacy class action was filed against eBay in federal court in Louisiana, alleging that the security breach was the result of eBay’s failure to properly provide cybersecurity to protect the identity information of its customers. The proceedings are still ongoing with eBay recently moving to dismiss the proposed class action.
  • Home Depot announced in September 2014 the results of an investigation into a cyber-attack estimated to have put payment card information at risk for 56 million payment cards. While there is no evidence that debit PIN numbers were compromised, the attack is likely the largest breach of a retailer’s computer system to date.
  • In late November 2014, Sony Pictures was hacked, exposing a huge and wide ranging amount of sensitive information including employee passwords and medical information as well as movie scripts and unreleased films. Former employees filed multiple lawsuits alleging inter alia that Sony was negligent in not being more prepared for the attack despite warnings and prior breaches.

These incidents highlight how even major companies are vulnerable to cyber-attack.  No company can be confident that it can escape the pitfall of a large scale data breach without adequate cybersecurity and the protection of cybersecurity insurance.

In the next installment of this article I will examine the scope of coverage for cybersecurity incidents under general liability policies and some recent case law on the issue.

Titles by Daniel Garrie