: data loss lawsuits : Connecticut Business Litigation Blog

Home > data loss lawsuits >

Will Your Data Loss Be Covered By Insurance?

Posted on June 14, 2010 by N. Kane Bennett

I always recommend that businesses implement a plan for data loss, security breach, and privacy related to electronically stored information. As additional protection, I also typically recommend that businesses investigate additional insurance coverage. In particular, business owners with risk should investigate insurance coverage for first and third party claims arising out of a loss of data, security breach, or technology errors. These insurance plans are sometimes referred to as cyber liability or technology errors insurance. I have posted about these insurance plans in the past.

By obtaining the proper data loss insurance coverage, a business should be able to make an insurance claim for its own losses and, at the same time, have protection from lawsuits following a data loss incident. However, after reading a recent article by Jaikumar Vijayan from Computerworld.com, I suppose the critical words here are "should" and "proper" as it relates to insurance coverage for a data loss incident.

Jaikumar wrote an article about a Colorado insurance company that filed a lawsuit to deny responsibility for the University of Utah's 2008 security breach and data loss totaling $3.3 million in costs. Colorado Casualty Insurance filed a declaratory judgment lawsuit in the United States District Court of Utah (Download complaint here).

The University of Utah utilized a third party vendor, Perpetual Storage, Inc., for data storage concerning data on 1.7 million patients over 16 years at university hospitals and clinics. According to the lawsuit, the University of Utah incurred 3.3 million in costs to remedy the security breach and made a claim for reimbursement to Perpetual Storage. In turn, Perpetual Storage referred the matter to Colorado Casualty, its liability insurer.

In response to Perpetual Storage's claim, Colorado Casualty filed the lawsuit seeking a ruling that it did not have to provide Perpetual Storage with a defense to any claims brought by the University or reimburse the University for its damages. Perpetual Storage filed a motion to dismiss the complaint claiming that Colorado Casualty did not plead specific facts or mention particular insurance policy provisions. At this point, the outcome of the lawsuit is not clear.

The takeaway here for Connecticut business owners is that not every insurance plan will provide the proper coverage for a data loss, security breach, or technology errors. Whether Perpetual Storage had the "proper" coverage in place is not clear as the specific policies were not referenced in the lawsuit or the motion to dismiss. Nevertheless, the lawsuit serves as a reminder that business owners need to make sure the proper insurance coverages are in place. Do not assume that a general commercial liability policy will cover the specific risks of data loss, security breach, or technology errors. In fact, in most instances, a general commercial liability policy will not cover such risks.

Tags: Data Loss & Security Breach, cyber liability, data breach, data loss lawsuits, security breach, technology errors

Don't Get Rocked like RockYou - - Protect Your Customers' Personal Information

Posted on January 5, 2010 by N. Kane Bennett

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace. RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords. The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..." As such, RockYou may face liability for data exposures across other platforms.

Mr. Remillard notes that he has been warning site owners about the risks of holding PII information of consumers. I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach. If a business must store PII in its systems then a data loss and security plan must be in place to protect the data. In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of its customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment System. The vulnerability results from RockYou's SQL database,which relates to the actual storage method and management of millions of email accounts and passwords. The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCworld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes. He noted that RockYou stored the information in plain text words. In other words, once the hacker got inside RockYou's system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text.

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords. Encryption is the method used to make the passwords unreadable once the hacker gains access to the system.

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan.

Tags: Data Loss & Security Breach, PII, Privacy Laws, Rock you, RockYou, RockYou security breach, Technology, Unfair Trade Practices, data breach, data loss lawsuits, personally identifiable information, security breach

Health Net's Data Loss In Connecticut Was Theft

Posted on December 9, 2009 by N. Kane Bennett

Attorney General Richard Blumenthal issued a scathing press release related to Health Net's recent data loss and security breach. Blumenthal called Health Net's story on it "sanitized" and its six month delay in reporting "unconscionable." Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast serving approximately 580,000 members. A report by Lucas Mearian of Computerworld stated that the information stolen was a portable hard drive that had not been encrypted. Proper encryption could have prevented access of the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed. Thus far, there has been no report of identity theft or misuse of the information.

Tags: Data Loss & Security Breach, Privacy Laws, attorney general, data breach, data loss, data loss attorneys, data loss lawsuits, net health, security breach

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

Posted on September 23, 2009 by N. Kane Bennett

On Monday, I attended the Connecticut Privacy Forum hosted by Travelers. This Forum was a well attended inaugural meeting of privacy and data security professionals. I came away from the meeting very impressed with the panel of speakers and topics on the agenda. I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers.

In one of my earlier posts, I touched on some of the risks involved for businesses related to data loss and security breaches. I also offered some potential solutions. At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses. Here is a sample of some of the statistics from 2008 alone:

80 million records were compromised
580 data loss or breach incidents were reported
$202 per record was the average cost to business for loss or breach
47% of the incidents involved corporations or businesses
33% involved compromised social security numbers

The speakers also offered some of the solutions for businesses in terms of risk management and planning. The seminar further included a detailed overview of federal and state laws covering privacy rights and data security. You can access the presentation materials at ctprivacy.com

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years. Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Tags: Data Loss & Security Breach, Social Security Numbers, connecticut privacy forum, connecticut privacy laws, cyber liability, data breach, data loss attorneys, data loss lawsuits, privacy rights, security breach

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Posted on July 21, 2009 by N. Kane Bennett

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security. As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages. Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures. To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common. Obtaining insurance to cover losses from data loss can potentially save your business. Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases. Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania. The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases. However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy. If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim. Legal costs alone could be enough to sink a business, let alone the damages.

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach. How can you estimate the cost? One way to estimate the cost is to use a data loss calculator. You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising.

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach. In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower. Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today. Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors.

Technology 404 by Darwin.

CyberChoice by The Hartford

CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

Tags: Business Tech Tips, Class Action, Data Loss & Security Breach, Insurance, Technology, cyber liability, data breach, data loss, data loss attorneys, data loss lawsuits, security breach

Connecticut Business Litigation Blog

Raymond & Bennett, LLC

90 national drive

| Glastonbury, CT 06033 |

Phone:

860.633.0415

| Fax:

860.633.0438

Raymond & Bennett - Attorneys at Law

Connecticut business litigation lawyer & attorney Neyah Kane Bennett of Raymond & Bennett Law Firm, offering services for non-compete agreements, breach of contract, interference with contracts, severance packages, home improvement lawsuits, partnership and business disputes, cyber liability, privacy laws, data loss, technology errors, domain name disputes, defamation, slander, trade secrets, non-disclosure agreement, copyright infringement, software licensing, shareholder rights, business fraud, uniform commercial code, serving Hartford, Middletown, Glastonbury, East Hartford, Manchester, Wethersfield, Windsor, South Windsor, New Haven, Waterbury, Meriden, Rocky Hill, Berlin, Enfield, Bloomfield, New Britain, Southington, Bolton, Vernon, Rockville, New London, Milford, Bridgeport, West Hartford and the state of Connecticut.

Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Raymond & Bennett Law Firm : Hartford, Middletown, Glastonbury

Published By
N. Kane Bennett of Raymond & Bennett LLC

Commentary on lawsuits and legal issues impacting Connecticut businesses