CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Posts Tagged ‘cyberattack’

City Hacks – Atlanta’s 2018 Cyberattack and the Growing Need for Cyber Liability Insurance

Posted on: February 12th, 2019

By: Matthew Weiss

Already a growing area of liability insurance for businesses, the importance of cyber insurance for local governments came to the forefront last March when the City of Atlanta suffered a malware attack in which its computer networks were hijacked by hackers seeking a ransom equal to $51,000 in bitcoin. The cyberattack left the City unable to perform basic services, including processing tickets in municipal court and providing Wi-Fi service at Hartsfield-Jackson International Airport. At one point, city employees were advised not to even turn on their computers.

While Atlanta’s cyberattack made national headlines, the role that cyber insurance played in its response has been largely undocumented. The City holds a cyber insurance policy with AIG, and the total cost associated with the cyberattack is believed to have approached $5 million.

Although Atlanta redacted key details of its cyber insurance policy, including its coverage limits, in response to press inquiries, the State of Georgia has acknowledged that it holds a $100 million cyber insurance policy, the largest of any state, covering more than 100 state agencies including every branch of state government except higher education. The policy was put to use when the Georgia Department of Agriculture’s computer system was infected by malware in December 2017, compromising the department’s computer system, including employee email and internal operation servers. The cost of the state’s response to the malware attack exceeded its self-insured retention of $250,000.

The recent experiences of the City of Atlanta and the Georgia Department of Agriculture exemplify the growing importance of cyber insurance for state and local governments. Governments are frequently considered prime targets for cyberattacks due to a lack of synchronization of government systems, the lack of harmonization among third-party vendors rendering services to those governments, and a dearth of qualified professionals employed by governments due to the fact that more lucrative careers are available in the private sector. Indeed, governments frequently assign cybersecurity to their IT departments, which are already overburdened and under-resourced. At the same time, as local governments become more digital, the impact of a cyberattack can become highly disruptive to the city’s operations, as the City of Atlanta’s experience showed. In fact, Forbes has reported that Lloyd’s City Risk Index estimates that the risk of cyberattack is the third most consequential threat to Atlanta and other North American cities, with a collective potential impact of more than $93 billion. Given these substantial risks, Lloyd’s concludes that cities and states should better utilize cyber insurance, with a 1% increase in insurance penetration resulting in a corresponding 22% decrease in the risk to taxpayers.

The growing need for cyber insurance among cities, counties, and states melds both the areas of local government law and insurance coverage and is certain to be a major growth area in the near future. Hopefully, Atlanta’s painful learning experience will better prepare other local governments in the months and years to come.

If you have any questions or would like more information, please contact Matthew Weiss at (678) 399-6356 or [email protected].

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) of Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…”(emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court Judge, for the Northern District of California, held off on sentencing of a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a near eight year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].

Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the first pronouncement on this issue from the high court in a data breach class action lawsuit, a move long-awaited by lower courts, lawyers, and their clients in order to gain more clarity on the application of prior decisions like Spokeo in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have reported here and here, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].