New England Sys. Inc. v. Citizens Ins. Co. of Am., Case No. 3:20-cv-01743 (D. Conn. Mar. 3, 2022)

A federal court in Connecticut is considering an insurer’s request to toss out an IT service provider’s bad faith suit alleging the insurer improperly denied coverage under the company’s cyber policy for the loss of six customers following a data breach.

The dispute stems from an incident in which the insured’s clients notified the company of suspicious activity on its servers, which was later identified as ransomware. The impact was confined to the company’s accounting department, and the company was able to restore the data that had been encrypted from backups. The insurer claimed its insured’s operations “continued unabated” following the breach and there was no impact on the company’s ability to service its clients during this time, thus precluding coverage for the loss of income afforded for business interruptions under its policy. The company, however, said that as a result of its decision to use its own staff to remediate the malware, rather than hire an outside firm, it was unable to serve some of its customers, which led to a loss of six accounts. In response, the insurer contended that the company’s hardship was not the result of a loss of functionality, but rather that “too many of [its] customers were having issues simultaneously.” A ruling is pending.

The Takeaway

Most cyber policies require the use of panel service providers to handle incident responses, and any remediation activities undertaken in house require the insurer’s prior consent. Taking client-facing staff offline to deal with a cyberattack is something companies do at their own peril.
Local 353, IBEW Pension Fund, et al. v. Zendesk, et al., Case No. 21-15785 (9th Cir. Mar. 2, 2022)

A federal appeals court recently upheld the dismissal of a shareholder suit alleging a software company misled investors about its cybersecurity measures prior to announcing a 2019 data breach.

In their suit, the shareholders contended that previous statements by the company about its security being “of the highest quality” were deceptive and led to artificially inflated share prices. As a result, in the wake of the company’s announcement of the breach, the stock price dropped. In support of their claim, the shareholders pointed to cyber incidents in 2013 and 2016, the latter of which had gone undetected for three years and involved the compromise of at least 10,000 customer records.

The Ninth Circuit, however, held the shareholders failed to plead that the company’s officers acted with fraudulent intent. The court also concluded the company’s statements would not have led an ordinary investor to draw incorrect assumptions about the risk of an undetected breach. Notably, the court held the shareholders failed to plead facts “supporting a reasonable inference that either of those hacks was a prominent enough milestone in the company history that the average investor would be led to believe that every data security improvement directly followed them.”
The Takeaway

Causation matters. It is not enough for shareholders to point to a drop in stock price following a cyberattack. Plaintiffs must show that a reasonable investor would have been misled regarding a company’s security measures, and that this misrepresentation was material enough to impact a decision to trade the stock.

In a further indicator of stepped-up enforcement efforts, the Federal Trade Commission (“FTC”) recently settled an administrative complaint it filed against the parent company of an e-commerce platform, alleging the company failed to safeguard consumer information and covered up multiple data breaches. The proposed settlement would have the company pay a fine and also bolster its information security practices.

Some of the worrisome practices the FTC cited included Social Security numbers stored in plain text and poorly encrypted passwords and password reset answers. The FTC also alleged the company failed to implement common security protections and failed to respond to security incidents when made aware of them. One particular breach highlighted in the complaint allegedly resulted in the disclosure of millions of names, physical addresses and passwords, over 180,000 Social Security numbers, and thousands of credit card records, with a portion of this information ending up for sale on the so-called “Dark Web.” The complaint further alleged the company repeatedly ignored warnings from a variety of sources, including one from a foreign government, and did not notify impacted customers of the breach until months later. Moreover, the FTC contended the company misled users regarding the use of their email addresses, stating they would only be used for order fulfillment while actually sharing them for marketing purposes.

The Takeaway

This case makes it clear that the Federal government will not be a passive observer when a company’s lack of cybersecurity amounts to an unfair trade practice.