A federal judge recently dismissed a proposed class action brought by customers of a bank following a breach of customer login credentials, ruling the lead plaintiff failed to put forward any allegations that would give him “standing to sue.”
The bank had notified its customers that it had inadvertently exposed account usernames and passwords to some of the bank’s business partners. The bank maintained the disclosure was “immediately patched” and that it had seen “no indication of fraudulent activity.” The bank’s business partners agreed to delete the information mistakenly furnished to them, and affected customers were offered two years of free credit monitoring.
Although the plaintiff alleged he had to spend time changing login credentials to his other accounts and thwarting attempts to hack into his email, the judge found nothing in the allegations amounting to an “actual or imminent injury” necessary to establish standing to bring the lawsuit. The judge also said the plaintiff’s allegations, taken as true, failed to assert “any plausible link” between the coding error and the attempted hacks of the plaintiff’s email.
In dismissing the complaint, the judge concluded the plaintiff had not suffered any tangible harm. Although the plaintiff had argued that the value of his private data had been diminished as a result of the breach, the judge disagreed, reasoning that login credentials can be easily changed and lack “independent economic value,” unlike Social Security numbers, birthdates, and other “high risk” private information.
Courts continue to place a high hurdle in front of plaintiffs seeking to establish standing to sue in data breach litigation, but that does not negate the fact that these cases are costly for businesses to defend.
The coverage dispute arose after the company’s CEO received spoofed emails containing vendor invoices, which he ultimately paid after attempting (and failing) to voice verify the invoices with the vendor. The company sought coverage for the loss under its crime policy, which contained a sub-limit for “social engineering fraud” that was smaller than the limit available for “computer fraud.” The company sought to avail itself of the broader computer fraud limits, and ultimately sued its insurer for coverage.
The primary dispute in the matter was over what constitutes a “direct” loss, as defined in the crime policy’s computer fraud insuring agreements, and whether intervening actions, such as employees responding to fraudulent communications, break the causal chain and bar coverage. The court looked at the bad actor’s actions in isolation, and disagreed that those actions (i.e., “pressing send on spoofed email messages”) “directly” caused the loss. As a result, the court held that the loss did not meet the definition of computer fraud, and any entry or change to the computer system in reliance on a fraudulent instruction was specifically excluded under the computer fraud coverage. Rather, the loss fell squarely within the social engineering fraud coverage and its applicable sub-limit.
While this latest move by Lloyd’s is hardly a welcome development for insureds, not every cyberattack that contains a hint of state sponsorship is going to fall under the new exclusion. The attack has to significantly impair either the ability of the state to function or its security capabilities. And that is just within the territory of the intended target of the attack. Lloyd’s appears to be giving its syndicates latitude to decide whether to even apply the exclusion to computer systems outside that territory.