


Companies’ efforts to protect against ransomware attacks are paying off. According to an annual study conducted by a law firm practicing in the cyber arena, companies’ current cyber defense efforts, together with the work of supporting forensic investigators, threat consultants, and law enforcement agencies, have led to an overall decrease in attacks, faster network and database restoration, and a dramatic drop in the forensic investigation costs associated with ransomware attacks.
The success of these companies in combating cyber-attacks has resulted from efforts to strengthen internal access controls, including breach detection systems, which have allowed them to respond swiftly to a potential attack and mitigate any resulting damage.
Despite this success, cyber-attacks remain an ongoing threat. More importantly, the risk of litigation relating to companies’ potential violation of privacy statutes remains constant. The recent enactment of new state privacy laws has exposed companies suffering a data breach to further legal liability.


In April 2025, a large rental car company (the “Company”) announced that it had completed its data analysis relating to a data breach involving a software communications company (the “Vendor”) that occurred between October and December 2024. The Vendor provided the Company with file transfer services that were exploited by the Cl0p ransomware group through zero-day vulnerabilities within the platform. The Company concluded that personal information was taken in the breach, including names, contact information, dates of birth, credit card information, driver’s license information, and information related to workers’ compensation claims. The Company also concluded that a “very small number of individuals” may have had other information taken, including Social Security or other government identification numbers, passport information, Medicare or Medicaid IDs, or injury-related information associated with vehicle accident claims.
Subsequently, three class action lawsuits were filed against the Company in Florida and Illinois. Two of the lawsuits also bring claims against the Vendor. The complaints allege that the Company had a duty to secure customers’ private information and failed to do so. The plaintiffs bring several claims against the Company, including negligence, invasion of privacy, unjust enrichment, breach of implied contract, and violations of California law relating to the handling of customer records.
These lawsuits emphasize the need for companies to evaluate their use of file transfer platforms and the security those platforms provide. The circumstances surrounding the litigation highlight the risks of using file transfer platforms to handle confidential personal data and corporate information. Most notably, the breach of a single file transfer platform can give the threat actor access to the confidential data of numerous companies at once, which makes such platforms attractive targets for cyber criminals. We recommend caution for all companies using file transfer platforms and a general review of IT service providers for adequate security.


In a dispute between three insurers, a federal judge granted in part and denied in part a motion to dismiss filed by the insurers that issued a healthcare umbrella policy and a follow-form excess policy, in a lawsuit in which the cyber insurer sought contribution from the umbrella insurer.
The underlying claim involved a healthcare facility which had failed to disclose the presence of hidden cameras in operating rooms that were installed for drug theft investigation purposes. The facility was sued for fraudulent concealment, breach of fiduciary duty, invasion of privacy, and other violations and it tendered the matter to its cyber and umbrella policies. The cyber insurer exhausted its limits up to the second layer excess policy and then sought contribution from the umbrella policy.
The umbrella insurer argued that its obligations would only trigger after the limits of the cyber tower had been fully exhausted because the cyber policy was defined as “unscheduled underlying insurance” within the meaning of the umbrella policy. In turn, the cyber insurer argued that the umbrella policy was triggered by the acts or omissions and no exhaustion of the underlying insurance was needed to trigger that policy.
The cyber insurer argued that the umbrella policy’s retention definition required it to serve as a primary carrier despite the presence of a captive. The court agreed with the cyber insurer and denied the umbrella insurer’s request to dismiss this argument. The court explained that the cyber policy wording was sufficiently unclear to support the theory that the umbrella policy could serve as co-primary insurer.
Finally, the court was not persuaded by the cyber insurer’s assertion that, in the alternative to being a co-primary insurer, the umbrella policy shared the same level of liability as the first excess policy, making it a co-excess insurer. At the same time, the court rejected the umbrella insurer’s argument that, by the nature of an umbrella policy, such a policy is always inherently excess over all other excess policies. The court noted that the cyber insurer did not articulate its argument with enough support.
In sum, the court allowed the lawsuit to survive the motion to dismiss stage on one of the cyber insurer’s assertions, which leaves uncertainty as to how this litigation will unfold. Predictability around how coverage will operate requires good coordination between the “other insurance” and retention clauses across the various policies.


A federal court has denied a motion to dismiss a claim under the California Consumer Privacy Act (“CCPA”) in a class action against a bank alleging unlawful disclosure of customers’ personal information to third parties via tracking technologies. The court’s ruling could expand the CCPA’s private right of action for consumers beyond traditional data breaches.
Credit card users and applicants (the “Class”) brought a class action against a major financial institution (the “Bank”) alleging it violated the CCPA by allowing third parties to embed tracking technologies that transmitted users’ personal data without consent. The Bank argued that dismissal was appropriate because private actions under the CCPA have traditionally been limited to data breaches where unauthorized third parties steal information.
The court sided with the Class, broadly interpreting the CCPA’s reference to “unauthorized access and exfiltration, theft, or disclosure” of personal data to include unauthorized disclosure to third parties, even when there is no data breach. The court found that the Class had sufficiently alleged harm, as the website tracking led to the unauthorized disclosure of their personal information. This ruling is a departure from others limiting the private right of action to data breaches and could allow for a private right of action for disclosures of personal information without clear consent.
It bears noting that many cyber policies now contain express exclusions for wrongful data collection practices or website tracking. However, insurers still have a duty to provide a defense until a final, non-appealable, adverse adjudication is reached. Although this decision addresses the private right of action, it highlights the importance of cyber policies having language in their third-party insuring agreements that triggers defense coverage without requiring the occurrence of a breach.