The European Union (“EU”) affirmed the adequacy of the EU-US Data Privacy Framework (the “DPF”) and rejected the belief that the DPF lacked adequate protections for the transferred personal data of EU citizens. The DPF is the latest arrangement between the EU and the US to facilitate a seamless flow of data across both regions.
The DPF was finalized in the summer of 2023 and was designed to address concerns around government surveillance by the US, as well as to provide avenues of consumer redress for citizens of the EU. Currently, thousands of companies rely on the DPF for data transfer. Compliance is being monitored by the US Federal Trade Commission (the “FTC”). Opponents of the DPF have focused on the current US administration’s firing of several key members within the FTC who were responsible for addressing surveillance concerns, and have called into question the independence of the Data Review Court and whether it is currently free of any outside political influence.
In response, the US has stated that the DPF is operating as intended and the FTC continues to protect European consumers’ data. Despite the likelihood that the DPF will be challenged once again, it is critical that US companies continue to comply with the DPF and maintain cyber insurance that offers protection for potential claims that may arise.


An appeals court affirmed a lower court’s decision and held that a cyber policy must afford coverage for an insured’s loss that resulted from a post-breach fraudulent transfer because the preposition “for” was broad enough to afford coverage for a third party claim that resulted from a security breach.
In the underlying action, a threat actor (the “Actor”) gained access to an insured’s computer system and email. Once in the system, the Actor obtained and altered an invoice from a third-party vendor (the “Vendor”) and changed the account numbers on the invoice to fraudulent account numbers. The Actor posed as a senior account manager of the Vendor and sent the fraudulent invoice to the insured for payment. After receiving the fraudulent invoice, the insured wired the Actor millions over five different transfers. As a result of the fraud, the insured never paid the Vendor, and the Vendor sent a letter to the insured demanding payment pursuant to their contract.
The insured reported the claim to its cyber carrier, requesting that the carrier “investigate, defend, and indemnify” the insured for this third-party claim. The carrier denied coverage on the ground that the unpaid invoice did not trigger coverage. The carrier further contended that, even if coverage were triggered, the “loss of money” exclusion (the “Exclusion”) barred coverage for “any loss, transfer or theft of monies, securities or tangible property of the insured or others in the care, custody or control of the insured organization” and “the monetary value of any transactions or electronic fund transfers by or on behalf of the insured which [was] lost, diminished, or damaged during transfer from, into or between accounts.”
The policy’s third-party liability coverage specified that “coverage is provided for damages; and claims expenses that [the insured] is legally obligated to pay because of a claim against [it] during the policy period for . . . a [s]ecurity [b]reach.” The carrier argued that this third-party coverage applied only to claims directly “for” the security breach itself. The carrier further argued that the underlying claims were for breach of contract that was “caused by” a security breach, which, according to the carrier, was not a claim “for” a security breach.
The lower court, siding with the insured, held that the underlying claim was “for . . . a security breach” covered by the policy because the claim “arose from a security breach and flowed from a security breach.” The lower court also rejected the carrier’s argument as to the Exclusion, noting the funds were in the care, custody, and control of the insured’s bank and not the insured. The appeals court affirmed and relied on the definition and use of the word “for” and found the phrase “for a security breach” to be ambiguous. Thus, the court construed the language in the insured’s favor, finding coverage. The court also agreed that the Exclusion did not bar coverage because a reasonable insured could conclude that the Exclusion did not apply to funds held at a bank and the money transferred did not lose value during the transfer.


A federal court of appeals held that a subset of individuals in a proposed data breach class action have standing to continue litigating their claims over the alleged publication of their personal information on the dark web.
In the underlying matter, an insurance company (the “Company”) designed an online quoting platform that auto-populated certain personally identifiable information (“PII”), such as driver’s license numbers, names, addresses, and dates of birth. Unfortunately, an unnamed hacker breached the Company’s network and compromised the driver’s license numbers of millions of people. Following notifications to the millions affected, several individuals (the “Individuals”) brought a putative class action against the Company. It was ultimately decided that only some of the Individuals were able to show not only that their data had been stolen, but also that their driver’s license information had been posted on the dark web.
The court relied heavily on the fact that some PII was published on the dark web following the breach. Specifically, the court held that some of the Individuals failed to demonstrate they suffered any actual harm because the information was only accessed during the breach and not published on the dark web. Thus, the Individuals whose PII was published on the dark web have standing to sue and may continue to litigate their claims.
This decision highlights the importance of cyber insurance and the potential coverage for privacy liability and network security liability. Businesses are not only susceptible to data breaches, but their clients and potential customers are also in danger of having their personal information disseminated to the masses.


In a consolidated class action stemming from events beginning in 2021, one of the most widely used health and wellness applications (the “App”) was sued by a class of users (the “Users”) for multiple privacy violations. The lawsuit alleged common law invasion of privacy, including intrusion upon seclusion, breach of contract, and violations of California statutory protections. Alongside the App itself, several technology companies were also named (the “Tech Companies”).
Prior to using the App, the Users had to answer a series of highly personal questions related to their gender identity, sexual and gynecological health, menstrual cycles, and pregnancy goals. The purpose of this intake process was to enable the App to deliver personalized health and wellness guidance. The Users were explicitly assured that their responses would remain private and confidential, and that no information would be shared with third parties without their consent.
Contrary to these representations, the App contained embedded code (software development kits) that transmitted the Users’ sensitive health data to the Tech Companies without the knowledge or consent of the Users.
One of the Tech Companies chose to proceed to trial, where the jury sided with the Users and found that the Tech Company had violated the California Invasion of Privacy Act, commonly referred to as CIPA, which prohibits unauthorized interception of confidential communications. This verdict marked a significant affirmation of digital privacy protections under California law, especially in the context of health-related mobile applications.
Following the trial, the App and the remaining Tech Companies entered into a settlement agreement with the Users. Although the full details of the settlement are unknown, the settlement is expected to approach $60 million. In addition to financial compensation, the App agreed to implement enhanced privacy protections and will display a prominent notice on its website affirming its privacy practices for one year following final approval of the settlement.