PCBB Banc Investment Daily September 21, 2017

New Class Action Ruling On Cyber Risk

The top 10 most expensive homes for sale in the US add up to almost $2B. The home that tops the list is worth $350mm in Bel Air, CA. It is on a sprawling 10.3 acres and its claim to fame is that it served as Jed Clampett's home in the television show The Beverly Hillbillies. But, one of the most interesting listings was a home in CO that boasted "real dinosaur footprints" on the property. No matter what size home you live in, you might need to move to something more expensive when it comes to protecting your bank against cyber risk these days.
We say this because even without the Equifax debacle, data breaches are running 29% above last year, according to a recent report by the Identity Theft Resource Center and CyberScout. At this pace, the ITRC expects the number of breaches could reach 1,500 by the end of the year. If so, this would represent a 37% increase over a record-breaking 1,093 in 2016.
We don't report this to scare you, but rather only to reinforce how important it is for all banks to set high cybersecurity standards. Setting the bar high could be even more important in the wake of a recent federal appeals court decision, which could set a precedent for other data breach litigation.
The case stems from a 2014 cyberattack against CareFirst Blue Cross Blue Shield, which affected the sensitive data of roughly 1.1mm people. Plaintiffs sued the insurance company, claiming CareFirst knew or should have known about the breaches earlier than it actually alerted customers and that class members lost - or stood to lose - money and property as a result.
The District Court in Washington, DC dismissed the case, ruling plaintiffs had not alleged either a present injury "nor a high enough likelihood of future injury," according to media reports.
Recently, however, a unanimous three-judge panel revived the lawsuit. The court ruled that a "substantial risk" of harm exists because the plaintiffs' information was hacked. This is true, even if no actual harm has ensued due to the breach. While there's no guarantee class members will win, attorneys suggest that the ruling sets a precedent for other data breach cases and could ultimately result in higher settlement amounts or more costly litigation defense.
While every breach situation is different, the CareFirst case is troublesome because it could signal companies will be on the hook for more money. This precarious situation highlights the need for banks to be even more vigilant about security efforts.
For starters, you need to make sure you have appropriate technology in place to be able to detect attacks. Second, the case reinforces the importance of performing regular and frequent security assessments. CareFirst spotted the issue and thought it had resolved it, but by the time the company performed its next assessment, several months had passed, and only then did it realize it wasn't really in the clear.
While it can feel like the hackers are always one step ahead, banks have to stay as current as possible in their defense systems. Consider that hacking (a broad category that includes phishing, ransomware/malware and skimming) was the leading cause of data breaches in the first half of 2017, according to the ITRC report. The findings show that 63% of the overall breaches involved hacking as the primary method of attack. Employee-related breaches were the second highest category and include purposeful and negligent actions leading to a breach.
The ways and means thieves use to snatch customers' data change constantly, so banks' methods have to shift as well. The price of not moving on up in cyber is clearly getting more expensive all the time.