Litigation and insurance coverage for cyber fraud
February 2016 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
Tracing the origins of cyber crime, including hacking and distributed denial of service (DDoS) attacks where legitimate sites are bombarded by access requests, can be difficult if not impossible. Often the trail ends at a server farm in a difficult jurisdiction such as Russia or the Middle East or comes from infected computers around the world. This makes determining the culprits through forensic electronic analysis almost impossible. Despite the high-tech nature of cyber fraud, often more traditional methods of investigation, reasoned deduction and litigation, not elaborate new theories, are needed to bring cyber attacks under control and to seek remedies for corporate victims. Insurance that would cover litigation related to cyber fraud should reflect traditional litigation risks.
While some phishing (email scams to get relevant personal information that can be used to make more credible approaches to unwitting customers of a legitimate company) and cyber attacks may be random, others are targeted at a company for a specific reason and are much more focused on injuring the company-victim. Malware and account takeovers often occur where a business dispute or feud is brewing. It is often possible to determine the origin of these focused attacks through more traditional legal analysis and investigation.
One recent example involves an internet-based business that had been in a dispute with a competitor in an Eastern European country. The internet business was shut down by DDoS attacks on several occasions over the span of several months. The exact origin of the attacks was impossible to determine, even for the business’s sophisticated IT department. Ultimately, however, individuals controlled by the competitor approached the attacked business to, depending on how it is viewed, mediate a dispute or extort money, and the origin of the attacks became clear. Through careful preparation for the various meetings with the competitor, evidence was obtained that not only resulted in a conviction of the criminals who were acting on behalf of the competitor but ultimately linked the competitor to the attacks.
Victims of hacking attacks often wonder why, when the hackers had access to the company’s computers, they stole nothing more than customer lists. While these lists could be used for more nefarious purposes, such as selling the credit card numbers of the customers, often the attack is much more focused. For example, we have had clients who have had their customer lists stolen, only to find that their competitors had used more detailed information obtained in the breach to target these customers more specifically, with credible details, through internet advertising or spamming. Criminals may find hacked direct data access more efficient than phishing schemes, so that they don’t get tagged as spammers and blocked or disregarded.
A botnet, or collection of zombie computers that have been taken over by virus scripts or software that can be activated by remote instructions, can bring havoc to those virus-infected computers as well as other computers through spamming or DDoS attacks.
Pharming, where criminals host fake websites by redirecting business inquiries from legitimate website addresses to fake ones, often by inserting a slight variance of a letter in a website address, can again often be traced to routine low-tech business and competitive disputes.
Obtaining adequate insurance coverage for cyber fraud requires careful coverage negotiations. Discussions may be related to the period of time that will be covered between breach, detection (which can be hundreds of days later) and delayed threats to release confidential data (which can be years later). Attribution of contributory negligence, such as claims related to inadequate security, employee negligence or insufficient detection and monitoring procedures and policies, may also be factors.
Company employees bear a large amount of responsibility to keep company data safe, thereby avoiding insurance denials. People can be instrumental in safeguarding data, but also can be a source of risk. Lost or stolen laptops or other devices can open a gateway for criminals to steal information or use them to hack other related systems. People must take precautions for the jurisdictions in which they will be going. For instance, many firms advise employees going to high cyber risk areas to refrain from using technologies such as smart phones or Skype and instead use more basic and secure devices. Employees and boards are in charge of protecting assets, whether those be physical, material or digital. Any proprietary information transmitted should be subject to ‘lock your door’ standards, making sure the information is kept safe and locked away.
Insurance and cost allocation issues should include consideration of litigation that may follow and cover many different litigation theories. There may be scrutiny from the government or customers. Class action lawsuits may be brought if there are many affected by the breach. Negligence, failure to protect assets, failure to notify, failure to disclose, and/or material misleading could result in liability for the company in a suit. A company may be liable if it misled consumers regarding the safety of its data, or if the company did not adequately protect its data in a reasonable manner. Civil litigation may include suits from consumers, financial institutions such as banks, shareholders through a shareholder derivative suit, and employees. One might wonder, what standing do employees have in a suit against their employer? In the Sony hacking scandal, which resulted in the leaking of personal information such as social security numbers and sensitive health information, the resulting class action lawsuit brought by employees was fought by Sony, which argued the employees lacked standing. Referring to Clapper vs. Amnesty International USA, where the Supreme Court held that establishing standing required proof of ‘injury in fact’ and ‘certainly impending’ threatened injury, the Court decided that plaintiffs had standing due to the breadth of sensitive information stolen. This is ever more important when deciding to take precautionary measures to secure information, including employee data, and the breadth of insurance coverage.
Precautionary measures to mitigate claims and the risk that insurance claims will be denied include having a plan and incident response procedures in the event of an attack. All agents of a firm need to know who to contact, and the company contact must know the applicable regulatory, insurance and internal/board requirements for reporting. At this early stage, it is highly important to take care when securing evidence. Preventing access to affected systems preserves the integrity of evidence for law enforcement. Companies should preserve all evidence including computer logs, especially to determine the origin of the breach, and prepare a report on the breach documenting all employees, the nature of the breach, and all stolen or lost data. Rather than attempting to perform internal investigative measures, companies should freeze and seek professional advice before probing, powering down, copying, connecting or reconnecting, and/or running antivirus software on any affected computers, devices or systems.
SEC disclosure obligations for cyber fraud, cyber litigation and related insurance matters may be triggered in the following sections of ‘33 and ‘34 Act Reports: risk factors, management discussion and analysis, description of business, financial statement disclosures, disclosure controls and procedures, and legal proceedings. Complying with these reporting requirements early on will ease the litigation process, especially when working together with various law enforcement agencies and insurance to determine the origin of an attack. It also serves to show the company was responsible and had a plan to address cyber attacks, proving at least a reasonable amount of precautionary measures were taken to protect information and data and could also serve to mitigate any denials of insurance claims.
While determining the origin of a cyber attack on a company may be impossible, the attacks should not be ignored. What may seem like random attacks may actually be well orchestrated attempts to disadvantage the victim through theft of proprietary company information or the disruption of business. While the purpose may not be immediately clear, the attack should be well documented and in some cases reported to the appropriate authorities. Requests by government enforcement agencies to monitor attacks while shadow servers are used to run a company’s business going forward should be carefully considered. Legal counsel should be employed at this early stage to document the attacks and preserve records or evidence not only for ensuing litigation but also for insurance claims. Quite often, when the attacker attempts to monetise the information or the attack, more traditional legal investigative techniques may be used to bring the attacker to justice or make the attacker pay for the injury to the victim’s business.
John Kissane and Adele Hogan are partners at Watson Farley & Williams LLP. Mr Kissane can be contacted on +1 (212) 922 2219 or by email: email@example.com. Ms Hogan can be contacted on +1 (212) 922 2231 or by email: firstname.lastname@example.org.