The Ides of March and Cybersecurity
Today is March 15, 2024 - the Ides of March. As was supposedly said in 44 BC, when Julius Caesar was assassinated, "Beware the Ides of March".
These thousands of years later, today I am speaking on a panel at Georgia State University College of Law for an ABA Conference titled "Cybersecurity and Privacy Multiverse: Solving for Risks at the Edge of Law and Technology", addressing topics that similarly deserve a "Beware" warning!
My particular panel is addressing Cybersecurity Litigation Trends, with my topic focusing on Mediating Data Breach, Ransomware, Cyber + Privacy Claims and Lawsuits - as ever evolving as the claims themselves. Just think of the data breaches about which we have learned over the last couple of weeks - including American Express advising travel customers about a third-party vendor who suffered a data breach. We need to beware - or at least be aware of - today's cyber risks, risks that are just as risky as was that faced by Julius Caesar - just in a very different form! I've written about cyber and data breach claims before, but that said, what am I thinking about today?
So there has been a data breach – What types of lawsuits and claims are likely to follow?
Needless to say, the misery for the company or service provider that has been breached is just beginning and its exposures, both financial and reputational, are great – their continued existence perhaps in large part dependent on how this crisis is handled and their available insurance. So what claims and lawsuits might follow? Here are several examples:
Insurance Policies Provide Important Protection for An Impacted Company or Service Provider
Cyber insurance policies have become a “must” for businesses, vendors, third-party service providers, directors and officers, and any person or business that provides a service, sells a product and/or holds personal information of clients, customers, or members of the general public. These policies provide both first party and third-party liability coverage. There will likely be co-insurance or high deductible clauses, more limited liability limits, and many conditions which must be satisfied both before coverage attaches and after there has been a data breach.
As a risk management “must”, business owners and the appropriate people in management should read their insurance policies carefully and make sure to implement required processes to ensure that they comply with conditions required for coverage to attach – both in their day-to-day operations and once there has been a breach (e.g. network protection requirements, reporting requirements, etc.). One should not expect that the coverages provided upon renewal will be exactly the same as in the prior year policy. Cyber policies are evolving along with the nature of evolving cyber risks and each renewal policy needs to be understood and the required conditions implemented – and then monitored to make sure that compliance is ongoing. The failure to comply with underwriting and policy “conditions” could mean that insurance coverage would not be available in the event of a loss.
Also, and just as importantly, be aware that the application for insurance is incorporated by reference into most insurance policies. At the very least, the policy is issued based on the representations in the application and misrepresentations – intentional or not – could be grounds for rescission of the policy. Be complete and careful when completing the application for cyber insurance.
That said, when a cyber incident occurs, an impacted business should have all their commercial policies reviewed to both determine which of them may provide insurance coverage for the loss and what policy conditions need to be complied with at that point. Policies such as Media Liability, Crime, Management and/or Professional Liability policies may include specific coverages for certain types of cyber claims. Although not “cyber” policies per se, some other policies might provide coverage for some aspects of the loss as “silent cyber” (i.e. policies never intended to provide coverage for cyber claims may be found to in fact provide some type of coverage). That said, as the insurance industry has matured with regard to cyber losses, policy language continues to be tightened, with exclusions and conditions becoming clearer so that “silent cyber” claims will eventually become the exception. See, for example, Lloyd's Market Bulletin Ref #: Y5258 addressing requirements for underwriters re the existence or not of cyber cover in policies that are not specifically cyber insurance, as a way to provide insureds with clarity as to what cyber risks are covered or not, and to minimize or eliminate situations of “silent cyber”.[1] As mentioned above, declaratory relief actions involving multiple insurers seeking coverage determinations with claims for indemnity, allocation and/or other relief, are as likely to be filed by an insurer in this scenario as in any other circumstance.
As to generative AI claims, there are AI-loss related policies that are being drafted to provide coverage for losses for AI related exposures. But that said, there are certainly also endorsements and exclusions being drafted, to limit coverage for such losses under existing policy forms. A healthy risk-management policy will have insureds and their brokers questioning coverage options for these risks and exposures. What specific AI policies will actually look like and how they will or will not apply, as with any type of loss, will turn on the language of the policy as it applies to the facts of the loss. Hence, all that can be said in this regard is “we shall see” and/or “time will tell”.
The availability or not of insurance coverage for losses, damages, fines, penalties, and the like under an insurance policy will turn on answers to these types of questions, on a loss-by-loss and policy-by-policy basis. Who, What, When, Where and Why re what happened? Were all pre-conditions for coverage satisfied? Were post-breach conditions satisfied? Which types of damages and losses are covered or not covered? Is other insurance available and to what extent? Was the requested cover obtained by the broker?
Settling Cyber/Privacy Claims & Lawsuits via Mediation
How data breach and cyber related claims/litigation is mediated turns on the type of situation, the extent of impact by the breach or incident, whether or not governmental agencies are involved and the types of lawsuits or claims pending. That said, regardless of the particular forum and process that is used, most litigation is resolved by way of settlement in today’s world and mediation will generally be the catalyst for settlement. Keep in mind that liability limits may become exhausted by payment of multiple claimants, meaning that the insured’s exposures to multiple claimants may also mean that an insurer will be unwilling to pay full policy limits for any particular claim or suit.
Subrogation types of lawsuits can generally be resolved in a one-day mediation, the core issues being liability and damages, like most any other tort or contract case. Successful mediation to resolve insurance related litigation will turn on how well the facts have been developed and liability assessed, or not, and the number of involved insureds, claimants, insurers, policies and/or brokers – much like any other type of complex insurance coverage matter arising out of a complex underlying action. This mediation may be able to be successful in a one-day session but may well need to be phased over multiple sessions, to better address and focus on the various issues and claimants.
Coverage issues should ideally be mediated separately from the issues in the underlying action, in advance of the contract or tort mediation to the extent possible.
Class actions and governmental actions provide their own unique challenges and may be handled via ongoing mediation as part of an MDL in federal court or administrative action with a prescribed administrative process.
Preparing for Mediation
Successful mediation of data breach and cyber-related claims requires advance preparation unique to these types of losses.
Causation is of course the initial liability issue, there being no damages if there is no liability. As with any dispute, mediation is not a forum that will determine liability. That determination is in the ultimate province of the courts. That said, one will go into the mediation with liability either being disputed, or not. It may be that the investigation that followed the cyber incident has identified its cause. In that situation, the expert reports and findings may be all that is needed to move beyond the causation question. If not, then while the parties may argue causation issues in the mediation, to get the case settled, both (or all) parties will need to move forward knowing that liability will not be able to be established – all the more beneficial to reaching a mediated settlement. To prepare for addressing causation issues, reports and expert analysis should be shared in advance as well as damage information. If insurance coverage is in issue, then it is best to mediate the insurance aspect of the case first, before going to mediation with the claimant on the substantive loss issues.
Looking at the damages question, and by way of example, where attorney fees and reimbursement of monies paid are sought, documentation supporting those damage claims needs to be shared with defense counsel far enough in advance of the mediation session so that the amounts and reasons for the expenses can be evaluated by counsel and any involved insurer. “No surprises” is a good mantra for a claimant to take in this type of situation – the more information that can be provided to the defense to support the reasonableness of the claimed expenses/damages, the more likely a settlement will be able to be achieved sooner rather than later.
Many times these mediations will take place prior to litigation or arbitration actually being filed. The parties may want to consider entering into non-disclosure and/or non-waiver agreements regarding the information being shared, along with an agreement that documents shared in pre-suit mediation are protected from disclosure or use as evidence in a future lawsuit, unless of course properly produced through discovery in the subsequent lawsuit. The United States does not have one universal confidentiality or privilege law regarding confidentiality of mediation communications and counsel should be mindful of mediation confidentiality laws regarding whatever states may ultimately come into play for the matter – whether the matter might go into litigation or not.
All of this said, preparing for mediation by sharing as much information as possible, as early in time prior to the mediation session as possible, will increase the chances that the dispute can be settled at mediation.
I also highly recommend pre-mediation calls with the mediator. In these types of cases, I recommend both individual calls for each counsel and the mediator and a joint call with all counsel and the mediator. It is best to make sure that there is no missing information that someone thinks is necessary to receive, with enough time to get that information to the other side.
And finally, make sure that the decision makers attend and participate in the mediation session. This means that anyone who will have the final say in reaching a settlement, or not, should be there – along with anyone who has any special knowledge of the factual situation. Experts, if needed, should be available to participate by phone or Zoom. The business owners/managers, insurance claims professionals and anyone else who would have the authority to agree to a settlement need to participate or be available.
In terms of whether to hold these mediations in person or via Zoom or another online platform, I think either is fine and that matters have settled as easily on Zoom as if in person. It is usually easier to arrange for decision makers to participate if held via Zoom, especially where insurance is involved, and it is certainly efficient and cost-effective being on Zoom. That said, the parties may have a long-term business relationship to preserve, which may or may not mean that mediating in person is the preferred approach. My assumption is that most of these mediations will be held online rather than in person, but each matter needs to be decided based on its own factors.
And finally, a party should be represented by settlement counsel with a mediation mindset. This person could be the same attorney who would be the trial attorney, but a mediation mindset is not the same as a trial mindset: mediation needs to be approached with the confidence of trial but with the flexibility to compromise and find an agreeable common ground that can let the parties get back to the business of their businesses. Mediation advocacy skills on the part of counsel are very important to the outcome of the mediation.
Conclusion
It is said in privacy circles that it is not a matter of “if”, but “when” a data breach or cyber incident[2] will happen to any given business. Mediation will generally happen at some point thereafter. Good risk management hygiene and affirmative preparation for mediation will together lay the groundwork for a successful resolution to be had during the mediation session (or sessions).
[2] The term “cyber incident” is the appropriate term to use at the outset, until and if it is determined that there has actually been a breach impacting data, i.e. a “data breach”.