Creative hackers pose new threats to business

//January 22, 2016//

These two incidents show how cyber hackers are becoming increasingly creative in manipulating electronic information for their own gain. In doing so, they are increasing the risk exposure of businesses that electronically store customer data.

These newest cyberattackers and their fraudulent schemes should put companies on alert for future claims and suits, especially because the hackers are often unknown. On a smaller scale, any business that retains customers’ email addresses may be exposed to hackers stealing customers’ email addresses and then sending fraudulent emails to customers, resulting in a loss for customers and a gain for the hackers. Further, a hacker could produce an outgoing email that looks like it was sent from the business, causing the customer to trust the source. A customer’s lack of recourse against the hacker is a prime example of why a company should obtain insurance coverage for data-breach losses.

These kinds of scenarios could be enough to satisfy the minimum requirements for customers to pursue a lawsuit. Previously, it has been difficult. Plaintiffs in federal courts have struggled to establish a concrete injury, which is required to pursue litigation and earn what is known as standing. In 2011, the Third Circuit held that an increased risk of identity theft, costs to monitor credit activity and emotional distress were insufficient grounds to allow plaintiffs to pursue a lawsuit. In that case, Reilly v. Ceridian Corp., a hacker entered a payroll processing firm’s system and gained access to personal and financial information belonging to over 27,000 employees. The court ruled against the plaintiffs because the prospect of future injuries was insufficient.

Given hackers’ increased creativity, two issues are now at stake: (1) whether a business is liable for the fraudulent manipulation of customers when the hacker obtained the customers’ email from the business; and (2) whether the loss is covered by the business’ insurance policy. Both issues essentially boil down to the same analysis: causation.

Under any negligence theory, a plaintiff must prove that the business’ actions were the “proximate” or “legal” cause of the losses. This standard requires showing that the losses could have been foreseen by an ordinary person as the natural and probable outcome of the business’ actions and that the business’ negligent act or failure to act was a substantial factor in bringing about the plaintiff’s harm. A business’ failure to protect a customer’s email address may result in a scheme involving fraud, and thus trigger a lawsuit. But businesses could be in the clear if they can argue successfully that customers should have been more suspicious of fraudulent emails they received.

Additionally, causation comes into play when the business is seeking insurance coverage and other related costs under an insurance policy. Under Pennsylvania law, to prove coverage, an insured must show that the customers’ loss was caused by a peril covered by the insurance policy, even if other excluded perils contributed to the loss.

Lastly, there are a number of proactive steps a business can, and should, take to mitigate the harm to the customer. First, the business should have a system that provides immediate notification of a cyber breach. Second, the business should promptly notify its customers of the breach and possible suspicious activity. While these new schemes present new opportunities for litigation, they are not definite victories. Further, companies should explore cybersecurity policies and/or endorsements to obtain protection beyond their commercial general liability policies.

Elizabeth L. Melamed is an attorney with Harrisburg-based law firm Thomas Thomas & Hafer. She currently practices workers’ compensation and general liability law.