{"id":2248,"date":"2017-03-05T20:36:36","date_gmt":"2017-03-06T01:36:36","guid":{"rendered":"http:\/\/sites.law.duq.edu\/juris\/?p=2248"},"modified":"2017-11-20T20:17:15","modified_gmt":"2017-11-21T01:17:15","slug":"hacking-profits-the-explosion-of-cybercrime-and-the-cyber-insurance-market","status":"publish","type":"post","link":"https:\/\/sites.law.duq.edu\/juris\/2017\/03\/05\/hacking-profits-the-explosion-of-cybercrime-and-the-cyber-insurance-market\/","title":{"rendered":"Hacking Profits: The Explosion of Cybercrime and the Cyber Insurance Market"},"content":{"rendered":"
Photo courtesy of Pixabay<\/figcaption><\/figure>\n

 <\/p>\n

By Kurt Valentine, Staff Writer<\/strong><\/p>\n

Cybercrime is one of the biggest threats facing companies in today\u2019s technology-driven society. In 2015, it is estimated that cybercrime cost businesses $400 to $500 billion.[1]<\/sup><\/a> That number is expected to increase to $2.1 trillion by 2019.[2]<\/sup><\/a><\/p>\n

There have been numerous high-profile hacks. In 2013, Target disclosed that hackers stole the personal information of 70 million people.[3]<\/sup><\/a> The breach cost the company approximately $191 million, offset by a $46 million insurance reimbursement.[4]<\/sup><\/a> In 2014, Home Depot was the victim of a similar attack.[5]<\/sup><\/a> Its expenses from the data breach were roughly $63 million dollars, offset by a $30 million insurance payout.[6]<\/sup><\/a> Large companies are not hackers\u2019 only targets, however: Microsoft reports that 20 percent of small to mid-sized businesses have been hacked.[7]<\/sup><\/a><\/p>\n

The growing threat of cyber-attacks is driving the growth of the cyber insurance market. Cyber insurance is the insurance industry\u2019s fastest growing product.[8]<\/sup><\/a> The market was valued at $2.5 billion in 2015 and is expected to grow to $7.5 billion by 2020.[9]<\/sup><\/a> Since the market is in its infancy, many of its policies remain untested.[10]<\/sup><\/a> This uncertainty will inevitably lead to litigation.\u00a0 There has not been a lot of cyber insurance litigation for claims after a data breach, but that is likely to change as cyber insurance policies become increasingly popular.[11]<\/sup><\/a><\/p>\n

P.F.<\/em> Chang\u2019s China Bistro, Inc. v. Fed. Ins. Co.<\/em>, decided on May 26, 2016, was the first opinion to shed light on the coverage scope for cyber insurance policies.[12]<\/sup><\/a> This action stemmed from computer hackers gaining access to 60,000 customers\u2019 credit card information from 33 P.F. Chang\u2019s restaurants.[13]<\/sup><\/a> Federal Insurance Company sold P.F. Chang\u2019s corporate parent a CyberSecurity policy described as \u201ca flexible insurance solution . . . to address the full breadth of risks associated with doing business in today\u2019s technology-dependent world.\u201d[12]<\/sup><\/a> Federal deemed P.F. Chang\u2019s a high risk because it conducts more than 6 million credit card transactions per year.[12]<\/sup><\/a> In 2014, P.F. Chang\u2019s paid $134, 052.00 for coverage.[12]<\/sup><\/a><\/p>\n

In order to process credit card transactions, P.F. Chang\u2019s entered into an agreement with third-party credit card transaction processor Bank of America Merchant Services (BAMS).[12]<\/sup><\/a> That agreement provided that P.F. Chang\u2019s was liable for paying \u201cany fines, fee, or penalties imposed on BAMS\u201d from credit card associations, like MasterCard and Visa.[12]<\/sup><\/a> Similarly, BAMS had an agreement with MasterCard that provided it was liable to pay MasterCard certain fees in the event of a data breach.[12]<\/sup><\/a><\/p>\n

After the breach occurred, MasterCard sent BAMS an assessment for the recovery of $1,716,798. 85 pursuant to their agreement.[12]<\/sup><\/a> The assessment reflected the cost MasterCard incurred notifying cardholders of the breach, issuing new cards, new account numbers, and new security codes.[12]<\/sup><\/a> Pursuant to P.F. Chang\u2019s agreement with BAMS, it reimbursed BAMS for the assessment.[12]<\/sup><\/a><\/p>\n

Following that payment, P.F. Chang\u2019s filed a claim to Federal to be reimbursed.[12]<\/sup> Federal denied the claim, and litigation ensued.[12]<\/sup><\/a> Federal filed a motion for summary judgement, which was granted.[12]<\/sup><\/a> There was an exclusion in the insurance contract that released Federal from liability that the insured party assumed via contract.[12]<\/sup><\/a> The court held that the agreement P.F. Chang\u2019s had with BAMS, coupled with the provision in the insurance contract, barred it from being reimbursed.[12]<\/sup><\/a><\/p>\n

Since the breach, Federal has reimbursed P.F. Chang\u2019s more than $1.7 million for a forensic investigation into the data breach and for costs incurred defending litigation from customers and banks.[12]<\/sup><\/a> Using this case as an example, experts suggest that policyholders should be sure their cyber insurance policies do not bar coverage for charges passed along by third-parties.[14]<\/sup><\/a> Additionally, the case is a cautionary tale to never assume that a cyber security policy will provide full coverage in the event of a data breach.[8]<\/sup><\/a><\/p>\n

As the cyber insurance market matures, litigation will follow. As Thomas Rohback and Patricia Carreiro note, \u201cThe next year or two will see the birth of massive insurance coverage litigation that will dwarf the litigation spike seen several decades ago.\u201d[15]<\/sup><\/a> This case just represents the beginning.<\/p>\n

 <\/p>\n

Sources<\/strong><\/p>\n

\n

[1]<\/a> http:\/\/www.forbes.com\/sites\/stevemorgan\/2016\/01\/17\/cyber-crime-costs-projected-to-reach-2-trillion-by-2019\/#2035de103bb0<\/a><\/p>\n

[2]<\/a> Id.<\/em><\/p>\n

[3]<\/a> http:\/\/www.canadianbusiness.com\/the-last-days-of-target-canada\/<\/a><\/p>\n

[4]<\/a> http:\/\/www.pymnts.com\/news\/2015\/target-home-depot-reveal-full-breach-costs\/<\/a><\/p>\n

[5]<\/a> http:\/\/www.pymnts.com\/news\/2015\/target-home-depot-reveal-full-breach-costs\/<\/a><\/p>\n

[6]<\/a> http:\/\/www.pymnts.com\/news\/2015\/target-home-depot-reveal-full-breach-costs\/<\/a><\/p>\n

[7]<\/a> https:\/\/www.forbes.com\/sites\/stevemorgan\/2016\/01\/17\/cyber-crime-costs-projected-to-reach-2-trillion-by-2019\/#aaf38683a913<\/a><\/p>\n

[8]<\/a> https:\/\/www.law360.com\/articles\/890831\/developing-trends-in-cyberinsurance-litigation-part-1<\/a><\/p>\n

[9]<\/a> Id.<\/em><\/p>\n

[10]<\/a> http:\/\/www.insidecounsel.com\/2015\/10\/14\/cybersecurity-litigation-the-tip-of-the-iceberg-pa<\/a><\/p>\n

[11]<\/a> https:\/\/www.law360.com\/articles\/890831\/developing-trends-in-cyberinsurance-litigation-part-1<\/a><\/p>\n

[12]<\/a> https:\/\/www.law360.com\/articles\/891726\/insurance-group-of-the-year-hogan-lovells<\/a><\/p>\n

[13]<\/a> P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 70749<\/p>\n

[14]<\/a> https:\/\/www.law360.com\/articles\/804825?scroll=1<\/a><\/p>\n

[15]<\/a> https:\/\/www.law360.com\/articles\/890831\/developing-trends-in-cyberinsurance-litigation-part-1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

  By Kurt Valentine, Staff Writer Cybercrime is one of the biggest threats facing companies in today\u2019s technology-driven society. In 2015, it is estimated that cybercrime cost businesses $400 to $500 billion.[1] That number is expected to increase to $2.1 trillion by 2019.[2] There have been numerous high-profile hacks. In [\u2026] <\/p>\n

<\/div>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,4],"tags":[1555,1554,1544,1543,1547,1548,1557,1542,1546,1552,85,1553,1545,875,1100,1549,1556,1551,1550,1080],"class_list":["post-2248","post","type-post","status-publish","format-standard","hentry","category-juris-blog","category-posts","tag-bams","tag-bank-of-america-merchant-services","tag-business-law","tag-cyber-crime","tag-cyber-insurance","tag-cyber-insurance-market","tag-cyber-security","tag-cybercrime","tag-cyberinsurance","tag-cybersecurity","tag-data-breach","tag-federal-insurance-company","tag-hackers","tag-hacking","tag-insurance","tag-insurance-market","tag-mastercard","tag-p-f-changs","tag-p-f-changs-china-bistro","tag-technology"],"_links":{"self":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/2248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/comments?post=2248"}],"version-history":[{"count":1,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/2248\/revisions"}],"predecessor-version":[{"id":2250,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/2248\/revisions\/2250"}],"wp:attachment":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/media?parent=2248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/categories?post=2248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/tags?post=2248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}