Are You Covered? Emerging Issues For Health Care Providers Under Cyber Risk Insurance

Earlier this year, the Seventh Circuit reviewed the "substantial risk" standard for Article III class action standing in Remijas v. Neiman Marcus Group and held that even a 2.5 percentage of compromised credit card holders is enough to show a substantial risk to an entire universe of credit card holders with breached data. 794 F.3d 688, 693 (7th Cir. 2015).

Under standard cyber security/network security/privacy liability insurance policies (otherwise known as cyber risk insurance), are insureds covered for reasonably incurred costs to mitigate or avoid harm caused by this "substantial risk" of identity theft after a network breach, as well as liability that may be imposed on third-party claims resulting from such a breach? Id. (quoting Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1150 n.5 (2013)).

Given this new case law, we believe health care providers should examine their cyber risk insurance policy to determine if it will respond based on Remijas and be prepared for a class action claim in the event of a data breach or hacking incident.

In Remijas, the defendant, Neiman Marcus, released a statement that 350,000 of its customers' credit card numbers were potentially exposed to hacker malware, and that 9,200 (2.5 percent of the total group) were used fraudulently. Id. at 689. This was enough to prove standing because the breach pointed to "an objectively reasonable likelihood that the future harm of identity theft would occur." Id. at 693 (citing Clapper, 133 S. Ct. at 1147). The plaintiffs, by proving the time and money they spent to mitigate risk of future fraud and identity theft, established a redressible harm. The court did not require that they prove more beyond the facts as stated in the published press release. "Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas at 693. This finding led the court to conclude that harm was "certainly impending" as required by Clapper.

Further addressing standing under Article III a key element of the decision - the court opined that there was an objectively reasonable likelihood that injury will occur. Consequently, it is essential that a cyber risk policy providing liability protections include defense and indemnification with respect to claims seeking damages for both injury sustained and likely to occur in the future.

It should be noted that in Remijas, Neiman Marcus volunteered to offer its customers a year of...