According to a report recently released by IBM Security, there has been a decreased of more than 50% in the number of cyber-attacks between 2012-2014. However in 2014, retailers still suffered the theft of more than 61 million customer records. Additionally, not surprisingly, retailers remain cyber-thieves’ top targets.
On February 4, 2015, Anthem Inc., the second largest health insurer in America revealed that hackers broke into the company’s servers and stole social security numbers and other personal information. This is a massive data breach with the potential to expose the information of nearly 80 million Anthem customers and has the potential to be the largest health care related data breach in history.
In December 2013, Target Corporation, the Minnesota-headquartered retailer that is one of the nation’s largest retail chains, announced that over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit- and debit-card information for approximately 110 million of Target’s customers. The hackers allegedly accessed Target’s point-of-sale systems; in other words, its cash registers. Dozens of lawsuits against Target followed, which were consolidated into two tracks, one for the Consumer plaintiffs class and a second for the class of Financial Institutions that are part of the credit and debit card payment process relied upon by Target and its customers.
In Zurich American Insurance Co. v. Sony Corp., the New York State Appellate Division is primed to issue one of its first decisions regarding the availability of insurance coverage under a comprehensive general liability (“CGL”) policy for losses due to a data breach.
On January 12, 2015, President Obama introduced the Personal Data Notification & Protection Act to preempt state data breach notification laws. Presently, some 47 states have enacted data breach notification statutes which call upon firms whose data has been hacked or breached to give notice to those whose PII may be affected or compromised. The administration’s legislation would preempt all of those state statutes, so that firms do not have to adhere to fifty different sets of requirements, imposing instead a single federal notice requirement. The proposed legislation does not appear likely to impose or change the standards for liability for data breaches. A more comprehensive article on the proposed legislation is available here.