While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.
According to the complaint in Ruma v. Keenan & Associates, the third party accessed the protected information in August of 2023 and the broker learned of the breach soon thereafter. The compromised repository contained information such as full names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, health insurance information and general health information. Five months later, individuals received notification of the breach in a notice that they allege was neither prompt nor accurate. A putative class filed suit and asserted seven causes of actions: negligence in data protection, negligence per se related to violation of HIPAA and FTC rules, unjust enrichment and breaches of confidence, contract, the covenant of good faith and fair dealing and fiduciary duty.
Though the Ruma case is still in its infancy, it will certainly not be the last time a putative class seeks damages against companies falling victim to data breaches. This case serves as a stark reminder of the necessity of cyber insurance, including robust liability coverage, as well as the necessity of maintaining adequate cyber insurance policy limits. Indeed, IBM published in its annual Cost of a Data Breach Report that the average cost of a data breach in the US is nearly $9.5 million as of 2023, nearly $5 million higher than the average cost of a data breach worldwide, largely due to how litigious claimants in the US are. A well-crafted cyber insurance program can help protect the company, and its directors and officers, against follow-on lawsuits after a major cyber incident. To ensure the policy responds as expected, policyholders should ensure that their preferred defense counsel is pre-approved on the policy by endorsement or is otherwise on the insurer’s pre-approved panel counsel list. With this end game in mind, coverage counsel can provide invaluable guidance in deciding whether to modify existing policy provisions or seek different coverage (such as a different policy form or new endorsements) at renewal. In some cases, the difference between a covered and uncovered claim can be as simple as a minor tweak to exclusionary language or a request to add the companies preferred vendors by endorsement.