The Rise of Cyber Liability
According to a 2015 report by McAfee, the global impact of cybercrime is US$375 billion to US$575 billion – similar to the size of the illegal drug industry, or worldwide damage from vehicle collisions. Expert consensus is that cyberspace will be a less secure place over the next 5-10 years. Cyber criminals often target organizations that have made little investment in cyber protection and have no business continuity capacity – organizations with a strong incentive to pay a ransom so they can resume operations. Canadians spend more time online than people in any other country in the world - 43.5 hours per Canadian per month. Between June 2018-2019, 53% of malware attacks occurred in the US, and 10% occurred in Canada. All of this supports the view that cybercrime is on the rise as we enter the cyber liability era.
The future is in subrogated claims. These are claims involving third party contractors or service providers who breach contracts or the standard of care, thus providing an opportunity for bad actors to breach security (by way of analogy, the security company that leaves the door open, letting in the arsonist who burns down the building). In these situations, typically, the insurer will pay the claim but may be able to recover the amount paid from the third party by way of a subrogated claim. To date, while we have seen the rise of first party claims and litigation, what we anticipate will follow is the rise of third-party claims. These are subrogated claims, and in the U.S. have been recognized as “Cyber Subrogation.” Such claims are analogous to property loss claims but require additional knowledge and expertise to confidently address both the privacy and technological issues that inevitably arise.
The U.S. Experience
The first cyber subrogation cases arising from cyber breaches have started to appear in the U.S. Some of the notable cases are discussed below.
Travelers Casualty and Surety Company of America v. Ignition Studio, Inc.
In 2015, Travelers Casualty and Surety Company of America (“Travelers Insurance”) brought an action against Ignition Studio, Inc. (“Ignition Studio”), a web services company. Travelers Insurance insured Alpine Bank and commenced a claim in its name. The case was filed in Illinois Federal Court. Alpine Bank had been the victim of a cyber attack that resulted in losses in the amount of $154,711.34. Alpine Bank claimed the same amount under its policy with Travelers Insurance, which Travelers Insurance paid. Travelers Insurance sought to recover its payment from Ignition Studio, which had developed and maintained the Alpine Bank website that had been compromised in the hack.
The suit brought claims in professional negligence and breach of contract. The Statement of Claim pleaded that Ignition Studio negligently allowed one or more hackers to access Alpine Bank’s website through lax Internet security on the server where the website was hosted. Because of Ignition Studio’s negligence, Alpine Bank had to expend substantial funds to comply with its data breach obligations. Alpine Bank made an insurance claim to Travelers Insurance for the losses, which Travelers Insurance paid.
While the parties ultimately settled a few months after the claim was filed, this case provides important guidance on the shape that cyber subrogation claims will take. This is exactly the type of third party claim we anticipate will follow in Canada.
Trustmark National Bank et al v. Target Corp et al
In 2014, a class action was commenced in Federal Court in Chicago by Trustmark National Bank and Green Bank against Target and Trustwave Holdings Inc. (“Trustwave”), after a significant privacy breach occurred after the shopping holiday Black Friday when Target’s point-of-sale system was compromised. While a number of lawsuits followed from the massive data breach in this case, this was the first suit to name Trustwave Holdings Inc., a third party company to which Target had allegedly outsourced its data security services. The claim was founded in negligence and the Statement of Claim alleged that Trustwave failed to live up to its promises, or to meet industry standards. Trustwave’s alleged failings, in turn, allowed hackers to cause the data breach and to steal Target customers’ personal information and sensitive payment card information. In addition, Trustwave failed to timely discover and report the data breach to Target or the public.
Only after the suit was filed did Trustwave publicly declare that it was not in fact one of the companies to which Target outsourced its data security or IT obligations. Shortly after, both plaintiff banks voluntarily dismissed the class action lawsuit. While the action ultimately did not go forward, it does provide helpful direction as to what we may see from these third party claims against IT companies who may have played a role in the breach.
The Marriott Hotel Data Breach Class Actions
While still in their early stages, a number of class actions have been filed involving the Marriott hotel chain in the aftermath of a significant data breach. In November 2018, Marriott announced the security of its reservation and booking system had been compromised. Approximately 500 million hotel guests may have been affected by the data breach. This will be a case to closely monitor to see whether any cyber subrogation claims may arise from the fallout of the data breach.
The Canadian Experience
While we have yet to see much in the way of cyber subrogation claims filed in Canadian courts, we have seen a significant rise in the number of lawsuits arising out of privacy breaches. As cyber liability has continued to develop in Canada, many of these cases exist in the class action context. This is because the damages of individuals who have personal information are, for the time being, considered to be low. This is still a novel area of jurisprudence that deals with high profile events, including internal misuse and abuse as well as malicious third party attacks. Courts are clearly becoming increasingly concerned about privacy protection, going so far as to introduce new torts. As the law develops and cyber incidents continue to rise, it is inevitable that individual cases resulting in significant damages will occur and insurers will seek to recover on claims where an at-fault third party can be identified.
Kaplan v Casino Rama
The defendant, Casino Rama, was the target of a cyberattack. A hacker accessed the Casino’s computer system, stole the personal information of customers, employees and suppliers, and demanded a ransom in exchange. The Casino refused to pay the ransom and the hacker posted the personal information of around 11,000 people online.
The plaintiffs brought a class action on behalf of members in casino programs and casino employees. The plaintiffs claimed negligence, breach of contract, intrusion upon seclusion, breach of confidence, and the tort of publicity given to private life. The motions judge dismissed the class action on finding there were no proposed common issues, but held in obiter that if pressed, he would find viable causes of action in negligence, breach of contract, and intrusion upon seclusion.
In particular, the motions judge held that “the scope and content of the applicable duty and standard of care depends on the sensitivity of the personal information that has been collected”. The less sensitive the information, the lower the duty or standard of care; and conversely, the more sensitive the information, the higher the duty and standard of care. In this case, the motions judge acknowledged the type of information stolen and posted by the hacker varied from person to person, and thus there were no common issues across the plaintiffs.
In other words, the class action failed in Kaplan because the type and amount of personal information varied, while class actions require commonality of issues. The case nonetheless suggests that although the organization is a victim of criminal hacking, it could be held liable for the harm to affected individuals if its inaction or insufficient security measures facilitate intrusion into its system. It is therefore not at all difficult to imagine the courts holding a third party contractor or service provider responsible if they failed to meet their obligations.
As the number of privacy breaches, data hacks, phishing scams and other cyber attacks continues to grow, it is likely only a matter of time before the types of cyber subrogation cases we have seen in the U.S. begin to arrive in Canada.