Capital One hack could hit wider cyber market

Posted On: Aug. 6, 2019 7:00 AM CST

Capital One Financial Corp.’s massive data breach could have a ripple effect throughout the cyber liability insurance marketplace, say experts.

Capital One itself is expected to face significant liability from consumer litigation as well as state and federal regulatory authorities’ actions as a result of the data breach that affected about 106 million U.S. and Canadian individuals, say experts.

The bank has said it has $400 million in cyber coverage that is subject to a $10 million deductible. American International Group Inc. is the primary insurer, with up to a dozen insurers on higher layers, according to a source.

Some experts say the flaws in Capital One’s firewall protection that led to the breach should have been caught earlier by the bank.

Capital One will be dealing with the breach’s impact for a long time, say experts.

“I don’t think it will go away anytime soon for them,” said Linn F. Freedman, a partner with Robinson & Cole LLP in Providence, Rhode Island.

“It’s one of the largest breaches, and with a bank, which is unusual,” she said. The financial services industry “has been ahead of the curve on data security and data breaches.”

At least three putative class action lawsuits have been filed against the bank in connection with the data breach, which was purportedly caused by the McLean, Virginia-based financial institution’s failure to correct a flaw in its firewall.

The company also faces investigations by regulatory authorities, including New York State Department of Financial Services, state attorneys general and the House Oversight Committee.

The incident is also likely to have a significant negative effect on Capital One’s reputation, say observers.

The largest category of information accessed was on consumers and small businesses that applied for one of its credit card products from 2005 through early 2019, the company said in its statement.

The stolen data included personal information, such as names, addresses and birthdates, as well as the Social Security numbers of 140,000 credit card customers and the linked bank account numbers of 80,000 credit card customers.

The breach was discovered through a tip sent to an email address maintained by Capital One that solicits disclosures of actual or potential vulnerabilities, according to the complaint filed by the FBI in U.S. District Court in Seattle in United States of America v. Paige A. Thompson. Ms. Thompson has been arrested in connection with the breach.

Capital One has said the breach stemmed from its decision to store data in Amazon.com Inc.’s cloud unit, Amazon Web Services.

Some experts said the “configuration vulnerability” to the bank’s firewall, which it has identified as the source of the breach, should have been caught.

“With proper security protocol and due diligence, certainly at Capital One, it’s something that likely should have been caught through their own internal IT department,” said Joseph Salvo, a partner with Gordon Rees Scully Mansukhani LLP in New York.

“What’s really sad here is how did this occur,” said Michael R. Overly, a partner with Foley & Lardner LLP in Los Angeles. “It occurred not by some kind of truly exotic social engineering” or by the use of “some incredibly complex hacking tool, but because someone misconfigured a firewall.”

However, it is important to keep in mind that Capital One was a crime victim, said Scott N. Godes, a partner with Barnes & Thornburg LLP in Washington. “There’s no silver bullet for cyber security; there’s no such thing as perfect security.”

Capital One and affiliates are being charged with negligence and breach of implied contract, according to the complaint filed in the U.S. District Court for the District of Columbia in Kevin Zosiak et al. v. Capital One Financial Corp. et al., which was filed the day after the breach was announced.

The same day, another case was filed in U.S. District Court in Alexandria, Virginia, in DuWayne Baird et al. v. Capital One Financial Corp. et al. charging negligence, breach of implied contract, unjust enrichment, breach of confidence and invasion of privacy.

A third lawsuit was filed in Oakland, California, on Aug. 1 that also names GitHub Inc., a unit of Microsoft Corp. that provides software development hosting services, as a defendant, in Aimee Aballo and Seth Zielicke et al. v. Capital One Financial Corp.

The hacked information had been on GitHub’s website for three months, but GitHub never informed Capital One of the situation, and Capital One finally learned about it through an email from a GitHub user, according to the complaint.

GitHub said in a statement that it promptly investigates content, once it has been reported to it, and removes anything that violates its terms of service.

“Plaintiff firms just have templates they’ve used in prior cases,” so when word of a breach hits the news, “they’re ready to go,” said Devin J. Chwastyk, a member of McNees Wallace & Nurick LLC in Harrisburg, Pennsylvania.

“Almost every circuit has found that the threat of future harm is sufficient to warrant standing” to sue, although some are “stronger than others on that issue,” said Brian E. Middlebrook, a partner with Gordon Rees in New York.

“The plaintiffs will identify the appropriate venue to file suit where they have a greater likelihood of meeting the standing requirements,” he said.

Capital One’s directors and officers may also be sued, say observers. A stock drop that followed news of the breach could continue to affect the share price, “and the shareholders could certainly sue the directors and officers for breach of fiduciary duty,” said Michelle Lopilato, Boston-based director of cyber and technology solutions at Hub International Ltd.

“I have no doubt that’s going to happen,” said Peter Taffae, a directors and officers liability insurance expert at Los Angeles-based wholesale brokerage Executive Perils Inc.

“The directors and officers are ultimately responsible and have a duty of care to the shareholders, and the plaintiff bar’s going to say that they weren’t proactive enough,” Mr. Taffae said.

New York Attorney General Letitia James said in a statement last week her office will begin an immediate investigation of the breach.

Last week, Republicans on the House Oversight Committee sent letters to Capital One CEO Richard Fairbank as well as Amazon Chief Executive Jeff Bezos on the breach.

In addition to state attorneys general and New York’s Department of Financial Services, “you’ll probably see the Federal Trade Commission get involved and you’ll probably see other financial services regulators get involved because banks have a whole host of regulators,” said Ms. Freedman, adding, “It’ll be interesting to see if it’s all coordinated” between state and federal regulators.

An FTC spokesman could not immediately be reached for comment.

As a possible example of what might happen to Capital One, Mr. Overly pointed to the agreement reached by Equifax Inc. to pay up to $700 million to settle a lawsuit brought by the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 states and territories stemming from its 2017 data breach, which affected about 147 million people.

The Capital One data breach could hit the entire cyber market, say observers. If insurers must pay their full limits on the tower, that “can send ripples through the market” in terms of underwriters’ “willingness to sell policies at the same rate,” said Mr. Godes.

“As the costs to remediate increase, I think it’s inevitable that premiums for coverage will go up,” said Ryan T. Becker, a partner with Fox Rothschild LLP in Philadelphia. “More of these high-profile, wide-ranging, large-scale breaches will certainly put upward pressure on insurance premiums for cyber-related security incidents.”

However, Mr. Middlebrook said he does not know if Capital One will necessarily have an across-the-board impact, although insurers who are high up on a tower “might have to rethink” whether they want to insure corporations such as Capital One.

“It depends on where you’re sitting in your tower and the size of the insurer,” he said.