JD Supra recently published an attorney perspective piece on defining cybersecurity issues for 2016. It should come as no surprise that resolution of insurance coverage issues made the list. Despite a plethora of data breach related insurance disputes over the last few years, several key issues remain unsettled. For example, in what circumstances will a directors’ and officers’ liability policy cover a data breach-related shareholder derivative suit? Will a publication by a third-party hacker trigger typical CGL coverage? Hopefully, 2016 will bring some closure to these and other insurance coverage issues.
2016 should also bring some clarity on the issue of who has Article III standing to bring a lawsuit as a result of a data breach. On November 1, 2015, the United States Supreme Court heard oral arguments in Spokeo, Inc. v. Robins, No. 13-1339, in order to determine whether a plaintiff who suffers no concrete harm has Article III standing to file suit based upon bare violations of a federal statute. The implications of the Supreme Court’s decision in this case will directly impact the routine lawsuits filed by consumers shortly after a data breach, but prior to consumers’ ability to demonstrate any injury in fact.
The role that federal regulators, like the FTC, will have in cyber security issues this year is hard to predict. In light of the fact that its settlement with Wyndham did not involve fines or fees, and the recent dismissal of its case against LabMD, it’s plausible that we may see fewer FTC enforcement actions. On the other hand, despite these outcomes, the FTC may wish to continue its advocacy for consumers through enforcement actions rather than the alternate channels available. Either way, stay tuned as 2016 is gearing up to be another momentous year in the area of cyber security law.