We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.

NetDiligence is pleased to announce that it hosting a series of Lunch & Learn webinars this fall to discuss emerging technologies and their impact on cyber liability insurers. Bring your lunch and join us for 45 minutes of real-world information about how technology is changing the nature of cyber risk and the implications for insurers underwriting that risk. Conceptually visionary and pragmatically useful, these sessions should not be missed! Learn more.

Insurance industry leader, Patrick G. Ryan, will deliver the keynote address at the NetDiligence® Cyber Risk & Privacy Liability Forum, a leading gathering on insurance risk, which will be held Oct. 10-12, 2017, in Santa Monica, Calif., HB Litigation Conferences, the program organizer, has announced. Click to read entire article.

In its recent Attias v. CareFirst, Inc. opinion, the D.C. Circuit held that the plaintiffs had standing to bring a lawsuit by alleging they suffered a mere risk of future identity fraud resulting from a breach—rather than requiring that they suffered actual identity fraud—joining similar decisions by the Third, Sixth, Seventh, and Eleventh Circuits. Click to read entire article.

The personal data breach affecting 300,000 patients disclosed last month by Women’s Health Care Group of PA LLC was the third-largest reported this year to the U.S. Department of Health and Human Services, according to the agency’s website. Click to read entire article.

Thousands of people with HIV received mailed letters from Aetna last month that may have disclosed their HIV status on the envelope. Click to read entire article.

On February 12, 2017, Plastic Surgery Associates of South Dakota discovered its health IT systems had experienced a ransomware attack. The healthcare organization immediately attempted to remove the ransomware from the infected servers and decrypt stored health data, it said in an online statement. Click to read entire article.

The breach affected 1,100 patient records from 2003 through May 2017 and included names, addresses, phone numbers, dates of birth, gender, diagnoses or other information about medical treatment at Tewksbury Hospital. For some individuals, it may also have included a social security number. Click to read entire article.

The UC health privacy office learned of the breach in June. Now, Daniel Drake Center is notifying 4,721 patients about potential exposure of their information, and it’s offering a year of credit monitoring and identity theft protection services from Experian. Click to read entire article.

The publisher of Reader’s Digest has settled a class action suit for $8.2 million after it allegedly breached privacy laws. Click to read entire article.

Variety reports that an anonymous hacker sent a copy of a message sent by HBO that apparently offered a “bounty payment” of $250,000 to the hacker involved in a recent massive data breach for the network. Click to read entire article.

An unauthorized third party managed to gained access to certain Virgin America information systems containing employee and contractor data. How many victims? Approximately 3,230 employees and contractors were affected by the breach.
Click to read entire article.

Screenshots of the tweets, posted on the morning of Monday 21 August, suggest that PlayStation Network databases were leaked, but this has neither been confirmed or denied by Sony. Click to read entire article.

Italy’s top bank, UniCredit SpA, is yet another victim in a series of cyberattacks exploiting vulnerabilities in the financial services industry. Criminals made off with biographical and loan data from 400,000 UniCredit loan accounts after gaining access to the bank’s computer system through one of UniCredit’s third-party commercial partners. Click to read entire article.

A total of almost 6.5 million records were hacked, and of those, 5.5 million from 10 states included social security numbers (SSNs), one of the most sensitive data types to which a hacker can gain access. According to the records obtained by the Kansas News Service, about half a million of the hacked accounts with SSNs were held by individuals located in Kansas. The following states were affected:

• Arkansas: 597,734 SSNs
• Arizona: 896,370 SSNs
• Delaware: 236,134 SSNs
• Idaho: 170,517 SSNs
• Kansas: 563,568 SSNs
• Maine: 283,449 SSNs
• Oklahoma: 430,679 SSNs
• Vermont: 183,153 SSNs
• Alabama: 1,393,109 SSNs
• Illinois: 807,450 SSNs

Click to read entire article.

City of Hope in California recently suffered a data breach in which four staff member email accounts were accessed by an unauthorized party through an email phishing attack. Click to read entire article.

A potential data breach of the city of Oceanside’s online utility bill payment system was being investigated Tuesday, and the system has been taken down. So far, it appears the affected customers made one-time payments of their water bills between July 1 and Aug. 13. …The system also allows for sewer and trash bills. Click to read entire article.

Personal information about thousands of students and their families was sent out in a mass back-to-school e-mail by the South Washington County School District in what school officials are calling “an inadvertent employee error.” Click to read entire article.

A hacker aiming to get revenge by targeting the computer systems of his former employer has been sentenced to 34 months in jail and will have to pay a fine of more than $1 million for damages, Bleeping Computer reported. Click to read entire article.

The legal industry’s susceptibility to cyberattacks was on display Tuesday in a Los Angeles courtroom, where a Superior Court judge warned attorneys about a recent incident in which email phishing scammers duped a law firm into handing over $500,000 meant for plaintiffs in a wage and hour class action. Click to read entire article.

Delaware updated its data breach notification law, accounting for medical data in what is considered personal information. Click to read entire article.

The ICO report referred to 21,000 TalkTalk customers who’d had their data breached. Fraudsters started to ring TalkTalk customers at home, quoting their account numbers, and were able to convince them that they were calling from the broadband firm. Click to read entire article.

A London council has been fined €70,000 after it accidentally published a cache of personal data including medical details, cheques, and even one person’s prison record. Click to read entire article.

The Swedish government has exposed sensitive details on millions of citizens in one of the biggest government screw-ups ever, and the official responsible for the whole fiasco was fined only half of her monthly salary, which is 70,000 Swedish krona – or around $8,500. Click to read entire article.