The National Association of Insurance Commissioners (NAIC) and the Department of Financial Services of New York state have introduced regulation on cyber-security for insurance companies and risk retention groups (RRGs) (see the Captive.com article “New York Cyber-Security Regulation Update: RRG Exemption”). To meet existing laws and regulations, many companies in the captive and insurance industries have invested a significant amount of money and time in cyber-security to protect their stakeholders. The one question that needs to be asked is “will the proposed regulations from New York and the NAIC prevent cyber-security lawsuits from plaintiffs that would allege damages?” If the answer is no, then what is the litigation strategy to defend this type of lawsuit?
In “Data Breach Class Action Lawsuits: First Response for Defense—Motion to Dismiss for Lack of Standing,” a January 2017 report published in Pratt’s Privacy & Cybersecurity Law Report Vol. 3 No. 1, authors James M. Westerlind and Malcolm McNeil discuss data breach legal action and the defense that companies can apply to mitigate the risk. According to the report, a company can file "a motion to dismiss [the case] under Rule 12(b)(1) of the Federal Rules of Civil Procedure for lack of subject matter jurisdiction on the ground that the putative class action plaintiffs lack standing to sue." In layman's terms, a case can be dismissed by asserting that the allegation is insufficient to establish standing, or by a factual challenge. This defense mostly applies to plaintiffs who allege an increased risk of future identity theft, that is, plaintiffs who claim to have been damaged by the future cost that would be incurred to reduce the risk of future harm.