I have written a couple of blog posts where I briefly share my opinion that courts misunderstand the stages of a hack. Courts do not appreciate that a hack also entails infecting a computer with malicious software for the sole purpose of observing electronic communications that may lead to a phishing or spoofing scheme. Without the information gathered through spyware, fraudsters would not have intimate or confidential details that make spear and whale phishing so convincing.
My basic opinion is that some of the decisions rendered in insurance coverage cases related to phishing or spoofing schemes may have resulted in a different outcome if the parties had thoroughly investigated whether or not a hack actually occurred - even if it was spyware.
Joshua Mooney at White and Williams, LLP has a similar opinion regarding the courts' lack of understanding in cybersecurity technology. Mr. Mooney recently wrote an article titled Metadata and American Tooling Courts Misunderstood Tech.
Metadata and American Tooling are separate cases in which the companies were victims of social engineering and spoofing schemes that resulted in employees voluntarily transferring large amounts of money to fraudsters. At issue was whether the loss was covered under computer fraud provisions in separate insurance policies. To review my published article on Metadata and American Tooling click here.
Since I wrote my article about American Tooling, the United States Court of Appeals reversed the lower court's decision holding that the spoofing attack did not implicate coverage. The Court of Appeals instead held that a spoofed email constituted “use of a computer to fraudulently cause” a transfer of money to satisfy the definition for “computer fraud.” In other words, my article is already outdated in a quickly evolving area of the law.
But getting back to Mr. Mooney's article, he concludes that if the courts in Metadata and American Tooling had a better understanding of technology and basic correlating concepts of cybersecurity, they may have reached a different conclusion.
Mr. Mooney suggests that a closer look at the technology used in each of these schemes, and the courts’ misunderstanding of it, suggests that the basis of each decision is suspect. In particular, the courts misunderstood concepts of a computer system’s “integrity” and instruction “to” a computer system.
While I agree with Mr. Mooney, courts are only partially to blame for this misunderstanding. As a former clerk for a Federal Judge, I know that judges rely on the attorneys to educate and inform the court about all relevant information. A judge cannot be expected to have expertise in every esoteric issue that is presented to the judiciary. Cybersecurity and cyber law present cutting edge issues that are unfamiliar to many judges and attorneys.
If the attorneys misunderstand the technology and fail to provide the judge with all relevant information, then the judge may render a decision based on misinformation.
What is probably occurring is that very good attorneys with years of litigation experience are handling these matters, but simply do not understand the technology involved in cyber events. Are these attorneys properly equipped to handle some of the legal issues in cyber law?
It's possible that clients simply do not understand that an experienced insurance attorney is not the right person for these types of cases. It makes sense that if a case has cyber law issues, then a cyber law attorney should be involved.
As a surgeon once asked me:
Would you hire a hip surgeon to operate on your neck?
~ Robert Stines, Florida Cyber Lawyer
