Login Register Subscribe
Current Issue

Cyber-related directors and officers liability claims expected to increase

Reprints

LAS VEGAS — Cyber-related directors and officers liability claims are rare, but that will likely change soon.

Companies with cyber exposures should expect to face securities class action lawsuits when computer systems are compromised, as cyber breaches become even more common, legal experts say.

As the exposure grows, boards of directors should adapt their protocols to provide better oversight of cyber security, they said at the Professional Liability Underwriting Society's annual conference in Las Vegas last week.

But as cyber-related D&O exposures grow, another D&O exposure was limited earlier this year when the U.S. Supreme Court ruled that a corporate defendant could have an earlier opportunity to prevent a lawsuit being certified as a class action, several speakers at the conference said.

While there have been a limited number of cyber-related D&O claims to date, “they are coming,” said Douglas W. Greene, a shareholder at law firm Lane Powell P.C. in Seattle.

So far, stock prices have not been affected long-term by cyber incidents, which has been an impediment to D&O litigation, “but that is bound to change; and when it changes, and stock prices start to drop upon disclosure of a breach ... the plaintiffs lawyers will be there,” he said.

One reason the situation will change is “companies are going to start competing on the basis of cybersecurity,” he said. Another is the Securities and Exchange Commission's interest in the issue, though the securities regulator is trying to balance requiring disclosure of information from public companies with not providing a road map for attacks.

Mr. Greene said boards of directors have been “a bit behind in tuning up for cyber security,” but they have made “great strides over the past year in part because of the Target breach.”

Several other major data breaches have occurred since the Target Corp. breach in December 2013.

This is a “huge challenge” for D&O underwriters, said Todd Greeley, New York-based vice president of claims for executive and professional lines at Berkshire Hathaway Specialty Insurance.

Unlike other aspects of D&O underwriting, insurers cannot rely on public filings or use them as a resource because they do not contain detailed cybersecurity information, said Shanda Davis, Chicago-based D&O product manager of bond and financial products at The Travelers Cos. Inc. It is “difficult to get your arms around these issues,” she said.

This is a “rapidly developing area,” said John Black, executive principal at Skarzynski Black L.L.C. in Chicago. Amazon Inc. was founded just 20 years ago and data breach notification laws are just 10 years old, he said.

While litigation to date has been dominated by consumer class actions, a future issue will be intellectual property theft and impairment of company assets. Those claims will start to come up as the SEC scrutinizes data breaches, and whistleblowers start to speak up, Mr. Greene said.

Boards “don't need to be technical experts to be good directors overseeing cyber security,” but board structures can “represent a real impediment” to addressing the issue, he said.

“Where I think this is moving is to have separate committees” to oversee cyber security, Mr. Greene said. This allows a group of people “to become sufficiently fluent (in the technology) to be able to ask the right questions,” raise red flags and communicate with experts. It “also frees up other directors to ask questions, which often turn out to be the very best questions,” he said.

Also discussed during the conference was the effect of the U.S. Supreme Court's June ruling in Halliburton Co. v. Erica P. John Fund Inc., where the nation's high court ruled unanimously that corporate defendants must be given the opportunity to show their actions did not affect the stock price of a publicly traded company before a class is certified, rather than having to wait until the merits stage of the litigation.

The ruling, however, did not overturn the U.S. Supreme Court's 26-year-old Basic Inc. et al. v. Max L. Levinson decision, where the court endorsed the fraud-on-the-market presumption theory, under which plaintiffs do not have to demonstrate that each member of a class relied on a company's alleged misrepresentation.

Before the court's ruling in Halliburton, the case was described as the “most significant securities decision to come before the Supreme Court in decades,” said Tower C. Snow Jr., of counsel at Cooley L.L.P. in San Francisco.

However, said defense attorney Carrie L. Huff, a partner at Haynes & Boone L.L.P. in Dallas, outside the 5th U.S. Circuit Court of Appeals' jurisdiction, where the case originated, “the situation is pretty much status quo” following the ruling.

There was “great hope” on the defense side beforehand that the fraud-on the-market theory would be limited, but “that clearly did not happen” said Darren Robbins, a partner at Robbins Geller Rudman & Dowd in San Diego, who represents shareholders.

More than 1,800 attended the conference. Next year's PLUS conference is scheduled for Nov. 11-13, 2015 in Dallas.