Large data breaches bring litigation and potential D&O liability exposuresReprints
When it comes to liability risks for directors and officers, few present more uncertainty than cyber risk.
One certainty is that large data breaches will attract lawsuits against the compromised company, as shown by the recent travails of Target Corp.
Since Target acknowledged on Dec. 19 that up to 40 million credit and/or debit cards may have been compromised in a data breach, an estimated 40 lawsuits have been filed against the discount retailer thus far.
William Um, Los Angeles-based policyholder counsel at Hunton & Williams L.L.P., said the speed with which lawsuits were filed against Target is noteworthy. “The public notification of the breach came out in the morning, and a class action lawsuit was filed in Northern California the same day,” he said.
Mr. Um said that while many companies now carry dedicated cyber attack coverage, data breaches still affect directors and officers policies.
“Some of the first lawsuits that were brought against Target have brought allegations of general wrongful acts and negligence, which can impact entity coverage under D&O policies,” he said.
While class action suits filed by aggrieved customers may represent the greatest threat in terms of severity, companies with data breaches now are increasingly subject to shareholder derivative lawsuits, said Ann Longmore, New York-based executive vice president of FINEX North America, a unit of Willis Group Holdings P.L.C.
Unlike previous class action lawsuits focused on the falling share prices of companies affected by the data breach, derivative lawsuits are filed in state courts, Ms. Longmore said. The laws regarding derivative suits make an insurer more likely to pay court awards or settlements under the Side A portion of the D&O policy than with a class action suit, she said.
“It's interesting that not all the cyber risk D&O cases are now being brought as stock-drop cases,” she said. “Now, a number are being filed as derivative actions. This changes the game significantly.”
Moreover, the ongoing guidance from the U.S. Securities and Exchange Commission encouraging public companies to disclose all data breaches will likely add to the lawsuit trend, Ms. Longmore said.
“In this new environment with the SEC's focus on cyber breach disclosures, it's a very different world,” she said.
Indeed, a class action lawsuit filed in Utah by five Target customers alleges negligence on the part of Target.
“If not for Target's negligent and wrongful breach of its duties owed to plaintiffs and class members, their personal information would not have been compromised,” according to the lawsuit.
Allegations in the suit include: plaintiffs having their personal information compromised; incurring time and expenses in cancelling their debit and/credit cards; activating new cards and re-establishing automatic payment authorizations from their new cards; and other economic and noneconomic damages, including irrecoverable losses due to unauthorized charges on their credit/debit cards.
Nonetheless, the success of such lawsuits is far from certain, Mr. Um said, adding that one problem for plaintiffs in class action lawsuits against companies that have suffered data breaches is proving the breach has led to compensable damages.
“With the mass class action suits, you will find greater clarity sooner, because one of the great hurdles is that the plaintiffs have had trouble alleging compensable damages,” Mr. Um said. “While the customer data may now be in the hands of people who have it, the question remains what has happened as a result of it. Trying to articulate compensable harm has been a struggle for the plaintiff lawyers.”
Yet this advantage for companies defending themselves against cyber breach lawsuits may not persist, he said. “As plaintiffs get more shots at the apple, they are getting better at trying to allege compensable harm,” he said.
As the legal and regulatory environment surrounding cyber attacks is changing, the nature of the threat continues to evolve.
Jerry Irvine, Chicago-based chief information officer at IT advisory firm Prescient Solutions, said even the most conscientious of firms will become increasingly vulnerable to data breaches as hackers continue to refine their attacks.
One reason that security professional and risk managers are disadvantaged relative to hackers is that affected companies are reluctant to share information about emerging breaches because of competitive and liability concerns, Mr. Irvine said.
“The potential for these vulnerabilities is so great because hackers can work together and share information to figure out what works,” he said. “Because so many organizations keep information about data breaches to themselves, IT professionals don't always have that luxury.”
Scott Schleicher, Washington-based underwriting manger for cyber risk at XL Insurance said that while D&O policies may help in the long run against lawsuits, many of the immediate, ancillary costs of cyber breaches are best handled by dedicated cyber risk policies.
“This is what cyber insurance does,'' Mr. Schleicher said. “It allows the company to not worry about the management of the claim. Cyber policies give insureds a path to run on when managing a data breach crisis.''