When a company gets hit by a major data breach, the business, its leaders and its board members should be prepared for the directors and officers liability-related litigation that is certain to follow.
Shareholder lawsuits already filed against data breach victims Minneapolis-based Target Corp. and Parsippany, New Jersey-based Wyndham Worldwide Corp. exemplify what litigation experts say is likely when a major breach occurs, an issue that has increased worries among other businesses.
The Target and Wyndham litigations have prompted “hundreds of inquiries” from organizations worried whether their own D&O coverage addresses the issue, said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions.
“I do think there's going to be more lawsuits. It's just the beginning,” said Heidi A. Lawson, a member of law firm Mintz, Levin, Cohn, Ferris, and Glovsky & Popeo P.C. in Boston.
Robert Parisi, a managing director and network security and privacy practice leader at Marsh L.L.C. in New York, said the Securities and Exchange Commission made it clear in 2011 guidance that it views technology and privacy breaches as potentially material, so when an event occurs, “that's certainly the kind of things that get plaintiff attorneys excited.”
During an SEC cyber security roundtable in March, the agency's chairwoman, Mary Jo White, said cyber threats are “of extraordinary and long-term seriousness. They are first on the (SEC's) division of (market) intelligence's list of global threats, even surpassing terrorism.”
Cyber breaches are “a significant issue in terms of the liability,” said John D. Hughes, a partner at Edwards Wildman Palmer L.L.P. in Boston. Directors must make sure their companies have adequate planning and security measures. “If they haven't, and there's a significant loss, then the shareholders will seek to pursue that,” he said.
Ann Longmore, New York-based executive vice president of FINEX North America, a unit of Willis North America Inc., said proxy adviser Institutional Shareholders Inc.'s recommendation that Target stockholders vote against seven of 10 directors because they failed to manage cyber risks is the first time there has been an effort to unseat board members because of a cyber breach.
“This has just got to throw oil on the fire in terms of the suits against the board members,” Ms. Longmore said.
In Wyndham's case, D&O litigation followed an enforcement action by the Federal Trade Commission, said Kevin LaCroix, an attorney and executive vice president at RT ProExec, a division of R-T Specialty L.L.C. in Beachwood, Ohio.
“The message there is regulators are going to be more active in the space,” which will be followed by shareholder litigation, he said.
Lawsuits are likely, though, only when a major data breach occurs.
A data breach “would have to cause enough of a loss, or potential loss, to a company to truly affect the bottom line, and that's what you had in Target,” said Joseph P. Monteleone, a partner at Rivkin Radler L.L.P. in Hackensack, New Jersey.
As in the suits already filed, most are expected to be shareholder derivative litigation filed on the company's behalf, rather than securities class actions brought by shareholders in response to stock drops.
Dan Bailey, a member of Bailey Cavalieri L.L.C. in Columbus, Ohio, said the plaintiff bar would prefer to file securities class actions “because those typically are going to be worth a lot more, the management exposure of the defendants is typically much greater and so the settlements in those cases are typically far greater than the derivative lawsuits.”
So far, though, stock prices apparently have not been significantly affected by the data breach disclosures.
“The securities marketplace seems to take the disclosure of a data breach in stride,” said Aon's Mr. LaCroix.
That may change, though.
The Target breach has “put companies on notice of what could happen if appropriate cyber security measures are not in place,” which increases potential future stock market reaction due to the heightened disclosure requirements, said Kimberly M. Melvin, a partner at Wiley Rein L.L.P. in Washington.
While D&O-related cyber risks are not explicitly excluded in D&O claims, D&O insurers may begin to take them into account in the future, possibly in the form of higher retentions, sublimits, or exclusions, Mr. Bailey said.
Mr. Kalinich said companies also should be sure there is continuing coverage if they have claims-made policies.
In addition, Ryan O'Hare, Chicago-based assistant vice president at Aon P.L.C., said it is important to have severability language in D&O coverage to establish that knowledge of material false statements in the insurance application by one covered individual will not be imputed to other directors or officers also covered under the policy.