Even as the dust begins to settle on the massive Target and Home Depot data breach revelations, those companies continue to face extraordinary expenses in responding to the breach events. The high costs to deal with these breach events, including the costs to notify consumers, to identify the source of the breach, to pay for credit monitoring, among many other costs, have been widely publicized. Consumer class action lawsuits following notification of these breach events are now common and the affected companies have come to expect that these lawsuits will follow notification. Moreover, lawsuits filed by financial institutions and credit card companies seeking to recover costs incurred to rectify their customers’ compromised financial information have added to the mix, and at least for now, have been able to survive the motion to dismiss stage.1
Amidst these increasing costs, shareholders of these companies have begun to question the affected companies’ leadership efforts to prevent, to mitigate, and to respond to such breach events. Recent history suggests that derivative and shareholder actions over inadequate data security measures are likely to become a more common occurrence in the current cybersecurity landscape. In addition to these shareholder actions, regulatory enforcement actions are on the rise, as the Federal Trade Commission and more recently, the Federal Communications Commission, have been undertaking aggressive enforcement of data security. These actions by shareholders and regulatory agencies raise the issue of what steps companies and their boards should take to protect against the ever-increasing exposure to litigation costs arising out of corporate governance of cyber risk. How much of a threat are they facing? And will Directors’ and Officers’ (“D&O”) insurance help provide coverage for such risks?
Shareholder Actions On the Rise
Following the playbook of recent high profile data breach events, companies affected by a massive data breach have come to expect the litany of class actions filed by consumers alleging privacy violations and unwarranted disclosure of their personal identification information. In addition to these consumer actions, shareholder derivative actions are now adding a new front with which companies will need to battle. The latest blockbuster data breach events have spurred criticism of corporate officers and directors over their companywide policies on data security and alleged lax efforts to prevent breaches before they occur. One of the many lawsuits filed against Target, following its announcement that over 100 million customers’ credit and debit card information may have been compromised, accused the company of breaching its duty to implement procedures to detect and to prevent the loss or unauthorized dissemination of consumers’ private information, along with violating its duty to timely disclose the breach.2 Eventually, Target’s directors and officers were hit with derivative lawsuits, alleging breaches of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control.3 Target is not alone. In 2008, cybercriminals hacked into Heartland Payment Systems’ network and recorded card data of as many as 100 million credit and debits cards. Heartland soon faced class actions and various regulatory inquiries over the breach. Notably, Heartland was named in a shareholder suit alleging that Heartland’s executives misrepresented the state of the company’s computer network security and failed to disclose prior security incidents.4 Moreover, Wyndham Worldwide Corporation, after suffering several data breaches in which hackers obtained personal data of over 600,000 customers, faced a similar challenge by its shareholders. Specifically, Wyndham shareholder Dennis Palkon filed a derivative lawsuit alleging that Wyndham failed to implement adequate cyber security measures, and demanded that the company bring a suit against the responsible executives. Although the District of New Jersey granted the board members’ motion to dismiss the case—relying on the business judgment rule and the fact that the Wyndham Board took reasonable steps to investigate and to consider the measures proposed by Palkon5—company boards that fail to conduct such an investigation may not fare as well.
More recently, Home Depot suffered a similarly monumental data breach. There, hackers apparently broke into Home Depot’s payment-card processing systems and stole as many as 40 million payment cards. Home Depot recently announced that, as of November 2014, it already was facing at least 44 lawsuits relating to the breach, as well as investigations by several state’s attorneys general.6 Judging by recent history in the above cases, litigation costs for companies affected by large scale data breach events will continue to increase, as the plaintiffs’ bar has added shareholder lawsuits as part of its collective response following breach notifications.
The Regulators Step In
In addition to shareholder lawsuits, enforcement actions by federal agencies have also added to the costs of cyber incidents. The Federal Trade Commission has been leading the pack, and in its latest actions against Bayview Solutions LLC and Cornerstone and Company LLC, the FTC has emphasized the importance of establishing security practices to detect potential breaches before they occur.7 The FTC alleged that Bayview and Cornerstone exposed consumers’ personal information on interactive online marketplaces used for exchanging information about debt portfolios, all without any encryption, redaction, or other measures to protect the security of those data. The FTC concluded that the failure to undertake adequate security measures constitutes an unfair or deceptive act or practice in violation of the FTC Act. With these and other enforcement actions, the FTC has clarified that companies that hold vast amounts of personal data should be incorporating data security measures as part of their regular corporate management, and should be preemptively creating breach response policies before breaches occur.8
More recently, the Federal Communications Commission has joined the enforcement barrage by including enforcement of data security measures as part of its jurisdiction over telecommunication carriers. The FCC recently fined carriers TerraCom, Inc. and YourTel America, Inc. $10 million for their deficient protections of the privacy of phone customers’ personal information.9 TerraCom and YourTel allegedly stored Social Security numbers, names, addresses, drivers’ licenses, and other personal identification information belonging to their customers on unprotected Internet servers that could be accessed through a simple Google search.10 Following the FTC’s lead, the FCC found that a telecommunications carrier’s failure to maintain appropriate security measures in violation of the FTC Act likewise constitutes an unjust and unreasonable act under Section 201(b) of the Communications Act.11 This forfeiture decision marks the beginning of the FCC’s rigid enforcement of data security in the communications industry, and the FCC itself stated that “the Commission is committed to aggressive enforcement of unlawful practices related to cyber security and data protection.”12
Even the Department of Health and Human Services has stepped into the data security fray. Relying on its enforcement authority provided under the Health Insurance Portability and Accountability Act or “HIPAA,” the DHHS recently reached a $4.8 million settlement with Columbia University and New York Presbyterian Hospital after a breach of electronic patient information became available via Google searches.13 The DHHS pointed out that the hospitals failed to conduct an adequate risk analysis of their patient data security practices prior to the breach, and even failed to comply with their own policies on patient data access management.
Corporate Governance of Cyber Risk
The common theme among all of these shareholder grievances and regulatory enforcement actions is an alleged failure to satisfy the standard of care in preventing and mitigating cyber risks before such breach incidents occur. In fact, recent regulatory initiatives confirm that comprehensive data security policies are increasingly becoming a standard part of corporate governance. The Securities and Exchange Commission, for instance, requires corporations registered with the SEC to disclose to investors information that a reasonable investor would consider important to an investment decision.14 The SEC takes the position that cyber risks may constitute “material information” that must be disclosed to investors. This may include a “[d]escription of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences.”
Similarly, the National Institute of Standards and Technology (NIST) has echoed the importance of transparency of cyber security practices as a critical component of corporate governance. On February 12, 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity.15 The Framework recommends the creation of a “Current Profile” that organizations can use to describe its existing cybersecurity state, including current practices that pose risks.16 That profile may be used to communicate cyber risks among all stakeholders who help to deliver essential services that support the enterprise.17 Even though the NIST Framework is not binding law, many consider it to be the closest to a “standard of care” for data security, as well as a benchmark for future legislation.
Indeed, on November 17, 2014, NIST released its “Guide to Cyber Threat Information Sharing,” in which it proposes creating sharing networks among ICT companies for sharing information about cyber attacks and breaches.18 The intent is to generate an aggregation and analysis of information from internal and external sources in order to better detect data security threats before breaches occur. This initiative demonstrates the ongoing efforts to develop a more concrete “standard of care” for data security that companies will be expected to follow.
What does all this mean for companies that hold sensitive, personal data? Cyber risk is a critical component of corporate governance and poses potential liability risks for corporate boards. The costs to companies in the wake of a breach event will only increase as such affected companies will have to deal with remediation costs, increased cybersecurity protection costs, lost revenues, litigation costs, and reputational damages. Moreover, as regulatory corporate standards become more solidified, companies can add derivative action and enforcement defense costs to the mix.
In addition to considering new cyber insurance products in the marketplace, affected companies should look to D&O insurance coverage to help mitigate and offset some of the costs to defend against shareholder lawsuits and governmental enforcement actions.
Coverage for Cyber Risk—Understanding the Standard of Care
Given that most D&O insurance policies covering “wrongful acts” define this term broadly, alleged “acts, errors or omissions” by corporate boards will likely encompass cyber related claims absent any express exclusion for such liability. Although data breach exclusions are now becoming more common in traditional general liability policies, D&O insurance policies typically do not contain such exclusionary language and should provide some relief for losses arising from cyber liability risks.
Generally, D&O policies provide coverage for any neglect or breach of duty by directors and officers while acting in their capacities as fiduciaries to the corporation. Directors and officers generally owe three duties to a corporation: (1) a duty of care; (2) a duty of loyalty; and (3) a duty of obedience. The requisite duty of care is the amount of care which ordinarily careful and prudent people would use in similar circumstances, considering all material information reasonably available in making business decisions.19 Industry practices and standards may be used by a Court to determine if a duty of care has been breached.20 That duty of care can be breached by a director’s act or failure to act, or from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.21
Cyber risk is not an abstract concern—it is real and should already be on the minds of directors and officers. The Target data breach exemplifies how the duty of care comes into play in the online context, and confirms the importance of maintaining company-wide policies on cyber risks as part of a wider corporate governance strategy. Not only was the delay in notifying consumers an impetus for many class action claims, the nondisclosure of security risks fueled ire among shareholders. Shareholders lamented that Target “significantly downplayed its true significance” and “withheld the truth about the breach, put millions more customers at risk and had the effect of significantly increasing the damage to Target’s goodwill and brand trust.”22 D&O policices should respond to cyber-related claims based on these allegations of securities fraud, breach of fiduciary duty and alternative theories of liability.
Coverage for regulatory enforcement actions pose potential additional challenges. Because most D&O policies exclude fines and penalties, carriers typically argue that governmental actions, which seek imposition of fines from the targeted company, are outside the purview of coverage. Nonetheless, where regulators allege that a data breach occurred because cybersecurity measures taken by corporate leadership fell below the standard of care, some D&O and professional liability policies providing broad coverage for “wrongful acts” may be triggered. Indeed, in the Bayview and Cornerstone enforcement actions, the FTC pointed to specific acts taken by high-level officers that undermined the security of customer data. Carriers and policyholders have litigated coverage for regulatory enforcement actions well before the recent wave of cyber-related investigations and there is nothing unique about the cyber risk arena that would suggest that these new enforcement actions are more or less likely to be covered under typical D&O policies.
Insurance policies can mitigate the growing consequences of cyber risk. Specialized “cyberinsurance” policies are still evolving, and by their terms may eventually help shape standards of cyber governance, but their development has been slowed by the general lack of understanding of cyber threats. In this dynamic market, it is vital for companies to involve insurance coverage counsel and experienced insurance brokers in the insurance buying process. Counsel can assist the policyholders in evaluating the unique cyber-risk profile to match coverage offered under the different cyberinsurance products in the marketplace as well as to evaluate whether existing lines of coverage, including D&O policies, may be sufficient to cover such risks. In addition to helping policyholders avoid any gaps in coverage and exposure risks, these professionals could also assist companies avoid the potential overlap of coverage issues.