To date, data breach plaintiffs have struggled to find a way to access insurance monies in D&O policies. Shareholder derivative suits have been unsuccessful, though that certainly has not stopped the plaintiffs’ bar from trying (see, for example, the suits against Home Depot, Target, Wyndham Worldwide, Wendy’s, and more).

Recently, plaintiffs have pivoted to securities suits as a new way to potentially trigger the deeper pockets associated with D&O policies:

  • In January, Yahoo was sued for securities violations associated with its alleged concealment of information about the data breaches that exposed information about nearly 1.5 billion users. (In November, the parties reported to the Court that they had made “substantial progress” toward settlement.)
  • In September, plaintiffs sued Equifax alleging materially false or misleading statements, and failure to disclose inadequate data security monitoring and protection systems associated with its massive breach.
  • This month, PayPal was sued for similar alleged misconduct associated with its acquisition of bill-pay management company TIO Networks Corporation. Soon after the acquisition, PayPal discovered security vulnerabilities in TIO’s platform that potentially compromised the data of 1.6 million customers.
  • And, also this month, plaintiffs sued Qudian, a Chinese online microlender. The securities suit alleges, in part, that Qudian’s data system and security procedures did not adequately protect sensitive borrower data affecting potentially more than one million students. Following publicity of the data breach (and a Chinese crackdown on high-interest payday loans), Qudian’s trading value dropped to 45% below its IPO price (after having been one of the largest IPOs of the year just a few months earlier).

Insurers are no doubt monitoring this growing trend of litigation, so insureds should pay close attention to cyber-related exclusions in their D&O insurance policies. This is particularly important as those policies come due for renewal, as insurers may attempt to adjust their wording or add endorsements that are specifically tailored to avoid coverage for cyber-breach securities claims.