It goes without saying that cybersecurity is a top D&O liability concern for organizations today. According to Willis Towers Watson’s 2018 Management Liability (Directors and Officers) U.S. Survey, respondents cited cyber risks as the most concerning D&O risk for 2019. This is not at all surprising given the many recent developments that may impact potential cyber and privacy related liability for directors and officers, some of which include:
- SEC Section 21(a) Report: Last year, in a Section 21(a) report that focused on public companies victimized by cyber-related attacks, the SEC detailed the Enforcement Division’s investigations of nine public companies that had lost millions of dollars as victims of cyber fraud. While the SEC did not announce any action against the victims of the cyberattacks, the report made clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity.
- GDPR & Other Data Regulations: The GDPR, together with other new privacy regulations, and the Network and Information Systems Directive, increase the potential exposure for both companies and their directors and officers. In fact, a number of lawsuits and regulatory investigations and actions have already been initiated against directors and officers.
- Shareholder Class Actions Related to Data Breaches: As data breaches become more prevalent, directors and officers are increasingly becoming the targets of lawsuits with respect to their responsibility for the breaches and the actions taken by organizations under their leadership after a breach has occurred.
- Failure to Insure for Privacy or Cyber Liabilities Could Potentially Lead to D&O Liability: In a UK decision last year, which is currently being appealed to the UK Supreme Court, a supermarket chain was held liable for the unauthorized disclosure of its employees’ personal data where one of the supermarket’s senior employees copied the data of nearly 100,000 employees and posted it on to a website. Employees commenced an action against the supermarket alleging primary and vicarious liability for breach of statutory duty under the Data Protection Act and at common law, for the tort of the misuse of private information and an equitable claim for breach of confidence. As discussed in our colleague’s blog post last year, the court found that the company was not primarily liable but was vicariously liable. The company appealed, arguing that the employee’s conduct occurred outside the scope of his employment, but the court found that because the employee was entrusted with payroll data, there was a sufficient connection between his employment-related tasks and the wrongful acts. In response to the supermarket’s public policy argument that vicarious liability in similar scenarios imposes a disproportionate burden on innocent employers, the court said that the solution to dealing with data breach claims against a company for “potentially ruinous amounts…is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.” Further, the court said that “[t]he fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…”
Whether and which type of insurance responds to these issues is a key question for those concerned with management liability. If a cyber event is the underlying wrongful act in a shareholder claim, your D&O policy will likely cover the claim, barring any exclusions – policies should be checked. However, you may need separate cyber insurance if you are concerned about other claims and risk, such as investigations, business losses and downtime, data recovery, customer notifications and credit monitoring, and regulatory fines and penalties. While most companies are now aware of the importance of cyber insurance, sufficient D&O coverage is important as well. Below we have outlined some things to look for in assessing whether your D&O policy provides adequate coverage for cyber and privacy related exposure:
- Review your policy for gaps. These gaps may arise from provisions directly referencing cybersecurity, such as an explicit privacy or cyber-related exclusion, or from the other exclusions and limitations that could be implicated by particular cybersecurity-related claims.
Jurisdictional exclusions could be problematic in the cyber context given the risk of liability arising from violations out of the country in which the company operates.
Additionally, you should consider the impact of a professional services exclusion, and ensure that the exclusion does not affect the ability of the D&O policy to respond where directors or officers are being held responsible for the acts of others providing professional services. This is particularly important in the cyber context, given the potential for cyber liability stemming from an employee’s error.
Finally, cyber claims may arise out of actions by government or quasi-government actors, i.e. hackers. If so, D&O insurers may argue that a war or terrorism exclusion applies unless it expressly exempts cyber-related incidents.
- D&O limits may not be adequate. This is a concern if a company chooses to forgo cyber insurance.
- Review policy for limitations in the event of insolvency. The cover provided by the D&O policy should include claims not only by third parties but also by the company, liquidators, administrators and shareholders. Many policies impose insured vs. insured exclusions, which are now typically subject to various carve-outs or exceptions – it is particularly important to ensure that coverage is available for shareholder actions and other claims brought on behalf of the company, especially in an insolvency context.
- Maximize investigation coverage. D&O policies typically provide some coverage for regulatory investigations where directors or officers are targeted or required to attend for interview in the context of an investigation of the company. However, full coverage is frequently not triggered until late in the investigation process. It is important to understand the scope of this aspect of the program when placing it and when noticing claims.
- Make sure your company’s data protection officer is a true officer under the policy. The GDPR requires that there be a data protection officer – it is important to make sure that this individual is an insured “officer” under the policy.
While we’ve discussed a handful of issues to consider when reviewing your company’s D&O coverage for cyber and privacy related exposure, this is just a starting point. We would recommend a careful review of the policy’s terms and conditions, and we are here to assist as needed.