With data breaches affecting companies across virtually every industry, cyber security has remained front page news. Lawsuits brought by aggrieved consumers and financial institutions against companies that have suffered data breaches are not uncommon. Increasingly, companies are also being subjected to shareholder derivative suits against directors and officers alleging breach of fiduciary duty relating to a data breach. As a result, corporate boards should expect closer scrutiny of their actions regarding cybersecurity and data breaches. A proactive approach to risk management and insurance coverage may make the difference in minimizing exposure.
Recent Examples of Derivative Litigation
One recent decision from New Jersey is worth considering. The case grew out of breaches of a hotel customers’ personal and financial data. A shareholder issued a letter demanding that the hotel’s board investigate the data breaches and sue the directors and officers for the harm they caused the company because of the data breaches. When the board refused the demand, the shareholder filed a derivative suit in federal court in New Jersey.
The court dismissed the lawsuit. Applying the business judgment rule, the court found that the board had not acted in bad faith, and had arrived at its decision after a reasonable investigation. Analyzing the board’s investigation, the court found that the board took adequate steps to familiarize itself with the subject matter of the demand, and that it had ample information at its disposal. Among the facts it found persuasive, the court pointed to: (1) the board discussed cyber-attacks at fourteen meetings prior to the shareholder demand letter; (2) the general counsel gave presentations at the board’s quarterly meetings regarding the data breaches and general cybersecurity matters; (3) the board’s audit committee discussed the same issues at least sixteen times during the relevant time period; (4) the board familiarized itself with the subject matter pursuant to an FTC investigation into the company’s security practices; and (5) the board met with the audit committee to consider the plaintiff’s demand letter.
In addition to the decision discussed above, more guidance can be found in an earlier opinion dismissing a securities fraud case against Heartland Payment Systems. There, hackers attacked the company’s computer systems and stole credit card and debit card numbers. Plaintiffs alleged that the company’s CEO and CFO misrepresented in the company’s SEC filings that they placed “significant emphasis” on cybersecurity matters.
The court found that a data breach did not make the company’s statement false. Instead, the court looked to the company’s actions before and after the security incident. The court found that the company had placed significant emphasis on their cybersecurity, as evidenced by the money and manpower invested into its efforts to fix and prevent the security issues.
With data breaches showing no signs of slowing down, the attendant litigation can also be expected to continue. Following the data breach suffered by Target, a 2014 shareholder derivative action was filed against the company’s board for failing to adequately attend to its cybersecurity. The lawsuit against Target alleges that the board’s conduct caused the data breach, and challenges the board’s subsequent containment, disclosure and analysis. In addition to the derivative action, a prominent proxy adviser also called for the ouster of Target’s directors due to their perceived “failure…to ensure appropriate management of [the] risks” of Target’s December 2013 cyber-attack (reported by the Wall Street Journal).
As the available precedent confirms, perfect data security is not the standard. Instead, courts will look to verify that boards are taking steps to understand and protect against this very real threat. However, there are practical steps that companies can take, including:
- Boards should take a proactive approach to risk management oversight, and issue clear and direct communication regarding the vital importance of cybersecurity.
- Establish and enforce a structure for cybersecurity oversight, including the full board or a board committee.
- Take steps to ensure that the board maintains sufficient knowledge of cyber risk issues, including training and presentations from consultants.
- Boards should ensure that adequate resources and support are allocated to cybersecurity efforts.
- Establish and update the company’s data incident response plan and policy, documenting the steps taken to investigate and fix any perceived threats or incidents.
- A conceptual roadmap that boards may consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology in February 2014. This framework provides companies with a set of industry standards and best practices for managing their cybersecurity risks.
- As recently urged by a high-ranking Treasury official, corporate boards should also ensure the organization has appropriate insurance coverage against cyber threats. We have previously discussed cyber insurance options in more detail in an earlier post.
Insurance Coverage for Data Breaches is a Key Element of Cyber Risk Management
A diligent and proactive approach by a company’s board in responding to a data breach, however, is just one element of a strong cyber risk management program. Ensuring adequate cyber insurance is in place is another. Of course, obtaining the appropriate coverage is company specific; however, there are several important considerations worth highlighting.
Regulatory investigations or actions are common in cyber liability scenarios, but they are not always covered under “cyber policies.” Such coverage typically turns on the policy’s definition of “claim.” If, for example, a claim is defined as an action for civil damages, then regulatory actions or claims for injunctive relief may not fall within coverage. Even if the definition of “claim” encompasses investigations, regulatory authorities often do not launch a formal investigation right away, and instead begin their inquiry informally. Companies, therefore, may want to make sure that their policies cover informal requests for information and informal proceedings, as insureds typically incur significant costs long before receiving a notice of charges or formal investigative order.
A policy’s requirements concerning when the insured must notify its insurance company of a claim also takes on particular significance in the cyber risk context. Practitioners commonly advise their corporate policyholders to limit the obligation to give notice to situations where a specified individual or group of individuals – e.g. the Risk Manager, CFO, or general counsel – has knowledge of the claim. In the event of a data breach, however, knowledge of the event may be confined to front-line IT personnel who are focused on containing the problem and who have no familiarity with the company’s insurance or its notice requirements. As a result, when purchasing cyber insurance, it is important to consider whether to negotiate a notice provision that is triggered only when the company’s risk manager, CFO, CIO, or similarly appropriate individual has knowledge of the breach and claim.
Insurance Coverage for Claims Against Directors & Officers
As illustrated by the cases discussed above, data breaches not only expose the organization to liability, but also the directors and officers themselves. Considering this, directors and officers need to be cognizant of their insurance protections in the event of a claim. While there are many factors that will dictate whether a D&O policy covers such a claim, a key consideration is whether the policy contains a privacy or data breach exclusion. Such exclusions are common in many policies and may eliminate coverage for the types of claims described above. D&O policies commonly preclude coverage for claims “based on” or “arising out of” cyber violations or data breaches. Depending on the particular language of the exclusion, there may be an argument that a director or officer’s alleged liability as a result of a data breach “arises out of” the director or officer’s alleged failure to supervise, not out of the data breach itself, and, thus, the exclusion should not apply. Policyholders should carefully review their D&O policies, paying particular attention to the existence and scope of these exclusions prior to a breach, and when purchasing or renewing insurance, to ensure adequate coverage is in place.
As with any complex insurance issue, companies should seek professional advice in analyzing coverage, especially considering that the breadth of coverage and the terms of policies vary considerably from policy to policy and carrier to carrier. As data breaches continue to occur at an ever-increasing rate, boards must ensure they have the appropriate risk mitigation tools in place, including strong cyber liability safeguards and adequate insurance coverage for both the organization and the directors and officers themselves.