Three “cyber”-related events in the last month have made corporate directors and officers sit up and take notice when it comes to cyber breaches and cyber coverage.
First, the Third Circuit’s decision in Federal Trade Commission v. Wyndham Worldwide Corp., holding that the FTC has authority under federal consumer protection laws to sue companies that have experienced a data breach. The implications of that decision for companies generally are summarized by my colleagues Brian Sniffen and Faye Ricci in this excellent post on our Bank Law Monitor blog.
Second, the “Yates Memo,” from U.S. Deputy Attorney General Sally Yates. The Yates Memo provides revised guidance to federal prosecutors (civil and criminal) on pursuit of individual accountability for corporate wrongdoing. The memo sets out six principles for federal enforcement, including a presumption that every investigation will focus on individual as well as corporate liability; that corporations must turn over all evidence regarding individual culpability in order to get “cooperation credit”; and that civil prosecutors must evaluate whether to pursue claims against individuals based on overall public-policy goals, and not just the individual’s ability to pay. The Yates Memo is in part a response to criticism of recent settlements that let individual officers off the hook.
Third, the derivative suit filed against directors and officers of Home Depot, arising from the massive hack that stole over 50 million customers’ payment information. The complaint alleges that Home Depot’s directors and officers knew that the company’s payment systems were vulnerable and did not take action. The most serious allegations are that officers ignored internal warnings from Home Depot’s IT executives, numerous external warnings (from the FBI, from auditors employed by Visa and MasterCard, and from Home Depot’s own security-software vendor), and warnings in the form of press coverage of breaches at other large retailers. The breach resulted in 44 civil lawsuits against Home Depot (by consumers and card-issuing banks) and several government investigations.
These developments are rightly causing directors and officers to ask tough questions about whether their companies have the right insurance in place to protect them and their companies. And what they are hearing is not always good.
First, the right insurance may not be in place to protect the company. D&O company coverage (Side C) for public companies generally will not protect a company from FTC lawsuits. Private-company Side C D&O insurance may carry exclusions for claims under consumer-protection laws, among other limitations. General liability coverage (CGL) is also unlikely to help with FTC claims (or the suits from customers and financial institutions that always follow a breach) because of common exclusions for electronic data security.
And many companies have not purchased specialized “cyber” coverage—or, if they have, the coverage has sublimits far below the actual exposure. Complicating things further are terms and conditions in many “cyber” policies that can give the insurer an “out.” As happened in this recent suit, an insurer may argue that because of “warranty” language in the policy and/or the application for coverage, a failure to take basic security steps means that it has no obligation even to defend a cyber breach suit. The Home Depot derivative complaint claims that Home Depot did not follow minimum security practices that were specified by Visa and MasterCard (the “PCI DSS” standards) and recommended by its own software vendor. So, depending on Home Depot’s policy language, even its cyber-insurance policy may not fully cover its losses.
Second, the directors and officers may not be adequately covered. D&O policies provide broad coverage for “wrongful acts,” so there is seldom a question of at least getting a defense paid for by the insurer under Side A/B coverage. But therein lies a problem. If there is a proliferation of claims against individuals relating to data security (as the Yates Memo, the Home Depot suit, and recent SEC activity suggest there may be), there will be more people, with divergent interests, seeking a defense under the same policy. That means more lawyers being hired to defend more individuals. And because D&O policies “burn limits”—meaning that defense costs erode the limits of the policy—more individual claims will mean that less will be left in the insurance “pot” at the end of the day to pay a settlement or judgment. This increases the likelihood that even with a reasonably large “tower” of primary and excess insurance, most of the insurance money may be gone by the time the money is needed most.
What to do? Directors and officers need to take an active role in making sure that data security is a high priority for the company, involve themselves in setting objectives for security, and drive to those objectives. Informed decisions made by an active and diligent board can shield individual defendants from derivative claims, as happened with the Wyndham Hotels derivative suit (which arose out of the same breaches involved in the FTC matter). They also need to ask questions about data-security coverage not only for the company, but for individuals. What coverage will come into play in the event of a collateral suit or a government investigation involving individual liability, and are the limits enough to pay to defend everyone? Are there exclusions in the D&O coverage for fines and penalties, “professional services,” or breach of privacy rights that may be problematic? Senior management, the company’s insurance brokers, and outside counsel all have a role to play in planning for a new world of increased focus on individual accountability for cyberincidents.