Potential liability for data breaches has emerged as a major concern for businesses in the past few years as massive cyber-attacks are increasing, with companies that use or store private customer data electronically or use social media as part of their marketing strategy being the prime targets. These data breaches have contributed to an increase in director and officer (D&O) litigation in connection with cyberincidents, and will continue to do so, with plaintiffs seeking to capitalize on D&O policies that do not contain cyber or data breach exclusions.
The market for D&O cyber coverage is evolving in response to these issues. However, existing policies and those covering prior policy periods do not reflect current market trends. Many D&O policies connected to the current influx of D&O litigation lack cyberliability exclusions. Thus, although both businesses and insurance companies are responding to changes in cyber liability exposure and litigation, plaintiffs continue to capitalize on the possibility of payouts for cyberliability under D&O policies.
The Increasing Threat of Cyberintrusions and Data Breach Exposure
Various agencies, departments and organizations continue to take serious steps toward electronic data protection in recognition of emerging and evolving cyberthreats. For instance, on Feb. 3, 2015, the Financial Industry Regulatory Authority (FINRA) released its Report on Cybersecurity Practices, focusing on cybersecurity issues within the financial services industry. See, News Release. Among its findings, FINRA notes that the frequency and sophistication of cyber-attacks continues to increase. See, FINRA Report. With respect to broker-dealers, FINRA advises that the industry as a whole "must make responding to these threats a high priority." Id. FINRA reports that a variety of factors are driving exposure to cybersecurity threats, including advances in technology, changes in business models, and changes in how businesses and their customers use technology to create vulnerabilities in information technology systems. The tools used to access private information are increasingly sophisticated, and insiders may also pose a substantial threat.
The Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) also released a cybersecurity examination sweep summary in February 2015, which examined 57 broker-dealers and 49 registered investment advisers concerning how they address the legal, regulatory and compliance issues associated with cybersecurity. See, OCIE Cybersecurity Summary. Notably, the OCIE Summary indicates that most of the examined firms reported that they had been the subject of a cyber-related incident. A majority also stated that they experienced cyber-attacks directly or through one or more of their vendors. Most of the cyberincidents were related to malware and fraudulent e-mails.
On Feb. 13, 2015, the White House convened a summit on cybersecurity and data protection. President Obama noted that more than 100 million Americans had personal data compromised in recent data breaches, underscoring the importance of addressing the unique and often widespread risks associated with cyberintrusions.
Cybersecurity Litigation and the Undefined Standard of Care
Due to the increasing occurrence of data breaches, cyber litigation, including related D&O lawsuits, is on the rise. The FTC, for example, has initiated cybersecurity lawsuits and investigations. See, e.g., FTC v. Wyndham Worldwide Corp., No. 13-1887 (ES), 2014 WL 2812049 (D.N.J. June 23, 2014) (FTC alleges Wyndham entities violated the FTC Act by failing to maintain reasonable and appropriate data security for consumers' sensitive personal information); FTC v. Wyndham Worldwide Corp. (Wyndham II), 10 F. Supp. 3d 601 (D.N.J. 2014). The district court's denial of Wyndham's motion to dismiss the complaint in Wyndham II is presently before the Third Circuit Court of Appeals on interlocutory review, where the court will consider the FTC's authority to address cybersecurity issues under Section 5 of the Federal Trade Commission Act, as well as Wyndham's alleged cybersecurity lapses.
The FTC's brief cites the reasonableness standard articulated by the New Jersey district court, stating that reasonableness is the "touchstone" of the analysis. Brief for the Fed. Trade Comn'n (Nov. 5, 2014). However, what constitutes "reasonableness" remains largely undefined by courts.
The FCC is also doubling down on cybersecurity. On Oct. 24, 2014, the FCC levied its first fine under the Communications Act of 1934, and ruled against two companies for failing to adequately protect consumer information. See, In the Matter of TerraCom, Inc. and YourTel America, Inc., FCC 14-173, Notice of Apparent Liability for Forfeiture (Oct. 24, 2014). The FCC imposed a fine of $10 million on the companies for failure to employ reasonable data security practices, misrepresenting to customers that appropriate technologies were used to protect their personal information, failing to properly protect customer information, and failing to fully inform customers that their personal information had been compromised by third-party access. Id.
The FCC noted that "consumers applying for telecommunications services have a reasonable expectation that the carrier will protect confidentiality" of personal information they provide in connection with a transaction. Id. at 8. It found that the companies' data security practices were "unjust and unreasonable" because they "failed to employ even the most basic and readily available technologies and security features" for protecting consumer information. Id. at 12.
Although case law and enforcement actions have yielded factual scenarios from which companies may discern particular practices that may not be appropriate, a uniform or better-defined standard of care has yet to emerge.
The Related Increase in D&O Litigation
Along with the proliferation of cyber litigation, related D&O lawsuits continue to present themselves in connection with data breaches. These lawsuits may seek to capitalize on D&O policies that lack specific cybersecurity exclusions. It remains unclear whether and to what extent traditional D&O policies would cover such claims. Standard D&O policies simply may not contemplate the new financial risks brought about by cyberliability and therefore may not adequately cover such claims. See, e.g., "Willis Warns Directors D&O Policies May Not Cover Some Cyber Risks," Insurance Journal (Aug. 6, 2012) (citing Willis Group Holdings Executive Risks Boardroom Guide). However, the steady increase in D&O lawsuits indicates that D&O plaintiffs may hope or expect to resolve those questions in favor of coverage under more traditional policies still in force. Because such policies are unlikely to contain cybersecurity exclusions, they may cover losses resulting from data breach-related derivative litigation.
The Wyndham case is one example of derivative litigation that arose in connection with a cyberattack. In Palkon v. Holmes, No. 2:14-CV-01234 (SRC), 2014 WL 5341880 (D.N.J. Oct. 20, 2014), shareholders filed a derivative lawsuit against directors and officers of Wyndham Worldwide Corp. (Wyndham). The New Jersey federal district court dismissed the D&O case with prejudice on grounds that the plaintiff shareholder failed to show that the Wyndham board's demand refusal was made in bad faith or was based on an unreasonable investigation. Under the strong presumption afforded by the business judgment rule, the court found that Wyndham's board "had a firm grasp of Plaintiff's demand when it determined that pursuing it was not in the corporation's best interest." Palkon, 2014 WL 5341880 at 6. The court noted that the company had implemented cybersecurity measures before the first breach, and those measures were followed. This finding prevented the plaintiff from showing gross negligence.
A pair of derivative suits filed Jan. 21 and Jan. 29, 2014, over Target's data breach also remain pending in the federal district court for the District of Minnesota. The first complaint alleged breach of fiduciary duty and waste of corporate assets. See, Kulla v. Steinhafel, Case No. 0:14-cv-00203 (D. Minn. Jan. 21, 2014). The second complaint alleged breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control. See, Collier v. Steinhafel, Case No. 0:14-cv-00266 (D. Minn. Jan. 29, 2014). Both complaints alleged failure to take adequate steps to prevent a security breach, and that defendants "aggravated the damage to customers by failing to provide prompt and adequate notice to customers and by releasing numerous statements meant to create a false sense of security to affected customers."
Thus, D&O lawsuits have been cropping up in connection with major cyber litigation, and the frequency and severity of these lawsuits can be expected to grow. See, e.g., D&O Claims & Trends Q2 2013, Advisen Insurance Intelligence (July 2013) (expectations are that the frequency and severity of D&O suits will grow due to increased regulatory scrutiny); see also, "Cyber Liability — the Changing D&O Risks," WGA insureblog (Oct. 10, 2014) ("The rise of cyberliability is threatening to cause one of the D&O insurance industry's periodic spasms.").
Mitigating Exposure to D&O Litigation
Existing case law does not clearly explain what constitutes "reasonable" precautions taken by a business. In Wyndham, the court offers some suggestions that guide compliance, noting that the FTC's public complaints and consent agreements, as well as its public statements and business guidance brochure, see, FTC, "Protecting Personal Information: A Guide for Business" (November 2011), indicate reasonable measures to be taken with respect to cybersecurity. It further suggests that industry practices may guide the reasonableness inquiry. See, Wyndham, 10 F. Supp. 3d at 620. Various other regulatory agencies and organizations also offer guidance on protecting private information, including the SEC, FINRA, the National Association of Chief Information Officers (NASCIO), the U.S. Department of Homeland Security (DHS), and the Department of Justice (DOJ). See, "Mitigating the Threat of Cybersecurity Litigation in an Ambiguous Regulatory Environment," 57 No. 2 DRI For Def. 48 (Feb. 2015).
Development of industry standards would address some of these concerns. The February 2015 FINRA Report notes that an effective practice for firms would be to evaluate industry frameworks and standards as reference points for developing their approach to cybersecurity.
The FINRA Report suggests a number of frameworks and standards that businesses may draw upon as a starting point, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 created pursuant to Executive Order 13549 of Aug. 18, 2010, among others. See, NIST Framework (Feb. 12, 2014). The NIST Framework specifically calls for businesses and organizations to establish a roadmap for reducing cybersecurity risk that considers legal and regulatory requirements, industry standards and best practices, and reflects risk management priorities. The related NIST Roadmap for Improving Critical Infrastructure Cybersecurity echoes that "industry groups, associations, and non-profits can be key vehicles for strengthening awareness of the Framework."
Cyberinsurance
Another important step in mitigating cyberliability, and in particular, D&O liability, is to ensure adequate cyberinsurance coverage. Insurers are well aware of the increasing risk of cyberliability for businesses. See, e.g., Increased D&O Diligence Required, The Hartford; "Cyber D&O Claims May Be On the Rise," Zurich Insider (Jan. 2015). Some have suggested that, rather than excluding cyber events, D&O insurers may ask more questions of boards to determine their role and duties with respect to cyberrisk management. See, "Why Cyber Risk as a Boardroom Issue Can't be Ignored," WS&Co. However, it is becoming increasingly difficult for businesses and insurers to keep up with the many facets of cyberliability exposure. See, supra, "Cyber Liability — the Changing D&O Risks" (Oct. 10, 2014).
Conclusion
Cybersecurity risks are largely unknown and in constant flux. In addition to negotiating D&O policies that do not specifically exclude cyberliability, it is equally important to obtain an adequate scope of coverage. Coverage should address a broad range of cyberrisks, such as third party or vendor exposures, regulatory liability, cybercrime, and other foreseeable costs to the business resulting from a cyber incident. To the extent possible, policies should also include language broad enough to cover some risk of exposure to undefined cyberthreats. It is imperative that businesses and their advisers stay on top of evolving cyberrisks to ensure that adequate coverage remains in place.
James D. Gassenheimer is a partner and Lara O'Donnell is an associate on Berger Singerman's dispute resolution team in Miami.
Office of Personnel Management in Washington, D.C. Credit: Another Believer via Wikimedia Commons
Federal judges and judiciary employees were among the millions of federal employees whose personal information was compromised in a data breach.
Judges and judicial branch officials told the NLJ this week that they and many of their colleagues received alerts in recent weeks that their information was potentially stolen in a breach of 4.2 million federal employees’ personnel records announced last month by the Office of Personnel Management (OPM).
The federal judiciary has been in crisis mode, according to David Sellers, a spokesman for the Administrative Office of the U.S. Courts. Officials are meeting weekly at a minimum, the judiciary set up an internal website for employees with relevant information, and the Administrative Office has sent out seven branchwide memos with updates to date, according to Sellers.
“Anything that compromises personal information and consequently threatens safety and security is a great concern,” Sellers said. “We treated this at the [Administrative Office] the same way we would treat a disaster, like if a hurricane hit a court.”
On Thursday, OPM announced a second data breach affecting 21.5 million people, including 19.7 million individuals who applied for background investigations through the agency. An estimated 3.6 million federal employees affected by the personnel records breach announced in June were also affected by the background investigations records breach, according to OPM. It was not immediately clear if judges and other judiciary employees fell into that group.
Judicial security, including financial security, is a sensitive issue for courts, which routinely contend with threats against judges. Congress over the years adopted special protections to keep judges’ personal information out of the public realm, such as permitting judges to redact certain information about their finances in public financial disclosure reports.
Karen Milton, circuit executive for the U.S. Court of Appeals for the Second Circuit, said judges had been urged to alert the U.S. Marshals Service, which oversees judicial security, if their information was compromised in the OPM data breaches. A spokeswoman for the Marshals Service referred questions about its response to the data breaches to OPM.
“Of our judges who I know who have been notified, they are concerned about this,” Milton said. She added that some employees, including herself, did not receive an initial notice from OPM and only learned that they may have been affected by the breach after calling the company chosen by OPM to provide identity-theft and credit-monitoring services.
A spokeswoman for the U.S. Supreme Court declined to say whether any of the justices received a letter from OPM.
Chief Judge Laurie Smith Camp of the U.S. District Court for Nebraska said she received a letter from OPM that her information was compromised. She said she was at meetings this week with court personnel, and “all the hands went up when I asked how many had received letters” from OPM.
The Administrative Office of the U.S. Courts is concerned about the services offered by OPM to employees affected by the personnel records breach, according to a memo that Administrative Office Director James Duff sent to judges and judiciary officials on July 7.
“The credit-monitoring services are available for only 18 months and none of the services cover family members,” Duff wrote. “Both the scope and duration of the services concern us, as well as many of our judges and employees.”
A spokesman for OPM said the agency was reviewing the judiciary’s feedback.
If judges or judiciary employees fall into the group of individuals whose information was compromised in the background investigations breach, they’ll be eligible for more robust credit monitoring and identity-theft protection. Those services will be offered for at least three years, according to OPM.
OPM said it will notify individuals affected by the background investigations breach in the coming weeks.
Chief Judge Richard Roberts of the U.S. District Court for the District of Columbia said judges and employees in his courthouse received letters from OPM that their information may have been compromised in the personnel records breach. He declined to say if he received such a letter, citing security concerns.
'Very unsettling'
The scope of the breach was “very unsettling,” Roberts said. As for whether OPM had done enough to protect federal employees whose information may have been stolen, he said it was too early to tell.
Duff has said that strengthening the judiciary’s cybersecurity protections is a priority for the Administrative Office. One downside to the judiciary giving circuits control over local affairs was that cybersecurity efforts were decentralized, Duff said, speaking in late June at a meeting of D.C. judges and court officials. The judiciary was looking into more uniform defense systems, he said, but added that it would also take a “culture change” among the judges and employees to be aware of how they protect their information online.
Judges historically have had a reputation for being tech-unsavvy. Roberts acknowledged that many judges may spend too little time thinking about their vulnerability online. “It’s a new issue for us,” he said.
Chief Judge Fred Biery of the U.S. District Court for the Western District of Texas said he doesn’t own a personal computer, and only uses his work computer when necessary. He received a letter from OPM about the data breach and signed up for the credit monitoring and identity-theft services. He said his presence on the web was limited, however.
“I use voice recognition software: It’s my voice and my clerks recognize it,” Biery said. “I can’t get hacked on a personal computer if I don’t have one.”
As many as 21 million federal workers, applicants and their family members were affected by two separate data breaches that hit the Office of Personnel Management last year.
The Obama administration said today that hackers stole Social Security Numbers from more than 21 million people and took other sensitive information when government computer systems were compromised.
On July 9, OPM announced that more than 19 million who had applied for background investigations were affected. Government officials also said nearly 2 million people were also affected who weren’t applicants, but rather spouses or other family members.
The inter-agency forensic investigation, which commenced last month, identified two separate but related cybersecurity incidents on its systems. The first incident, announced in June by the OPM—the agency that oversees staffing and security clearance for federal agencies—revealed that hackers gained access to OPM databases in December 2014 and may have compromised the personal identifiable information of as many as 4 million individuals.
“OPM discovered an incident affecting background investigation records of current, former, and prospective federal employees and contractors,” according to the July 9 OPM announcement. “Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers (SSNs); residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”
The team concluded “with high confidence” that sensitive information, including the SSNs of 21.5 million individuals, was stolen from the background investigation databases. That figure includes 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
According to OPM, some records also include findings from interviews conducted by background investigators, and approximately 1.1 million include fingerprints. Those impacted include those who underwent a background investigation through OPM in 2000 or afterwards.
“It is highly likely that the individual is impacted by this cyberbreach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely,” OPM officials said.
This data breach began in May 2014, according to OPM Director Katherine Archuleta’s recent testimony before Congress. It was not discovered until May 2015. Government officials said there is no information that points to any misuse of the stolen data.
“There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems,” according to the OPM announcement.
For the 21.5 million background investigation applicants, spouses or co-habitants with SSNs and other sensitive information that was stolen from OPM databases, OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide credit-monitoring services. In addition, OPM launched a new, online incident resource center today.
Earlier this week, Homeland Security Secretary Jeh Charles Johnson said in a speech that he believed all civilian federal agencies will be using EINSTEIN 3A (E3A)—a cybersecurity platform—by the end of this year.
“To be frank, our federal cybersecurity is not where it needs to be,” Johnson said in the speech. “But we have taken, and are taking, accelerated and aggressive action to get there.”