I am pleased to publish below an article by my good friend Richard J. Bortnick (pictured left) concerning the directors’ and officers’ liability issues related to cyber security and data breaches. Rick is a Member of the Cozen O’Connor law firm and he is also the co-author of the CyberInquirer blog. This article first appeared as a chapter in the July 2012 publication Willis' Executive Risks - A Boardroom Guide 2012/2013. I would like to thank Rick for his willingness to publish the article here.
I welcome guest posts from responsible commentators on topics of interest to this blog. Any readers who are interested in publishing a guest post on this site are encourage to contact me directly. Here is Rick's guest post:
Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktavists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.
Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.
The risks and costs of a data breach
It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktavists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.
Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, Zurich American, which is seeking to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.
The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches.
Of course, big corporations are not the only entities that are vulnerable to hackers and hactavisits; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.
NetDiligence, a US company that specialises in assessing cyber risks and data breaches, released a study in June 2011 summarising its survey of data-breach insurance claims made between 2005 and 2010 in a variety of industries in the US (see the panels on the next three pages). Based on the claims payout data submitted for the study, the average cost for a data breach was US$2.4 million. Topping the list of the most frequently breached sectors were healthcare and financial services.
Moreover, the study found that 95 per cent of the breaches were caused by one of three things: hackers, rogue employees and loss/theft of equipment. For the most part, the information stolen consisted of personal identification information (PII) — name, address, email address, telephone number, social security number and credit card information — or personal health information (PHI).
Similarly troubling, in 2011 nearly 23 million confidential records were exposed in the US as a result of over 419 reported security breaches, according to the non-profit Identity Theft Resource Center (ITRC).
These numbers are likely to hold steady; at the start of April 2012, the ITRC reported 105 breaches and roughly 4.5 million exposed records in the first three months of the year. In turn, the Ponemon Institute, a data-security research firm, reported that the average cost of a breach to US organisations in 2011 was US$5.5 million, and that the cost per compromised data record stood at $194. These substantial numbers include the attendant costs of retaining forensic experts, attorneys’ fees, customer-notification expenses, fraud monitoring, public relations support, business interruption, loss of customer goodwill, and third-party liability claims.
Many breaches result in reputational damage, leading to diminished future cash flows. While loss of goodwill is notoriously hard to quantify, its financial impact can be both long-term and substantial.
Cyber security regulations and compliance
On October 13, 2011, in response to the “increasing dependence on digital technologies” and associated risks, the Division of Corporation Finance (DCF) of the US Securities and Exchange Commission (SEC) issued a ‘Disclosure Guidance’ that presents, for the first time, disclosure recommendations relating to cyber-security risks. It is worth noting the DCF’s own observation in the guidance that it “is not a rule, regulation, or statement of the Securities and Exchange Commission”. The DCF also emphasises that many of its ‘recommendations’ may already be encompassed within corporate disclosure obligations found elsewhere in various SEC regulations.
While the Disclosure Guidance is designed to be ‘advisory’, its practical implications establish the ‘recommendations’ as best practices and in essence render compliance essential, if not mandatory. To put it another way: non-compliance would be ill-advised.
At the same time, the DCF counsels that “material information regarding cyber-security risks and cyber incidents” may need to be disclosed “in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” It cites Basic Inc v Levinson (1988) for the proposition that “information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”
Although the Disclosure Guidance is only directed at public companies under the SEC’s jurisdiction, it can be expected to have far-reaching implications for non-public companies and even individuals doing business with public companies.
What does the disclosure guidance say?
It makes most sense to begin with what the Disclosure Guidance is not. The DCF makes it clear that it is not advising companies to make detailed disclosures of highly technical elements of their cyber-security programme or even the details of an actual cyber attack. Indeed, it is aware that “detailed disclosures could compromise cyber-security efforts — for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security — and we emphasize that disclosures of that nature are not required under the federal securities laws”. On the other hand, the DCF advises that companies should avoid offering “generic risk factor disclosure.”
It also highlights the point that existing disclosure obligations may warrant discussion of such risks — in many cases rendering cyber-security disclosures mandatory. For instance, Regulation S-K and Form 20-F of the Securities Act of 1933 require public companies to disclose “risk factors” that would be relevant to a prospective investor. Accordingly, the Disclosure Guidance counsels that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”
The DCF further suggests that companies, in determining whether risk disclosure is required, should evaluate their cyber-security risks, taking account of previous incidents, the likelihood of future occurrences, the magnitude of those risks and the adequacy of preventive measures. Depending on the circumstances of individual companies, the DCF says that appropriate disclosures may include:
• discussion of aspects of the company’s business or operations that give rise to material cyber-security risks and the potential costs and consequences
• description of outsourced functions that have material cyber-security risks, and how the company is addressing those risks
• description of cyber incidents experienced by the company that are individually or in the aggregate material, including the costs and other consequences
• risks related to cyber incidents that may remain undetected for an extended period
• description of relevant insurance coverage.
Beyond all of this, the DCF recommends the following (potentially required) disclosures that could implicate cyber issues.
Discussion and analysis of financial condition
The DCF recommends: “Registrants should address cyber-security risks and cyber incidents … if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect … For example, if material intellectual property is stolen in a cyber attack … the registrant should describe the property that was stolen and the effect of the attack on its … operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cyber-security protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material.”
Description of business
“If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure … In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.”
“If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation …”
Financial statement disclosures
Noting that “cyber-security risks and cyber incidents may have a broad impact on a registrant’s financial statements”, the DCF sets out some of the costs and losses that may need to be disclosed in statements, depending on the nature and severity of the potential or actual incident:
• the possibly substantial costs incurred in preventing cyber attacks
• any incentives provided to customers to mitigate damages from a cyber incident and maintain the business relationship
• losses, in the wake of cyber attacks, from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts
• potentially diminished future cash flows, therefore requiring consideration of impairment of certain assets including goodwill, intangible assets, trademarks and patents.
Disclosure controls and procedures
The DCF further notes that: “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission [SEC] filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.”
In short, directors and officers must be attuned to the regulations to protect themselves against the impact of cyber risks and costs in the larger context of their company’s disclosure obligations to investors. Or, to put it another way, those who ignore the Disclosure Guidance do so at the risk of an action by the SEC or by shareholders if a cyber incident occurs.
Given the increased prevalence and effectiveness of cyber attacks and breaches, and in light of the Disclosure Guidance, it would be difficult to justify why proper protective measures — including sufficient cyber insurance — were not put in place, and why the risks were not disclosed to the investing public.
A ‘not so hypothetical’ hypothetical
Consider the following case and contemplate whether the court may have reached a different result in light of the Disclosure Guidance. Heartland Payment Systems stores millions of credit and debit card numbers on an internal computer network to facilitate payment processing. In December 2007, hackers launched a Structured Query Language (SQL) attack on Heartland’s payroll management system. To its credit, Heartland was able to repel the attack before any personally identifiable information was stolen.
Regrettably, however, the company failed to detect malicious software (malware) that had been placed on the network by way of the SQL attack. This malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers.
Heartland did not discover the malware until January 2009, at which time it notified government authorities and publicly disclosed the event.
Over the course of the following month, Heartland’s stock price plunged in value. Shareholder class actions alleging securities fraud and material non-disclosures followed.
In their complaint, the plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. For example, the plaintiffs alleged the following material misrepresentations:
• At numerous times, defendants concealed the SQL attack in statements made during earnings conference calls and in 10-K (annual) reports
• Defendants misrepresented the general state of Heartland’s data security because they were aware that Heartland’s network had been breached and yet they had not fully remedied the problem
• Notwithstanding its knowledge of the SQL attack, the company failed to disclose that its information systems were extremely vulnerable (rather, it had stated that it took computer security very seriously).
The plaintiffs claimed that Heartland and its directors and officers had violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 by failing to disclose material information related to a lack of security and known breaches of its information systems. As a result of the company’s material misrepresentations related to the security breach, the plaintiffs alleged, Heartland’s common stock lost around 80 per cent of its value.
As is common in security class action lawsuits, the Heartland defendants moved to dismiss the shareholders’ complaint on the basis that it failed to state a claim upon which relief could be granted, because it did not allege the existence of a material mis-statement or omission. In ruling on that motion (see In re Heartland Payment Systems Inc, 2009), the US District Court for the District of New Jersey found that the existence of unresolved network security issues did not, in itself, suggest that the company did not value data security or that it did not maintain a high level of security. The court further found that while knowledge of the 2007 SQL attack may have been material to the plaintiffs’ investment decisions, securities issuers have no general duty to disclose every material fact to investors.
In addition, the court found that the plaintiffs’ complaint failed to sufficiently plead the necessary elements of scienter, or knowledge of wrongdoing, as it did not allege that defendants knew or had reason to suspect that Heartland’s security systems were so deficient that it was false to say the company placed significant emphasis on maintaining a high level of security. Accordingly, the court granted the defendants’ motion to dismiss.
Now, consider the language of the Disclosure Guidance in addressing the following, potentially required ‘risk factor’ disclosures: “A registrant may need to disclose known or threatened cyber incidents to place the discussion of cyber-security risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”
In light of the express reference to ‘malware’, Heartland may have found it more difficult to argue that its failure to detect the malware embedded in its systems was reasonable and that its failure to disclose the extent of other potentially significant risks associated with a known cyber attack adequately satisfied the recommendations in the Disclosure Guidance. At a minimum, the fate of the defendants at the motion-to-dismiss stage may have been different, as the shareholder plaintiffs’ counsel would have been able to cite the company’s failure to abide by the Disclosure Guidance as being allegedly reckless and actionable.
Additional theories of liability against officers and directors, and actions against non-public companies Securities Act violations, as alleged by the Heartland plaintiffs, are by far the most likely to be brought by shareholders alleging cyber-related material non-disclosures. However, plaintiffs who choose not to seek federal class-action status are free to assert claims based on state law theories of fraud, breach of fiduciary duty or negligence. Therefore, directors and officers should be aware that, in addition to Securities Act violations, state law remedies could support other types of action especially against non-public or closely held companies faced with cyber/privacy liabilities. The DCF Disclosure Guidance further highlights that directors and officers continue to face exposure from the possibility of derivative suits.
The Disclosure Guidance: practical implications for non-public companies
Yes, the Disclosure Guidance only applies to public companies; but that doesn’t mean the recommended best practices do not affect private companies.
A prudent public company subject to SEC reporting requirements will require its business partners, suppliers, vendors and others to provide it with parallel disclosures in order to avoid direct (or even vicarious) liability to those with whom it is in privity for those companies’ failings. Privately held entities also have business relationships with public corporations and so may find themselves required to perform the analyses and assessments suggested by the Disclosure Guidance, albeit indirectly, simply to maintain their competitive footing in the market. To illustrate, if you were a business client and your prospective public company associate provided you with all of its cyber-related disclosures, would you not insist upon similar disclosures from potential private company partners — irrespective of whether the Guidance applies to them?
As a private company submitting a business proposal to a prospective client who asks for such information, would you refuse? Of course not. The only practical solution is to evaluate your own cyber risks and exposures — and be in a position to address them.
Why technology and cyber insurance has become a necessity
A typical CGL insurance policy defines ‘property damage’ as “physical injury to tangible property, including all resulting loss of use of that property”. Regrettably, many policyholders and brokers incorrectly assume that CGL policies extend to losses involving intangible property such as electronic data. This misconception is partially based on the intuition of policyholders and brokers that traditional policy forms should adapt to protect against evolving risks. While this belief may be understandable, it is not correct.
Beginning in 2001 (in other words, during the early emergence of electronic commerce), certain CGL policy forms added language that specifically excluded electronic data from their definitions of ‘property damage’. Additionally, professional liability policies often do not include coverage for the results of a cyber intrusion, and often contain exclusions when criminal acts are the cause of the loss.
Even though a majority of cyber incidents may not be covered by traditional insurance products, 65 per cent of company respondents in a Carnegie Mellon University study indicated that their boards are not reviewing insurance coverage for cyber-related risks, notwithstanding that 86 per cent of respondents agreed that cyber and information-security risks pose at least a moderate danger to their organisation.
The study, published in March 2012, further found that boards and senior management are not engaging in key oversight activities such as setting policies and budgets to help protect against breaches and mitigate financial losses. Thus, although many corporate executives may appreciate the risks posed by cyber breaches, most do not follow up by taking steps to ensure that their companies purchase technology and cyber liability insurance.
Technology insurance is analogous to traditional ‘tangible property’ insurance. It typically covers first-party loss such as business-interruption expense as well as the costs of a forensic expert, who would be retained to identify the cause of the technology breach, and other necessary expert consultants. In turn, cyber liability insurance provides third-party coverage that is designed to protect a company from legal claims brought by those whose personal information has been compromised.
Technology and cyber insurance can take many forms, with some insurers adding endorsements to a standard CGL policy that extend the coverage to technology and cyber risks. For example, Insurance Service Office (ISO) endorsements provide first-party coverage for loss of electronic data resulting from physical damage to tangible property. That, however, means companies may not be adequately protected against substantial risks if there is a different cause for the loss. Additionally, endorsements do not cover the crisis-management costs of lawyers, forensic experts, breach-notification letters etc.
Standalone technology and cyber insurance products are far more comprehensive and, typically, cost-effective. Although they may be marketed under various names, they generally cover similar risks and exposures. Covered losses in the first-party context include ‘data-breach expenses’, ‘cyber extortion’, ‘digital asset loss’ and ‘business-interruption loss’. However, as suggested by its name, first-party cyber insurance does not cover claims brought by third parties. Additionally, few products cover the expenses incurred to correct system problems and prevent future data breaches.
In turn, third-party cyber insurance often fills in these gaps and may be referred to as ‘privacy liability insurance’, ‘network security liability insurance’ or ‘internet media liability insurance’. Despite the differing labels, each provides similar cover for third-party liability after a data breach, namely: ‘crisis-management expenses’, including notification costs, fraud monitoring, forensic investigations, public relations consultants and the costs of pursuing third parties responsible for the breach, ‘liability expenses’, including the costs of defending and settling lawsuits, and ‘regulatory expenses’, including the cost of compliance with SEC regulations.
Regardless of what form of insurance is purchased, companies and their insurance professionals must ensure that their policies are tailored to their own unique needs.
Why directors and officers’ insurance should supplement cyber insurance
In addition to purchasing tech/cyber insurance covering first-party and third-party exposure, both public and private companies should ensure that their D&O liability policies respond to cyber-related claims based on allegations of securities fraud, breach of fiduciary duty and alternative theories of liability.
In the event of a data breach or a catastrophic first-party loss, it would not be surprising for shareholders’ counsel to file securities fraud and/or derivative suits against a company’s directors and officers alleging failure to properly disclose and manage risks and/or breach of fiduciary duty. Given the defence costs associated with such suits, even in the absence of liability exposure, it is essential to have a D&O policy that complements a cyber insurance policy. In this respect, a specialist insurance broker is not just helpful, it is a necessity.
Methods of preventing data breaches, and strategies in the event of an intrusion
Ultimately, the responsibility for preventing cyber breaches falls on each individual company whose reputation is on the line. While government regulation may have advanced in addressing the problem of data breaches, it has been estimated that 85 to 90 per cent of a company’s assets are maintained on an electronic platform and susceptible to a tech/cyber crisis — and regulations alone cannot protect them. In some cases, they may be self-defeating, as the cost of regulatory compliance can consume much of a company’s ‘security’ budget.
Of course, it is far less costly, from both a financial and reputational point of view, to prevent a cyber breach than to attempt after-the-fact mitigation of its negative effects.. This point is made clear by the 2012 ‘Data Protection & Breach Readiness Guide’, published by the Online Trust Alliance (OTA). The report advocates several ‘security best practices’ that could significantly reduce the likelihood of a tech/cyber loss. While the OTA provides 19 guidelines on ‘data governance and loss prevention’, four in particular bear mention.
First, according to the OTA, companies should engage in data classification according to the level of the data’s sensitivity and tailor their software protection schemes accordingly. Next, the OTA advises that data minimisation can prevent a breach, as hackers cannot obtain information that is not kept on a system. Companies should review any sensitive information on their system and eliminate non-essential data that poses an unnecessary risk of data breach.
Third, companies should destroy data that is no longer in use. And fourth, the OTA suggests that companies provide employee awareness and readiness training to ensure that staff understand company policies on data collection and retention, and data-loss reporting procedures.
In addition to taking steps to prevent an incident, organizations need to be ready to identify and deal with the results of any breach. They should have in place a data response team trained to respond to a breach in a co-ordinated and prompt fashion. This trained response team should include representatives from key groups within the company, including legal, information technology, information security, human resources, public relations and customer service. The data response team should have broad decision-making authority and be available 24/7. The initial goal of the group should be to evaluate systems and create plans and procedures to prevent and, if necessary, manage a tech/cyber incident.
Additionally, companies should determine the notification requirements that govern their industry. Since many state, federal and foreign regulations require prompt notification, it is important to work out in advance how the relevant individuals should be contacted, as it will significantly improve the company’s ability to mitigate consumer frustration and increase compliance. Should a breach occur, the response team and dedicated employees can move quickly to contain and repair the damage.
Although the DCF says the Disclosure Guidance is ‘advisory,’ it makes it equally clear that cyber-security risks may fall under existing SEC disclosure obligations in certain circumstances. Accordingly, a public company would be ill-advised to disregard the best practices provided by the DCF.
The essential message is simple: if companies are aware of material cyber-security risks and/or incidents, and if disclosure of those risks or incidents would be material to investors, a company risks SEC action (not to mention shareholders’ and derivative actions) by failing to publicly disclose this information as part of its routine reporting requirements.
Companies also should follow prudent security practices to reduce the likelihood of a data breach, and have a data response team ready to deal with and mitigate potential future damage in the event of a cyber incident. Perhaps most importantly, businesses should ensure that they have virtually seamless insurance coverage to deal with any such events. Just as our economy is evolving, so are the types of insurance available to meet a policyholder’s changing needs.
Understanding the components of these new-age policies is critical, and executives should devote the time and resources needed to identify a specialist insurance broker who can assess a company’s vulnerabilities and ensure that it purchases the right products.
Data is a prized asset that warrants its own specific protection. Now is the time to ensure that your data and corporate executives are properly insured so that, when a cyber incident occurs tomorrow, your company and its directors and officers are not burdened with exorbitant costs and huge, uncovered potential exposures.