With coronavirus-related developments consuming all of the attention these days, it might be easy to forget other unrelated claims trends are continuing to develop and unfold. One important pre-pandemic trend that has continued to develop is the rise of D&O claims arising out of cybersecurity incidents. In the latest sign that this claims trend remains important, a plaintiff shareholder has filed a derivative lawsuit against certain directors and officers of Laboratory Corporation of America, in connection with two cybersecurity incidents involving the company. As detailed below, the first of these two incidents involved a data breach that took place at one of LabCorp’s third-party service providers. A copy of the complaint, filed in Delaware Chancery Court on April 28, 2020, can be found here.
The newly filed complaint asserts breach of fiduciary duty claims against certain LabCorp directors and officers based on allegations concerning two data breaches, one that LabCorp learned about in May 2019 (referred to in the complaint as the First Breach), and a second that LabCorp learned about in January 2020 (referred to in the complaint as the Second Breach).
The First Breach came to light when a cybersecurity analysis firm identified a large number of compromised payment cards on the “dark web” that contained personally identifiable information (PII) and personal health information (PHI). It was eventually determined that the information likely had been stolen from American Medical Collection Agency (AMCA), a debt collector in the business of collecting patient receivables for medical labs, including for LabCorp. AMCA determined that there had been a breach of its website payment portal between August 1, 2018 and March 30, 2019.
AMCA informed LabCorp of the breach on May 14, 2019. According to the complaint, the breach affected more than 10.2 million LabCorp patients. LabCorp informed investors of the breach in a June 4, 2019 SEC filing. As a result of the First Breach, LabCorp is the subject of a separate consumer class action lawsuit pending in the District of New Jersey and filed on behalf of LabCorp patients who had personal information compromised in the First Breach. The newly filed derivative lawsuit complaint alleges that LabCorp’s “insufficient cybersecurity procedures and oversight of AMCA … permitted unauthorized access to LabCorp’s patients’ confidential, personal information.”
With respect to the Second Breach, the complaint alleges that “in early 2020, LabCorp’s historically and persistently deficient cybersecurity measures were on display.” On January 28, 2020, LabCorp was informed of a second data breach in which an unprotected web address granted access to LabCorp documentation containing personal health information. The breach was reported in an article in TechCrunch, which claimed that in the breach “at least 10,000 documents were exposed.” The complaint alleges that LabCorp “failed to disclose this breach in any widely disseminated public release or SEC filings.”
The complaint alleges that as a result of the First Breach, LabCorp spent $11.5 million during 2019 for response and remediation costs (not including LabCorp’s costs incurred in connection with the consumer class action).
The complaint alleges that the defendants breached their duties of loyalty, care, and good faith by: “(i) failing to implement and enforce a system of effective internal controls and procedures to protect patients’ PII and PHI; (ii) failing to exercise their oversight duties by not monitoring the Company’s compliance with its own procedures and federal and state regulations; (iii) providing PII and PHI of patients to a business associate [i.e. AMCA] with deficient cybersecurity and breach detection; (iv) failing to ensure that the Company, as well as its business associates, utilized proper cybersecurity safeguards to adequately secure the PII and PHI; (v) failing to have a sufficient incident response plan to immediately respond to Data Breaches; (vi) consciously disregarding, delaying, and failing to ensure that the Company notified all potentially affected individuals and entities in a timely manner upon discovering the Data Breaches; and (vii) allowing the Company to violate state and federal laws and regulations.”
The complaint refers to AMCA as a “business associate” of LabCorp in reference to the definition of that term in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The complaint alleges that the required pre-suit demand on LabCorp’s board to take up the plaintiff’s claims is excused as futile because there is not a majority of board members capable of independently considering the demand, and, among other things, because the board “willfully and intentionally disregarded the Company’s obligations to increase and/or establish more effective cybersecurity policies and procedures” and “sought to disclaim all liability and responsibility for LabCorp patient data by, in effect, levying all accountability and remedial actions upon AMCA for the First Breach and then outright ignoring the ramifications of the Second Breach.”
The complaint seeks recovery of damages on behalf of LabCorp and a requirement that LabCorp reform its corporate governance and internal procedures to comply with applicable law and to protect the company from a recurrence of cybersecurity incidents.
Discussion
As readers of this blog know, there have been prior D&O lawsuits against company officials based on cybersecurity incidents filed as shareholder derivative claims. Among the most prominent examples of these cybersecurity-related derivative suits are the lawsuits filed in recent years against Target (here), Wyndham Worldwide (here), and Home Depot (here). In addition to these various prior derivative lawsuits, there have also been a number of cybersecurity-related securities class action lawsuits filed in recent years as well (refer here for a recent securities suit example). But while there have been prior lawsuits, filed as either derivative lawsuits or securities suits, as far as I am aware there has not previously been a D&O lawsuit filed against a company based on a cybersecurity incident that took place at one of the company’s third-party service providers.
The cybersecurity incident that the complaint refers to as the First Breach involves not a breach of LabCorp’s own network security; rather, the incident involved the compromise of patient data through a breach of AMCA’s online payment portal. Among other things, the complaint expressly alleges that the defendants breached their fiduciary duties by “providing PII and PHI of patients to a business associate [AMCA] with deficient cybersecurity and breach detection” and by “failing to ensure that the Company, as well as its business associates, utilized proper cybersecurity safeguards.”
In this day and age and in our litigious society, most company officials are aware that they are accountable for maintaining and enforcing appropriate cybersecurity protocols and procedures at their company, and that they could be the target of claims for breaches that result in the compromise of confidential information. However, it likely would come as a very unwelcome surprise to most company officials to learn that they could be the target of a claim for a breach of the cybersecurity measures of one of the company’s third-party service providers.
The LabCorp derivative complaint has only just been filed. It remains to be seen whether or not the plaintiff’s claims will prove to be successful. Notably, past cybersecurity-related derivative lawsuits have not been successful, and that may be the case with this lawsuit as well. (Indeed, most of the recent high-profile cybersecurity-related D&O claims have been filed as securities class action lawsuits.) But it will be particularly interesting to monitor this case in order to see whether the plaintiff’s attempt to hold LabCorp executives liable for the cybersecurity incident at AMCA is permitted to stand.
The plaintiff’s complaint alleges, in effect, that companies must assess, scrutinize, and monitor their third-party service providers’ cybersecurity, as well as their own. The plaintiff’s allegations in this regard are based in part on AMCA’s alleged relation to LabCorp under HIPAA as a “business associate.” Under HIPAA, a company providing confidential information to a “business associate” must ensure that the business associate has appropriate safeguards in place to protect the privacy of the information. The plaintiff is effectively alleging that this requirement is part of the defendants’ fiduciary duties. To the extent this plaintiff’s theory succeeds, it could represent a significant expansion of corporate officials’ potential cybersecurity-related liability exposures.