Jason Atchley : Data Security : Derivative Cyberbreach Litigation Mitigating Exposure
Derivative Cyberbreach Litigation: Mitigating Exposure
James D. Gassenheimer and Lara O’Donnell, E-Commerce Law & Strategy
July 13, 2015
Potential liability for data breaches has emerged as a major concern for businesses in the past few years as massive cyber-attacks increase, with companies that use or store private customer data electronically, or that use social media as part of their marketing strategy, being the prime targets. These data breaches have contributed to an increase in director and officer (D&O) litigation in connection with cyberincidents, and will continue to do so, with plaintiffs seeking to capitalize on D&O policies that do not contain cyber or data breach exclusions.
The market for D&O cyber coverage is evolving in response to these issues. However, existing policies and those covering prior policy periods do not reflect current market trends. Many D&O policies connected to the current influx of D&O litigation lack cyberliability exclusions. Thus, although both businesses and insurance companies are responding to changes in cyber liability exposure and litigation, plaintiffs continue to capitalize on the possibility of payouts for cyberliability under D&O policies.
The Increasing Threat of Cyberintrusions and Data Breach Exposure
Various agencies, departments and organizations continue to take serious steps toward electronic data protection in recognition of emerging and evolving cyberthreats. For instance, on Feb. 3, 2015, the Financial Industry Regulatory Authority (FINRA) released its Report on Cybersecurity Practices, focusing on cybersecurity issues within the financial services industry. See, News Release. Among its findings, FINRA notes that the frequency and sophistication of cyber-attacks continues to increase. See, FINRA Report. With respect to broker-dealers, FINRA advises that the industry as a whole “must make responding to these threats a high priority.” Id. FINRA reports that a variety of factors are driving exposure to cybersecurity threats, including advances in technology, changes in business models, and changes in how businesses and their customers use technology to create vulnerabilities in information technology systems. The tools used to access private information are increasingly sophisticated, and insiders may also pose a substantial threat.
The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) also released a cybersecurity examination sweep summary in February 2015, which examined 57 broker-dealers and 49 registered investment advisers concerning how they address the legal, regulatory and compliance issues associated with cybersecurity. See, OCIE Cybersecurity Summary. Notably, the OCIE Summary indicates that most of the examined firms reported that they had been the subject of a cyber-related incident. A majority also stated that they experienced cyber-attacks directly or through one or more of their vendors. Most of the cyberincidents were related to malware and fraudulent e-mails.
On Feb. 13, 2015, the White House convened a summit on cybersecurity and data protection. President Obama noted that more than 100 million Americans had personal data compromised in recent data breaches, underscoring the importance of addressing the unique and often widespread risks associated with cyberintrusions.
Cybersecurity Litigation and the Undefined Standard of Care
Due to the increasing occurrence of data breaches, cyber litigation, including related D&O lawsuits, is on the rise. The FTC, for example, has initiated cybersecurity lawsuits and investigations. See, e.g., FTC v. Wyndham Worldwide Corp., No. 13-1887 (ES), 2014 WL 2812049 (D.N.J. June 23, 2014) (FTC alleges Wyndham entities violated the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information); FTC v. Wyndham Worldwide Corp. (Wyndham II), 10 F. Supp. 3d 601 (D.N.J. 2014). The district court’s denial of Wyndham’s motion to dismiss the complaint in Wyndham II is presently before the Third Circuit Court of Appeals on interlocutory review, where the court will consider the FTC’s authority to address cybersecurity issues under Section 5 of the Federal Trade Commission Act, as well as Wyndham’s alleged cybersecurity lapses.
The FTC’s brief cites the reasonableness standard articulated by the New Jersey district court, stating that reasonableness is the “touchstone” of the analysis. Brief for the Fed. Trade Comm’n (Nov. 5, 2014). However, what constitutes “reasonableness” remains largely undefined by courts.
The FCC is also doubling down on cybersecurity. On Oct. 24, 2014, the FCC levied its first fine under the Communications Act of 1934, and ruled against two companies for failing to adequately protect consumer information. See, In the Matter of TerraCom, Inc. and YourTel America, Inc., FCC 14-173, Notice of Apparent Liability for Forfeiture (Oct. 24, 2014). The FCC imposed a fine of $10 million on the companies for failure to employ reasonable data security practices, misrepresenting to customers that appropriate technologies were used to protect their personal information, failing to properly protect customer information, and failing to fully inform customers that their personal information had been compromised by third-party access. Id.
The FCC noted that “consumers applying for telecommunications services have a reasonable expectation that the carrier will protect confidentiality” of personal information they provide in connection with a transaction. Id. at 8. It found that the companies’ data security practices were “unjust and unreasonable” because they “failed to employ even the most basic and readily available technologies and security features” for protecting consumer information. Id. at 12.
Although case law and enforcement actions have yielded factual scenarios from which companies may discern particular practices that may not be appropriate, a uniform or better-defined standard of care has yet to emerge.
The Related Increase in D&O Litigation
Along with the proliferation of cyber litigation, related D&O lawsuits continue to present themselves in connection with data breaches. These lawsuits may seek to capitalize on D&O policies that lack specific cybersecurity exclusions. It remains unclear whether and to what extent traditional D&O policies would cover such claims. Standard D&O policies simply may not contemplate the new financial risks brought about by cyberliability and therefore may not adequately cover such claims. See, e.g., “Willis Warns Directors D&O Policies May Not Cover Some Cyber Risks,” Insurance Journal (Aug. 6, 2012) (citing Willis Group Holdings Executive Risks Boardroom Guide). However, the steady increase in D&O lawsuits indicates that D&O plaintiffs may hope or expect to resolve those questions in favor of coverage under more traditional policies still in force. Because such policies are unlikely to contain cybersecurity exclusions, they may cover losses resulting from data breach-related derivative litigation.
The Wyndham case is one example of derivative litigation that arose in connection with a cyberattack. In Palkon v. Holmes, No. 2:14-CV-01234 (SRC), 2014 WL 5341880 (D.N.J. Oct. 20, 2014), shareholders filed a derivative lawsuit against directors and officers of Wyndham Worldwide Corp. (Wyndham). The New Jersey federal district court dismissed the D&O case with prejudice on grounds that the plaintiff shareholder failed to show that the Wyndham board’s demand refusal was made in bad faith or was based on an unreasonable investigation. Under the strong presumption afforded by the business judgment rule, the court found that Wyndham’s board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.” Palkon, 2014 WL 5341880 at 6. The court noted that the company had implemented cybersecurity measures before the first breach, and those measures were followed. This finding prevented the plaintiff from showing gross negligence.
A pair of derivative suits filed Jan. 21 and Jan. 29, 2014, over Target’s data breach also remain pending in the federal district court for the District of Minnesota. The first complaint alleged breach of fiduciary duty and waste of corporate assets. See, Kulla v. Steinhafel, Case No. 0:14-cv-00203 (D. Minn. Jan. 21, 2014). The second complaint alleged breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control. See, Collier v. Steinhafel, Case No. 0:14-cv-00266 (D. Minn. Jan. 29, 2014). Both complaints alleged failure to take adequate steps to prevent a security breach, and that defendants “aggravated the damage to customers by failing to provide prompt and adequate notice to customers and by releasing numerous statements meant to create a false sense of security to affected customers.”
Thus, D&O lawsuits have been cropping up in connection with major cyber litigation, and the frequency and severity of these lawsuits can be expected to grow. See, e.g., D&O Claims & Trends Q2 2013, Advisen Insurance Intelligence (July 2013) (expectations are that the frequency and severity of D&O suits will grow due to increased regulatory scrutiny); see also, “Cyber Liability — the Changing D&O Risks,” WGA insureblog (Oct. 10, 2014) (“The rise of cyberliability is threatening to cause one of the D&O insurance industry’s periodic spasms.”).
Mitigating Exposure to D&O Litigation
Existing case law does not clearly explain what constitutes “reasonable” precautions taken by a business. In Wyndham, the court offers some suggestions that guide compliance, noting that the FTC’s public complaints and consent agreements, as well as its public statements and business guidance brochure, see, FTC, “Protecting Personal Information: A Guide for Business” (November 2011), indicate reasonable measures to be taken with respect to cybersecurity. It further suggests that industry practices may guide the reasonableness inquiry. See, Wyndham, 10 F. Supp. 3d at 620. Various other regulatory agencies and organizations also offer guidance on protecting private information, including the SEC, FINRA, the National Association of Chief Information Officers (NASCIO), the U.S. Department of Homeland Security (DHS), and the Department of Justice (DOJ). See, “Mitigating the Threat of Cybersecurity Litigation in an Ambiguous Regulatory Environment,” 57 No. 2 DRI For Def. 48 (Feb. 2015).
Development of industry standards would address some of these concerns. The February 2015 FINRA Report notes that an effective practice for firms would be to evaluate industry frameworks and standards as reference points for developing their approach to cybersecurity.
The FINRA Report suggests a number of frameworks and standards that businesses may draw upon as a starting point, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, created pursuant to Executive Order 13549 of Aug. 18, 2010, among others. See, NIST Framework (Feb. 12, 2014). The NIST Framework specifically calls for businesses and organizations to establish a roadmap for reducing cybersecurity risk that considers legal and regulatory requirements, industry standards and best practices, and reflects risk management priorities. The related NIST Roadmap for Improving Critical Infrastructure Cybersecurity echoes that “industry groups, associations, and non-profits can be key vehicles for strengthening awareness of the Framework.”
Another important step in mitigating cyberliability, and in particular, D&O liability, is to ensure adequate cyberinsurance coverage. Insurers are well aware of the increasing risk of cyberliability for businesses. See, e.g., Increased D&O Diligence Required, The Hartford; “Cyber D&O Claims May Be On the Rise,” Zurich Insider (Jan. 2015). Some have suggested that, rather than excluding cyber events, D&O insurers may ask more questions of boards to determine their role and duties with respect to cyberrisk management. See, “Why Cyber Risk as a Boardroom Issue Can’t be Ignored,” WS&Co. However, it is becoming increasingly difficult for businesses and insurers to keep up with the many facets of cyberliability exposure. See, supra, “Cyber Liability — the Changing D&O Risks” (Oct. 10, 2014).
Cybersecurity risks are largely unknown and in constant flux. In addition to negotiating D&O policies that do not specifically exclude cyberliability, it is equally important to obtain an adequate scope of coverage. Coverage should address a broad range of cyberrisks, such as third-party or vendor exposures, regulatory liability, cybercrime, and other foreseeable costs to the business resulting from a cyber incident. To the extent possible, policies should also include language broad enough to cover some risk of exposure to undefined cyberthreats. It is imperative that businesses and their advisers stay on top of evolving cyberrisks to ensure that adequate coverage remains in place.
James D. Gassenheimer is a partner and Lara O’Donnell is an associate on Berger Singerman’s dispute resolution team in Miami.