One click is all it takes to order goods, exchange payment, and have the items shipped and delivered to a doorstep within hours.
But what happens when that one click is not used to facilitate commerce, but instead disrupts a network, whether intentionally or accidentally? When one click releases malicious code that brings an assembly line to a screeching halt? When one click transfers millions of dollars to a fraudulent account? When one click by a rogue employee disseminates the contents of personal files to the public? In these instances, who is ultimately responsible?
In recent cases, fingers have pointed directly at the board of directors. Since 2013, several shareholder derivative suits have been filed following network security breaches. Defendants have included Home Depot, Horizon Blue Cross Blue Shield, Target, Wyndham, and Wendy’s. Technology is changing at a rapid pace, and it is clear that consumers and shareholders have high expectations for businesses and those who run them.
Allegations in these network security cases have included breach of fiduciary duty, negligence, breach of implied contract, and violation of various state and federal statutes. Interestingly, most of the aforementioned cases have been dismissed (or settled) – apart from Wendy’s, which is still in its early stages. These dismissals are showing that the plaintiffs are having difficulty: (1) proving corporate mismanagement as a direct cause of harm from a data breach, and (2) showing actual compensatory injuries as a direct result of the breach. Courts have been dismissing cases in which actual damages have not been proven.
Cases alleging executive mismanagement are subject to the business judgment rule, which presupposes that the individuals on the board acted in good faith, on an informed basis, and in the best interests of the company. Absent insurmountable proof that D&O’s acted in self-interest or were grossly negligent in their actions with regard to preventing a breach, those allegations have not been holding up.
Additionally, plaintiffs must prove actual economic harm has occurred as a result of a breach. Judges in recent cases have proven strict on this requirement, as evidenced by the Wendy’s case, in which the original complaint was dismissed because allegedly fraudulent charges to the plaintiff’s debit card were not sufficient grounds upon which to bring suit. To further clarify that requirement, U.S. District Judge Claire Cecchi of the District of New Jersey (who presided over the Horizon BCBS case) said the individual plaintiffs "cannot rely on their increased likelihood of future harm as a basis for their case."
Despite the dismissals, this litigation highlights several concerns for Directors & Officers (D&O’s). Not all cases or allegations are being dismissed. Some financial institutions and regulators have found success in their lawsuits brought against D&O’s. Settlements have been made to avoid extensive litigation in certain cases. Even when allegations don’t stick, there may still be hefty defense costs. The relentless pursuit by plaintiff attorneys highlights that there exists a pervasive expectation of, and onus placed upon, Directors & Officers with relation to cyber exposures. These individuals are collectively responsible for making important decisions on behalf of their organizations and may be held personally liable in the event that these decisions produce egregiously negative effects on the company as a whole.
D&Os remain particularly susceptible to plaintiff claims in relation to cyber exposures.
It is imperative that directors and officers secure a comprehensive executive liability insurance program to protect themselves, but appropriate coverage is just one component of effective protection. As security and privacy breaches continue, and subsequent suits emerge, it is paramount that D&O’s can show they’ve taken the necessary steps to protect the information of their customers, as well as the interests of their companies.
So what can be done? How can D&O’s effectively mitigate their cyber liability exposure and that of the companies they are charged to lead?
1) Understand the risk.
2) Minimize the risk.
3) Be prepared.
Incidents are inevitable, and while the above measures can help mitigate liability in the event of a breach, no plan is foolproof. Dealing with a cyber-security incident is complicated, expensive, and time-consuming. A comprehensive privacy & network liability insurance policy provides valuable protection for a company, as well as pre-breach loss mitigation services.
D&O and Cyber Liability policies are specifically designed to address different elements of cyber risk. Whether created to respond to a breach or to protect D&O’s for their business judgments, these policies should be evaluated by an insurance broker who specializes in these lines of insurance. AmWINS Brokerage employs a nationwide team of product experts ready to assist in the analysis and placement of D&O and Cyber Liability insurance.
ABOUT THE AUTHOR
This article was authored by Megan North, a member of AmWINS' national Professional Lines Practice.
Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.
(c) 2017 AmWINS Group, Inc.