One click is all it takes to order goods, exchange payment, and have the items shipped and delivered to a doorstep within hours.
But what happens when that one click is not used to facilitate commerce, but rather used to intentionally or even accidentally disrupt a network? When one click releases a malicious code causing an assembly line to come to a screeching halt? When one click transfers millions of dollars to a fraudulent account? When one click by a rogue employee disseminates the contents of personal files to the public? In these instances, who is ultimately responsible?
In recent cases, fingers have pointed directly at the board of directors. Since 2013, several shareholder derivative suits have been filed following network security breaches. Defendants have included Home Depot, Horizon Blue Cross Blue Shield, Target, Wyndham, and Wendy’s. Technology is changing at a rapid pace, and it is clear that consumers and shareholders have high expectations for businesses and those who run them.
Allegations in these network security cases have included breach of fiduciary duty, negligence, breach of implied contract, and violation of various state and federal statutes. Interestingly, most of the aforementioned cases have been dismissed (or settled) – apart from Wendy’s, which is still in its early stages. These dismissals are showing that the plaintiffs are having difficulty: (1) proving corporate mismanagement as a direct cause of harm from a data breach, and (2) showing actual compensatory injuries as a direct result of the breach. Courts have been dismissing cases in which actual damages have not been proven.
Cases alleging executive mismanagement are subject to the business judgment rule, which presupposes that the individuals on the board acted in good faith, on an informed basis, and in the best interests of the company. Absent insurmountable proof that D&O’s acted in self-interest or were grossly negligent in their actions with regard to preventing a breach, those allegations have not been holding up.
Additionally, plaintiffs must prove actual economic harm has occurred as a result of a breach. Judges in recent cases have proven strict on this requirement, as evidenced by the Wendy’s case in which the original complaint was dismissed as allegedly fraudulent charges to the plaintiff’s debit card were not sufficient grounds upon which to bring suit. To further clarify that requirement, U.S. District Judge Claire Cecchi of the District of New Jersey (who presided over the Horizon BCBS case) said the individual plaintiffs "cannot rely on their increased likelihood of future harm as a basis for their case."
Despite the dismissals, this litigation highlights several concerns for Directors & Officers (D&O’s). Not all cases or allegations are being dismissed. Some financial institutions and regulators have found success in their lawsuits brought against D&O’s. Settlements have been made to avoid extensive litigation in certain cases. Even when allegations don’t stick, there may still be hefty defense costs. The relentless pursuit by plaintiff attorneys highlights that there exists a pervasive expectation of, and onus placed upon Directors & Officers with relation to cyber exposures. These individuals are collectively responsible for making important decisions on behalf of their organizations and may be held personally liable in the event that these decisions produce egregiously negative effects on the company as a whole.
D&Os remain particularly susceptible to plaintiff claims in relation to cyber exposures. These individuals are collectively responsible for making important decisions on behalf of their organizations and may be held personally liable in the event these decisions produce egregiously negative effects on the company as a whole.
It is imperative that directors and officers secure a comprehensive executive liability insurance program to protect themselves, but appropriate coverage is just one component of effective protection. As security and privacy breaches continue, and subsequent suits emerge, it is paramount that D&O’s can show they’ve taken the necessary steps to protect the information of their customers, as well as the interests of their companies.
So what can be done? How can D&O’s effectively mitigate their cyber liability exposure and that of the companies they are charged to lead?
1) Understand the risk.
2) Minimize the risk.
3) Be prepared.
Incidents are inevitable, and while the above measures can help mitigate liability in the event of a breach, no plan is foolproof. Dealing with a cyber-security incident is complicated, expensive, and time-consuming. A comprehensive privacy & network liability insurance policy provides valuable protection for a company, as well as pre-breach loss mitigation services.
D&O and Cyber Liability policies are specifically designed to address different elements of cyber risk. Whether created to respond to a breach or to protect D&O’s for their business judgments, these policies should be evaluated by an insurance broker who specializes in these lines of insurance. AmWINS Brokerage employs a nationwide team of product experts ready to assist in the analysis and placement of D&O and Cyber Liability insurance.
ABOUT THE AUTHOR
This article was authored by Megan North, a member of AmWINS' national Professional Lines Practice.
Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.
(c) 2017 AmWINS Group, Inc.
Ordinance or Law insurance coverage provides limited protection for costs associated with repairing, rebuilding, or constructing a structure when physical damage to the structure by a covered cause of loss triggers an ordinance or law. Compliance with ordinances and laws after a loss can add 50% or more to the cost of a claim. This article will help you educate your insureds on exclusions and limitations and help them take a proactive approach to their insurance program.
In 2017, the issue of sexual harassment – especially in the workplace – gained greater awareness as accusations of harassment by high-profile individuals were constantly in the news. In many cases, sexual harassment lawsuits seriously impacted businesses and their respective insurers. Employment Practices Liability Insurance not only provides protection against employee lawsuits, but can also help your clients mitigate their sexual harassment risks.
Due to the Doctrine of Negligent Entrustment, the consequences of allowing an employee with a poor driving record to operate any motor vehicle for work purposes extend beyond a possible traffic violation or accident. These seven tips will help you to proactively manage your drivers and maintain your CDL files as part of your fleet safety program.
The Commercial General Liability policy (CGL) is an essential factor in the equation that consists of building planning, financing, construction, operation, and protection from risk. Standard ISO form CGL policies contain an insuring clause subject to long-standing exclusions, which have been the subject of interpretation and case law over the years. This article focuses on the operation of the form’s exclusions j, k, and l.
The Federal Motor Carrier Safety Administration mandate which requires nearly all U.S. truck operators to use electronic logging devices (ELDs) to track duty status has been upheld in court and will take effect December 16, 2017. The mandate will impact not just the trucking industry, but the trucking insurance sector as well.