A recent trend has emerged in the world of corporate cybersecurity. In the wake of cyber breaches, upper management is increasingly being held legally responsible for failures to manage a company’s cyber risks. But cyber insurance does not often cover tort suits (general negligence or strict liability) brought by consumers and shareholders, or other legal actions brought by federal and state agencies. As such, Directors & Officers (D&O) and Errors & Omissions (E&O) policies should also be purchased to protect against the full range of possibilities that emerge in the wake of a corporate cyber breach.
Consider the most widely publicized corporate cybersecurity breach in history: in the winter of 2013, the credit card information of more than 40 million Target customers was stolen by hackers. The breach ultimately cost Target an estimated $1 billion; top executives, including CEO Gregg Steinhafel, were forced out. Now, seven directors and officers are embroiled in legal battles, thanks to “no less than nine class action lawsuits filed against Target on behalf of aggrieved customers” and two derivative shareholder suits specifically against upper management.
These directors and officers, though, might consider themselves lucky that the situation is not worse. Wyndham Worldwide Corporation, which also weathered a derivative shareholder lawsuit against its board after a data breach, was not so lucky. After successfully fighting that suit, and at no small cost, the company lost a case brought by the FTC that alleged it had engaged in unfair and deceptive acts in touting the strength of its cybersecurity on its website. The point: large corporations are no longer always considered the victims of cyber breaches in the eyes of agencies like the FTC and the SEC, or by state attorneys general. After a successful case against investment advisor R.T. Jones, the SEC stated, “Boards that choose to ignore, or minimize, the importance of cybersecurity do so at their own peril.”
With customers, shareholders and federal agencies all representing potential legal threats in the wake of a cyber breach, less is not more when it comes to insurance. To cover the potential gaps in cyber insurance, D&O and E&O policies should be purchased as well. Furthermore, directors and officers should educate themselves on the extent of their companies’ cyber risks, and should take the necessary precautions to minimize them. Cybersecurity is a difficult and rapidly evolving issue. It should demand the attention of directors and officers, not just for the sake of their consumers and shareholders, but also, now, for their own sake.