Jacques Jacobs and Nitesh Patel warn that recent legal cases signal the need to be on top of your D&O and cyber insurance cover.
Recent legal action overseas shows we have entered a “new frontier” of claims against directors related to cyber-attacks. Boards should consider their risk management strategies very carefully and ensure that their organisations have robust policies and the right insurance in place to cover potential exposure.
The recent legal action in the US was commenced by a shareholder in the district of New Jersey against certain directors and officers of Wyndham Worldwide Corporation. It was over three data breaches which occurred between 2008 and 2010, where over 600,000 payment records were allegedly stolen and some exported to a domain registered in Russia and fraudulently used to accumulate more than US $10 million. The lawsuit alleged, among other things, that Wyndham’s directors and officers failed to:
- Take reasonable steps to maintain appropriate data security measures to protect sensitive consumer personal information.
- Ensure that the company and its subsidiaries implemented adequate information security (privacy) policies.
- Ensure that its management system server used up-to-date and properly configured operating systems and software.
The derivative actions against Wyndham (and against US retailer Target) are the most recent examples of the types of actions that can be brought against directors as a result of cyber-attacks. Cyber risk and data integrity should be a key consideration in Australian corporations’ risk management strategies, and directors will be expected to assume responsibility. When breaches or attacks occur, the directors’ conduct could be scrutinised and legal actions cast as breaches of the traditional duties imposed on directors, including the duties of continuous disclosure and of care and diligence under the Corporations Act 2001.
Shareholders and customers who relied on privacy policies that were not properly implemented may also resort to misleading and deceptive conduct legislation, such as the Australian Consumer Law.
Of significant concern for directors is the potential ease by which such actions may be brought. The Wyndham action was brought shortly after a decision by the US District Court, FTC v. Wyndham Worldwide Corp, in which the court confirmed the Federal Trade Commission’s authority to investigate and prosecute companies that fail to protect consumers’ privacy by not maintaining appropriate data security standards.
Similar powers have been afforded to the Privacy Commissioner under the Australian Privacy Principles (APP) which came into force on 12 March 2014 and govern privacy and data protection throughout Australia.
To protect themselves from future litigation arising from a data breach, boards need to take steps to ensure that robust privacy and data protection policies are in place and are being actively implemented.
Where a claim is made, directors will of course look to insurance policies to cover their potential exposure including, very importantly, their defence costs.
Traditionally, directors have relied on Directors & Officers (D&O) policies to cover claims relating to breaches of their duties or misleading and deceptive conduct. It is important to understand the scope of cover.
Many D&O policies may not afford sufficient protection to directors for cyber claims. The extent of cover will depend on the terms of each policy. Where a D&O policy is silent on cover for cyber claims, cover may apply for claims brought for breaches of director duties. However, many policies specifically exclude cover for claims arising from data breaches or cyber-crime entirely, or for certain types of cyber-crime (for example, hacking). Alternatively, some policies add cover for data breaches or cyber-crime by endorsement, with certain coverage limitations built in (for example, a sub-limit).
Directors must pay close attention to exclusions and endorsements in their D&O policies and ensure they provide adequate cover. Each company’s risk exposure to privacy and cyber issues will be different. So, it is important that insurance policies are tailored to the particular company’s risk profile.
D&O policies may protect directors from the risks associated with cyber claims, but they do not fully protect companies from a data breach or cyber-crime incident. Many insurers issue cyber insurance policies to cover these risks, which can include cover for penalties imposed by government agencies, investigation or incident response costs, notification costs, third-party claims against the company and business interruption.
Cyber policies also differ, depending on the risks each company faces. For example, online retail sales companies holding credit card information need more cover than accounting firms with online access to their systems. However, most cyber policies do not cover claims for breaches of directors’ duties.
Policies need to work together and be regularly monitored to ensure companies and directors are protected from cyber-crime and data breaches.