Directors, cyber risks and insurance that fits

Tuesday, 01 July 2014


    Jacques Jacobs and Nitesh Patel warn that recent legal cases signal the need to be on top of your D&O and cyber insurance cover.

    Recent legal action overseas shows we have entered a “new frontier” of claims against directors related to cyber-attacks. Boards should consider their risk management strategies very carefully and ensure that their organisations have robust policies and the right insurance in place to cover potential exposure.

    The recent legal action in the US was a derivative suit commenced by a shareholder in the US District Court for the District of New Jersey against certain directors and officers of Wyndham Worldwide Corporation. It concerned three data breaches between 2008 and 2010 in which more than 600,000 payment card records were allegedly stolen, with some exported to a domain registered in Russia and used to run up more than US$10 million in fraudulent charges. The lawsuit alleged, among other things, that Wyndham’s directors and officers failed to:

    • Take reasonable steps to maintain appropriate data security measures to protect sensitive consumer personal information.
    • Ensure that the company and its subsidiaries implemented adequate information security (privacy) policies.
    • Ensure that its management system server used up-to-date and properly configured operating systems and software.

    The derivative actions against Wyndham (and against US retailer Target) are the most recent examples of the types of actions that can be brought against directors as a result of cyber-attacks. Cyber risk and data integrity should be a key consideration in Australian corporations’ risk management strategies, and directors will be expected to assume responsibility for them. When a breach or attack occurs, the directors’ conduct may be scrutinised and legal action framed as a breach of the traditional duties imposed on directors, including the continuous disclosure obligations and the duty of care and diligence under the Corporations Act 2001.

    Shareholders and customers who relied on privacy policies that were not properly implemented may also resort to misleading and deceptive conduct provisions, such as those in the Australian Consumer Law.


    Of significant concern for directors is the potential ease with which such actions may be brought. The Wyndham shareholder action was filed shortly after the decision of the US District Court in FTC v. Wyndham Worldwide Corp, in which the court, in denying Wyndham’s motion to dismiss, confirmed the Federal Trade Commission’s authority to investigate and take enforcement action against companies that fail to protect consumers’ privacy by not maintaining appropriate data security standards.

    Similar powers have been afforded to the Australian Privacy Commissioner under the reforms to the Privacy Act 1988 that introduced the Australian Privacy Principles (APPs) on 12 March 2014 and which govern the handling of personal information by the government agencies and private sector organisations the Act covers.


    Past experience in other areas shows that potential litigants may “piggyback” on the findings of government agencies, using a regulator’s conclusions on data and privacy policy failures as evidentiary ammunition to launch their own actions.


    To reduce the risk of, and be able to defend, litigation arising from a data breach, boards need to take steps to ensure that robust privacy and data protection policies are in place and are being actively implemented and monitored.


    Where a claim is made, directors will of course look to insurance policies to cover their potential exposure including, very importantly, their defence costs.


    Traditionally, directors have relied on Directors & Officers (D&O) policies to cover claims relating to breaches of their duties or misleading and deceptive conduct. It is important to understand the scope of cover.


    Many D&O policies may not afford sufficient protection to directors for cyber claims. The extent of cover will depend on the terms of each policy. Where a D&O policy is silent on cyber claims, cover may still apply to claims brought for breaches of directors’ duties. However, many policies specifically exclude claims arising from data breaches or cyber-crime entirely, or exclude certain types of cyber-crime (for example, hacking). Alternatively, some policies add cover for data breaches or cyber-crime by endorsement, with coverage limitations built in (for example, a sub-limit).


    Directors must pay close attention to exclusions and endorsements in their D&O policies and ensure they provide adequate cover. Each company’s risk exposure to privacy and cyber issues will be different. So, it is important that insurance policies are tailored to the particular company’s risk profile.

    D&O policies may protect directors from the risks associated with cyber claims, but they do not fully protect the company itself from a data breach or cyber-crime incident. Many insurers now issue cyber insurance policies to cover these first-party and third-party risks, which can include cover for penalties imposed by government agencies, investigation and incident response costs, notification costs, third-party claims against the company and business interruption.


    Cyber policies also differ depending on the risks each company faces. For example, an online retailer holding credit card information needs broader cover than an accounting firm whose exposure is limited to remote access to its systems. However, most cyber policies do not cover claims for breaches of directors’ duties, which is why the cyber policy and the D&O policy must be read together.


    Policies need to work together and be regularly monitored to ensure companies and directors are protected from cyber-crime and data breaches. 

    Twitter @DLA_Piper_Aus
