You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.
On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporate Finance published the Cybersecurity Disclosure Guidance. Among other recommendations, the guide contained the SEC’s views on the type and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. The guidance was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, they also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.
Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in the MD&A section of its February 2013 10-K:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.
State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see if shareholders, or more importantly the plaintiffs bar, think that the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.
In the meantime, certain banks are advising consumers that the consumer will not be held responsible for fraudulent charges on their credit cards.
If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we could gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number includes crisis management expenses, such the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.
Impact on Investors
A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. Typical allegations in a securities claim allege that: 1) the management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out and the price after it had been disclosed. That’s an oversimplification of a securities claim, but still reflects the typical pattern. For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities which kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and other assorted alleged improprieties.
Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be impacted by the costs of breach remediation and associated expenses. It also stands to lose significant opportunity costs, to the extent its management and staff becomes distracted by the post-breach activities. Whatever surfaces will require a lot of money spent in legal and forensic bills.
It is well-known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, the plaintiffs are always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.
Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information. But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk, perhaps even more at risk, than companies like Target. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”
As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.