
How the Sony Hack Should Affect You

If the past two years have revealed anything, it’s that every conceivable mode of communication comes with its share of serious privacy and security issues. Email can be hijacked, mail servers can be breached and malware can turn your smartphone into a peepshow. WikiLeaks revealed that even our phone conversations are at risk.

That said, don’t panic! It’s highly unlikely anyone is listening to your phone calls. (OK, it’s possible, but you’d have to be incredibly sloppy or unlucky enough to download call-intercepting malware, or targeted by folks who can handle a price tag that hovers north of the $1 million mark.) The more relevant point here is that the big data mills at the NSA that may or may not be crunching your calls don’t care if you’re negotiating the sale of Ford to General Motors, much less if you’ve been naughty or nice – unless you’re a world leader or someone perceived as a threat to America.

So what about the other, more likely ways you may be exposed? There are man-in-the-middle attacks that are fairly affordable for a hacker. There’s malware from friend (hard to spot) and foe (you can’t be alert to every danger every second of the day). It almost seems like the only way to be completely safe from intrusion is to have nothing you wouldn’t want broadcast or skywritten on your smartphone, nothing you wouldn’t want the world to know about in your browser history, not a single text message you want to keep private and no phone calls made or received that you don’t want to share with Dr. Phil and his audience.

Recent news has been nothing less than terrifying. JPMorgan Chase and Home Depot joined the ever-growing list of mega-breach victims. Sony Pictures was gutted, with career-killing emails sent hither and yon, servers erased and trade secrets and intellectual property joyously tossed like flower petals from a float in the Rose Bowl parade. The hack initially stopped the release of “The Interview,” costing the studio millions, and that’s not taking into account future losses associated with class-action lawsuits brought by current and former employees whose personally identifiable information was stolen and published for the world to see, or enforcement actions by various and sundry state and federal regulators. It’s major stuff. And then there were all those other cybercrimes. It all makes for a really uneasy feeling at the workplace.

The trend here is simply too clear: Nothing is sacrosanct, and nothing is beyond reach. And while there may be no way to keep prying eyes out of our email, there is a way to keep the most sensitive information pertaining to your business out of reach. With that thought foremost in my mind, it is, indeed, time to make some serious changes.

Call me old-fashioned, but I think I’d rather take my chances with the government listening to my phone calls. How about you? When I say “phone call,” I mean literally, like, on the phone. I say this because, of all the ways we communicate, a landline affords a better shot at privacy and a more secure mode of communication.

The act of getting out of a chair and walking down the corridor to talk to a colleague helps to burn off holiday excesses, builds inter-office rapport and can’t be hacked. Email and text have supplanted the collegial walk-by. There are those who will say that it’s not efficient to pick up the phone. I’m not sure I buy that. Email and text streamline workflow only in theory. Each is just a swipe or click away from the major time-sucks provided by social media. And the interaction that happens without the interference of keystrokes or thumbing a screen provides sparks that just don’t happen in the dynamic-free zone of tit-for-tat correspondence. And again, a face-to-face or headset-to-headset conversation is probably the most secure mode of communication in the post-Sony hack world.

I’m sure it will take some getting used to, but if anyone at my office needs a fast answer from me, I’m going to ask that whenever possible they tap my doorframe or give me a call. Beyond the security considerations, the truth is that I actually like talking to people, and I ultimately learn more about whatever it is we’re talking about. For all their convenience, emails and texts are far from perfect modes of communication. Much meaning is lost when communicating by keystroke. Anyone who’s emailed a sarcastic quip that was taken literally will confirm this.

There are other options. Sony Pictures had to revert to communication via fax during the days following the hack, but faxes leave too much to chance because you never know who’s waiting on the other end of your transmission, and there’s the added possibility that you might dial a wrong number.

If smoke signals weren’t so easy to spot, I’d suggest that route. And while it’s true that you never know when a fake cell tower’s going to roll into your neighborhood, using the phone and having more face-to-face discussions at the office are perhaps the better ways to engage in team building through a group commitment to data security.

How Data Breaches Affect More Than Cyberliability

You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.

On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance published its cybersecurity disclosure guidance. Among other recommendations, the guidance set out the SEC’s views on the types and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. It was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, such claims also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.

Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in its February 2013 10-K:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see whether shareholders, or more importantly the plaintiffs’ bar, think the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.

In the meantime, certain banks are advising consumers that the consumer will not be held responsible for fraudulent charges on their credit cards.

If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we can gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number to include crisis management expenses, such as the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.

Impact on Investors

A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. A typical securities claim alleges that: 1) management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out with the price after it had been disclosed. That’s an oversimplification of a securities claim, but it still reflects the typical pattern. For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities that kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and committed other assorted alleged improprieties.

Other Claims

Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be affected by the costs of breach remediation and associated expenses. It also stands to incur significant opportunity costs to the extent its management and staff become distracted by post-breach activities. Whatever surfaces will require a lot of money spent on legal and forensic bills.

It is well known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, plaintiffs’ lawyers are always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.

Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information. But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk as, and perhaps even more at risk than, companies like Target. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”

As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.