
How Data Breaches Affect More Than Cyberliability

You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.

On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporate Finance published the Cybersecurity Disclosure Guidance. Among other recommendations, the guide contained the SEC’s views on the type and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. The guidance was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, they also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.

Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in the MD&A section of its February 2013 10-K:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see if shareholders, or more importantly the plaintiffs' bar, think that the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.

In the meantime, certain banks are advising consumers that the consumer will not be held responsible for fraudulent charges on their credit cards.

If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we can gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number includes crisis management expenses, such as the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.

Impact on Investors

A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. Typical allegations in a securities claim are that: 1) management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out and the price after it had been disclosed. That’s an oversimplification of a securities claim, but it still reflects the typical pattern. For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities which kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and other assorted alleged improprieties.

Other Claims

Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be impacted by the costs of breach remediation and associated expenses. It also stands to incur significant opportunity costs, to the extent its management and staff become distracted by post-breach activities. Whatever surfaces will require substantial spending on legal and forensic bills.

It is well-known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, the plaintiffs’ bar is always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.

Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information. But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk as companies like Target, perhaps even more so. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”

As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.

D&O Coverage: A Low-Cost Alternative for Nonprofits

Who needs nonprofit directors and officers (D&O) coverage when you have volunteer immunity and homeowners insurance? Not so fast. It is possible to find some coverage, or some form of immunity, under your homeowners policy, and there are attorneys who find ways to wedge things into coverage when no other remedies are available. However, that doesn’t mean you should ignore the availability of the proper insurance. Rather than hope to fit a round peg into a square hole, buyers should look to purchase coverage for any exposure that keeps them up at night.

There are people who wrongly believe that if they are performing charity work they can’t be sued, won’t be sued, or have some form of mythical immunity or free insurance somewhere to protect them. Let’s explore those theories in more detail.

Isn't there a federal law that grants immunity?
In 1997, our government passed the federal Volunteer Protection Act (VPA) to promote volunteerism for nonprofit organizations. There is more to the act than can be summarized in this article, and any legal advice should come from an attorney, but it’s important to know that there is a federal law designed to provide protection to volunteers. Also, note that the immunity applies to volunteers, and not necessarily the nonprofit organization or compensated employees/executives. With that knowledge, it’s important to be aware of other limitations of the act.

Exceptions from the federal law include:

  • Acts of violence
  • Acts of international terrorism
  • Hate crimes
  • Sexual offenses
  • Civil rights violations
  • Claims involving use of alcohol or drugs

In the absence of a definition of “Civil Rights” in the act, all sorts of common problems could be exempt. Three instances that immediately come to mind are discrimination, sexual harassment and privacy rights. Those are common allegations in claims we see made against volunteers, nonprofit organizations and their leaders.

Volunteers may also lose their potential immunity in these situations if:

  • the volunteer is acting outside the scope of his or her responsibilities to the organization
  • the volunteer was unlicensed if required or appropriate
  • the harm was caused by gross negligence rather than ordinary or simple negligence
  • the harm was a result of operating a vehicle, vessel or aircraft that requires a license or insurance
  • the volunteer receives compensation or anything other than compensation that is worth over $500
  • the charity loses its nonprofit status

The VPA has provisions indicating that immunity provided by the act cannot be reduced by state laws, but can be broadened by state law. The federal law will apply to volunteers unless a state opts out of the law, which is permitted. New Hampshire, for example, opted out in instances where everyone involved is a state resident and a New Hampshire state court is used.

Can we find immunity provided by state laws?
Many states do have immunity laws available to volunteers providing services to nonprofits. Every state has its own advantages and limitations. Again, seeking the advice of an attorney licensed in the relevant state is appropriate. When seeking the advice of counsel as to the immunity provided by state law, there are some questions to ask:

  • Does the state law only protect volunteers, D&O or both?
  • Will the state law prevail if the plaintiffs are from a different state?
  • What material limitations exist?
  • How is immunity impacted by willful or negligent activities?
  • Is the nonprofit organization immune from vicarious liability arising from the conduct of the volunteers?
  • Can an organization subrogate against a volunteer for costs associated with vicarious liability?

Will a personal homeowner's insurance or personal umbrella policy protect me?
The easy answer is that an insured might find some coverage, but not for all situations. Not all homeowners policies are the same and some may have special D&O enhancements. If you review what is generally covered, you will see coverage for bodily injury and property damage on those policies. It is also important to keep in mind that these are personal policies and any coverage provided would not be shared with the nonprofit organization or any other person affiliated with the organization. So if a homeowners policy or personal umbrella is designed to only cover bodily injury or property damage and is limited to protecting only one individual, is this the best solution for a nonprofit organization and all its leaders, employees and volunteers? That’s easy – no.

How about buying the proper insurance?
There is a policy specifically designed to protect the directors, officers, employees, trustees, volunteers, committee members, interns, domestic partners and the organizational entity. Note that the coverage isn’t limited to just the directors and officers; those other individuals are also protected by this insurance. A typical D&O policy pays on behalf of the nonprofit organization when that organization is obligated to indemnify the individuals for their actions on behalf of the organization, as outlined in the organization’s bylaws. The organization itself is also generally covered for alleged wrongful acts. D&O policies are broadly written to cover claims alleging any error, act or omission arising from activities on behalf of a nonprofit organization. The policy won’t cover bodily injury, property damage, pollution, workers’ compensation or issues arising from the administration of benefit plans; those items should be covered on other policies specifically designed for those exposures. You should also find coverage for the individuals and the entity for things like discrimination, harassment, wrongful termination and other personal injury violations such as invasion of privacy, wrongful imprisonment and, in some cases, copyright violations.

Similar to personal lines policies, no two D&O policies are the same. Each one needs to be closely reviewed to identify limitations as well as unique coverage enhancements. Some limitations to avoid are antitrust exclusions, third party discrimination exclusions, or overly broad insured versus insured exclusions. There are enhancements to negotiate such as coverage for immigration claims, wage and hour claims, lifetime personal extended reporting provisions, publishers liability, public relations expense coverage, priority of payments, punitive damages coverage, where insurable, and more.

Considering the relatively low cost for a properly constructed D&O policy for a nonprofit organization, it makes a lot more sense to buy the coverage than try to hide behind limited immunity or wedge coverage into the wrong insurance policy.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism”; however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.

Outlook For The Private Directors & Officers Marketplace

Private Directors and Officers Liability (D&O) policies are generally combined policies including D&O and Employment Practices Liability (EPL). Although they are typically marketed as Directors & Officers policies, and there are definitely D&O claims, claims frequently come from the Employment Practices Liability side of the form. Private Directors & Officers carriers find it challenging to cope with the high frequency of Employment Practices Liability claims that come with this line of business.

The premiums associated with these policies have been creeping up over the past few years, and now is an appropriate time to investigate and report on the causes. Rather than give you generalities that claims are frequent, here is some of the data that supports what the insurers are telling us.

2012 EEOC Complaints

Top Five States   Total Complaints   Percent Change Since 2010   2010 Total Complaints   Total Population 2010*
Texas             8,929              -4.1%                       9,310                   25.1 million
Florida           7,940              2.1%                        7,779                   18.8 million
California        7,399              3.3%                        7,161                   37.3 million
Georgia           5,903              2.3%                        5,771                   9.7 million
Illinois          5,490              3.8%                        5,288                   12.8 million

Year   Total Complaints – All 50 States
2012   99,412
2011   99,947
2010   99,992
2009   93,277
2008   95,402

* The population totals are included to show that the highest volume of claims generally comes from the largest states.

The Equal Employment Opportunity Commission (EEOC) isn't the only regulatory body bringing employment actions against employers — state agencies like the California Department of Fair Employment and Housing (DFEH) are filing cases as well. In its 2010 annual report, the California DFEH notes that it filed between 17,500 and 20,000 cases each year between 2007 and 2010 (2011 and 2012 numbers are not yet available). The department also estimates that the average post-accusation case settled for more than $40,000.

Let's put this into perspective. The Betterley Report: Employment Practices Liability Insurance Market Survey 2012 (December 2012) estimates the total Employment Practices Liability market at around $1.6 billion in premium. Just for discussion purposes, let's assume that the Department of Fair Employment and Housing estimate is applied to all claims. At $1.6 billion in total premiums collected, the insurance marketplace could handle 40,000 claims and break even (40,000 claims X $40,000 average settlements = $1.6 billion). Considering we know there are more than two times that many EEOC complaints, plus tens of thousands of other state agency claims, we know that the volume of insured claims exceeds 40,000 per year.

Since we know that there are more than 40,000 claims a year, the second half of the debate is what these claims cost. The Department of Fair Employment and Housing puts its estimate for out-of-court settlements at over $40,000. Jury Verdict Research, a publication that puts out jury trial settlement trend data, indicated in its 2011 report titled “Employment Practices Liability: Jury Award Trends and Statistics” that average awards range from $600,000 for discrimination claims to as much as $790,000 for wrongful termination claims. Their median awards range from $200,000 to $260,000 based upon their research. This data implies that the average claim is going to cost far more than $40,000 to settle on a nationwide basis. These reports only show us awards, which do not include the defense costs paid to get to the award stage.

If we take this one step further and assume that the average claim will cost approximately $120,000 — though the Jury Verdict data tells us it's higher — then the amount of claims the insurers could handle in a year, and possibly break even, is more like 13,333 claims per year ($1.6 billion total annual premium divided by $120,000). If we factor in underwriting expenses and other transactional costs, then even less money is available for defense costs and settlements.

So, what's the bottom line? The insurers have been struggling to make a profit on this line of business for many years. While competition for market share has continually lowered the premiums they could charge and still write business, we've gotten to a crossroads and blown right through the stop sign. The pricing has been creeping up over the past three to four years, and we are still far from a corrected market. The dilemma for insurers has been how to adjust their pricing and terms in a way that still provides a valuable policy for insureds. The responses have varied from insurers pulling out of a specific region (like southern California), gradual elevation of retentions, increasing premiums, reducing limits available and declining risks with specific employee count ranges.

Bertrand Spunberg, Senior Vice President, Hiscox USA: “We have strived to maintain 'sustainable underwriting' since we opened up in 2009, even when the market was still very soft. That discipline is now starting to pay off as other insurers are adjusting their rates and retentions up to a point that's more comparable to what we have been all along. We are seeing some insurers revising their appetites or pulling out of jurisdictions and segments altogether. Other carriers are taking a portfolio view of the business, making them more prone to declining rather than underwriting around account-specific exposures. This creates an environment that is increasingly difficult to navigate for both insureds and brokers. EPL claims have been leading the way, but we are also seeing D&O claims arising from financial issues, such as bankruptcy. In response to that, we have seen insurers indicate that they would be looking to limit or even remove entity coverage.”

Mr. Spunberg's comments should serve as a warning to all brokers. While pricing and retention changes are typically obvious changes to renewal terms, you need to pay extra attention to any other changes in coverage terms. On some policy forms, the inclusion of entity coverage may only be signified by an “X” in a box on a declarations page or quote letter. It could be easy to miss the removal of this subtle notation. Also watch out for changes in endorsement numbers and titles. You may find an insurer substituting an endorsement with the same title as previous years but adding a new clause that removes or restricts coverage from what you've come to expect.

Steven Dyson, Executive Vice President, ERisk Services, LLC: “We track a lot of data on our insureds and claim performance. Rather than penalize all insureds in every state, we have evaluated where our claims are coming from and adjusted our rates in a targeted fashion. Difficult venues like southern California, Illinois, southern Florida and metro New York, are getting more rate adjustments than less litigious parts of the country. We drill down to the county level when evaluating the performance of our book and adjust accordingly.”

As brokers, we appreciate ERisk's targeted approach. As insurance professionals, it can be a difficult message to give to insureds that an underwriter is penalizing them for the poor performance of another risk, or that the underwriters may have misunderstood the risks of the businesses they underwrite.

No insured likes to see their premiums rising. It helps when underwriters are doing their best to stabilize the marketplace and articulate the logic behind rate changes.

Joseph Casey, President, ACE Westchester: “At Westchester, we have seen a significant increase in the number of Private Company D&O submissions, apparently based in part by some markets reacting to an increase in Employment Practice Liability claims. The increase in EPL litigation and the corresponding rise in defense costs require, more than ever, greater underwriting discipline. However, the right carrier, with an expertise in EPL and a flexible approach, has the ability to look at the type of company, the jurisdictions in play and other factors unique to the insured, and provide suitable coverage.”

Our wholesale-dedicated markets like ACE Westchester and ERisk are less prone to some of the broad brush underwriting approaches taken by many of the standard markets. The wholesale markets are always looking for a way to differentiate and uncover risks that are neglected or underserved by the standard markets. When the retail-focused markets head out the door, our markets are usually running in; that appears to be what we are currently experiencing. We've had a sustained period of underpricing in the private D&O/EPL area as insurers compete for market share. With the loss frequency where it is and expenses rising, it is indeed time to reevaluate. While the wholesale markets are noticeably more competitive in a challenging market, they also do a great job when things are going smoothly.