Exploring the Cyber Insurance Claims Landscape
The following article is part of our Hedge Fund Insiders Article Series and was contributed by Willis Group Holdings Ltd.
The Cyber risk landscape is rapidly evolving. Governments are facing an unprecedented level of Cyber attacks and threats with the potential to undermine national security and critical infrastructure. Similarly, businesses across a wide range of industry sectors, particularly those in the health care, retail and financial services industries [1], are exposed to potentially enormous liability and costs as a result of Cyber incidents and data breaches.
Given the risk landscape, it is no wonder companies of all sizes continue to be subject to increasing data breach liability, both in the form of single plaintiff or class action lawsuits and regulatory investigations and proceedings. Negligence, breach of fiduciary duty and breach of contract are just some of the allegations that a company may face as a result of a systems failure or lax security that compromises the security of customers’ personal information or data.
Plaintiffs in data breach class actions typically allege that businesses failed to adequately safeguard consumer information and gave insufficient and untimely notice of the breach. Companies may also face class actions from banks and credit unions seeking damages for administrative expenses, lost interest, transaction fees and lost customers.
Settlements of data breach class actions can be exorbitant. For example, 25 class action lawsuits were settled in the wake of a retailer’s 2007 data breach involving the theft of data related to over 45 million credit and debit cards. The settlement included: up to $1 million to customers without receipts; up to $10 million to customers with receipts ($30 per claimant); $6.5 million in plaintiffs’ attorneys’ fees; and three free years of credit monitoring, with total costs reportedly up to $256 million. More recently, in 2014, two major retailers reported that the total costs of data breach and related class action lawsuits (less expected insurance recovery) were estimated at $63 million and $191 million, respectively. And this year, two major health care companies are separately facing several lawsuits as a result of data breaches that reportedly exposed the personal records of 80 million and 11 million people, respectively. While these matters have yet to be resolved, the anticipated costs of litigation and settlement may set records.
Most data breaches result in first-party loss to the victim of the Cyber breach. For example, a business sustaining a Cyber breach or failure to protect confidential consumer information may incur the following expenses to remedy the issue (i.e., first-party costs):
Costs to restore its computer system and remove viruses, malicious code and Trojan horses
Costs related to loss of business (such as a denial-of-service computer attack on a company’s network that limits the ability to conduct business)
Costs to conduct a forensic investigation as to the cause of the unauthorized access
Legal consultation costs or “breach counsel” to consult the business regarding all statutory requirements
Costs to notify affected consumers, and costs to offer credit monitoring services to customers
Costs to retain public relations assistance or advertising to rebuild a company’s reputation after an incident
To the extent that there was a Cyber attack on the business’s network in an attempt to extort money (“Cyber extortion”), costs to settle such extortion demands, as well as costs of hiring a security firm to negotiate with the blackmailers, may also be at issue
Companies affected by a Cyber breach may also face liability to third parties, which may result in defense costs, settlements, judgments and, sometimes, punitive damages. Third parties bringing lawsuits against businesses for damages are increasingly seeking to expand the nature of injuries and remedies sought, in light of early case law which determined that there was no injury in fact sustained by the Cyber breach and thus no standing to sue. The Federal Trade Commission (FTC)’s Bureau of Consumer Protection has increased its investigations of data breaches on behalf of consumers, given the rise in the number of organizations that rely on “Big Data” in their advertising and marketing campaigns. In 2014, the agency issued a press release announcing its 50th Data Security Settlement on behalf of consumers. Among those settlements was the much publicized 2006 settlement with a data aggregation company, in which the company agreed to pay $10 million in civil penalties and $5 million in consumer redress for time customers may have spent to monitor and repair their credit following a breach that exposed their personal information.
In addition, the Federal Identity Theft Enforcement and Restitution Act (“ITERA”) provides that perpetrators of identity theft must reimburse their victims for the value of the time the victims spent repairing their credit records. The enactment of ITERA, and the growing recognition in the business community that time spent repairing credit may constitute an injury in fact, may create an increased willingness of courts to find consumer standing to bring such actions and thus an increased liability risk to businesses. Increased regulation at the federal and state levels related to information security and breach notification is expanding the legal avenues that may be pursued. Forty-seven states plus Puerto Rico, Washington D.C. and the Virgin Islands have enacted laws requiring companies to notify consumers of breaches of personal data. Federal laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, have requirements to safeguard the privacy of personal information, and some states require notification to the state attorney general. Given this ever-evolving regulatory landscape, companies should expect an increase in third-party liability claims led by federal regulatory agencies, as evidenced by a March 2015 federal court decision involving a large hotel chain wherein the court held that the FTC has regulatory authority to enforce data security practices.
[1] NetDiligence Claims Study, 2014