Data security: A growing liability threat

Transcription

1 Data security: A growing liability threat Data security breaches occur with alarming frequency in today s technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars in emergency response costs, lawsuit defense and settlements and fines and penalties. Lawsuits may be filed by customers, business partners and shareholders, with plaintiffs joining together in class action suits to press their claims. The release of non-public personal information may violate data privacy laws and lead to investigations and enforcement actions by regulatory and law enforcement agencies. The damage to a company s reputation following a data security breach is hard to quantify and even harder to restore. Consider the following recent example of a security breach of private data: Heartland Payment Systems, which provides bank card payment processing services (about 100 million transactions per month) to 250,000 merchants and businesses nationwide, was notified of suspicious activity by Visa and MasterCard. Apparently, when consumers used their debit cards, software had been capturing information about the transactions, including the cardholder name and card number, exposing tens of millions of debit cardholders to fraud. After being alerted of a possible security breach, Heartland found evidence of malicious software that compromised card data that crossed their network. This data security breach is alleged to have begun in 2007, but not discovered by the company until 2008 and not disclosed to the public until January Since the breach was disclosed, Heartland has been bombarded with lawsuits by consumers and credit card issuers. A securities class action suit filed by shareholders alleges that executives violated securities laws, made false and misleading statements regarding the breach and failed to disclose material adverse facts. Through March 2009, Heartland had recorded $12.6 million in costs associated with the intrusion, including a fine assessed by Mastercard, as well as costs associated with remediating the intrusion and notifying customers. What is especially alarming for Heartland s directors and officers is what has happened to the company s share price since the security breach was reported in the New York Times on January 20, Before the article was published, shares in Heartland Payment Systems were trading at $ The day the article was published shares declined 8.16 percent to close at $ Over the next two days the shares declined an additional percent to close at $8.18 on January 22. On February 24, Heartland announced earnings, which missed analysts earnings estimates for fiscal 2008 and the fourth quarter, and disclosed that it might incur losses from the recent security breach of its systems. However, it could not estimate the amount of losses that might be incurred in connection with the security breach. On that news, shares declined percent to close at $5.34 on February 24. The class action alleges a decline of 80 percent ($21.84) per share from a high of $27.19 on September 19, Some of the decline in share price can be attributed to the tremendous turmoil in the financial markets in the fall of Exactly how much of the decline is attributable to the data security breach remains to be answered. 1 As of the date of this paper, August 24, 2009, Heartland Payment Systems share price closed at $12.50

2 The outcome of the Heartland securities class action suit and the other lawsuits should be closely followed to see how liability is assessed and allocated for a massive security breach. The alleged hacker, Albert Gonzalez, who has been charged in the Heartland criminal case, also was charged and is awaiting trial for breaching TJX s data systems. Questions sure to be raised in this case include how the breach of data security could have gone undetected for so long and if management used all available tools to prevent such a breach. Furthermore, management s response to the crisis including how quickly and effectively consumers and business partners were notified, and what steps were taken to mitigate further damage undoubtedly will be an important consideration. Heartland Payment Systems reportedly was compliant with the security requirements of the credit card industry known as Payment Card Industry Data Security Standards (PCI DSS) requirements. Whether compliance with standards provides a shield against liability, however, remains to be seen. This is just one example of the many data security breaches occurring daily. In fact, since January 2005, according to privacyrights.org, more than 250 million records containing sensitive personal information have been involved in security breaches in the United States. Data security and privacy regulations The privacy and security of non-public personal data first became an issue of significant concern in the 1960s and 1970s. With the emergence of the internet, however, came unprecedented new possibilities for widespread loss and abuse of personal information. Around the world, data protection concerns have led to legislation affecting every company operating in the global marketplace. Until the late 1990s, legislative attempts to address these issues were based largely on sector-specific legislation and self-regulation. The introduction of sweeping European Union (EU) legislation in recent years and the subsequent upsetting of the international status quo on the treatment of personal data have altered standards of privacy and data protection. An understanding of the differences in regulation that exist between industries and countries, as well as the potential liabilities for the misuse or improper handling of personal information, is now essential for any company operating in the global online marketplace. The protection of personal information in the US The United States has no one comprehensive privacy protection law. Rather, several laws address particular situations, such as for healthcare data (HIPAA), financial data (Gramm-Leach-Bliley Act), credit information (Fair Credit Reporting Act), and information obtained from children (the Children s Online Privacy Protection Act). Another federal laws that touchs upon data privacy and security issues is the Electronic Communications Privacy Act, which principally addresses government surveillance, but also includes provisions concerning access to private computerized messages by third parties without legitimate authorization. Yet another law is the Computer Fraud and Abuse Act, which prohibits accessing a computer without authorization to obtain certain types of information. The Computer Fraud and Abuse Act also prohibits knowingly accessing a computer with the intent to defraud and thereby obtaining anything of value. As of August 2009, 45 states and the District of Columbia have enacted laws that require companies to notify consumers when there is breach of security involving non-public personal information. There are currently no breach notification laws in Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. New regulations are emerging seemingly daily. As part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, recently enacted Red Flag Rules require creditors and financial institutions to implement programs to provide for the identification, detection and response to patterns, practices, or specific activities known as red flags that could indicate identity theft. Each knowing violation of this law results in a $2,500 penalty.

3 Data privacy laws are also becoming more onerous. Massachusetts is set to implement the strictest data protection rules in the country. This law will require notification of a security breach and provide for the implementation of security freezes. The law will also allow for triple damages, payment of defense costs and other costs. The rule, once set for implementation on January 1, 2010, has been pushed back to accommodate the concerns of small businesses. Finally, to demonstrate the spreading breadth of data privacy compliance, even the American Recovery & Reinvestment Act (ARRA) of 2009 (Stimulus Act) mandates additional data breach notification requirements for certain types of companies. The protection of personal information in the EU The EU has taken a global leadership position in setting and enforcing standards for the protection of private data. The Information Directive of 1995 and the more recent Directive on Privacy and Electronic Communications of 2002 emphatically state that EU residents are entitled to a right to privacy. The 2002 EU Directive builds on the privacy protections that are contained in the 1995 EU Information Directive which defines personal data as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity In the US, medical and financial records are protected under separate legislation, while most other private information acquired online does not have legal protection. The EU centrally supervises the private sector s use of personal data. A proposed amendment to the Directive on Privacy and Electronic Communications would mandate security breach notification. European regulators remain vigilant of data security breaches. In July 2009, the UK s Financial Services Authority (FSA) fined three HSBC Holding PLC firms a total of 3 million ($4.9 million) for failing to protect customers confidential information, the highest fine ever imposed by the FSA for data security breaches. Costs associated with data security breaches Data security breaches can result in large losses from a number of sources. Companies need to consider the full range of costs associated with data security breaches, which can include: Costs of notice to consumers and government authorities, which can average $30-$140 per notice to each consumer; Credit monitoring services; ID theft coverage; Defense costs and damages; Expenses to secure compromised networks and assess damages; Costs of compliance with government investigations; an Fines for violation of laws (e.g. HIPAA, GLBA, FRCA) Loss of trust and other reputational damages can also have significant top line and bottom line impact. In extreme cases it can be ruinous. Lawsuits by customers, business partners and shareholders can result in tens of millions of dollars in settlements. For example, a well publicized case involved the parent company of T.J. Maxx and Marshalls (TJX), in which debit card information belonging to at least 45.7 million customers was obtained by hackers. TJX has reached settlements with private plaintiffs as well as the FTC. TJX has reported that cost of the breach may total as much as $256 million.

4 Coverage for data breaches under standard property and casualty insurance policies Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft, violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty and even fraud. A company s standard property and casualty insurance policies may provide some coverage in the event of a data security breach, but specialized cyberliability coverages may be worth exploring and evaluating. The following types of insurance policies may provide some coverage for data security breaches and resulting claims: 1. First-party property polices typically cover all risk of loss or damage to covered property. However: a. Some policies may have exclusions for certain causes of damage to systems; and b. The policy may need to be endorsed to cover computer equipment and electronic data. 2. Third-party liability policies such as Commercial General Liability (CGL) policies provide coverage to a company when it issued. Provisions in CGL policies may provide coverage for some types of lawsuits triggered by a data security breaches. However: a. Some policies may exclude personal or advertising injury arising out of knowingly violating the rights of another and/or personal or advertising Injury arising out of publication of material that violates a person s right of privacy; b. Damage to personal property in the care, custody or control of the insured is usually excluded; and c. Some policies exclude coverage for electronic data. 3. Errors and Omissions (E&O) policies cover wrongful acts committed in the insured s performance of professional services. However: a. Whether there is coverage for data security breaches depends upon the policy s definition of the covered professional services. 4. Directors and Officers Liability (D&O) insurance provides coverage for directors and officers, and usually coverage for the entity, for wrongful acts committed in their capacity as directors and officers of the insured organization. However: a. Organization coverage may be limited to securities claims; b. D&O policies typically contain exclusions for intentional acts and property damage. Of all the standard property and casualty insurance coverages, D&O policies may be the most exposed to large claims arising from a data breach. As incidents of data security breaches rise, so does the impact, financial and reputational, to companies. Directors and officers are increasingly a target for lawsuits by shareholders looking to hold management responsible for losses incurred by a company and loss of shareholder value. Exposure for directors and officers may arise if they have not responded appropriately to prepare for, respond to, and finance the cost of a data security breach. Additionally, once a breach occurs, directors and officers may be targeted by shareholders if it is believed that the financial consequences of the breach were not fully disclosed in a timely manner. Relevant principally to public companies, the corporate governance rules of the Sarbanes-Oxley Act of 2002 require that company directors and officers evaluate and maintain a safe control environment. This responsibility may be interpreted as including regular evaluation of an organization s procedures for data security to ensure the company is protected against unauthorized breaches.

5 Cyberliability insurance: data breach coverage As a backstop to data security technology, data breach insurance coverages have been introduced. Data breach coverage still is relatively new, and terms can vary materially from one carrier to another. However, policies have become both more comprehensive and more focused as insurers have come to better understand the risk landscape of cyberspace, as well as the specific business needs of their customers. Additionally, meaningful limits of liability now are available, which was not the case only a few years ago. Insurers offer property and theft (first party) coverage and liability (third party) coverage related to privacy and data security. Some insurers also offer crises management benefits (including hiring a public relations team), customer notification expense coverage and risk management services. Data breach coverages also may be bundled with complimentary cyberliability coverages such as unauthorized access or use of an insured s computer system, alteration or destruction of electronic data and denial of service attacks. Conclusion As the world becomes increasingly reliant on new technologies, utmost care must be taken to ensure that the private data entrusted to companies is protected. Almost every company maintains transaction and customer information on computers, and a great many companies transact at least a portion of their business electronically. Consequently, the vast majority of companies are exposed to electronic data security breaches. When non-public personal data is inadvertently released, a company faces civil litigation, regulatory inquires, fines, penalties and even criminal investigation. It is imperative to consider the consequences of a data security breach before it happens and to prepare for the likely event a company will be the victim of an unauthorized release of non-public personal information at some point in the near future. The financial consequences of a data breach can be enormous sometimes even devastating but most companies have relied almost exclusively on technological solutions to manage the risk. The market for data security insurance is growing with increasingly sophisticated products, higher policy limits, and competitive pricing. Combined with a growing awareness at many companies that data security should not be exclusively an IT issue, these developments will eventually make cyberliability insurance products a standard part of data security risk management strategies. This report was produced by Advisen Ltd. Advisen integrates business information and market data for the commercial insurance industry and maintains critical risk analytics and time-saving workflow tools for over 530 industry leading firms. Advisen combines the industry s deepest data sets with proprietary analytics to offer unique insights into risk and insurance. For more information, visit For more information, contact: Zurich 1400 American Lane, Schaumburg, Illinois This fact sheet is intended as a general description of certain types of insurance and services available to qualified customers through the companies of Zurich in North America. It is not an insurance contract. The insurance policy is the contract that specifically and fully describes coverage. The description of the policy provisions gives a broad overview of coverages and does not revise or amend the policy. We make no guarantee of results and assume no liability in connection with the information, methods or suggestions contained in this fact sheet. Insurance coverages underwritten by member companies of Zurich in North America, including Zurich American Insurance Company. Certain coverages are not available in all states. Some coverages may be written on a nonadmitted basis through surplus lines brokers 2009 Zurich American Insurance Company