Cyber Crime And Data Breaches
The evolution of the internet has led to most companies now holding increasing levels of confidential client information on their systems. The increase in the levels of client information being held has been matched by an almost meteoric increase in the frequency and sophistication of hacking and data breaches. The protection of client information is seen as a key responsibility of the companies holding it, and failure to protect it has led to actions against directors. The recent data breach experienced by Target in the USA has led to lawsuits being filed against directors personally on the basis of a failure of fiduciary duty, waste of corporate assets, gross mismanagement and abuse of control.
Counting the Cost
Quantifying the ultimate fallout from a data breach is difficult, as in addition to the obvious claims for loss suffered by those whose details were stolen, there are the secondary actions which are triggered by the hacking.
In the event of a data breach, it is likely that a regulatory investigation will be triggered. Before addressing any fines or other sanctions which may be imposed, the cost of simply replying to any investigation can be significant, and if the D&O policies are not worded correctly these costs may not be covered.
If shareholders believe that the data breach is a result of a failure of the board to exercise its duties satisfactorily, this can lead to a derivative action by the shareholders against directors personally for a failure of fiduciary duty to the company. In many cases there are statutory limitations in relation to the indemnification of directors' costs, and in the case of awards or settlements in derivative actions these are generally non-indemnifiable by the company in the absence of insurance cover.
The SEC in the United States has indicated the areas it will focus on in the event of a data breach investigation, and these indicators are an excellent starting point in assessing the data protection regime in any company:
- What is the organisation's cybersecurity governance structure?
- How does the organisation identify the risks to its data?
- Is it considered best in class?
- How does the organisation protect its networks and information?
- What system does the organisation operate to detect unauthorised activity?
The Illusion of Protection
The fact that cybercrime and data breaches are relatively new phenomena has meant that many policies have not evolved to address the risks associated with these activities, and many boards are failing to ensure that the broad spectrum of risks associated with cybercrime has been covered by their combined policies.
The increase in cybercrime has led to the emergence of cyber liability policies. As a result of the availability of these policies, many underwriters are now drafting D&O policies with a standard exclusion for privacy violations, an exclusion which would not have been there in the past. While a cyber policy will provide protection for the front line costs associated with a data breach event and provide the illusion of protection, it will not provide protection to the board in the event of a derivative suit or shareholder class action.