A Directors and Officers ‘Cheat Sheet’ on D&O Cyber Insurance
MARCH 2, 2015
by Mary-Pat Cormier & Jennifer Garner, Bowditch & Dewey, LLP
The Wall Street Journal covered a recent study finding 53% of 277 directors and officers said that “insufficient preparation to manage cyber threats,” was among top five concerns “‘significantly impact[ing]’ their organizations this year.” “[E]xecutives recognize the need for ‘cyber resiliency’, . . . it is not a matter of if a cyberrisk event might occur, but . . .when it will occur.”
Small wonder with these numbers:
- a 78% increase in stolen or compromised data records from 2013 to 2014, with over one billion data records affected in 2014;
- 2014 saw an all-time high of 783 data breaches, a 27.5% jump over 2013. 47% of U.S. adults have been affected since 2014;
- Cybercrime costs the global economy $575 billion and the U.S. economy is hardest hit at $100 billion annually;
- Hacking is the primary cause of data breaches.
Add to these statistics recent litigation:
- A 2014 derivative suit against Wyndham Worldwide Corporation and certain directors and officers related to three data breaches that compromised over 619,000 consumer payment card accounts, resulting in several million dollars in fraud loss. The complaint alleges breach of fiduciary duty, corporate waste, and unjust enrichment, and that the defendants’ failures resulted in damage to the company’s reputation with its customer base. It seeks “to rectify the conduct of the individuals bearing ultimate responsibility for the company’s misconduct – the directors and senior management.” The lawsuit challenges the conduct allegedly causing the data breach and relating to the investigation, disclosure, and remediation of the data breach. Ultimately, the suit was dismissed because the plaintiff lacked standing: the board’s rejection of the presuit demand was protected by Delaware’s business judgment rule.
- Derivative lawsuits against Target Corporation and its executives arising out of its 2013 breach, affecting 40 million payment cards. Plaintiffs asserted claims for breach of fiduciary duty and waste of corporate assets. This suit also assailed conduct allegedly causing the data breach and the investigation, disclosure, and remediation of the data breach, claiming executives’ conduct “aggravated the damage to customers by failing to provide prompt and adequate notice to customers by releasing numerous statements meant to create a false sense of security to affected customers.”
Although a suit has not been filed against The Home Depot executives, the company is facing at least 44 lawsuits related to a 2014 data breach that exposed 53 million customers’ email addresses and 56 million payment card accounts.
Equally deserving of attention – but sometimes overlooked – are the cyber-insurance policies available to corporations, their officers, and directors. With dozens of carriers offering insurance for virtually every type of cyber threat, data/privacy breach, or hack, the problem is not lack of choice. It is that the options are dizzying, and a company could pay for coverage that doesn’t completely cover its exposures or those of its officers and directors.
Directors and officers need to ensure that a company is “cyber resilient”, but they should also ensure their own liability coverage for cyber risks. Above all: if a data breach claim is not covered under a directors and officers (“D&O”) policy, executives should ensure that the claim is covered under another policy providing for data breaches in as broad terms as possible, including:
- Because derivative claims are trending, non-indemnifiable risks (so-called ‘A-Side’ coverage) must be fully covered, including no retention or deductible on the A-Side coverage;
- Indemnifiable loss (so-called ‘B-Side’ coverage) should be similarly robust; indemnification provisions in corporate documents should be sure to include any claims or demands arising out of any privacy or data breach whatsoever;
- “Claim” should be sufficiently broad to encompass any investigation costs, including investigations conducted by independent counsel or a regulator investigating a data breach even where no suit has been filed;
- “Wrongful act” should be sufficiently broad to encompass any alleged breach of a duty arising out of any privacy or data breach whatsoever, including hacking, cyber extortion, computer fraud, theft of funds, and theft of personal data or personal identifiers;
- The policy should advance defense costs to counsel selected by the director/officer;
- Misconduct exclusions (i.e. barring coverage for fraud, misrepresentation, criminal activity, and the like) should contain an adjudication provision through appeal and should cover all defense costs regardless of liability;
- The insured v. insured exclusion should contain a carve back for claims arising out of any alleged breach of a duty arising out of any privacy or data breach whatsoever, defined as broadly as possible;
- If there is an exclusion for employment practices related claims, it should contain a carve back for claims arising out of any alleged breach of a duty arising out of any privacy or data breach whatsoever, defined as broadly as possible;
- Bodily injury exclusions should include a carve back for emotional duress claims arising out of any alleged breach of a duty arising out of any privacy or data breach whatsoever, defined as broadly as possible;
- Intellectual property or advertising injury exclusions should contain a carve back for claims arising out of any alleged breach of a duty arising out of any privacy or data breach whatsoever, defined as broadly as possible;
- Policies should provide order of payment and allocation provisions for liability of the company and its directors and officers, such that officers’ and directors’ defense costs and indemnity are paid in priority to the company’s, unless independent directors determine that it would not be in the best interest of the company to do so;
- The coverage territory for the policy must be as broad as the locus of a company’s cyber risks. If a company has customers in a foreign country or a supply chain in a known cyber-crime territory, a U.S.-only policy would be insufficient;
- Because different policies covering the same claim may be underwritten by the same or different carriers, the scope and wording of ‘other insurance’ and ‘anti-stacking’ provisions are important.
Given the certainty of cyber breaches, the concomitant risks, and the threat of litigation, this ‘wish list’ of D&O coverage is worth sourcing as actively as a company’s raw materials.
About the Authors
Mary-Pat Cormier is a partner at the Boston law firm of Bowditch & Dewey. She focuses her practice in the area of financial services and securities litigation, including disputes arising out of both coverage and bad faith claims handling against professional and specialty lines liability carriers, banking, creditors’ rights, and limited partnership disputes. Jennifer Garner is an associate and concentrates her practice in all aspects of civil litigation. She advises clients on a wide range of matters involving business, construction, employment, and insurance defense disputes.