The need for D&O insurance
The recent hacking of customer credit information at Target Corp. triggered more than 40 lawsuits, with more sure to follow. It’s almost guaranteed we’ll be seeing more such breaches in the months and years to come as the tactics of cybercriminals evolve at an alarming rate.
Suits against Target were filed with lightning speed on the same day the data compromise was announced, an indicator of the aggressiveness of the plaintiffs’ bar to quickly litigate.
Class action lawsuits (Cyber Risk Insurance) vs. derivative lawsuits (D&O insurance)
Some of the initial lawsuits filed against Target allege general wrongful acts and negligence that can impact entity coverage under Directors & Officers (D&O) insurance policies, according to William Um, policyholder counsel at Hunton & Williams LLP. Even though companies may already have cyber attack coverage, data breaches still affect D&O policies.
It’s likely that customers filing class-action suits due to falling share prices will be the source of the most serious trouble for companies. However, shareholders filing derivative lawsuits are on the rise and for various legal reasons insurers are more likely to pay damages for derivative lawsuits out of the Side A coverage under a D&O policy. And suits against public companies will likely rise further now that the U.S. Securities and Exchange Commission is pushing disclosure of data breaches.
“It’s interesting that not all the cyber risk D&O cases are now being brought as stock-drop cases,” said Ann Longmore, executive vice president of FINEX North America, a unit of Willis Group Holdings. “Now, a number are being filed as derivative actions.”
Allegations vs. possible outcomes
The suits allege that Target negligently breached duties owed the plaintiffs and class members resulting in their personal information being compromised. They also cited the time and expense required to cancel debit/credit cards, activate new cards and set up new automatic payments on these new cards.
Class-action plaintiffs may have trouble trying to prove that the breach led to compensable damages. Even though the customer’s data was accessed by an unauthorized entity doesn’t mean that damages resulted. However, that probably won’t always be so. “As plaintiffs get more shots at the apple, they are getting better at trying to allege compensable harm,” said Um.
For the defending companies, D&O policies may help. But it’s best that the immediate costs of cyber compromises be handled through dedicated Cyber Risk policies. Cyber insurance alleviates the stress of managing the claim.
Source: Bill Kenealy, “Data breach litigation,” Business Insurance, 19 Jan. 2014.