LexisNexis® for Corporate Counsel
Busy GCs Should Make Time for Cyber Compliance
Cyber experts from internet security firms, insurers and law firms agree: in a world of fast-paced, ever-changing threats to private information, general counsels need to ensure their clients protect themselves from cyber risks and prepare for the complex, costly process that follows a breach.
With so much at stake, including risks to their bottom line and reputation from liability, litigation and regulators, companies need to know what is required to protect data, where the threats come from, and what preparations they ought to make, from obtaining tailored cyber insurance to having a response plan and team.
What businesses should be concerned about cyber risk?
Mark Greisiger, president of NetDiligence, urged any business, large or small, that collects personal information on people or is responsible for a business partner’s data to have a plan for protecting that information and for responding to a breach. Private information includes Social Security numbers, birth dates, drivers’ license information, debit or credit card numbers and other financial data.
Unfortunately, many companies have not gotten the message. Meredith Schnur, a broker with Wells Fargo Insurance Services Professional Risk Group, said she often encounters clients who don’t understand what personally identifiable information is -- they may only know that someone told them to be concerned about private data.
“Our clients reach out to us to discuss the exposures surrounding network security and privacy, and they think we will be done in 15 minutes. It generally turns into an hour conversation because they never really understood how much responsibility they have to protect the data; they don’t understand the costs that they can incur as a result of a breach. Most of them don’t understand the regulatory environment.
“We have multi-billion-dollar organizations that require an explanation of what these crisis management response costs are and how they will impact their business. It really all depends on who is leading the insurance and risk management decisions at the organization, some have more knowledge than others.”
Don’t Be the Example
And that is the question the experts say must be answered immediately. Who at the company is responsible and accountable for privacy? Someone needs to take ownership. While general counsels are busy and pulled in a hundred different directions, they understand better than most the implications of a data breach, experts say. GCs need to ensure their client designates a privacy point person.
“But telling you that and ensuring it happens is another thing,” said Schnur. “The CEO, CFO and other C-level positions should be absolutely on board, on top of and updated regarding their organization’s privacy issues, risk practices, policies and procedures. You’d be surprised how often that does not happen. Not because it’s a poorly managed organization; it just doesn’t always get to that level. It should be at the top of their priority. It’s a reputational issue at the end of the day.”
Nicholas Economidis of Beasley Group agreed. Companies and risk managers who ignore these issues do so at a significant risk, he said, “because if you’re not paying attention, if you’re not watching the ball, you’re going to be adversely impacted and surprised by these issues and not be prepared to deal with them. And then you are going to be the example. Believe me, you don’t want to be the example.”
Sticking to Policies
Once a policy is in place, applying it is the key, said Jamie Sheller of Sheller, P.C. “Having a policy to protect consumers’ private information without implementation and enforcement is again a plaintiffs’ litigation disaster.” It is akin to companies having a security guard at the front door who should check IDs for every person who comes in. With data, they also need to continue to ensure employees are implementing the policies and procedures and that they are continually trained. It often comes out during litigation that companies are “very, very sloppy,” Sheller said.
Preventing a breach by sophisticated hackers can be nearly impossible, Sheller said. But a company’s liability lies in its failure to recognize that its systems have been infiltrated, sometimes for months and months, and in its inability to document what information was taken, she said.
The Hacking Industry
Hackers are still the biggest threat to companies’ private data, said Vinny T. Sakore of Immersion Ltd. But employee negligence and fraud also do significant damage. Sakore said hacking has changed over the years. Hackers used to target data that was just sitting in a company’s database. Now they realize it is easier to catch data in transit, and the risk of getting caught is reduced. He cited the rampant use of spyware and malware to steal personal data.
Hacking has become a huge industry and today even involves organized crime. Sakore said criminal organizations hire hackers to target certain markets, perhaps food and beverage services or the hotel/hospitality industry. They tap into the point-of-sale systems and replicate the attack all across the country. When one avenue closes down, they move to another, said Sakore.
Of course, data breaches also can result from a single employee. Sakore cited the example of an employee who loses, or has stolen, a laptop containing private data. He also described a client whose employee handled admissions at a flu shot clinic, writing down 9,600 names and Social Security numbers. The employee sold them for $100 each.
A Company’s Obligations
After a data breach, a company needs to adhere to loss-control best practices, said Economidis of the Beasley Group. Someone at the company must understand the risk management issues from a legal standpoint, the company’s responsibilities and how these are continually changing, he said.
Sakore agreed. Data breach response is getting more complex, he said. Federal regulators and 46 states require that notification letters be sent to consumers whose data is at risk because of the breach. As many as 14 different letters may need to be generated for a single breach, and the deadline for sending them can be as little as 48 hours.
“If you have a breach involving half a million records, to get that many records out in under 48 hours is a challenge. What we’ve found is that companies don’t often think through how long it’s going to take to print, mail, insert and get out a half a million notifications,” Sakore said.
Don’t forget, everyone is watching to see what that letter said, Sheller advised. “Again and again we find that companies completely mishandled private information behind the scenes, and that stands in direct contrast to the notice letter that they sent out to consumers saying that there really is no chance that anyone has their private information, that it’s not easily accessible by the bad guys, etcetera, etcetera. They get caught in an awkward situation, where the information that comes out in discovery is in direct opposition to what they’ve presented to the public. It’s something that needs to be considered from the get-go, so the company can be honest with the public about the breach and maintain their public relations standard in a positive way with consumers.”
Theodore J. Kobus III, of Marshall, Dennehey, Warner, Coleman & Goggin, agreed, stressing the important elements of notification letters and immediate response. He asked: What is being said? How is it being said? How is the call center answering questions? Are you offering credit monitoring? If you’re not, why not? How difficult is it to find out who has been affected by the breach?
“The answers to all of these questions are going to impact how you defend a lawsuit,” Kobus said.
Because of the legal ramifications, Sakore advised that the notification process be overseen by an attorney who understands them. He noted that the requirements don’t end after notification. Attorneys general from many states will get involved. They will want packets of information documenting how residents of their states were affected by the breach.
Beyond what is required, experts agree post-breach best practices include hiring a forensic firm to determine the scope of the breach, bringing in a law firm to determine what state and federal laws apply, hiring a notification firm and a credit monitoring firm, setting up a call center and having full identity theft services for consumers that may include identity restoration.
The Cost of a Breach
In addition to the expense of notification and providing services to victims, companies have to defend their lack of care against attorney general enforcement actions and lawsuits, including those by individuals, financial institutions, third-party payment processors and shareholders, Greisiger said. They also encounter forensic expenses and general legal costs and an immeasurable cost to their reputation.
Sheller noted that state and federal regulators are becoming more aggressive in pursuing companies in court for their failures.
Kobus said that in 2010, an attorney general filed an enforcement action under the Health Information Technology for Economic and Clinical Health Act, or HITECH. Another filed a lawsuit because he thought a company took too long to notify individuals. In 2011, with the authority given to the Federal Trade Commission under its Red Flags Rule, more regulatory actions will pop up, he said.
While Kobus said the defense bar got a few good wins in 2010 with Hannaford Brothers, Gap and Starbucks, the cases were still very costly. And with more and more data breaches being handled by people who don’t know this area of the law, the plaintiffs’ bar is going to get more creative, Kobus predicted. [Cases cited: In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009); Ruiz v. Gap, Inc., 380 Fed. Appx. 689 (9th Cir. 2010); and Krottner v. Starbucks, 2010 U.S. App. LEXIS 26795 (9th Cir. 2010).]
“The dust hasn’t settled. It’s just being stirred up.”
To illustrate the potential scope of even a minor breach, Oliver Brew of Hiscox cited a case involving a health care worker with a single lost laptop holding just 200 names, addresses and Social Security numbers. By the time his client pays fines, forensics costs, notification expenses and litigation, what seemed an incidental matter, with no evidence so far of identity theft, will run to seven figures, he said.
Have a Plan
The consensus among the experts is that no company should handle a data breach alone, and every company should have an action plan in place.
Don’t wait until you have a breach, counseled Toby Merrill, vice president of ACE USA. Many organizations don’t know whom to contact in the event of a breach, and they wind up rushing out to hire a vendor. They often overpay, or the vendor may not be qualified. Sheller agreed. An action plan should include an arrangement with experienced breach-response vendors that have the knowledge and resources to help manage the crisis and control damage. Companies can find a reputable vendor on their own, or, many times, their insurance carrier has a panel of privacy breach experts ready to jump in.
An action plan might also include some type of cyber insurance. Most general liability policies don’t cover data breaches. Merrill advised finding an insurance broker who is knowledgeable about cyber issues who can match your company’s needs with what is available in the marketplace.
A Range of Solutions
Merrill noted that multiple types of cyber coverage options are available, even from a single carrier.
Many insurance carriers provide cyber coverage with a reimbursable expense fund so that the insured can hire various vendors to respond to the breach and be reimbursed. He cautioned, though, that not every policy provides the same coverage. Does it cover hiring a forensic firm to determine the scope of the breach? How about a law firm? What about the expense of providing identity theft services and credit monitoring and credit restoration to consumers?
“You don’t want to be shortchanged . . . There are a lot of things that a client should be discussing with their broker when they evaluate what coverage they should be purchasing,” Merrill said.
Carriers have a number of strategies for mitigating cyber-related losses, Merrill said. Some insurers, and even brokers, provide access to a loss prevention portal such as eRiskHub that provides important loss-control resources. Carriers also provide a panel of vendors, often at a discounted rate.
Cyber coverage also should be broad enough to protect companies against a wide range of claims related to a breach, including first-party liability, third-party liability, contractual liabilities, business interruption losses, and directors’ and officers’ liability, the experts say. It is easier than ever to find affordable technology coverage, said Brad Gow, vice president at Endurance Specialty Holdings. He reports that 15 to 20 credible markets are available to underwrite, price and accept cyber risk or network risk insurance coverage. Of those, six to eight are able and willing to write the primary risk on a Fortune 500 company. Gow, who also has held leadership positions at Zurich N.A., ACE and AIG, said that even compared to a year ago, “With another year of experience and another layer of data to work with, companies are reducing redundancy, and are able to provide more accurate pricing and more competitive pricing which increases the take-up rate and continues to build the market.”