[BreachExchange] Cyberattacks Are the New Norm - How to respond and get insurance recovery for government investigations.
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Sep 25 20:51:59 EDT 2017
http://www.jdsupra.com/legalnews/cyberattacks-are-the-new-norm-how-to-54851/
Takeaways
- Companies that suffer cyberattacks can expect not sympathy but scrutiny
from legal authorities.
- D&O insurance can cover not only litigation but also investigation costs.
- Strategic negotiation of D&O and E&O policy language can mitigate risk
that may arise.
The script is well-worn by now: a major corporation suffers an embarrassing
data breach that has led to the loss of tens of millions of customer
records. Compounding the embarrassment is the quick reaction by state
attorneys general launching investigations and lawsuits against the
corporation and executives. Will your insurance carrier help cover the
costs associated with defending against the AGs’ claims?
Background: State AGs Are Aggressively Using Their Authority under Data
Privacy and Unfair/Deceptive Advertising Laws to Pursue Claims Following
Cyberattacks
The last ten years have seen an explosive growth in the number of data
privacy protection laws enacted and updated across the country. Nearly
every state now has a law requiring companies of all shapes and sizes to
disclose when “personally identifiable information” (or PII, a term whose
meaning varies from state to state, but typically involves some combination
of a person’s name and a unique identifier like a social security number,
credit card or other payment account number, or driver’s license number)
has either been accessed without authorization or stolen.
Under those laws, companies will have a set amount of time to notify
affected individuals as well as provide them some form of recourse,
typically through free access to credit monitoring services. Additionally,
the data privacy protection laws also usually give attorneys general the
authority to pursue litigation against the companies whose databases were
stolen. Such actions initially were only taken following the most egregious
data breaches (those of extremely large size, or where the security failure
appeared to have been the result of gross negligence on the part of the
company). Now,
however, attorneys general are increasingly filing such lawsuits simply
upon receipt of news that a data breach has occurred. Most troublesome for
some companies is that they might be sued before they even know how the
breach occurred or who conducted it.
Such investigations tend to be expensive, protracted, and disruptive to the
company’s efforts to conduct day-to-day business. Executives and officers
often find themselves being deposed by multiple attorneys general offices
as well as civil plaintiffs while simultaneously being excoriated in the
press for their alleged malfeasance or perceived lack of interest in
protecting the data of their customers. Even though a determination as to
whose actions were ultimately responsible for the cyberattack may be months or
even years away—and may require the resources of federal law enforcement
and national security agencies to make a definitive conclusion—the costs of
internal investigations, settlement negotiations or even lawsuits can
seriously impair the day-to-day operations of a company.
Strategies for Managing and Responding to Civil Investigative Demands and
Subpoenas
In the event of a cyberattack, a company can anticipate Civil Investigative
Demands (CIDs) or subpoenas will be issued. How the company responds will
be critical. The company should review the subpoena, Civil Investigative
Demand or other investigative demand carefully to ensure that it
understands the scope of information requested, terms used, and time frame
affected. It is highly advisable that counsel experienced in handling
government investigations be consulted. Counsel can begin the conversation
with the issuing government official to respond properly to the information
being requested by the Government. Counsel can help to evaluate whether the
scope of the request may be narrowed to (i) effectively target the relevant
information sought by the Government, and (ii) efficiently respond to the
Government’s requests and minimize the disruption that collecting such
information entails. Counsel can also advise on the potential for working
with the government to identify the culprit of the cyberattack. These
initial discussions will greatly impact the government’s perception of the
situation and how it treats the company throughout the investigation.
Moreover, it is highly likely that the company will want to conduct an
internal investigation to address potential risks and liabilities that may
flow from the Government request.
Insurance Coverage for Data Breach/Cybersecurity Investigations
Targets of cyber-related attacks can expect to incur significant expenses
if they are forced to respond to government investigations into a data
breach. The categories of costs faced by the subject of such an
investigation (apart from the costs associated with the breach itself and
the resultant lawsuits) could include:
- Outside counsel fees for the review of a subpoena, CID or other
information request, and for the review and production of documents;
- The cost of any internal investigation commissioned by the company;
- Outside counsel fees for ongoing interaction with the AG or other
enforcement officials; and
- Settlements or judgments associated with the investigation or resulting
lawsuits.
In addition, publicized government scrutiny of a data breach could inspire
civil actions such as shareholder derivative suits and securities class
actions and lawsuits by individuals whose PII was stolen.
Fortunately, companies should be able to call upon their directors and
officers (D&O) and possibly other liability insurers to help defray these
costs. D&O policies, for example, cover “claims” arising from alleged
“wrongful acts” of certain officers, directors, and employees of the
company, as well as, in some cases, those of the company itself. Depending
upon the wording of each particular policy, investigation-related expenses
may be covered. Potential sources of recovery should not be overlooked
simply because an insurer or broker asserts that the “conventional wisdom”
is that a certain policy is not “meant” to cover subpoenas or other
investigation response costs. Third-party vendors may also owe
indemnification to companies that have been the victims of a data breach and,
in some cases, may also have named such companies as additional insureds on
certain liability policies. Be sure to investigate all potential sources of
recovery.
Getting Coverage for Subpoena Response Costs under a D&O Policy
The subpoena—a written order commanding the production of documents and/or
witness testimony—is a widely used tool in government investigations, and
is often the first step in a larger investigation. As a threshold matter,
insurers often dispute that a subpoena is a “claim” within the meaning of
that term in D&O policies. There is an emerging consensus in various
jurisdictions that insurers are wrong on this issue.
The typical D&O policy contains a definition of “claim” similar to the
following:
(1) a written demand for monetary or nonmonetary relief;
(2) a civil, criminal, administrative, regulatory or arbitration proceeding
for monetary or nonmonetary relief which is commenced by:
(i) service of a complaint or similar pleading;
(ii) return of an indictment, information, or similar document (in the case
of a criminal proceeding); or
(iii) receipt or filing of a notice of charges
A number of courts have held that a subpoena constitutes a “demand for
nonmonetary relief.”
An important recent New York case is Syracuse University v. Nat’l Union
Fire Ins. Co. of Pittsburgh, Pa., in which the New York Supreme Court,
affirmed by the Appellate Division, held that under the policy’s definition
of “claim,” the plain meaning of the term “nonmonetary relief” encompassed
subpoenas issued by the U.S. Attorney’s Office and a county district
attorney’s office in connection with their investigations into sexual
abuse. The court relied heavily on MBIA Inc. v. Federal Ins. Co., in which
the U.S. Court of Appeals for the Second Circuit found coverage for
subpoena response costs, stating: “We reject the insurers’ crabbed view of
a subpoena as a ‘mere discovery device’ that is not even ‘similar’ to an
investigative order. New York case law makes it crystalline that a subpoena
is the primary investigative implement in the NYAG’s toolshed.” The
Syracuse University court also noted that, pursuant to both New York and
federal law, failure to comply with a subpoena is a punishable offense.
Courts in other jurisdictions have also found D&O coverage for subpoena
response costs: Protection Strategies v. Starr Indem. and Liab. Co. (E.D.
Va.) (applying Virginia law and finding defense coverage for NASA subpoena
and search and seizure warrant); Minuteman International Inc. v. Great
American Ins. Co. (N.D. Ill.) (applying Illinois law and finding coverage
for compliance with SEC subpoena); Polychron v. Crum & Forster Ins. Cos.
(8th Cir.) (applying Arkansas law and finding coverage for grand jury
subpoena served on a bank).
Courts have also found coverage under errors and omissions (E&O) policies
for subpoenas and CIDs. For example, Ace American Insurance Co. v. Ascend
One Corp. involved a policyholder that was subject to an administrative
subpoena issued by the Maryland Attorney General’s office and a CID issued
by the Texas Attorney General’s office. The E&O policy at issue defined
“claim” to include “[a] civil, administrative or regulatory investigation
. . . commenced by the filing of a notice of charges, investigative order or
similar document.” Applying Maryland law, the U.S. District Court for the
District of Maryland held that the subpoena and CID were part of an
investigation into potential consumer protection law violations, and were
therefore an “investigation” under the policy.
Coverage for Other Investigation-Related Costs
In addition to responding to a subpoena, companies facing an AG
investigation may engage in many other costly tasks. For example, in some
cases, a subpoena may be preceded by a less formal information request from
the authorities, and decisions will have to be made (often with the advice
of outside counsel) as to whether and how to respond to such requests. In
the MBIA case mentioned above, the Second Circuit found coverage for costs
incurred by the insured in voluntarily complying with the SEC’s and NYAG’s
informal, oral document requests. The Second Circuit held that this
activity was covered because it was intended to head off formal subpoenas
and additional public relations damage.
A company under investigation may also engage a public relations firm,
security service and other vendors to help manage the fallout from
publicized government scrutiny. While these “indirect” response costs are
arguably investigation defense costs, there is scant case law on whether
they are covered. But a policy with “crisis response” coverage might
provide some relief. Coverage might also be available for resulting
shareholder lawsuits, because such lawsuits commonly fit into the
definitions of “claim” in D&O and E&O policies.
Practical Tips for Policyholders
Companies should keep the following points in mind in order to maximize
coverage for government investigations:
- Be proactive. Even before a subpoena or “target letter” lands on the GC’s
desk, work with your broker to negotiate a relatively broad definition of
“claim” in your D&O and E&O policies. Some newer policy language can
provide coverage for certain “pre-claim” inquiries from government agencies
and specifically for subpoenas, which would also include attorneys’ fees
and costs associated with interviews or meetings with enforcement
authorities. Policy exclusions must also be scrutinized. Consult competent
coverage counsel to review proposed policy language.
- Understand and comply with notice obligations. A government investigation
may begin with a formal subpoena, or even informally at an earlier point in
time. It is essential that you understand when, under your D&O and E&O
policies, notice of claim, or notice of circumstances giving rise to a
claim, must be given. On a similar note, it is important to understand your
obligation to provide information to and cooperate with your insurer in
defending an investigation. Best practice is to involve coverage counsel
early—the advice will be protected by the attorney-client privilege,
whereas conversations with a broker may not be.
When faced with a government investigation, policyholders should carefully
examine all potentially available sources of coverage. The law is different
in many states, and some courts have not addressed the issue. Policyholders
should be careful to understand their policies, the law and their risks
before they are subject to an investigation.