It is well known that corporate data breaches have increased over the last few years in both incident rate and associated financial expenses. With the average breach costing $5.9 million in 2014,[1] it can be debilitating for all - including a company's directors and officers - whose liability exposure has increased dramatically as a result.
The 2013 data breach at Target Corp. is a case in point. Lawsuits by the retailer's shareholders have surfaced against the company's directors and officers alleging that the organization's leaders "failed to take reasonable steps to maintain its customers' personal and financial information" by implementing appropriate internal controls designed to detect and prevent such a data breach from happening.
"When a company like Target experiences a 46% drop in profits during its biggest retail season due to a data breach, that's material to the investor," said Abdelhamed Sadik, MBA, RPLU, CPCU, ARM, Vice President, Executive Liability Practice, HUB International. "It's something the plaintiff attorneys can use to bring suits against a company. Stakeholders can state, 'there was a loss of shareholder value due to management breach of their fiduciary duties to their stakeholders and acted incompetent with regards to privacy protection.'"
Directors and officers need to ask themselves: Have we done enough to protect both the company and ourselves from risk?
"While most US companies shield themselves by registering in Delaware where the law can be very protective of its Boards of Directors as long as the Board has discussed the cyber perils and made a formal business judgment, directors and officers may still face long term impact on customers, employees and even their own individual assets, including personal accounts and more," said Arturo Peres-Reyes, Vice President, Executive Liability Practice, HUB International.
Best Practice Protocols
Although data breaches can't be completely prevented, there are a few best practice protocols that can be instituted to minimize exposure for both the company and its decision-makers. They include:
Securing the Right Coverage. In most cases, having a separate, stand-alone directors and officers (D&O) policy and a standalone cyber liability policy that includes privacy coverage and identity restoration will provide the most protection. Consulting with a third-party, independent broker like HUB will offer a number of preventive and post-breach services while helping directors and officers (D&O) sift through the options, as many carriers will pass off their own add-on errors and omissions (E&O) coverage as a shield for data breach protection when it isn't. Don't forget to revisit your D&O and Cyber coverage annually and as new exposures surface. Refer to this list of insuring agreements prepared by HUB for more information on the various types of insurance lines and covered exposures. 
Ask Yourself the Hard Questions. Although each company and its directors and officers will face different challenges when it comes to data breaches, there are a few questions executives should be asking themselves annually to identify exposures and whether the company has the right protocols in place. They include:
- What are the company's greatest data breach/cyber risks and what steps are being taken to anticipate, manage and mitigate them?
- Is each component of the risk management program documented and periodically tested and audited to ensure it meets the needs of our company's evolving exposures? If so, are these results periodically reviewed by the board?
- What are the established protocols for reacting to a data breach/cyber risk when it occurs? Is it well defined and communicated to the board and staff?
- What insurance coverage does the company maintain for a data breach/cyber risk and is this coverage adequate in scope? Will it cover forensic IT expenses, fines, breach notification, credit monitoring, crisis management, identity restoration and attorney fees, as needed?
Develop a Risk Management Program. This program will include procedures to identify, protect, detect, respond to and recover from data breaches. Examples include instituting security on employee mobile devices; developing an incident response plan with notification requirements and protocols on how to limit the damage; and implementing interoffice access control and hiring qualified IT personnel to manage potential risks. For more ideas, check out the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology.
Communicate and Educate. Employees are the first line of defense when mitigating risk. Make sure your staff is educated on how they can protect themselves and the business from a data breach, including adhering to basic security practices and Internet use guidelines. Establish consequences for employees who fail to follow established security practices. In the event of a data breach, maintain transparency with regulators, investors, states attorney general, consumer protection agencies and credit bureaus. Designate employees to interact with customers, the media, regulators and shareholders and make sure each has talking points and a point of contact for unanticipated inquiries.
What's Next?
"We're expecting an increase in cyber claims and tie-in D&O claims related to privacy breaches," said Sadik. "Criminals will continue to find ways to access consumer's personal identifiable information. One of the questions that's going to come up to the board of directors is, 'Why didn't you manage the process and prevent this?' Delaware does provide the broadest indemnification laws, but many companies aren't incorporated in Delaware which also includes private and non-profit entities."
Contact your HUB executive liability practice leader to learn more about how directors and officers can protect themselves and reduce the severity of cyber risks by instituting the proper prevention controls and carrying the right coverage.
[1] 2014 Cost of Data Breach Study, Ponemon Institute LLC (May 2014).