Litigation: Preparing for possible data breach exposure
Companies can increase the chance that insurance may defray the costs of a breach, including the risk of litigation.
September 29, 2011 at 08:16 AM
The original version of this story was published on Law.com
As data security and privacy risks have evolved, so too has the need for insurance to cover those risks. Yet, many corporations have not matched their evolving risks to the coverage needed. For many years, the conventional wisdom was that a “brick and mortar” company had little or no need for data security/privacy coverage.
Eventually companies learned the hard way—through headline-grabbing data breaches (such as The TJX Cos.)—that data security was a risk faced by virtually all large companies, not just those that rely heavily upon Internet-related activity. The statistics are clear: The average expense of a data security breach event is large and growing—$6.8 million in 2009, up to $7.2 million in 2010 and, in many instances, can be much more. And that expense doesn't even take into account the cost of litigation and possible settlements or judgments should a case make it past motions to dismiss.
Because so many companies are at risk for a data breach event, unlike any other possible risk facing corporate bottom lines, proactive conduct today could pay off multifold tomorrow. A critical proactive component is an immediate insurance audit to determine the scope of existing coverage and how to fill gaps. For example, insurers have been attempting in recent years to tighten policy forms to reduce data breach protection within traditional coverages, such as commercial general liability (CGL); property/business interruption; errors & omissions (E&O); crime; directors and officers liability (D&O); and media liability policies.
However, not all of these traditional coverages within a company's insurance portfolio eliminate that protection. As a result, as a first step in a portfolio audit, companies should review their traditional coverages to determine how those policies would respond to a data breach event. If the existing coverage is potentially adequate, then the need for additional protection may be limited. However, the current policies may include current forms that insurers will argue reduce their exposure to such events. In that circumstance, other specific coverages should be considered.
The next question, however, is what to purchase. Without doubt, a full panoply of data breach protection can be purchased at significant cost. In fact, many companies arguably have paid to over-insure against certain risks—most notably third-party litigation. Other companies have underinsured for the more likely risks confronted in the area of data security, such as data breach notification, credit monitoring, consultants, lawyers, breach mitigation and public relations costs—expenditures that can reach into the multimillions.
It is impossible to know what exposure might result from a data breach event and thus exactly what insurance to purchase. The Sony PlayStation data breach, for example, has resulted in substantial litigation, including multiple class-action lawsuits. Thus, depending upon the nature and size of a data breach event, a company can face substantial litigation exposure. However, although the law presently is evolving on the issue, many courts thus far in the privacy and data breach contexts have not allowed common law litigation claims to go forward given questions regarding whether the plaintiffs have in fact suffered “damages,” and, therefore, whether they have “standing” to sue. It may be that a company's most significant exposure is “response costs” in the nature mentioned above as opposed to litigation—meaning that it may not be cost effective to purchase substantial data breach litigation coverage.
Again, depending upon the language of the company's current traditional coverages, litigation expenses might be covered under, for example, the CGL “property damage” or “personal or advertising injury” coverages. The New York court's decision in the PlayStation coverage litigation may arguably provide some guidance on how those coverages apply in this context. An argument also can be made that “response costs” should be covered under, for example, CGL, E&O or D&O policies as necessary to mitigate or reduce the chance that the data breach event will lead to litigation—an argument that has yet to be litigated in this context.
What is clear: Until a company has done an adequate policy audit to ascertain the nature of its existing data breach insurance coverage, it cannot make educated decisions about whether and what additional coverage may be necessary. What also is clear: When deciding what additional coverage to purchase, if any, the right company professionals should be involved.
Given the complicated nature of data security issues, it may make sense to involve in the decision-making process, in addition to insurance brokers, internal lawyers or other professionals who have the right understanding of the company's potential risks in this arena and the law surrounding the relevant issues.