Cyber Coverage for Penalties Imposed Under the SHIELD Act
This article examines the SHIELD Act, and the requirements it imposes on businesses. It also discusses the current state of the law regarding the insurability of civil fines and penalties in New York, and its implications on whether coverage would be permitted for penalties imposed under the SHIELD Act.
May 08, 2020 at 02:00 PM
8 minute read
On July 26, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (also known as the SHIELD Act), requiring individuals and businesses to implement safeguards for the "private information" of New York residents and broadening New York's security breach notification requirements. Every employer in New York must comply with the SHIELD Act because "private information" includes an individual's name and Social Security number. Although the SHIELD Act does not authorize a private right of action, the New York State Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. Such penalties could be costly, as the SHIELD Act permits the Attorney General to seek penalties of up to $250,000. Even more costly than the penalties themselves could be the costs incurred in responding to an investigation commenced by the Attorney General, including legal fees and the costs of retaining an expert.
Generally, under New York law, fines and penalties are not insurable as a matter of public policy. This raises the question of whether penalties imposed by courts as a result of a violation of the SHIELD Act would be covered by a business's cyber insurance, or any other type of insurance policy. This article will examine the SHIELD Act, and the requirements it imposes on businesses. This article will also discuss the current state of the law regarding the insurability of civil fines and penalties in New York, and its implications on whether coverage would be permitted for penalties imposed under the SHIELD Act.
|The NY SHIELD Act
Data breaches are a prevalent form of cyber-related risks, and involve the gaining of access of private, sensitive or confidential data by an unauthorized individual. As computer systems become increasingly targeted, the risk that hackers will gain access to private, sensitive or confidential data grows. The risks of a data breach have increased exponentially with the surge of people working from home due to COVID-19. A company's data is now overwhelmingly in the hands of the security of each employee's personal at-home servers instead of a centralized and secured company server.
The consequences of a data breach are likely to be costly, and could expose the impacted business to significant liability. Data breaches have resulted in individual or class action lawsuits brought by customers of the business for common law and statutory violations, as well as government investigations. In addition, all 50 states have passed some form of legislation requiring companies to notify those individuals who have been impacted by data breaches. In Europe, the EU's General Data Protection Regulation is the strictest regulation in this area.
New York has had a data breach notification requirement since 2005. New York's "Information Security Breach and Notification Act," which became effective on Dec. 7, 2005, requires businesses to notify affected consumers following the discovery of a data breach. The 2019 SHIELD Act amends and expands the requirements of the 2005 law by, among other things, broadening the scope of information covered under the law and changing the notification requirements.
The expanded notification rules require individuals and businesses to protect "private information," which is defined to include Social Security numbers, driver's license numbers, account numbers or credit or debit card numbers, in combination with any information (security code, password, etc.) that would permit access to an individual's financial account, as well as biometric information (fingerprint, voice print, retina or iris image).
Pursuant to the SHIELD Act, any person or business that owns or licenses computer data containing private information generally must disclose any breach of security of the system to any New York state resident whose information was improperly accessed or acquired. The notification must be made "in the most expedient time possible" and "without unreasonable delay." The SHIELD Act also require businesses to implement "reasonable safeguards" to protect private information.
The SHIELD Act expressly does not permit a private right of action. Rather, enforcement is vested in the New York Attorney General. For violations of the data breach notification requirements, the Attorney General is entitled to commence an action for an injunction against continuing violations, as well as to seek damages for "actual costs or losses incurred by a person entitled to notice" if such notice was not provided. Damages include "consequential financial losses." In the event it is determined that a person or business violated the statute "knowingly or recklessly," the court may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification, up to a maximum of $250,000.
|Coverage Implications
Under current New York law, coverage for civil penalties for "knowing or reckless" violation of the SHIELD Act may run afoul of New York public policy. The most recent appellate decision on this point is the First Department's 2018 decision J.P. Morgan Securities v. Vigilant Insurance Company, 166 A.D.3d 1 (App. Div. 2018). In that case, the insured, Bear Stearns, sought coverage for a $140 million disgorgement payment made to resolve an SEC investigation into alleged violations of securities laws. Bear Stearns further agreed to pay "civil money penalties" in the amount of $90 million. In a decision that had significant implications for D&O insurers in New York, the First Department held that the disgorgement payment made to the SEC was a "penalty" and therefore did not fall within the policy's definition of "Loss." The Court of Appeals recently granted review of the First Department's decision, so there will be much more to come on this issue.
Interestingly, while there was extensive litigation over whether the disgorgement payment was covered, Bear Stearns did not even seek coverage for the $90 million civil money penalty. J.P. Morgan Securities v. Vigilant Ins. Co., 21 N.Y.3d 324, 332 (2013). Indeed, the Court of Appeals expressly recognized the public policy limitation against coverage for a punitive damages award. The court reasoned that allowing coverage for such amounts would defeat the purpose of punitive damages, which is to punish and to deter others from acting similarly. Id. at 334-35. Thus, insuring civil penalties for knowing or reckless misconduct, as provided for by the SHIELD Act, could violate public policy.
However, proponents of the insurability of civil fines and penalties under the SHIELD Act will likely point to Navigators Ins. Co. v. Sterling Infosystems, 145 A.D.3d 630, 631 (1st Dept. 2016). In that case, the insured sought coverage under an E&O policy for statutory damages paid in connection with an underlying class action lawsuit brought under the Fair Credit Reporting Act (FCRA). The insurer argued that the statutory damages paid to the class constituted a penalty, and therefore was not covered. The First Department disagreed, noting that under FCRA, a consumer may elect the option of seeking either actual or statutory damages, and may also recover punitive damages. Therefore, the First Department determined that the statutory damages were compensatory in nature because they served the same purpose as actual damages, and were not intended to serve a deterrent or punitive purpose.
A court analyzing whether civil penalties assessed under the SHIELD Act are insurable may engage in the same analysis as the First Department in J.P. Morgan and Navigators, looking to whether the penalties are compensatory or punitive in nature. Under the SHIELD Act, as mentioned above, there are two separate categories of damages which the Attorney General can seek. First, the Attorney General can seek damages for "actual costs or losses incurred by a person entitled to notice." Second, the Attorney General can seek civil penalties for knowing or reckless violations of the statute. Although the first category appears closer to being compensatory in nature, the second category would likely be considered punitive in nature and not insurable. Moreover, because the Attorney General is seeking these amounts, there is an argument that neither category is compensatory because there is nothing in the statute that allows for reimbursement for those who suffered losses.
We also note that notwithstanding the possible absence of coverage for an action seeking fines and penalties, coverage for responding to the investigation or defending against an action seeking penalties may be covered under a cyber-policy depending on the terms and conditions of such policy.
As the SHIELD Act continues to be implemented throughout New York state, it is important for individuals and businesses to be aware of the cybersecurity requirements and their obligations to implement "reasonable safeguards," as well as their obligations in the event of a data breach. It is important for all companies in New York, no matter the size, to have a response plan in place coordinated with competent counsel, and be prepared to follow that plan upon the happening of a breach.
Eric B. Stern is a partner and co-chair of the data privacy and cybersecurity practice group at Kaufman Dolowich & Voluck. Andrew A. Lipkowitz is an associate at the firm.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250