Data Breach Liability – Are You Prepared?


By Ben Mathis and Mary Anne Ackourey
The potential for data breach liability is a financial risk that many companies and public entities are just beginning to recognize and address.  Unfortunately, for too many, the significant financial liability they can incur becomes apparent only when it is too late.

Seemingly each day, there are new instances where large amounts of confidential information, including bank accounts, medical records, and other private data, have been unlawfully accessed or disclosed.  In many of these situations, those whose information was stolen or disclosed have then filed lawsuits for financial damages.  These claims by the victims of a data breach often sue both the employer and the employees (in their personal capacity), and claim they were negligent in allowing the data to be accessed.
A recent case of data breach involving Epsilon Data Management is illustrative of the potential financial exposure a company may face.  Epsilon Data managed email communications for large companies like Walgreens, TiVo, Kroger, JP Morgan Chase, Best Buy, and Target.  Epsilon’s email system was subject to an unauthorized entry that exposed some of their client’s customer data to cyber-thieves.  The hackers gained access to customer email addresses and names.  It has been estimated that nearly sixty million email addresses were stolen.  Estimates of the total cost of the resulting forensic audits, fines, litigation, and lost business run as high as $4 billion.
In another instance of data breach, TJX Companies, Inc., the owners of T.J. Maxx and Marshalls, suffered a data breach that lasted over two years.  That breach resulted in the theft of an estimated 45.6 million credit card numbers.  Recently, the company settled the first of numerous claims that had led it to reserve approximately $178 million in anticipated compensation.
In another data breach case, TD Ameritrade’s system was illegally accessed leading to disclosure customers’ email addresses, home addresses, and other account information.  The company announced its settlement exposure for what is believed to be a limited disclosure still was approximately $6.5 million.
Liability for data breach is not limited to large companies.  Just last month, the Briar Group, a Boston-based company that runs several restaurants, agreed to pay a six figure settlement in a data breach claim.  The settlement arose after it was alleged that the company’s poor cyber-security practices allow a data breach to occur.  That breach resulted in hackers obtaining customer credit and debit card information as well as other customer information.  In the resulting lawsuit, it was claimed that the Briar Group failed to adhere to certain basic security principals like changing default passwords and securing its wireless network.
Any company can be hacked by cyber-criminals.  As case after case shows, a company and its employees can suddenly find themselves financially liable for releasing credit card numbers or confidential information like email addresses, health information, legal information, etc.  Indeed, any company or public entity whose computer systems contain information of this type could be financially liable where a third party hacks into its system and accesses the data.
Unfortunately, only after the fact do many employers and their employees learn that they are effectively uninsured for these kinds of claims.  According to the Insurance Information Institute, only a small number of businesses are properly insured.  According to the Institute, traditional insurance policies often do not adequately deal with the risks of cyber-attacks or network security failures.  Fortunately, the insurance industry is responding to the risk with development of specialized cyber-risk policies as a primary stand-alone policy or as an endorsement to Directors and Officers policies or other traditional coverages.
These policies cover the cost of defending lawsuits filed against a company in the wake of a breach as well as indemnity liability for damages.  Companies should consider policies geared toward liability for breach of privacy, transmission of viruses, copyright infringement, and for other types of financial harm to third parties that can be caused by cyber-attacks.  Prudent employers should carefully review their coverages to insure they have adequate protection for the financial exposure they face.
Also, it is clear that employers must take action to prevent unauthorized access to data.  Fortunately, most entities holding high risk data can minimize their potential liability by instituting basic security protocols.  For example, employers need to enforce password procedures that require employees to regularly change passwords using a strict set of rules.  Also, companies must secure wireless access to their networks.  Companies also should work closely with their information technology employees or contractors to develop and maintain systems by which intrusion attempts are monitored, prevented, and defeated.  Regular audits of technology practices and adherence to established security protocols are valuable to demonstrate the employer has exercised reasonable care to prevent data breaches.
Recent data breach lawsuits are a warning to all employers to prepare for cyber-risk with as much diligence as they prepare for other business risks.  Employers holding confidential data would be wise to not only scrutinize their preventive practices to stop a data breach from occurring, but also to review their insurance coverage to minimize their financial exposure in the event of a successful cyber attack.
For more information, contact Ben Mathis at 770.818.1402 or [email protected] or Mary Anne Ackourey at 770.818.1407 or [email protected].