Shareholders filing suits against Target and Wyndham Worldwide could be a harbinger of things to come wherever there’s a major breach. In Judy Greenwald’s article on businessinsurance.com, she cites Kevin Kalinich, global practice leader of cyber risk insurance at Aon Risk Solutions, saying Target and Wyndham litigations prompted “hundreds of inquiries” from organizations worried whether their own D&O coverage addresses breaches.
In Greenwald’s businessinsurance.com piece, she talked to a number of insurance experts to get their views on how litigation will affect corporate executives, directors and breach insurance coverage. The following has been edited to fit our format. You can find the full article by clicking on this link.
“I do think there’s going to be more lawsuits. It’s just the beginning,” said Heidi A. Lawson, a member of law firm Mintz, Levin, Cohn, Ferris, and Glovsky & Popeo P.C. in Boston.
Robert Parisi, a managing director and network security and privacy practice leader at Marsh L.L.C. in New York, said the Securities and Exchange Commission made it clear in 2011 guidance that it views technology and privacy breaches as potentially material, so when an event occurs, “that’s certainly the kind of things that get plaintiff attorneys excited.”
During an SEC cyber security roundtable…the agency’s chairwoman, Mary Jo White, said cyber threats are “of extraordinary and long-term seriousness. They are first on the (SEC’s) division of (market) intelligence’s list of global threats, even surpassing terrorism.”
Cyber breaches are “a significant issue in terms of the liability,” said John D. Hughes, a partner at Edwards Wildman Palmer L.L.P. in Boston. Directors must make sure their companies have adequate planning and security measures. “If they haven’t, and there’s a significant loss, then the shareholders will seek to pursue that.”
Ann Longmore, New York-based executive vice president of FINEX North America, a unit of Willis North America Inc., said proxy adviser Institutional Shareholders Inc.’s recommendation that Target stockholders vote against seven of 10 directors because they failed to manage cyber risks is the first time there has been an effort to unseat board members because of a cyber breach.
“This has just got to throw oil on the fire in terms of the suits against the board members.”
In Wyndham’s case, D&O litigation followed an enforcement action by the Federal Trade Commission, said Kevin LaCroix, an attorney and executive vice president at RT ProExec, a division of R-T Specialty L.L.C. in Beachwood, Ohio.
“The message there is regulators are going to be more active in the space. [This will be followed by shareholder litigation].”
Lawsuits are likely, though, only when a major data breach occurs.
A data breach “would have to cause enough of a loss, or potential loss, to a company to truly affect the bottom line, and that’s what you had in Target,” said Joseph P. Monteleone, a partner at Rivkin Radler L.L.P. in Hackensack, New Jersey.
As in the suits already filed, most are expected to be shareholder derivative litigation filed on the company’s behalf, rather than securities class actions brought by shareholders in response to stock drops.
Dan Bailey, a member of Bailey Cavalieri L.L.C. in Columbus, Ohio, said the plaintiff bar would prefer to file securities class actions “because those typically are going to be worth a lot more, the management exposure of the defendants is typically much greater and so the settlements in those cases are typically far greater than the derivative lawsuits.”
So far, though, stock prices apparently have not been significantly affected by the data breach disclosures. “The securities marketplace seems to take the disclosure of a data breach in stride,” said Aon’s Mr. LaCroix.
That may change, though. The Target breach has “put companies on notice of what could happen if appropriate cyber security measures are not in place,” which increases potential future stock market reaction due to the heightened disclosure requirements, said Kimberly M. Melvin, a partner at Wiley Rein L.L.P. in Washington.
While D&O-related cyber risks are not explicitly excluded in D&O claims, D&O insurers may begin to take them into account in the future, possibly in the form of higher retentions, sublimits, or exclusions, Mr. Bailey said.