Emerging D&O Risks of Data Breaches | Property & Casualty

IBM Security has estimated over 18.8 billion data records were breached in just the first six months of 2020. These exposures can reveal customer personally identifiable information (PII), intellectual property and sensitive corporate data. Not only can they cause reputational and financial difficulties for organizations, but they also put directors and officers (D&O) at risk.

Recent data from Advisen highlights frequent data breach allegations against directors and officers and the industries that commonly face these losses.

D&O Losses Stemming from Data Breaches

Cybersecurity and data breach policies and procedures can be the most intensely scrutinized board decisions. Directors and officers face litigation for several board-level exposures, including:

  • Failure to take reasonable steps to protect customers’ personal and financial information
  • Deficient data breach detection and prevention controls
  • Failure to report a breach and notify stakeholders in a timely manner
  • False and misleading statements
  • Failure to disclose inadequate measures to protect data systems
  • Inadequate security breach monitoring systems
  • Failure to maintain proper security systems and controls

Data Breach-Related D&O Allegations

Many organizations dismiss the risks of D&O data-breach liability because many plaintiffs have difficulty attributing actual damages to corporate data breach mismanagement. Regardless, defense costs are high and one large settlement could cripple or permanently close your business.

Some D&O allegations have been successful, including:

Yahoo

In 2019, the organization settled for $80 million in damages based on D&O claims of:

  • False or misleading statements
  • Failure to disclose material adverse facts about the company’s business — specifically that Yahoo neglected to encrypt users’ personal information or data, leaving more than 1 billion users vulnerable to theft
  • Materially false and misleading public statements

Equifax

The company’s 2020 settlement accounted for multiple D&O losses, including capital regulator actions, securities class actions and derivative shareholder actions. The allegations included:

  • False and misleading statements
  • Failure to disclose inadequate measures to protect data systems
  • Inadequate security breach monitoring systems
  • Failure to maintain proper security systems and controls

D&O Losses from Data Breaches by Industry


In the last decade, over 42% of data breach-related D&O losses occurred within the information sector. This sector, which includes software publishers, computer programmers, telecommunication organizations and research-based companies, has seen the most significant increase.

For example, Facebook agreed to a $100 million settlement with the Securities and Exchange Commission (SEC) after the social media company was accused of permitting a third-party developer known as Cambridge Analytica to misuse user data. Facebook’s directors and officers were accused of issuing false or misleading statements by declaring they had found no evidence of wrongdoing, even though they had discovered the misuse of data as far back as 2015.

We’re Here to Help

If a suit is filed against you as a board member after a data breach occurs, you will not be protected by your commercial general liability policy or your cyber liability policy. Your best source of protection is your directors and officers (D&O) policy, as long as your policy is tailored to include protection after a data breach. Connect with a member of our team to learn more about the D&O risks of data breaches.


Published: 2022-01-17