IBM Security has estimated that over 18.8 billion data records were breached in just the first six months of 2020. These exposures can reveal customer personally identifiable information (PII), intellectual property and sensitive corporate data. Not only can this cause reputational and financial difficulties for organizations, it also puts directors and officers (D&O) at personal risk.
Recent data from Advisen highlights how frequently data breach allegations are made against directors and officers, and which industries most commonly face these losses.
D&O Losses Stemming from Data Breaches
Cybersecurity and data breach policies and procedures are among the most intensely scrutinized board decisions. Directors and officers face litigation over several board-level exposures, including:
- Failure to take reasonable steps to protect customers’ personal and financial information
- Deficient data breach detection and prevention controls
- Failure to report a breach and notify stakeholders in a timely manner
- False and misleading statements
- Failure to disclose inadequate measures to protect data systems
- Inadequate security breach monitoring systems
- Failure to maintain proper security systems and controls
Data Breach-Related D&O Allegations
Many organizations dismiss the risk of D&O data breach liability because plaintiffs often have difficulty attributing actual damages to corporate mismanagement of a breach. Regardless, defense costs are expensive, and one large settlement could cripple or permanently close your business.
Some D&O allegations have been successful, including:
Yahoo
In 2019, the organization settled for $80 million in damages based on D&O claims of:
- Materially false or misleading public statements
- Failure to disclose material adverse facts about the company's business, specifically that Yahoo neglected to encrypt users' personal information or data, leaving more than 1 billion users vulnerable to theft
Equifax
The company's 2020 settlement accounted for multiple D&O losses, including regulatory actions, securities class actions and shareholder derivative actions. The allegations included:
- False and misleading statements
- Failure to disclose inadequate measures to protect data systems
- Inadequate security breach monitoring systems
- Failure to maintain proper security systems and controls
D&O Losses from Data Breaches by Industry
In the last decade, over 42% of data breach-related D&O losses occurred within the information sector. This sector, which includes software publishers, computer programmers, telecommunications organizations and research-based companies, has seen the most significant increase in such losses.
For example, Facebook agreed to a $100 million settlement with the Securities and Exchange Commission (SEC) after the social media company was accused of permitting a third party, Cambridge Analytica, to misuse user data. Facebook's directors and officers were accused of issuing false or misleading statements by declaring that they had found no evidence of wrongdoing, even though they had discovered the misuse of data as far back as 2015.
We’re Here to Help
If a suit is filed against you after a data breach based on your position as a board member, you will generally not be covered by your commercial general liability policy or your cyber liability policy. Your best source of protection is your directors and officers (D&O) policy, provided it is tailored to include coverage for claims arising from a data breach. Connect with a member of our team to learn more about the D&O risks of data breaches.