Companies no longer have the luxury of putting off or failing to address privacy and security issues. Those that have performed risk assessments in the past to protect against security risks need to revisit and likely revise their procedures in light of new risks and rules. Those that never have performed risk assessments must do so now. Companies need to ensure they have prepared for and protected themselves against potential attacks from a myriad of sources that include disgruntled employees, hackers, domestic competitors, foreign intelligence services, and terrorists. They also must make certain they comply with the new rules. A company that fails to take notice of the changed landscape and does not take appropriate remedial steps places not only its assets and goodwill at risk, but it exposes the officers and directors to civil liability and criminal punishment.

Two federal laws have had a significant impact: the Gramm-Leach-Bliley Act of 1999 (GLB) and the Sarbanes-Oxley Act of 2002. By now, most companies are aware of the GLB Act's requirements regarding disclosure of their privacy policies. However, only now are companies coming to understand the impact of Sarbanes-Oxley, which requires executive and financial officers to establish and maintain internal controls that ensure the maintenance of documents and the accuracy of information contained in financial reports. Many companies have not yet established the required mechanisms to guard against the destruction, deletion, and/or alteration of pertinent information from whatever source, including internal or external hackers. Officers and directors are beginning to realize that the penalties for failing to comply are serious.

Matters of State

What is not yet appreciated is the extent to which states have been active, as well. California has led the way in imposing regulations concerning security. It enacted a law last July that provides that any entity doing business in California that suffers a security breach of its computerized data must notify each California resident whose personal data was compromised. There is no requirement that the affected consumer records be located in California or even in the United States; rather, the new California law applies to any database that contains personal, unencrypted data regarding a California resident. Penalties for failing to provide the requisite notice to affected consumers include injunctive relief and civil damages.
Other state regulations concerning information security also have gone into effect recently. For example, the National Association of Insurance Commissioners developed a Model Regulation for Safeguarding Customer Information that was adopted, in various forms, in 17 states and the District of Columbia. These state laws are in compliance with GLB. States that have passed laws based on the model regulation include: Alabama, Colorado, Iowa, Missouri, Oregon, Vermont, Virginia, and Wyoming.

Although these various state laws have important differences, they generally share a number of features:
They require licensed insurers to create and maintain a comprehensive written policy on information security that covers administrative, technical, and physical safeguards.
Licensed insurers must design their security policy to ensure the security and confidentiality of their customer information, protect against any anticipated threats, and prevent unauthorized use or access to the information.
The policy must be appropriate to the size and complexity of the institution and the nature and scope of its activities.
Each licensed insurer must review all outsourcing and third-party contracts in which the company is involved to make sure they meet the company's security guidelines and adequately protect the company's customer information.

While most of these state regulations afford insurers certain flexibility to tailor information security programs to their specific needs, they also impose a significant burden on these institutions to evaluate threats (including threats to the company's information to the extent it is accessible to or under the control of service providers or other third parties) and implement programs to address those threats. Insurance regulators may take disciplinary action against institutions that are out of compliance with rules regarding information security. In addition, in many instances, customers who believe their information privacy has been violated due to an insurer's lack of sufficient security measures may seek redress under a state's unfair trade practices statutes or other laws.

Such laws clearly require companies to have a streamlined investigative process in place to determine whether a hacking incident has occurred that would trigger the notification requirement, and to have procedures in place to implement the company's security policies. In addition, there should be established processes for conducting the subsequent damage assessment, preserving evidence of the breach, taking steps to mitigate the damage, verifying containment, and implementing notification procedures and remediation. In that connection, note that a company's actions that are inconsistent with the company's own security policy could subject the company to liability in addition to any liability it might face under the new laws.

Handle With Care

Aside from these recent enactments, directors and officers face other obligations. The doctrine of corporate duty of care provides that directors and officers have a fiduciary obligation to use reasonable care in overseeing the business operations of the company. The test for this duty of care historically was whether the directors and officers acted with reasonable care by relying on information reasonably available to them. In recent years, however, courts have broadened this reasonable care standard to include a duty of oversight requiring directors and officers to act affirmatively to confirm that adequate information and compliance systems exist and are operating. The Delaware Chancery Court stated in a 1996 landmark decision that: "[A] director's obligation includes a duty to attempt in good faith to assure that a corporation's information and reporting system, which the board considers adequate, exists, and the failure to do so may render a director liable." In the post-9/11 era, this duty of oversight likely will be used to try to establish legal liability for directors and officers if they fail to protect critical systems, now that the risks of such failure arguably are foreseeable.

In addition to derivative liability, companies with inadequate security systems also may be exposed to contractual liability through material adverse effect clauses (i.e., contractual provisions that provide for penalties if events, occurrences, or disclosures have a significant negative consequence on a transaction) and through representations and warranties regarding security, due diligence, and compliance. And some former contractual protections for companies may no longer be applicable. For example, force majeure clauses (i.e., contractual provisions that excuse performance by a party because of prohibitive conditions outside the control of that party that could not be avoided through due care, such as acts of God) may not exempt companies from liability for hacking-related claims, given that recent events may have made these attacks foreseeable. Similarly, creative lawyers in the plaintiffs' bar are using tort theories to sue service providers that themselves have suffered from a cyber attack, alleging that those companies' inadequate computer security systems made the attack possible.

In managing cyber risks, an important consideration is the possible transfer of some of those risks through insurance. Traditional all-risk property policies and commercial general liability (CGL) policies can provide limited protection for liability arising out of security breaches. For example, a CGL policy may be read to cover damage to third parties or their property arising from a cyber threat. However, the traditional forms of insurance policies should not be relied upon to provide certain coverage for cyber risks. Indeed, since 2000, the form of CGL policy promulgated by the Insurance Services Office provides that tangible property, as covered by the policy, does not include electronic data. Courts also have issued differing opinions as to whether the definition of property under either the all-risk or CGL policies includes data.

While it is unclear whether traditional policies will provide companies with protection in the event of security breaches, specialized coverage may be available, such as policies covering theft, computer crime, or employee dishonesty. However, even if a company successfully secures sufficient coverage to protect its data and assets in the event of a loss resulting from a security breach, the company's legal issues are far from over because of its obligations under recent laws.

Audit for Best Practices

Faced with these and other laws and the exposure to crippling losses in the event of a security breach (risks companies cannot ignore), institutions must assess and manage their security programs. Several major companies have done so by use of a comprehensive cyber-security audit, which combines four traditional components of security preparedness: risk assessment, risk management, risk transfer, and crisis management. In planning such an audit, both technical and legal consultants are necessary to address the full panoply of issues. The audit assists companies in developing a best practices approach to security preparedness. It should identify weaknesses in the existing security, thereby allowing companies to protect their businesses before costly interruptions or outages occur, and also provide significant defenses to allegations of criminal intent or negligence. In addition, the audit may help to give comfort to insurance underwriters so that they are willing to accept risk transfer.

Among the issues an audit will address are not only whether a company has procedures in place to manage risks, but also whether those procedures are being followed. It is not uncommon for new employees to be unaware of procedures, for those procedures to be poorly documented, for different offices to have different and perhaps inconsistent procedures, or for small failures in remote offices to compromise an entire company's security. It is common to find that the legal department and the CIO have not coordinated their efforts, perhaps each assuming the other was doing an essential task that neither has done. Also common is the failure of human resources to reflect in documentation, including handbooks and materials used during the hiring and firing processes, the essential provisions required to set forth the rights of the employer or even to enable a business to seek recourse in the courts for relief.

While many of the issues and risks are new and evolving, the old maxim still applies: An ounce of prevention is worth a pound of cure.

Wayne Matus and Jonathan Damon are partners at the international law firm of LeBoeuf, Lamb, Greene & MacRae, L.L.P. Matus (wmatus@llgm.com) is the co-chair of the intellectual property/litigation practice group and has more than 25 years of experience in intellectual property and technology law. Damon (jdamon@llgm.com) has extensive experience in the areas of information technology, intellectual property law, and civil litigation. Both can be reached at 212-424-8333.

The content of Inside Track is the responsibility of each columns author. The views and opinions are those of the author and do not necessarily represent those of Tech Decisions.
