D&O liability in data privacy and cyber security situations in Europe
February 2014 | TALKINGPOINT | RISK MANAGEMENT
FW moderates a discussion on D&O liability in data privacy and cyber security situations in Europe between Stephanie Pestorich Manson at Aon Risk Solutions, James Cooper at Clyde & Co LLP and George Melides at Zurich.
FW: In your opinion, what are the key risks to D&Os arising from data and security breaches in Europe? Could you outline any recent ‘cyber liability’ cases of note?
Manson: I think the largest risk for a director or officer is not appreciating and informing themselves about the company’s exposure to data and security breaches, and therefore not fulfilling their fiduciary duty to the company to properly review and address the risk. Cyber liability is not simply an IT issue, but a strategic business risk, and directors should not assume comfort simply by hiring competent IT professionals and not taking any further action themselves. There are plenty of headline cases of large data breaches and cyber attacks such as the attack on Sony in 2011, which cost the company an estimated $171m and resulted in a £250,000 fine from British regulators. While these large losses should make all directors pay attention to the potential serious effect to their business of cyber breaches, you don’t have to be hit by a headline-grabbing attack to have a financial loss. The 2013 Cost of Data Breach Study by Symantec and the Ponemon Institute found that the cost of the average data breach in the UK is over £2m and the majority are caused by employee negligence.
Cooper: One of the key risks is the impact on D&Os if a fine is levied on the organisation. In the UK, the Information Commissioner's Office (ICO) has the power to fine an organisation up to £500,000 for serious breaches of the Data Privacy Act 1998 or the Privacy and Electronic Communications Regulations. Recent cases of interest include fines of £75,000 imposed on Bank of Scotland for repeatedly faxing customers' account details to wrong recipients, and £250,000 imposed on Sony for its failure to protect customers' personal data against hacking. Furthermore, a serious data or security breach could cause irreparable damage to a business' or individual's reputation, which in turn could have an extensive financial impact. The business may incur costs of a forensic IT investigation and of notifying affected parties, as well as potential compensation to the data subject(s) concerned. Last year the Court of Appeal awarded compensatory damages for distress suffered by a man following a breach of the Data Protection Act 1998 by a consumer finance company. If these risks have not been properly mitigated by a company's directors, there is the possibility that they could be found to have breached their duties under the Companies Act 2006, in particular the duties to promote the success of the company and to exercise reasonable skill, care and diligence.
Melides: Cyber risk is probably the fastest growing emerging risk for organisations today and a key topic of discussion on the boardroom agenda. Unlike other types of risk, it can take a variety of forms such as operational disruptions, data becoming lost or stolen, breach of privacy rules and even loss of intellectual property, business trade secrets or advantages due to corporate espionage. Such events are likely to have an adverse operational and financial impact on the business but, more importantly, damage the reputation of the brand and the management team. The possibility of this being followed by shareholder litigation, regulatory enforcement activity and even legal action due to ‘poor’ performance of fiduciary duties makes the threat of personal liability more real than ever before. Whilst we become aware daily of incidents relating to data and security breaches, from a D&O policy perspective there is no major case to note; only cases of small scale and expense. But it’s impossible to ignore. And with increased regulatory scrutiny introduced on both sides of the Atlantic – recent SEC guidance, the amended EU Data Protection Directive on cyber-crime and implementation by Member States – we can expect activity to pick up.
FW: What steps can D&Os take to prevent data breaches and cyber intrusion? What are the particular challenges and costs associated with mitigating these risks?
Cooper: Many companies will already have in place traditional insurance policies, such as general commercial liability, and E&O and professional indemnity insurance which may, in appropriate circumstances, cover, for example, a third party's claim arising from a data breach. However, traditional insurance policies will not always respond to cyber security issues and data breaches. For instance, not all of the additional costs to the company associated with data breaches will always be covered, such as investigative or PR costs, or the cost of restoring lost or damaged data. Specialist, standalone cyber and data breach insurance is now widely available. This insurance is still more prevalent in the US than in Europe and therefore some D&Os in Europe may not be fully aware of its availability, but awareness of these types of policy and the need to have such specialist cover in place is on the increase.
Melides: It is important to map the exposure and introduce mechanisms to monitor and control the risk via the widely adopted enterprise risk management framework. The common mistake made by many companies today is treating cyber risk as an issue for the IT department. Yet this is only part of the exposure and focus. In the case of a data breach or cyber intrusion, the whole business is affected and normal operation interrupted. Therefore in such circumstances it is vital to respond in a timely and accurate manner. Areas to focus on would be introducing a response protocol that would outline the actions to ensure compliance with local laws and regulations – mainly around data privacy – notifying all affected parties and investing in employee training programs. By embedding cyber risk into the enterprise risk management framework there’s a higher chance of successful response and risk mitigation. And of course, the purchase of cyber liability insurance forms part of that framework. Yet money, people and time present clear challenges and are not easy to overcome for any company, large or small.
Manson: At board level D&Os have a unique position to be able to set the tone of the company and encourage cooperation across the business. As the majority of data breaches are still caused not by sophisticated hackers, but by negligence such as employees losing devices or failing to properly secure confidential information, getting the message from the board, rather than IT, about the importance of data security is vital. To mitigate cyber risks you have to be able to identify them properly and many companies are not able to do this. One common source of friction we see is between the IT and risk functions. IT views its job as preventing cyber breaches, so if the risk function tries to evaluate exposure to cyber events IT may get defensive. It does not help that these two areas within a business probably do not have a common vocabulary. It is important for IT to drive best practice and appropriate cyber security, but there must also be a thorough risk evaluation done, which must include the notion that the systems in place could be breached even with IT doing the best job possible. The board can play an important role in encouraging this dialogue.
FW: How should firms in Europe respond when they fall victim to cyber-crime? What steps should D&Os in particular take in the early phase following such an occurrence?
Melides: The underlying objective of cyber-crime and cyber attacks may vary. In some instances it is driven by criminal purposes – for example, stealing credit card information – while in others the focus is to disrupt the operation of an organisation and exert pressure. Corporate espionage is an additional area of more recent activity. Organisations must have clear guidelines in place that would ensure that following a cyber-attack, specific actions take place that ensure compliance with the applicable data privacy laws and protect the individuals affected by such a breach. Response time is key and monitoring of all suspicious activity applies 24/7. The latest EU directive refers to an obligation to answer urgent requests within eight hours. So, a timely and accurate response is important to minimise the exposure and mitigate any financial and non-financial loss.
Manson: Companies should have disaster recovery and business continuity plans in place and test these regularly. The precise actions needed may depend on the nature of the crime and the information stolen or systems affected. The breadth of possible responses that may be necessary is where one of the values of cyber insurance can be seen. As a company may not always know what type of response is needed or required in a breach, it may not have researched or retained a sufficiently wide array of professionals to assist them with a response. Cyber insurance can provide cover for data breach crisis management costs, as well as access to an emergency hotline and experts that can help a company deal with a breach. In the early phases of a crime response, it is important for D&Os to understand what their reporting obligations are to regulators – that is, what type of breach, the timeframe during which it must be notified, and to which regulators – to ensure that these are not breached. D&Os of publicly traded companies should also be aware that the existence of a large or significant breach could be considered inside or material information that needs to be disclosed to the markets.
Cooper: A priority should be preventing any further data breach. Reporting criminal incidents to the relevant enforcement authority is also necessary, and consideration should be given to self-reporting to the ICO – if the breach is in the UK – since a failure to report can be taken as an aggravating factor in some cases when the ICO is considering what penalty to impose. However, it is also important to have a wider strategy in place for such situations. The loss should be managed from an IT, compliance, PR and data subject perspective, and the business should consider the policies which need to be in place in relation to each of these various elements before any form of cyber crime takes place.
FW: What legal and regulatory issues are affecting the ways companies manage data and approach cyber security? How constructive, in your opinion, is government guidance regarding cyber security risks and cyber incidents across Europe?
Manson: The legal and regulatory environment is very disjointed throughout Europe. The EU does not currently have a single set of rules and different countries take individual approaches. These range from mandatory notification, to best practice, to nothing. Accordingly, if your business is cross-border, creating a single risk management plan is difficult if not impossible. The EU-wide Data Protection Regulation will hopefully harmonise some of this across Europe, but this does not necessarily help companies who operate further afield. To some extent government concentration on cyber security risk is helpful as it focuses companies on the importance of the issue, but governmental actions need to be balanced between consumer and individual privacy protection, and the fiscal effect of regulatory regimes which are unduly administratively burdensome.
Cooper: Regulators across Europe are intensifying their focus on data protection and privacy, and cyber security. In the UK, scrutiny comes from the ICO and also from other regulators such as the FCA, which has imposed fines on institutions for the loss of customer data. The EU continues to debate the text of the proposed new Data Protection Regulation – which may finally be agreed at the next meeting in April 2014. It will establish one single data protection law across all EU member states with each state having its own national data protection. There is also the Cyber Crime Directive, which must be implemented by 4 September 2015. It aims to tackle the sophisticated and large scale forms of attacks on information systems by requiring member states to strengthen national cyber-crime laws and introduce tougher criminal sanctions. This increased regulatory and legislative scrutiny, together with a number of high profile data breaches in recent years, is increasing companies' concern about, and focus on, managing the risks of data and cyber breach. In the UK, government guidance on cyber security for businesses was issued in September 2012. This is of some use but does not provide the level of detail which a large, complex organisation is likely to need in order to make sure that its systems are compliant with cyber security best practice – consultancy input is likely to be necessary.
Melides: From a legal perspective the Data Protection Directive currently regulates how businesses process personal data within the European Union and forms part of EU privacy and human rights law. However, the problem is that the 27 EU Member States have interpreted these rules differently, leading to a fragmented privacy framework across Europe with different levels of enforcement. In addition to this, over the past decade advances in technology such as cloud computing, encouraging global trade, have profoundly changed the way our data is collected and used. As a result of this, in January 2012 the European Commission announced a thorough reform of the EU’s 1995 data protection rules to further develop Europe’s digital economy while increasing the privacy rights of individuals. The introduction of a single piece of legislation will remove this fragmented approach while easing administrative burdens for companies. From a cyber security standards perspective, governments are doing a lot more to help create awareness among businesses about digital threats and are working with industry to provide frameworks for businesses. If we look at the UK, for example, the Home Office has launched a new £4m information security awareness campaign to educate businesses and consumers about rising cyber threats. The scheme complements other more established information security initiatives, such as Get Safe Online, as part of the government’s National Cyber Security Programme. Of course there is more that can be done; however, we are definitely moving in the right direction.
FW: What insurance solutions exist for D&Os, in connection to cyber security and data breaches? How aware are D&Os of the existence and the availability of risk transfer options?
Cooper: Many companies will already have in place traditional insurance policies, such as general commercial liability, and E&O and professional indemnity insurance which may, in appropriate circumstances, cover – for example – a third party's claim arising from a data breach. However, traditional insurance policies will not always respond to cyber security issues and data breaches, or cover the costs to the company associated with such breaches, such as investigative or PR costs, or the cost of restoring lost or damaged data. Specialist, standalone cyber and data breach insurance is now widely available. This insurance is still more prevalent in the US than in Europe and therefore some D&Os in Europe may not be fully aware of its availability, but awareness of these types of policy and the need to have such specialist cover in place is on the increase.
Melides: In the last two to three years we have seen a great shift in the market towards cyber liability and data privacy insurance protection. As risk managers become more aware of the issues relating to cyber risk, they view such policies as an effective way to support and complement the corporation’s risk management framework. The emerging and continuously evolving nature of cyber risk lately tends to dominate boardroom discussions and conferences for risk management professionals. The insurance industry has responded dynamically to this challenge and we now see a number of solutions ranging from traditional to more sophisticated products that offer not only first party response cover but third party cover as well. And with market capacity at high levels, risk managers have a range of options to consider.
Manson: There are a number of insurance solutions available to help D&Os protect their businesses against the cost of cyber risks. These can and should be tailored based on an individual company’s risk analysis, but typically should include elements of both first party cover, including cover for loss of income and extra expense due to business interruption, costs to restore or recreate data or software, and cover for breach notification and management costs, as well as third party cover for losses to third parties resulting from network security or unauthorised access events. In our experience many boards are not aware of the available insurance solutions or have relied on IT assurances they are not exposed. D&Os need to make sure they have a full view of their risk and can show clear audit trails around decision making. We are seeing a trend emerging where D&Os are requiring the conversation to take place. Of course, good risk management can and should reduce the risk, but it is not realistic to think this can eliminate the risk entirely. Insurance can be part of the solution with respect to cyber security and data breaches.
FW: What are your predictions for the cyber security landscape over the next 12-18 months? Do you expect any further regulatory or legislative changes, and what will be the impact on D&Os?
Melides: We anticipate many changes in the cyber security landscape over the next 12-18 months. Not only are there likely to be additional regulatory changes via the reform of the EU Data Protection Directive, but other countries are starting to tighten their own data protection laws, leading to an increased level of compliance for global companies. Coupled with a growing awareness of risks and exposures, particularly at the board level, this will likely increase demand and drive the purchase of cyber coverage in the coming months. D&Os will have an increased responsibility to make themselves aware of the available coverage and services, and engage with all areas of their company, to ensure they are adequately protected for such exposures.
Manson: Whether there will be any changes with regards to cyber security and data protection regulation over the next 12-18 months very much depends on the EU Data Protection Regulation and the harmonisation of a framework. The draft regulation of the Act was published in 2012, but due to the number of amendments that have been proposed and the amount of negotiation that is still ongoing, it is not clear when the regulation will be agreed and it may not be in force until 2016. The main proposals in the regulation include increased fines of up to 2 percent of the company’s global turnover for a wide range of breaches and compulsory notification of breaches to the regulator and individuals affected by the breach within 24 or 48 hours of the breach. Some countries, such as the Netherlands and Germany, are pushing ahead with their own data protection legislation in spite of the delays with agreeing the EU Data Protection Regulation. It is anticipated that commercial contracting, consumer power and corporate governance, which along with the increased fines and reporting obligations will be of particular concern to D&Os, will all play a part in the changing cyber security landscape.
Cooper: The main expectation for reform will be from the proposed new EU Data Protection Regulation. This has been subject to lobbying from organisations in the US – who may be affected in their dealings with EU businesses – and various Member States including the UK, who are concerned that the compliance burdens on businesses would outweigh the benefits in the reforms. In addition, there is uncertainty over the proposals, with many UK businesses not fully understanding the implications of the changes or being able to estimate the potential costs, not least because the proposals are subject to ongoing negotiation and amendment. Proposed reforms include the introduction of new reporting and notification requirements, increased penalties and mandatory requirements for certain companies to have a data protection officer. Overall, the reforms are likely to result in an increased workload and responsibilities for D&Os as businesses become subject to new and stricter requirements. It remains to be seen whether the tougher sanctions proposed in the Cyber Crime Directive are in any way preventative.
Stephanie Pestorich Manson is D&O Product Leader for the UK and EMEA in Aon’s Global Broking Centre. She advises both commercial and financial institution clients on D&O coverage. She has over 10 years’ legal experience and is a dual-qualified lawyer, licensed to practice law in both England and the US. Prior to joining Aon in London, Ms Manson was in private practice in Washington, D.C. where she litigated insurance coverage cases from first advice through appeal. She can be contacted on +44 (0)20 7086 4928.
James Cooper is a partner in the professional and commercial disputes team at Clyde & Co LLP. He specialises in all aspects of D&O and financial services and has extensive experience in acting for directors and officers and financial institutions on contentious matters in a number of jurisdictions. Much of this has involved arbitration and cross-border work with an international connection. His insurance experience covers all aspects of financial institutions and D&O claims, including Bankers Blanket Bond and Civil Liability claims. Mr Cooper can be contacted on +44 20 7876 6388.
George Melides is the head of management liability for Europe, Middle East and Africa, at Zurich General Insurance. Mr Melides has over 12 years’ experience in Management Liability for UK and international companies gained through a variety of underwriting and broking roles. Prior to this role, he headed the Commercial D&O & Crime team for Zurich UK. Mr Melides holds an MSc in Risk Management & Insurance from City University Business School and is a Member of the Institute of Risk Management. He can be contacted on +44 (0)20 7648 3008.
© Financier Worldwide