Q&A: Data privacy and cyber security: management liability

March 2024  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2024 Issue
FW discusses data privacy and cyber security management liability issues with Thomas H. Bentz, Jr at Holland & Knight LLP and Mercedes Samavi at Morrison Foerster.

FW: What do you consider to be the key issues currently impacting the data privacy and cyber security landscape? How have the risks in this area evolved?

Bentz: In the US, there are several notable issues affecting privacy and cyber security, including evolving privacy legal frameworks, heightened scrutiny relating to the use of cookies and similar technologies, and a continued increase in cyber security incidents. The legal landscape is frequently changing as new states enact comprehensive privacy laws, with the most recent being New Jersey and New Hampshire. The states’ privacy laws each include nuances, and, for some, significant differences. This makes compliance with the various laws difficult, and in some cases, impossible due to conflicting requirements. Cookies and similar technologies on a website or mobile app are easily discernible through readily available tools. This allows regulators and consumers to scrutinise the online data collection of a company and build evidence to be used in enforcement actions and litigation. The rate of cyber security incidents is not slowing, and companies are increasingly having to address multiple incidents within a given year.

Samavi: Any organisation now has to grapple with several issues. There is the sheer volume of data that any business can generate, sometimes without realising. Cyber attacks only seem to be getting more sophisticated and can disrupt the whole supply chain, not just an individual business. And we have seen both the advent and the normalisation of generative artificial intelligence (AI) in quick succession. There are many complicating factors. Added to that, we have an intricate framework of laws – not just the General Data Protection Regulation (GDPR), but the California Consumer Privacy Act and an ever-expanding list of US state consumer privacy laws, the new India Digital Personal Data Protection Act, the NIS2 Directive, the Digital Operational Resilience Act and the Cyber Resilience Act. All of a sudden, an organisation may find that it is having to expend a lot of energy, and money, on managing its privacy compliance programme just to keep up with its legal obligations. C-suite buy-in and support are needed to tackle all of these issues.

FW: To what extent are directors and executives being held personally liable for privacy and security lapses? Are liability risks intensifying?

Samavi: Accountability is one of the central tenets of many data protection and security laws. More and more, we are seeing leaders being asked to answer for privacy and security lapses. To be clear, directors and executives do not always have to directly defend their actions in the courts or with regulators – up until now, legal liability in the UK has typically been shouldered by the company itself. The landscape looks a little different elsewhere in places like the US, where regulators such as the Securities and Exchange Commission (SEC) have started taking action against C-suite executives for data breaches. Nevertheless, business leaders can still be put on the spot by stakeholders, the public and the media, and they should be expected to explain their decisions about security measures. For example, shareholders can mobilise to prompt a change in leadership if they feel there has been general mismanagement of data. Similarly, a company board looking for a successful exit or investment will be under greater scrutiny if it is viewed to not sufficiently take privacy and data security seriously.

Bentz: There has been an increasing trend to hold directors and officers (D&Os) of a company accountable for cyber security incidents. For example, in 2022 the chief security officer of a company was held criminally liable for obstruction and concealment of a felony in relation to a data breach experienced by the company. In another example from 2022, the Federal Trade Commission (FTC) issued a consent order directed to both the company and its chief executive. The consent order arose from a data breach that exposed the data of millions of individuals. The director of the FTC’s Bureau of Consumer Protection was quoted saying that “the order ensures the chief executive faces consequences for the company’s carelessness”. We believe that D&Os will continue to be in the crosshairs as the SEC’s ‘Rules on Cybersecurity Risk Management, Strategy and Governance’ are implemented. This will no doubt be exacerbated by the SEC’s public disclosure rules, which require certain companies to publicly report ‘material’ cyber security incidents.

FW: How would you characterise the effectiveness of regulatory enforcement? Is it encouraging corporate leaders to implement and apply appropriate data management and IT security practices across their organisation?

Bentz: Typically, regulations set out clear guidance as to what is and is not permissible. That could be extremely helpful to companies. Unfortunately, since the US federal government has been unable to pass legislation on this issue, state legislatures and other regulators have enacted their own laws, rules and regulations to establish minimum requirements for data management and cyber security practices. Since these state and regulatory entities have made little, if any, attempt to coordinate these laws and regulations, the result is a confusing mix of requirements that are often inconsistent, or flat out contradictory, on topics. This is only made more difficult for companies that also do business outside of the US, where they are subject to a host of additional rules and regulations in these areas. Another problem with regulation in the US is that the laws governing data management and security rarely keep up with the technology they are policing. In fact, many of the laws currently utilised by the plaintiffs’ bar never even contemplated the technologies of today. This is why we see laws that were intended to protect an individual’s privacy when they rented a VHS movie from the local corner store, being used to enforce streaming on websites.

Samavi: The C-suite has so many issues vying for its attention at any given moment that it is hard to prioritise. The purpose of regulatory enforcement is to make sure that data protection and cyber security stay at the top of the list for corporate leaders – that there is a culture of accountability, in short. The needle that regulators try to thread is making sure that their interactions with businesses generate a positive and proactive attitude to compliance, with individuals’ rights front and centre. The more collaborative the regulator, the more likely it is to nurture the use of new technology and to empower organisations to manage data in creative ways, without compromising individuals’ rights. We are also seeing increasing collaboration between regulators, across both national borders and industries, such as between the Financial Conduct Authority, the Information Commissioner’s Office and the Competition and Markets Authority in the UK.

FW: What steps should senior leaders take to bolster their company’s data protection strategies generally, as well as their planned response in the event of a cyber security incident?

Samavi: Senior figures should invest in their company’s data protection and cyber security strategies and be seen to lead on this topic. A recent UK government survey noted that around 71 percent of businesses report that cyber security is a high priority for their senior management, but approximately 30 percent of businesses have board members and trustees who are explicitly responsible for cyber security as part of their job role. We should be looking to increase this figure, as a positive attitude toward compliance always starts from the top. As part of this, leaders should be willing to ask themselves some tough questions. Do you know your company’s risk profile with respect to data? Do you have a direct link to the right internal stakeholders who are responsible for data protection and cyber security management? Do you know where your vulnerabilities lie? Are you confident that if there is a data breach you will be notified at the right time? Fact-finding will help management determine what is going well and what needs work, and where their support is most needed.

Bentz: Senior leaders can bolster data protection strategies by becoming involved in and documenting decisions relating to cyber security incidents and actively participating in cyber security incident tabletop exercises. They should also think through questions to be asked during tabletop exercises, meetings relating to cyber security and cyber security incidents that will apprise senior leaders of the risks and assist them with making informed decisions. For senior leaders of public companies that fall under the SEC’s cyber security rules, these steps are particularly important because such companies are required to describe the oversight by the board in relation to risks from cyber security threats. Such companies must also describe senior leaders’ roles and expertise in relation to assessing and managing material risks from cyber security threats.

FW: How important is it that directors and executives check whether their company holds suitable insurance cover in the event of a data breach, especially cyber liability insurance? What considerations should be made to ensure the best coverage?

Bentz: The scope and amount of cyber liability insurance is something that should be carefully considered by a company and its D&Os. However, beyond just limits, it is important that insureds understand how their policies may respond in the event of a claim. Issues such as which vendors may be used, which law firms may be hired, and who controls the defence of the claim, are all vitally important. Other issues to consider include whether the cyber policy provides protection against social engineering fraud, ransomware and business interruption. Insureds should also consider how their insurance policies may interact with one another in the event of a claim. Cyber claims tend to cross over to other lines of insurance coverage such as D&O liability insurance, fiduciary liability insurance, employment practices insurance, media liability insurance, general liability insurance and others. Companies need to ensure they have sufficient coverage but should not duplicate coverage nor pay for things they do not need.

Samavi: Holding appropriate insurance cover is critical. This is not something that should be considered solely by the more data-heavy organisations. In the event of a data breach, a comprehensive insurance policy, tailored to the organisation’s specific needs, can provide financial protection and support for recovery efforts. In an M&A context, having insurance is an indicator of a mature company and gives comfort to the buyer that the business can continue to operate, even during a data breach. Even in a straightforward deal involving one party providing services to another, customers expect their service providers to be able to show evidence of suitable insurance cover. Directors and executives should pay attention to factors such as the scope of coverage, policy limits and excesses, and the responsiveness of the insurance provider in the aftermath of a breach. Alongside this, management should also be looking at its supply chain to check that they have similar insurance cover.

FW: What essential advice would you offer to senior leaders on making data privacy and protection a core component of their business, with clear oversight structures?

Samavi: Data privacy and protection should be thought of as an ongoing project – a list of action items that can never be ticked complete. Senior leaders should conduct a gap analysis of what they do and do not have and set priorities. First, establish clear oversight structures, such as a dedicated privacy officer or committee, to ensure accountability at the highest levels. Second, check that products and services are suitably privacy-friendly. Third, regularly review data protection policies and procedures to make sure they align with the business as it changes. Fourth, invest in robust cyber security measures, such as advanced threat detection and encryption technologies, to meet evolving threats. As part of this, conduct regular risk assessments to stress test incident response plans and help identify vulnerabilities. Lastly, get employees on board. Train and educate them on best practices to foster a corporate culture of awareness and responsibility. Often, an effective way to test an overall strategy is by carrying out a security tabletop exercise, a ‘dummy run’ of a cyber incident scenario, involving all stakeholders from business and support functions. This will help flush out any issues.

Bentz: It is becoming more common for cyber liability insurance carriers to require companies to respond to in-depth and comprehensive assessments and questionnaires before issuing insurance. Risks and issues identified during this process could impact a company’s ability to obtain cyber liability insurance. Apart from the ability to obtain cyber liability insurance, if data privacy and cyber security programmes are not implemented and maintained, including with oversight by senior leaders, there are increased risks of regulatory scrutiny, consumer lawsuits – including class actions – and significant business interruption and impact in the event of a cyber security incident. Finally, a failure to prioritise data privacy may result in personal liability for D&Os.

FW: Looking ahead, what are your predictions for management liability in connection with data privacy and cyber security? What trends do you expect to unfold?

Bentz: Unless the federal government is able to pass comprehensive legislation on data privacy and cyber security, we expect more state laws and regulatory agency rules with varying requirements to address these concerns. As that happens, there will be additional requirements imposed on companies, including their D&Os, many of which may be inconsistent with other laws and regulations that the company is required to follow. We also expect an increased focus on how personal information is used by companies. For example, we have seen consumers move from ‘I did not consent to you having my data’ to ‘I consented to you having my data but did not consent to you using it in the way that you did’, and ‘I consented to you having and using my data but did not consent to you sharing that data’. As the use of personal information changes and expands, there will be additional scrutiny as to how such information is used and who is responsible for the misuse of the information.

Samavi: So far, in the UK, we have yet to see a significant court claim that successfully holds management personally liable for damages arising out of data breaches or other violations of the UK GDPR. It may be that there is an increasing desire to introduce legislation to make this process easier. If we do see this type of law, it will be helpful to include a defence for directors to show that they did all they reasonably could to establish an appropriate privacy and data security compliance programme. We cannot discuss future trends without talking about AI. On one hand, sophisticated AI-driven cyber attacks exploit vulnerabilities at an unprecedented scale, rendering traditional defence mechanisms largely ineffective. Simultaneously, an increased reliance on AI for data processing and decision making introduces privacy concerns, such as decision bias or the mishandling of data, and challenges conventional safeguards.


Thomas H. Bentz Jr. practices insurance law with a focus on D&O, cyber and other management liability insurance policies. Mr Bentz leads Holland & Knight's D&O and management liability insurance team, which provides insight and guidance on ways to improve policy language and helps insureds maximise their possible insurance recovery. He also co-chairs the firm's insurance industry team. He can be contacted on +1 (202) 828 1879 or by email: thomas.bentz@hklaw.com.

Mercedes Samavi’s work encompasses commercial, digital regulatory and data protection matters. As part of her privacy work, she advises clients on a spectrum of complex privacy compliance matters, ranging from developing global and pan-European privacy programmes and strategies, responding to regulatory requests and investigations, and implementing data protection contractual arrangements. She can be contacted on +44 (0)20 7920 4170 or by email: msamavi@mofo.com.

© Financier Worldwide