Looking At Angles Of Liability After A Cyberattack
Insurance Law360 and Employment Law360, January 28, 2015
By Thomas B. Caswell and Judith Bevis Langevin
All employers have personnel data on their information technology systems and devices. This data includes personally identifiable information such as names, addresses, birth dates and Social Security numbers of employees and their family members. In light of high-profile, employee-led lawsuits like those stemming from cyberattacks at Sony Pictures Entertainment Inc. and the University of Pittsburgh Medical Center, employers are rightly concerned about the security of their data and the potential liability (and attorneys’ fees) that could result if they are hacked and personnel data is leaked. As with any business risk, employers should consider whether this risk is or could be insured. To answer some questions about employer liability for the hacking of personnel data and about the potential for insurance coverage, we put these questions to a lawyer practicing in the cyber and insurance arenas.
Q: Our employer clients are concerned about the possibility that they could be hacked. What should we tell them?
A: They are right to be concerned, regardless of their size or number of employees. Small and medium-sized companies are no less likely to be hacked than large corporations. In fact, in the wake of the well-publicized data breaches at Target Corp., Home Depot Inc., TJX Companies Inc. and others, most large corporations have undertaken extensive retooling of their systems and procedures, leaving small and medium-sized companies as the “low-hanging fruit” for hackers. While implementing defensive measures cannot immunize employers of any size from data theft, it should be a focus of attention, regardless of an organization’s size. As an illustration of the trend toward hacking smaller organizations, consider this: In 2011, the median number of records exposed per breach was 45,000. Over the next two years, this number sharply declined to 29,000 in 2012, and to a mere 1,000 in 2013. No employer is immune, but every employer can take steps to decrease the likelihood of being hacked and the impact of a breach if one occurs.
Q: If an employer is hacked and personnel information is accessed, what claims could an employee (or group of employees) bring against that employer? What about claims by the government?
A: Legal actions that could be brought by employees would be based on the exposure of PII and any damages resulting from that exposure. Individual or class claims could be based on state or federal statutes or might include common law negligence, invasion of privacy, breach of express or implied contract or misrepresentation. As this area of litigation expands, we are likely to see additional causes of action develop. Some statutes allow a governmental entity to impose penalties in the event of PII exposure, separate from any claims by employees, and it’s important to remember that almost all states require employers to notify employees of a breach or risk penalties for failing to do so.
When assessing their risk, employers should remember that what constitutes PII varies greatly from state to state. It can include any combination of a person’s first name (or first initial) and last name with other information, such as their Social Security number, driver’s license number, credit card information, password, security codes or PINs, or unique biometric data. Some states have expanded the definition of PII to include names in combination with zip codes, usernames and passwords and a mother’s maiden name, or Social Security number alone (not combined with a name) and electronic signatures.
In addition to the different state definitions of what constitutes PII, states impose differing obligations on employers if PII is hacked or otherwise left unprotected and open to external sources. For example, most states require an employer to notify the individuals affected by the breach when PII was or is reasonably believed to have been obtained by an unauthorized person, or when unencrypted data is left exposed regardless of whether it was actually taken. On the other hand, some states will not require compliance with notification laws if the breach does not materially compromise PII (e.g., Arizona), or law enforcement concludes that there is no significant risk of identity theft (e.g., Rhode Island). An employer’s obligation may also depend on the number of affected individuals or the total cost of notification. The majority of states allow a “public notification” rather than a personal one, when the cost of complying with the law would exceed a certain amount of money or where the number of affected individuals is larger than a set amount. In some states, the extent of the employer’s liability may be limited to civil fines or an action by the state attorney general, while others expose the employer to private actions by the affected individuals.
The bottom line is that there are multiple legal claims that an employer can face if employee PII is exposed and there are statutory notification requirements that every employer should understand and be prepared to comply with.
Q: If an employer has business insurance that covers claims of negligence, would it cover claims brought because of a cybersecurity breach?
A: Generally speaking, traditional (i.e., noncyber-specific) insurance policies have limited coverage and sometimes no coverage for loss, damage and potential liability resulting from cybersecurity breaches. There are exceptions, but no employer should assume that its business insurance includes cyber-related coverage. This is true regardless of whether the breach occurred as a result of the employer’s negligence or despite the employer’s best efforts to protect its information.
There are an increasing number of insurance carriers writing cyber-specific coverage, which more and more businesses are purchasing. Of course, policies vary, so assuring the right coverage for a given business and a given risk is key.
Q: What kinds of risks do cyber insurance policies cover for employers?
A: Cyber insurance policies typically have several coverage provisions that can help an employer manage the risks and high costs associated with cyber-related losses. Generally, cyber policies will cover an employer’s liability for a cyberattack that results in damages, even if employer negligence or breach of contract is claimed. The available coverage may also include important protection for the very significant costs employers will face for: (1) breach response and related services, (2) regulatory action coverage and (3) digital asset losses.
Coverage for breach response and related services addresses the costs associated with complying with data breach notification laws. This includes the costs of notifying the persons whose data was exposed or breached and providing credit monitoring and identity restoration services to those individuals. In addition, expenses incurred in hiring forensic consultants for the purpose of identifying the cause of the breach and identifying the scope and breadth of PII that may have been improperly accessed are generally covered, as well as legal fees and public relations expenses resulting from the event. This type of coverage is particularly important considering that in 2013, the average cost per breach, just for mandatory notifications that must follow the breach, was $565,020.
Regulatory action coverage generally indemnifies an insured for the expenses associated with a civil proceeding or demand brought by the Federal Trade Commission, Federal Communications Commission, or other federal, state or local government agencies because of an actual or alleged violation of privacy regulations. This coverage is designed for organizations that are within the reach of the FTC or that do business in states with data privacy regulations that require the active implementation of safeguards to protect the personal information of others.
Digital asset coverage will pay an employer the costs incurred to repair, replace or otherwise recreate needed data that is stolen or otherwise made nonusable in a hacking or other cybersecurity breach event.
Q: What do you advise your clients to do to best protect themselves from a lawsuit over a cyberattack?
A: While there is no surefire way for any entity to protect itself from the possibility of being the victim of a cyberattack, data exposure or the target of a legal claim based on data exposure, there are best practices. These include:
- training employees on cybersecurity generally and on employer policies and practices specifically;
- keeping computers and other Internet-ready devices clean and protected from malware and viruses;
- changing passwords often and requiring that passwords conform to minimum length and composition requirements;
- compartmentalizing data, restricting access to data based on business need and getting rid of old data and employee information; and
- considering hiring a company to evaluate your IT systems and detect vulnerabilities.
Q: Some of our clients have employment practices liability insurance. Would that cover claims brought by employees because of a cybersecurity breach? What should our clients look for in their current employment practices policies?
A: EPLI might provide some coverage, but the scope would almost certainly be far less than what would be afforded under a cyber-specific policy. Employers should look carefully at the terms and conditions of their existing EPLI policy, particularly noting exclusions related to cybersecurity and provisions pertaining to invasion of privacy, negligence and misrepresentation. As hacks and data breaches become an everyday worry for employers, we may see policies that specifically address (or exclude) these risks. But for now, it may be necessary to analyze and evaluate policy language that is not obviously directed at these concerns.
—By Thomas B. Caswell and Judith Bevis Langevin, Zelle Hofmann Voelbel & Mason LLP
Thomas Caswell and Judith Bevis Langevin are partners in Zelle Hofmann Voelbel & Mason's Minneapolis office.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.