Directors and officers (D&O) losses stemming from data breaches should be a top-of-mind concern for an organization’s C-suite and board. Although proving harm in these cases can be difficult, defense costs are high, and not all allegations are unsuccessful. Advisen data gives a glimpse into the types of allegations frequently made against directors and officers following a data breach and the industries that most commonly face these losses.
Directors and Officers Losses Stemming From Data Breaches
Following a data breach, the decisions made by an organization’s directors and officers are often intensely scrutinized. Data breach-related D&O losses can arise from allegations such as directors and officers failing to take reasonable steps to protect customers’ personal and financial information, failing to implement controls to detect and prevent a data breach, and failing to report a breach and notify people in a timely manner.
D&O losses stemming from data breaches in Advisen’s loss database are primarily classified as shareholder risks or corporate capital risks. These losses encompass a wide range of loss types, including merger objections, securities class actions, derivative shareholder actions and capital regulatory actions. It’s important to note that Advisen data categorizes these case examples as losses, regardless of trial outcomes. Therefore, not every loss shown above ended in a win for the plaintiff or in significant financial compensation.
Data Breach-related D&O Allegations
Allegations against directors and officers are often dismissed, indicating that plaintiffs have trouble showing actual compensatory injuries and proving that corporate mismanagement was the direct cause of harm from a data breach. Nevertheless, defense costs are high.
However, not all allegations are unsuccessful. For example, the D&O lawsuits following data breaches at Yahoo and Equifax settled for $80 million and $149 million, respectively.
In the Yahoo loss, settled in 2019, the plaintiff alleged the company:
- Made false or misleading statements
- Failed to disclose material adverse facts about the company’s business—specifically that Yahoo failed to encrypt users’ personal information or data, leaving more than 1 billion users vulnerable to theft
- Made public statements that were materially false and misleading at relevant times
According to Advisen’s loss database, Equifax’s 2020 settlement followed allegations that it made false and misleading statements, failed to disclose that the company did not maintain adequate measures to protect its data system, maintained inadequate monitoring systems to detect security breaches, and failed to maintain proper security systems and controls.
Equifax accounted for multiple D&O losses in Advisen’s database, including capital regulatory actions, securities class actions and derivative shareholder actions.
Directors and Officers Losses Stemming From Data Breaches by Industry
Since 2010, the information sector has accounted for the largest percentage of data breach-related D&O losses at 42%. The information sector encompasses many software publishers, computer programmers, telecommunication organizations and research-based companies.
For example, Facebook agreed to a $100 million settlement with the Securities and Exchange Commission after the social media company was accused of permitting a third-party developer known as Cambridge Analytica to misuse user data. Facebook’s directors and officers were accused of issuing false or misleading statements by declaring they had found no evidence of wrongdoing, even though they had discovered the misuse of data as far back as 2015, according to Advisen loss data.
Finance and insurance accounted for the second-highest frequency of D&O losses stemming from data breaches at 16%, followed by admin, support, and waste management and remediation services at 15%, according to Advisen data.
*Advisen’s loss data is curated from a wide variety of public sources. Their collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.
Cyber & Data Breach Liability coverages are developing on a daily basis as new threats emerge and new insurance companies enter the market.
Regardless of the type of business, one thing is certain: if you’re a business in operation today, you face cyber risks. That means you need to thoroughly understand your risk of a loss, how you would respond if a loss did occur, and whether Cyber & Data Breach Liability coverage makes sense for you.
The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. It’s important to work with an Insurance Advisor who can identify your areas of risk and customize a policy to fit your unique situation.