The growing threat of cyber-related/electronic data security breaches and the attendant risk of liability and loss should compel companies in all industries to be ever more vigilant with their processes and procedures to protect against such breaches and to have a well-developed response protocol. Whether that breach is caused by a hacker, a stolen computer, a bug in a company's security software or a bug in an encryption program (see Heartbleed Bug), even companies that employ presumably state-of-the-art security measures are vulnerable to data security breaches. The reasonableness of the security measures in place and the effectiveness of the response to a security breach are critical to minimizing potential liability, as well as to sound business practice.
No company that directly or indirectly receives sensitive electronic data should be without a data security policy that complies with the relevant federal and state laws and regulations. Ensuring compliance may be no easy task, however, given the often inconsistent web of laws and regulations that your company may be subject to. Still, with the attendant risk of loss and liability arising from a potential data breach, companies simply cannot afford to ignore these risks.
Avoiding Unfair Trade Practices Claims?
Your company should have a data security policy that is consistent with its published privacy policy. If it is not, your company may face an unfair trade practices enforcement action. Indeed, the Federal Trade Commission brought a data security enforcement lawsuit against Wyndham Worldwide Corporation over the hotel chain’s alleged unfair and deceptive data security practices. The FTC specifically alleged that Wyndham failed to enact reasonable data security policies, which constituted an unfair trade practice, and that its published online privacy policy was deceptive. See FTC v. Wyndham Worldwide Corp., United States District Court, District of New Jersey, 2:13-cv-01887. The District Court of New Jersey recently denied Wyndham’s motion to dismiss, holding that “the FTC’s unfairness authority over data-security can coexist with the existing data-security regulatory scheme.” Id., 2014 WL 1349019 at *7 (D.N.J. Apr. 7, 2014). Still, it remains to be seen if the FTC ultimately can prevail in its enforcement action.
An Absolute: Broker-Dealers Possess Data That Demands Protection
Perhaps not surprisingly, broker-dealers and investment advisors face significant potential exposure to electronic data breaches. The concern is twofold.
First, damages and reputational risk may accrue if hackers take over clients’ accounts or if nonpublic information is lost or stolen. The news is replete with reports of lawsuits against companies that suffered cybersecurity breaches resulting in the theft or loss of private information as well as against companies’ officers and directors. They include direct actions/class actions by individuals whose data was compromised, actions for alleged failure to take reasonable measures to maintain in a secure manner their customers’ personal and financial information, and shareholder derivative suits for alleged loss in a company's share price due to a cybersecurity breach.
Second, if regulators perceive weaknesses in your data security protocols – regardless of whether the perceived weaknesses are real – you may be subject to fines and censures. Given the unsettled regulatory landscape as to cybersecurity and the absence of uniform and consistent cybersecurity standards, the second concern should be particularly troubling. Whether a firm has instituted sufficient cybersecurity may, like an anti-money laundering program, end up being very much in the subjective eye of the beholder – a troublesome scenario when the beholder is a regulator. Regardless of whether your data security program has prevented – or could reasonably be expected to prevent – a privacy breach, if regulators perceive weakness, you may feel financial and/or reputational pain. And, as with anti-money laundering programs, it is critical that companies are able to demonstrate to the regulators that a firm-wide committee has met, considered and documented cybersecurity and privacy risks; implemented and tested procedures; and evaluated best practices. Merely having a designated privacy officer, firewalls and a privacy statement, or being able to show that your firm changed passwords and encrypted data when transmitting it externally, will not be nearly enough. What will be enough is still very much a matter for debate, and just as in other areas of regulation, the goalposts are sure to be constantly moving.
Governance For Broker-Dealers, Investment Advisors – The SEC’s Role
Every broker-dealer and investment company and every investment advisor registered with the SEC is required to adopt written policies and procedures that are “reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
65 Fed. Reg. 40362 (June 29, 2000).[1]
Earlier this year, the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert designed to “provide additional information concerning its initiative to assess cybersecurity preparedness in the securities industry.” SEC, Office of Compliance Inspections and Examinations, Vol. IV, Issue 2, “OCIE Cybersecurity Initiative,” Apr. 15, 2014. The OCIE has served notice that it will be conducting examinations of registered broker-dealers and registered investment advisors concerning, among other things, cybersecurity governance, identification and assessment of cybersecurity risks, and protection of networks and information. See id. Part of the examination will include information recently outlined by the National Institute of Standards and Technology (NIST). Id. This follows FINRA’s decision, announced in its January 2014 examination sweep letter, to assess firms’ approaches to managing cybersecurity risks due to “the potential harm to investors, firms, and the financial system as a whole that [those] threats pose.” See www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P443219. Accordingly, although NIST’s standards regarding data security are voluntary, they soon may become mandatory and/or the basis for minimum standards to which financial institutions will have to adhere.
Insurance Coverage, Contractual Indemnification Spread The Risk
Broker-dealers’ and investment advisors’ use of third-party clearinghouses to process their customers’ financial transactions further exposes them to potential breach of their customers’ financial information. Accordingly, it is critical for a broker-dealer to understand what security measures its third-party vendors maintain. The clearinghouse, for that matter, should have appropriate security measures in place to protect data from theft or loss as required by, among other laws, the Gramm-Leach-Bliley Act.
Both parties should consider and expressly set forth in their contracts which party will be responsible for liability arising from a data breach. Will the clearinghouse indemnify the broker-dealer for such a breach, and if so, what is the scope of that indemnity? Whose acts or omissions will the indemnity cover? What if both the broker-dealer and the clearinghouse were allegedly responsible for the data breach? Which party controls the response to the data breach, including reporting to governmental agencies? And who controls litigation arising from a data breach? Regardless of the indemnity obligations, insurance policies could be a source of funding for those obligations – depending on the terms and conditions of those policies and the nature of the underlying claims.
Traditional general liability, directors and officers, and errors and omissions policies may not provide coverage for losses arising from a data breach. See, e.g., Ward General Servs. Inc. v. Employers Fire Ins. Co., 114 Cal.App.4th 548 (Cal. App. 4 Dist. 2003) (data loss does not constitute physical loss or damage because such information “can[not] be said to have a material existence, be formed of tangible matter, or be perceptible to the sense of touch”). Indeed, some traditional liability policies exclude electronic data from the definition of property damage. Still, some D&O and E&O policies may provide coverage for certain defense and indemnity costs arising from alleged “wrongful acts” of the insured company related to the data loss or breach, and some commercial crime policies may provide coverage for first-party losses under computer and funds transfer fraud endorsements. See, e.g., Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821 (6th Cir. 2012) (finding a “sufficient link between the computer hacker’s infiltration of plaintiff’s computer system and plaintiff’s financial loss to require coverage under [the] endorsement”).
Although not new, cyberliability insurance policies may pick up coverage for data breaches where the traditional insurance policies leave off, providing coverage for both first-party losses and third-party liabilities. Indeed, such policies generally provide coverage for managing the costs of responding to a data breach, including notification costs, the costs of credit monitoring for those whose data may have been compromised by the data breach, and the costs of identity theft services. These policies also may provide coverage for costs a company incurs in response to a governmental agency’s investigation of a data breach, as well as costs incurred in defending against lawsuits brought on behalf of individuals and entities that allegedly have been damaged as a result of a data breach, together with indemnity costs arising from such third parties’ claims. Accordingly, cyberliability insurance may be a critical part of a company's overall data privacy/cybersecurity risk management plan. Auditing your insurance coverage to determine what coverage you have and what coverage gaps may exist, and filling those gaps before a loss occurs, are critical to properly managing the risk.
The Three Cs – Coordination, Communication And Cooperation
Coordination, communication and cooperation among a company’s IT department (including its chief information officer), legal department, risk management department and board are critical to developing a well-coordinated approach to combat cybersecurity risks and respond to breaches. Indeed, a company’s failure to recognize and put into action the Three Cs has the potential to adversely affect an organization’s ability to effectively respond to a data breach. See, e.g., DiPietro, Ben, Risk & Compliance Journal Blog, The Wall Street Journal, May 6, 2014, “Data Breaches Expose Corporate Communication Breakdowns.” Moreover, evidence that a company coordinated activities, communicated across departments and displayed internal cooperation could help create a favorable record if it is sued – by individuals whose data was compromised, for instance, or by shareholders in derivative actions – or if federal or state governmental agencies investigate or bring administrative or other legal actions against the company.
The bottom line as to protecting data and responding appropriately to breaches is fairly simple and abundantly clear: The costs of doing so are not insignificant, but the costs of failing to do so are potentially monumental.
This article is for informational purposes only and no reader should act based on this article without seeking appropriate professional advice.
[1] Amended as of December 8, 2004, to implement provisions requiring proper disposal of consumer report information and records. See 69 Fed. Reg. 71329 (Dec. 8, 2004).
Published May 14, 2014.