With high-profile cases like ChoicePoint and TJX acting as a lure, plaintiffs' attorneys are increasingly interested in generating class-action lawsuits against businesses for data security breaches or electronic data loss events.

And the lawsuit could be the least of a business's problems. Attorney general audits and fines, third-party litigation and the threat of tighter federal regulation of data security mean businesses must be more proactive than ever in mitigating such loss.

In a panel discussion at the recent 2009 PLUS International Conference in Chicago, five experts discussed the exposure environment for data breaches, passed and pending legislation, and the best ways businesses can protect themselves against a loss.

The exposure environment

Although data breach lawsuits can be attractive to plaintiffs' attorneys, lawyers know they must have their ducks in a row before seeking a class-action certification, said Sherrie Savett, Esq., shareholder and chair of the securities litigation department at Berger & Montague, Philadelphia. At the least, the breach should affect millions of users, result in an actual misuse of data, and involve sensitive information such as Social Security numbers or credit card numbers and expiration dates.

Successful cases also result in statutory damages, she added. Under the Fair Credit Reporting Act, companies that are determined to have been reckless in storing their customers' data--including medical information--could be liable for between $100 and $1,000 per victim in a case settlement. And potential defendants include not only credit scoring bureaus but banks, lenders, and other financial institutions. Damage is the big issue and the exposure to a company can be huge, Savett said.

In a recent class-action case involving credit card numbers stolen from Hannaford Bros. Co., an East Coast supermarket chain, the courts are determining whether the time and money a consumer spends to restore his or her credit is compensable damage. The trend in the courts now is to consider data as real property, not just information, Savett said.

For defendants, the lawsuit is only half the story, said Theodore Kobus II, chair, technology, media & IP practice group, Marshall, Dennehey, Warner, Coleman & Goggin, Philadelphia. State attorneys general are tracking data breaches and requiring that they be reported to them. Mellon Bank, Countryside and others have been fined by AGs after audits, and state departments of insurance and others can audit if a breach is reported. Nevada and Massachusetts have especially stringent rules on responsibility to breach, and on the federal level, H.R. 2221, the Data Accountability and Trust Act, would require "reasonable security policies and procedures to protect computerized data containing personal information," as well as nationwide notice in the event of a security breach.

Anatomy of a breach

Two of the biggest and most notorious data breach cases involve credit scoring bureau ChoicePoint Inc. and TJX Cos. Inc., owner of discount retailers Marshalls and T.J. Maxx. The ChoicePoint breach occurred in 2005, when swindlers stole the personal financial records of more than 163,000 consumers by setting up fake business requests. In the subsequent lawsuit, ChoicePoint ended up paying $10 million in civil penalties and $5 million in consumer damages.

In the TJX case, hackers stole 45.7 million credit and debit card numbers over 2005 and 2006, resulting in a class-action lawsuit and a $200 million settlement with consumers and TJX's bank, Fifth Third Bancorp. According to an article from InformationWeek, TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions.


Breach response preparedness

The good news arising from high-profile cases like ChoicePoint and TJX is that businesses are taking a more cautious approach to data breach risk management, said Bradley S. Gow, senior vice president at Zurich North America, Schaumburg, Ill. Banks are now making retailers responsible for breaches, and specifically putting this responsibility into their contracts with retailers.

Because the expenses of a breach can be mitigated by prevention, and time is critical in reacting to a breach, a written response plan is essential, said Kendall Walsh, director of Direct Group, a direct marketing firm based in Pennington, N.J. This should include written documentation approved by management, and a list of team members who will respond if a data breach occurs, including legal representation, marketing representatives for brand protection, IT experts and outside vendors knowledgeable in state and federal privacy laws to handle forensics and customer notification, he said. Having such experts at your disposal is key in underwriting data breach risks.

Efficacy of security/privacy insurance

Although data breach insurance is available and has become increasingly popular with businesses in recent years, coverage is still evolving and will change in response to frequency of loss, federal legislation, attention from the plaintiff's bar and market competition, said Gow of Zurich.

Today's data breach insurance coverage goes beyond basic coverage to provide the "bells and whistles" most businesses expect, said Patrick Donnelley, managing director of Professional Risk Solutions, Aon. Early on, a breach response fund of $25,000 to $50,000 was built into most insurance policies to help minimize liability. Because of competition and the evolution of the line of business, today's funds have gone into the $1 million to $10 million range, he said. Other variations include policies with time rather than dollar deductibles, as well as business interruption coverage.

However, 5 years of pricing in a soft market has resulted in policy pricing that is "probably light," said Gow of Zurich. "While carriers are hoping losses won't occur, there has been frequency in some industries," he said. "Based on the potential of risk, we're probably whistling past the graveyard."
