In case there wasn’t already enough confusion regarding cyber liability, data breach events, cyber coverage and cyber reporting, recent events suggest we have officially reached the fork in the road. On March 26, the Senate Committee on Commerce, Science, and Transportation, chaired by Sen. John D. Rockefeller IV (D., W.Va.), held a hearing titled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.”
At the hearing, committee members examined consumer risks emanating from recent data breaches, the current lack of federal data security protections, and several data security bills pending before the Senate Commerce Committee that would establish federal standards.
The committee also released a report asserting Target Corp. failed to take adequate steps to prevent the recent payment card hacking breach affecting up to 110 million customers. The report went on to charge Target with missing numerous opportunities to detect and stop the attack, including multiple automated warnings sounded by the company’s anti-intrusion software.
FTC chairwoman Edith Ramirez testified at the hearing to repeat the agency’s call for a vigorous federal data security and breach notification law. “Never has the need for legislation been greater,” she stated, while adding, “To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances.”
Sen. Rockefeller has already introduced legislation (S. 1976) authorizing the FTC to write and enforce new rules requiring retailers and other companies to protect consumers’ personal data, while notifying individuals in the event of a breach. Violators would face civil penalties.
The same day, less than a mile away at Securities and Exchange Commission headquarters, business executives and officials participating in a cybersecurity roundtable discussion offered a more nuanced point of view.
Although attendees agreed that companies are required to report data breaches likely to affect investor decisions, several voices suggested the potential damage to shareholder value from an attack is sometimes unclear and open to interpretation. What’s more, the amount of harm attributable to a disclosure, from broadcasting internal vulnerabilities and subsequent reputational damage, can often exceed the limits of the initial attack. The disclosure itself can decrease company value, potentially calling into question company leaders’ responsibilities to shareholders.
As if to second these concerns, Cowen & Co.’s Consumer Tracking Survey, conducted quarterly and for the first time since Target’s security breach news in mid-December, reported finding “meaningful decreases” in year-over-year customer satisfaction with both the total shopping experience and customer service at Target stores in March.
Satisfaction with the overall shopping experience at Target was down almost 2% in March, with declines “most acute” among desirable middle-and-upper-income shoppers. On the scale of customer service, Target’s scores dropped 3.3% to 71% with the score among upper-income shoppers falling 9% to 70%.
To make matters worse, S&P recently cut the firm’s credit rating, as it expects the data breach to decrease store traffic at least through June. This, of course, will increase the company’s borrowing costs, further decreasing shareholder value.
During the Securities and Exchange Commission Roundtable discussion, Douglas Meal, an attorney on the panel, offered the opinion the majority of data breaches are immaterial to investors. “If the company doesn’t have a legal obligation to disclose, it’s often not in their interest,” he said. The Cowen & Co. Survey does nothing to contradict his observation.
Since Target reported its data breach in December, consumers and banks have filed dozens of lawsuits. Many complainants fault the timing and scope of Target’s disclosures. These lawsuits have been filed even though, according to a Target spokesperson, the retailer alerted the public within days of confirming the attack. As its internal investigation uncovered more stolen customer data , the company made additional disclosures, although it was not legally required to do so.
Although he was not specifically addressing the Target situation, attorney Meal said in an interview following the SEC Roundtable, “if you never disclose the breach at all then you don’t have the class action suits…it’s the disclosure of the breach that creates the firestorm of litigation.”
Or, in other words, “no good deed goes unpunished.”
Report? Don’t report? That is the question. Eventually, lawyers and legislators will answer the dilemma captured by this soliloquy through regulation and legislation. Meanwhile, we in the insurance industry must guide our insureds regarding risk management and transference.
When it comes to cyber reporting, especially following a cyber-event, our own advice is to seek the advice of counsel with expertise in this area. If you have insurance coverage, contact your insurance professional to trigger the notification requirements of your policy and get your carrier support team engaged. Because these reporting choices are complicated, seek the advice of others to fully explore the impact of your decision making.
When it comes to cyber risk, we can build up your internal practice and offer expertise to help insureds anticipate and prevent cyber events.
When it comes to cyber insurance, the choices available to insureds from underwriters are growing in number. As traditional coverages increasingly adopt language specifically excluding damages arising out of cyberattacks, the need for stand-alone cyber insurance only becomes greater. The activities and events will not be less this year than last year. We can be certain of one thing; there will be a greater need for coverage going forward.
Our work has just begun.
Image credit: Franky242 / FreeDigitalPhotos.net
Find an upcoming Loss Prevention Seminar near you! View our full schedule of Loss Prevention Seminar topics for information about our Loss Prevention Services.
Learn more about how Tolman & Wiker helps our clients succeed by lowering their total cost of risk: