Authors: John Doernberg Susan Friedman, Esq.
We are often asked by corporate officers, including those outside the C-Suite, whether they could be exposed to uninsured personal liability for cyber events. Two recent court cases — one criminal, one civil — may justify their concern.
Court cases with personal liability implications for cyber events
In the criminal case, in late 2022 a corporate chief information security officer (CISO) was convicted of obstruction of justice and failure to report a felony for hindering an investigation conducted by the Federal Trade Commission (FTC) into his company's cybersecurity practices following a cyber breach of approximately 50 million user records. The court determined that the CISO concealed the breach and destroyed data. This CISO is now subject to incarceration and substantial fines.
The civil case resolved an issue left open in an earlier seminal case. In 1996, the Delaware Chancery Court had held that corporate directors have a duty of oversight to ensure that their company has appropriate information and reporting systems. The Court further held that corporate directors were to address red flags that come to their attention and could signal potentially significant wrongdoing or other problems. Earlier this year, the Delaware Chancery Court resolved the open issue from 1996 by holding that corporate officers also have a fiduciary duty of oversight, at least within their respective spheres of responsibility. This case did not involve cybersecurity, but the principles seem equally applicable to corporate officers responsible for the cyber realm.
These cases highlight the recent expansion of responsibility and liability for failures of cybersecurity — including the potential targeting of corporate officers for their roles in cyber breaches. For example, in late 2022. the FTC charged a CEO with failing to take adequate steps to remedy his company's information security shortcomings after a 2018 cyber incident while he publicly maintained that the company had appropriate security measures in place. The case settled with an extensive list of security-related obligations imposed on the CEO personally through the next decade, even if he moved to other companies. This case exemplified the regulatory reach to hold individual executives responsible for privacy and security breaches.
Personal liability coverage from D&O, Cyber, both or neither?
Cases like these, together with the new wave of more assertive cybersecurity enforcement actions, have many CISOs and others questioning whether claims against them will be covered under their companies' Directors and Officers (D&O) policies, or Cyber policies, or both, or neither.
The structure of some leading D&O and Cyber policies drives these concerns. A number of D&O policies exclude coverage for breaches of privacy, while many Cyber policies exclude coverage for securities claims and provide limited coverage for regulatory actions. The reasons for these limitations are straightforward: D&O insurers don't want their policies to provide backdoor coverage for what are essentially cyber incidents, and Cyber insurers do not want their policies to provide backdoor coverage for what are essentially D&O claims.
The coverage issues can become more complex when novel privacy-related claims are made. For example, while privacy exclusions in D&O policies generally contain exceptions for shareholder claims as noted above, it may be unclear whether the exception would apply to:
- A criminal charge relating to a breach of confidential personal information (as in the criminal case noted above) — especially if made against a CISO or other cybersecurity employee who is not considered a corporate officer
- A non-shareholder claim alleging a general failure of oversight (analogous to the civil case noted above), which may be of particular concern in an environment of increasing regulatory activity around cybersecurity
Although Cyber policies typically provide coverage for an insured's failure to prevent a cyber breach, it may be unclear whether a Cyber policy would provide coverage for the alleged post-incident concealment of information from investigators or for a regulatory claim alleging some failure that isn't tied directly to a specific cyber incident.
Given these questions regarding insurance coverage, corporate cybersecurity employees are understandably concerned that the growing number of laws and regulations governing cybersecurity — combined with vigorous and creative plaintiffs' lawyers — might expose them to liability and also force them to search for an "insurance home" in the event that they are targeted.
The cases discussed above demonstrate the reason that new sources of exposure should spur companies to re-evaluate their D&O and Cyber insurance policy forms to revisit the scope of this coverage.