Cyber Regulation

FTC Taking Action on Cyber Security

The FTC may become more active in suing organizations that don't sufficiently secure data.
By: | August 4, 2014 • 3 min read

In April, a federal court sent a clear if unintended message to the business community when it permitted the Federal Trade Commission to proceed with a lawsuit against Wyndham Worldwide Corp., alleging the hotel giant failed to make reasonable efforts to protect consumer information.

“The ruling will probably — and properly — drive more companies to the cyber insurance market,” said Thomas Caswell III, partner, Zelle Hofmann in Minneapolis, who specializes in insurance coverage litigation.


“They’ll see the exposures and their potential costs for themselves. The pure threat will push them to buy cyber insurance, just as they buy general liability insurance,” he said.

With the ruling in its favor, the FTC may become more active in pursuing regulatory actions, said Rene Siemens, partner, Pillsbury Law in Los Angeles, who represents policyholders in connection with coverage claims for privacy matters.

The types of breaches the FTC may pursue include identity theft, theft of credit card information, and improper access to protected health information.

The likelihood that the FTC will assume more responsibility for policing cyber security isn’t necessarily a bad thing for insurance companies or their clients, said Matt Wolfe, vice president for state relations and assistant general counsel, Reinsurance Association of America.

The current voluntary standards leave companies “shooting a bit blind regarding how to protect data and the consequences for not doing so,” he said. “Enforceable standards could actually help companies know how to prepare.”

Insurance industry observers expect carriers to introduce broad standard exclusions for privacy claims, but it’s yet to be seen how broadly they will be adopted and if carriers will adopt variations on exclusions.

“The insurance industry,” Siemens said, “is focused on limiting coverage for privacy claims under conventional coverage.”

“If the FTC pursued action for violating some rule or standard of practice … most cyber liability policies insure for that,” Caswell said. “Most traditional liability coverage doesn’t.”

Everybody’s Vulnerable

Getting hacked alone won’t invite a lawsuit from the FTC, said Kevin LaCroix, attorney and executive vice president, RT ProExec, an insurance intermediary focused on management liability.

“But if you are the target of a breach and fail to take corrective action, you’re subject to subsequent breaches due to the same vulnerability, and that could attract regulators’ attention.”

The FTC alleges Wyndham suffered three similar data breaches that compromised consumer information.

All companies that conduct business over the Internet, or that do business with other companies that do, are vulnerable to data breaches, said Siemens. The Gramm-Leach-Bliley Act already requires financial institutions to implement and maintain administrative, technical and physical safeguards for customer information.

“If the Department of Defense is vulnerable to hackers,” LaCroix said, “everybody’s vulnerable.”

Hackers’ motivations run the gamut from spite to greed to terrorism. “Still,” he said, “some multinational companies I’d consider high-risk targets don’t yet have privacy and network security insurance.”

Companies should also make sure their vendors and other third-party partners have sound security practices, and that they are insured against breaches they may cause, said Siemens.

That was the vulnerability for Target, when hackers broke into the retailer’s network last year using login credentials stolen from a heating, ventilation and air conditioning company that does work for a number of Target locations. It created the largest data security breach in retail history.


Increasingly, Siemens said, companies outsource data management to companies that specialize in running server farms and storing and processing data. “As that trend continues, risk managers need to be more careful about who they hire.”

LaCroix admitted to having personal experience with such woes. A “tiny” nonprofit school of which he was a board member was hacked through a vendor’s portal, costing $40,000 in notification costs alone. “That would have paid for the premium on cyber insurance for multiple years,” he said.

The take-home lesson for risk managers? Prevention and cyber insurance, said LaCroix, but if there is a breach, demonstrate a vigorous response to minimize risk of regulatory action.

Susannah Levine writes about health care, education and technology.

More from Risk & Insurance


In the Fast-Paced World of Retail, This Risk Manager Strives to Mitigate Risks Proactively and Keep Senior Leaders Informed

Janine Kral works to identify and mitigate risks, building strong partnerships with leaders and ensuring they see her as support rather than a blocker. 
By: | October 29, 2018 • 4 min read

R&I: What was your first job?

My very first paid job was working on my uncle’s ranch in British Columbia in the summers. He had cattle, horses and grapes — an unusual combo. But my first real job out of college was as a multi-line claims adjuster at Liberty Mutual.

R&I: How did you come to work in risk management?

Right out of college I applied for a job that turned out to be a claims adjuster at Liberty Mutual. I accepted because they were offering six weeks of training in Southern California, and at the time that sounded really fun. I spent about three years at Liberty Mutual and then I spent a short period of time at a smaller regional insurance company that hired me to start a workers’ compensation claims administration program.

I was hired at Nordstrom as the Washington Region Risk Manager, which was my first job in risk management. When I started at Nordstrom, the risk management department had about five people, and over the years it has grown to about 75. I’ve been vice president for 11 years.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

I would say that technology has probably been the biggest change. When I started many years ago, it was all paper and no RMIS.


R&I: What risks does the retail industry face that are unique?

We deal with a lot of people — employees and customers. With physical brick and mortar settings, there are the unique exposures with people moving in and out in a public environment. And of course, with ecommerce, we have a lot of customer and employee data, which creates cyber risk — which is not necessarily a unique risk in today’s environment.

R&I: Can you describe your approach to working with senior leaders and front-line staff alike to further risk management initiatives?

It starts with keeping the pulse of what’s happening with the business. Retail moves really fast. In order to identify and mitigate risks proactively, we identify top risk areas and topics, and then we ensure that we have strong partnerships with the leaders responsible for those areas. Trust is critical, ensuring that leaders see us as a support rather than a blocker.

R&I: What role does technology play in your company’s approach to risk management?

Janine Kral, claims adjuster, Nordstrom

We have an internal risk management information system that all of our locations report events into — every type of incident is reported, whether insured or uninsured. Most of these events are managed internally by risk management, and our guidelines require that prevention be analyzed on each one. Having all event data in one system allows us to use the data for trending and also helps us better predict what may happen in the future, and who we need to work with to mitigate risks.

R&I: What advice might you give to students or other aspiring risk managers?

My son is a sophomore in college, and I tell him and his friends all the time not to rule out insurance as a career opportunity. My advice is to cast a wide net and do your homework. Research all the different types of opportunities. Read a lot — articles, industry magazines, LinkedIn. Be proactive and reach out to people you find interesting and ask them about their careers. Don’t be shy and wait for people and opportunities to come to you. Ask questions. Build networks. Be curious and keep an open mind.

R&I: What are your goals for the next five to 10 years of your career?

I have always been passionate about continuous improvement. I want to continue to find ways to add value to my company and to this industry.

R&I: What is your favorite book or movie?

My favorite book is Shantaram by Gregory David Roberts. It’s a true story about a man who was in prison in Australia after being convicted of armed robbery, and he escaped to India. While in India, he passed himself off as a doctor in a slum. It’s a really interesting story, because this is a convicted criminal who ends up helping others. I am not always successful in getting others to read the book because it’s 1,000 pages and definitely a commitment.

R&I: What’s the best restaurant you’ve ever eaten at?

Fiorella’s in Newton, Massachusetts. Great Italian food and a great overall experience.


R&I: What is your favorite drink?

“Sister Carol.” I have no idea what is in it, and I can only get it at a local bar in Seattle. It’s green but it’s delicious.

R&I: What is the riskiest activity you ever engaged in?

Skydiving. Not tandem and without any sort of communication from the ground. Scary standing on a wing of a plane, but very peaceful once the chute opened, slowly floating down by myself.

R&I: If the world has a modern hero, who is it and why?

I can’t think of one individual person. For me, the real heroes are people who have a positive attitude in the face of adversity. People who are resilient no matter what life brings them.

R&I: What about this work do you find the most fulfilling or rewarding?

It’s rewarding to help solve problems and help people. I am proud of the support that my team provides others.

Katie Dwyer is an associate editor at Risk & Insurance®.