FTC Taking Action on Cyber Security
In April, a federal court sent a clear if unintended message to the business community when it permitted the Federal Trade Commission to proceed with a lawsuit against Wyndham Worldwide Corp., alleging the hotel giant failed to make reasonable efforts to protect consumer information.
“The ruling will probably — and properly — drive more companies to the cyber insurance market,” said Thomas Caswell III, partner, Zelle Hofmann in Minneapolis, who specializes in insurance coverage litigation.
“They’ll see the exposures and their potential costs for themselves. The pure threat will push them to buy cyber insurance, just as they buy general liability insurance,” he said.
With the ruling in its favor, the FTC may become more active in pursuing regulatory actions, said Rene Siemens, partner, Pillsbury Law in Los Angeles, who represents policyholders in connection with coverage claims for privacy matters.
The types of breaches the FTC may pursue include identity theft, theft of credit card information, and improper access to protected health information.
The likelihood that the FTC will assume more responsibility for policing cyber security isn’t necessarily a bad thing for insurance companies or their clients, said Matt Wolfe, vice president for state relations and assistant general counsel, Reinsurance Association of America.
The current voluntary standards leave companies “shooting a bit blind regarding how to protect data and the consequences for not doing so,” he said. “Enforceable standards could actually help companies know how to prepare.”
Insurance industry observers expect carriers to introduce broad standard exclusions for privacy claims, but it’s yet to be seen how broadly they will be adopted and if carriers will adopt variations on exclusions.
“The insurance industry,” Siemens said, “is focused on limiting coverage for privacy claims under conventional coverage.”
“If the FTC pursued action for violating some rule or standard of practice … most cyber liability policies insure for that,” Caswell said. “Most traditional liability coverage doesn’t.”
Getting hacked alone won’t invite a lawsuit from the FTC, said Kevin LaCroix, attorney and executive vice president, RT ProExec, an insurance intermediary focused on management liability.
“But if you are the target of a breach and fail to take corrective action, you’re subject to subsequent breaches due to the same vulnerability, and that could attract regulators’ attention.”
The FTC alleges Wyndham suffered three similar data breaches that compromised consumer information.
All companies that conduct business over the Internet, or that do business with other companies that do, are vulnerable to data breaches, said Siemens. The Gramm-Leach-Bliley Act already requires financial institutions to implement and maintain administrative, technical and physical safeguards for customer information.
“If the Department of Defense is vulnerable to hackers,” LaCroix said, “everybody’s vulnerable.”
Hackers’ motivations run the gamut from spite to greed to terrorism. “Still,” he said, “some multinational companies I’d consider high-risk targets don’t yet have privacy and network security insurance.”
Companies should also make sure their vendors and other third-party partners have sound security practices, and that they are insured against breaches they may cause, said Siemens.
That was the vulnerability for Target, when hackers broke into the retailer’s network last year using login credentials stolen from a heating, ventilation and air conditioning company that does work for a number of Target locations. It created the largest data security breach in retail history.
Increasingly, Siemens said, companies outsource data management to companies that specialize in running server farms and storing and processing data. “As that trend continues, risk managers need to be more careful about who they hire.”
LaCroix admitted to having personal experience with such woes. A “tiny” nonprofit school of which he was a board member was hacked through a vendor’s portal, costing $40,000 in notification costs alone. “That would have paid for the premium on cyber insurance for multiple years,” he said.
The take-home lesson for risk managers? Prevention and cyber insurance, said LaCroix; but if there is a breach, demonstrate a vigorous response to minimize the risk of regulatory action.