Could D&O be the new cyber liability 'pot of gold'? Could D&O be the new cyber liability 'pot of gold'?

Could D&O be the new cyber liability 'pot of gold'?

16 February 2018 | Cyber

Compared with the United States, there has been little third party litigation in Australia brought about by individuals aggrieved in the wake of corporate data breaches or privacy events.

There are a number of reasons for that, including the difference in the statutory rights afforded to citizens in each country (generally speaking American citizens enjoy a right to privacy on which they can sue;  Australians don’t), the tortious and other common law causes of action available, and our differing jurisprudence.

That said, it’s very interesting to observe that despite the greater availability of legal avenues to pursue and the apparent larger appetite for class action activity, data breach plaintiffs in the US have generally struggled to obtain successful Court outcomes, either through shareholder lawsuits or individual/direct class action claims.

In a recent turn of events, it appears plaintiff lawyers might be changing their tack – pivoting their client’s claims from individual privacy arguments to claims targeting defendant breaches of corporate governance and security laws… and potentially securing them access to the “deeper pockets” of D&O insurers. 

Here’s a taste of what’s been happening in recent months:

  • In September, plaintiffs sued Equifax alleging materially false or misleading statements, and a failure to disclose inadequate data security monitoring and protection systems associated with its huge data breach (affecting 143 million users);
  • In December, PayPal was sued for similar alleged misconduct associated with its acquisition of bill-pay management company TIO Networks Corporation.  PayPal discovered security vulnerabilities in TIO’s platform soon after its acquisition, which potentially compromised the data of 1.6million customers; and
  • Also in December, plaintiffs sued Quidian, a Chinese online micro lender.  The claim alleges, in part, that Quidian’ s data system and security procedures did not adequately protect sensitive borrower data, affecting more than 1 million students.  Following public reports of the data breach (and a Chinese crackdown on high interest pay day loans) Quidian’ s trading value dropped to 45% below its IPO price (after having been one of the larges IPOs of the year just a few months earlier). 

With the Australian D&O market already under pressure, insurers are no doubt monitoring this litigation trend with great interest given that we have similar corporate governance laws and our regulators have cyber security squarely on their compliance radar.  In the meantime, insureds need to pay close attention to any cyber-related exclusions or coverage sections in their D&O policies, and ensure they are adequately covered for data breach security claims.

Megan O'Rourke

Megan O'Rourke

Special Counsel