Cybersecurity and the Next Generation of Risk and Liability
The need for companies and consumers to protect data and information is rapidly evolving with increasingly high stakes.
One of the most concerning announcements an organization can make today is that a data breach has occurred. Such revelations can strike fear in investors and consumers alike and erode a company’s hard-earned reputation.
To help our clients better understand the importance of cybersecurity and how it affects the companies who turn to them for counsel and guidance, IMS interviewed Directors and Officers (D&O) insurance and economics expert Perry Granof.
IMS: After handling D&O claims for over 35 years and overseeing hundreds of matters from the Securities and Exchange Commission (SEC), do you see an increase in Federal Trade Commission (FTC) proceedings?
Granof: Yes, I do see an increase in FTC proceedings as an emerging area of potential D&O liability. This has been especially enhanced due to the profound increase in corporate data breaches. The FTC and the Consumer Financial Protection Bureau have become the two principal federal agencies overseeing the actual protection of consumer data privacy.
IMS: Where does the FTC derive its enforcement authority from?
Granof: The FTC derives its cyber security enforcement authority from Section 5(a) of the FTC Act. Section 5(a) empowers the FTC to “prevent persons, partnerships, or corporations…from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Apparently, the FTC relies on the “unfairness” language of Section 5 as the basis for their authority to challenge cyber security practices. The FTC has the authority through its administrative powers to issue cease and desist orders, seek restitution, assess fines and penalties, and may bring suit in federal court to enforce such injunctive orders.
IMS: Have there been rulings that uphold FTC Section 5(a)?
Granof: Yes, in the case of Federal Trade Commission vs. Wyndham Worldwide Corporation, et al., the U.S. District Court for the District of New Jersey ruled in 2014 that the language of Section 5(a) of the statute authorized the FTC to regulate cybersecurity under the unfairness prong of Section 5(a). In 2015, the U.S. Court of Appeals for the Third Circuit affirmed the ruling. The Wyndham case was ultimately settled. Thus, the Wyndham defendants never fully exhausted their appellate remedies, and the precedent could possibly be overturned at some future date. But, for the present time, the FTC has the authority to pursue cybersecurity cases against companies that fail to protect consumers’ personal information and user data under Section 5(a) of the Act.
IMS: Can the FTC Act grant a private right of action?
Granof: Unlike the Securities Exchange Act (SEA), the FTC Act does not bestow a private right of action. As such, unlike Section 10(a) of the SEA, no FTC parallel class actions would likely be filed against a company or its directors and officers under Section 5(a). Given the nature of the FTC’s remedial powers, it can seek compensation on behalf of consumers, eliminating the need for a private right of action. With its arsenal of restitutionary and punitive remedies, it is unlikely that FTC actions will result in personal insurable liability for corporate directors and officers.
IMS: Is there anything that directors and officers of private and publicly held organizations should keep in mind?
Granof: They should be mindful of this heightened new FTC practice, because the filing of an FTC administrative action and the settlement of such proceedings may indirectly invite derivative, and even securities class actions, against corporate boards for mismanagement. Although the first several derivative cases brought against corporate boards for cybersecurity attacks were dismissed, in this era of constant and unceasing cyberattacks, corporate boards need to be vigilant. As such, in an effort to avoid regulatory enforcement actions and resulting shareholder lawsuits, corporate boards should begin considering the option of having a Chief Cybersecurity Officer, or head of an oversight board, regularly attending corporate boards and reporting to its members on the state of the corporation’s security system.
About Perry S. Granof:
Perry Granof is an international insurance and securities expert who has supported IMS clients on several projects as an expert witness. He also serves as managing director for a consultancy that provides counsel to insurance companies, brokers, risk managers, and corporate boards.
Granof has overseen and negotiated to successful resolution thousands of complex national and multinational D&O, PI and FI lawsuits, and trained scores of D&O, PI and FI claim professionals. He has more than 30 years of experience in claims handling.