[co-author: Robert Shoemaker]
A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent company, Retrieval-Master Creditors Bureau Inc., into Chapter 11 bankruptcy. AMCA has not stated whether it had cyber insurance, but the situation presented by this breach and bankruptcy filing serves as a cautionary tale for those without adequate cyber insurance coverage—or any at all.
AMCA Data Breach and Resulting Bankruptcy
AMCA is a collections agency specializing in medical receivables, providing services to customers such as LabCorp. In March 2019, AMCA became aware of a potential data breach. The company eventually deduced that the breach had been occurring since as far back as August 2018 and had affected the data of millions of individuals. On June 3, 2019, AMCA notified its clients of the breach, and within two weeks filed for bankruptcy protection.
The direct costs of the AMCA data breach were substantial. By the time of the bankruptcy filing, it is reported that:
IT consultant fees had exceeded $400,000;
Direct mail costs of notifying the seven million affected individuals exceeded $3.8 million; and
Litigation costs from class action lawsuits, breach of contract claims, and government investigations had the potential to become substantial.
In addition to these direct costs, the use of AMCA’s website functionality was severely limited for normal operations. Further difficulties followed when AMCA experienced the almost immediate termination of its contract with LabCorp and the cessation of all new work from its other large clients. Despite AMCA’s efforts to contain the impact, including reducing its headcount, all these effects combined to lead AMCA’s parent company, Retrieval-Master Creditors Bureau Inc., to file for bankruptcy.
What Role Could Cyber Insurance Have Played?
Cyber insurance comes in a variety of forms, but commonly provides coverage for both first-party loss and third-party liability in the event of a data breach. Cyber insurance may cover various types of costs that typically arise from a breach, such as costs associated with breach investigations, data system repairs, legal defense fees, judgments against the policyholder or settlements, breach notification costs, and even business losses stemming from a breach.
Corporate boards and officers have become more focused on cyber insurance, and more and more companies are starting to purchase it. However, many companies still question the value of cyber insurance and operate without cyber insurance for a number of reasons. For example, some companies believe that cyber insurance is too expensive or that their cyber risk is low. Given the prevalence of data breaches and the large potential for losses, this lack of insurance can prove catastrophic for some companies. Paying the high direct costs of mitigating such a breach may easily cause a company to deplete its cash reserves, and the indirect effects, even if temporary, can prove insurmountable in the end.
Cyber insurance can increase the likelihood that operations hit with a breach like AMCA will be able to weather the storm.
Given the all-too-frequent news of cyberattacks on businesses, AMCA’s data breach is certainly not a unique story. However, the resulting bankruptcy was unfortunate and potentially preventable.
An appropriate cyber insurance program may have helped offset some (or perhaps all) costs that arose from the data breach and possibly allowed AMCA to regain its prior market position. Without cyber insurance, a company may all too easily face larger business continuity risks in the wake of a data breach.