Looking At Angles Of Liability After A Cyberattack

by Zelle LLP

Insurance Law360 and Employment Law360
January 28, 2015

All employers have personnel data on their information technology systems and devices. This data includes personally identifiable information such as names, addresses, birth dates and Social Security numbers of employees and their family members. In light of high-profile, employee-led lawsuits like those stemming from cyberattacks at Sony Pictures Entertainment Inc. and the University of Pittsburgh Medical Center, employers are rightly concerned about the security of their data and the potential liability (and attorneys’ fees) that could result if they are hacked and personnel data is leaked. As with any business risk, employers should consider whether this risk is or could be insured. To answer some questions about employer liability for the hacking of personnel data and about the potential for insurance coverage, we put these questions to a lawyer practicing in the cyber and insurance arenas.

Q: Our employer clients are concerned about the possibility that they could be hacked. What should we tell them?

A: They are right to be concerned, regardless of their size or number of employees. Small and medium-sized companies are no less likely to be hacked than large corporations. In fact, in the wake of the well-publicized data breaches at Target Corp., Home Depot Inc., TJX Companies Inc. and others, most large corporations have undertaken extensive retooling of their systems and procedures, leaving small and medium-sized companies as the "low-hanging fruit" for hackers. While implementing defensive measures cannot immunize employers of any size from data theft, it should be a focus of attention, regardless of an organization's size. As an illustration of the trend toward hacking smaller organizations, consider this: In 2011, the median number of records exposed per breach was 45,000. Over the next two years, this number sharply declined to 29,000 in 2012, and to a mere 1,000 in 2013. No employer is immune, but every employer can take steps to decrease the likelihood of being hacked and the impact of a breach if one occurs.

Q: If an employer is hacked and personnel information is accessed, what claims could an employee (or group of employees) bring against that employer? What about claims by the government?

A: Legal actions that could be brought by employees would be based on the exposure of PII and any damages resulting from that exposure. Individual or class claims could be based on state or federal statutes or might include common law negligence, invasion of privacy, breach of express or implied contract or misrepresentation. As this area of litigation expands, we are likely to see additional causes of action develop. Some statutes allow a governmental entity to impose penalties in the event of PII exposure, separate from any claims by employees, and it’s important to remember that almost all states require employers to notify employees of a breach or risk penalties for failing to do so.

When assessing their risk, employers should remember that what constitutes PII varies greatly from state to state. It can include any combination of a person's first name (or first initial) and last name with other information, such as their Social Security number, driver's license number, credit card information, password, security codes or PINs, or unique biometric data. Some states have expanded the definition of PII to include names in combination with zip codes, usernames and passwords and a mother's maiden name, or Social Security number alone (not combined with a name) and electronic signatures.

In addition to the different state definitions of what constitutes PII, states impose differing obligations on employers if PII is hacked or otherwise left unprotected and open to external sources. For example, most states require an employer to notify the individuals affected by the breach when PII was or is reasonably believed to have been obtained by an unauthorized person, or when unencrypted data is left exposed regardless of whether it was actually taken. On the other hand, some states will not require compliance with notification laws if the breach does not materially compromise PII (e.g., Arizona), or law enforcement concludes that there is no significant risk of identity theft (e.g., Rhode Island). An employer’s obligation may also depend on the number of affected individuals or the total cost of notification. The majority of states allow a "public notification" rather than a personal one, when the cost of complying with the law would exceed a certain amount of money or where the number of affected individuals is larger than a set amount. In some states, the extent of the employer’s liability may be limited to civil fines or an action by the state attorney general, while others expose the employer to private actions by the affected individuals.
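As an added illustration (not part of the original article, and not legal advice), the following Python script shows how an incident responder might scope a breach against a PII definition of the kind described above: name plus a sensitive element, a standalone element such as a Social Security number, and an exemption for fields that were stored encrypted with the key not exposed. The rule sets, the substitute-notice threshold, the element names and the sample records are all assumptions constructed for the example; the real definitions and thresholds differ by state and must come from counsel.

```python
"""Breach-scope triage against an illustrative PII definition.

Added example; the rule sets and threshold below are assumptions for
demonstration and do not reproduce any particular state's statute.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Elements that, combined with first name/initial + last name, make a
# record PII under the illustrative rule (assumption).
NAME_COMBO_ELEMENTS: FrozenSet[str] = frozenset(
    {"ssn", "drivers_license", "card_number", "password", "biometric"}
)
# Elements treated as PII even without a name (assumption; some states
# treat a Social Security number this way).
STANDALONE_ELEMENTS: FrozenSet[str] = frozenset({"ssn"})
# Illustrative count above which substitute ("public") notice is assumed
# to be permitted instead of individual notice (assumption).
PUBLIC_NOTICE_THRESHOLD = 500_000


@dataclass
class Record:
    """One exposed personnel record from the affected system (constructed)."""
    employee_id: str
    first_name: str
    last_name: str
    fields: Dict[str, str]                      # element name -> stored value
    encrypted: FrozenSet[str] = frozenset()     # elements stored encrypted, key not exposed


def exposed_elements(rec: Record) -> Set[str]:
    """Elements that are present, non-empty and not protected by encryption."""
    return {k for k, v in rec.fields.items() if v and k not in rec.encrypted}


def triggering_elements(rec: Record) -> Set[str]:
    """Elements that make this record notifiable under the illustrative rule."""
    exposed = exposed_elements(rec)
    hits = set(exposed & STANDALONE_ELEMENTS)
    if rec.first_name.strip() and rec.last_name.strip():
        hits |= exposed & NAME_COMBO_ELEMENTS
    return hits


def is_notifiable(rec: Record) -> bool:
    return bool(triggering_elements(rec))


def triage(records: Iterable[Record]) -> dict:
    """Return affected individuals, the elements exposed per person, and
    whether the count falls under the (assumed) substitute-notice threshold."""
    affected: Dict[str, Set[str]] = {}
    for rec in records:
        hits = triggering_elements(rec)
        if hits:
            affected.setdefault(rec.employee_id, set()).update(hits)
    mode = "substitute" if len(affected) > PUBLIC_NOTICE_THRESHOLD else "individual"
    return {
        "affected_ids": sorted(affected),
        "elements_by_id": {k: sorted(v) for k, v in affected.items()},
        "notice_mode": mode,
    }


# Constructed sample export; values are fictitious.
SAMPLE_RECORDS: List[Record] = [
    Record("E001", "Alice", "Smith", {"ssn": "123-45-6789", "address": "1 Main St"}),
    # SSN stored encrypted and key not exposed; empty card field: not notifiable.
    Record("E002", "Bob", "Jones", {"ssn": "<ciphertext>", "card_number": ""},
           frozenset({"ssn"})),
    # Driver's license without a first name: name-combination rule not met.
    Record("E003", "", "Lee", {"drivers_license": "D1234567"}),
    Record("E004", "Dana", "Roe", {"password": "hunter2", "birth_date": "1980-01-01"}),
    # Address and birth date alone do not meet the illustrative rule.
    Record("E005", "Evan", "Kim", {"address": "2 Oak Ave", "birth_date": "1975-06-30"}),
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print(f"{len(result['affected_ids'])} individuals to notify "
          f"({result['notice_mode']} notice): {result['elements_by_id']}")
```

The per-person element list is what the notification letter and the credit-monitoring decision need; the encryption exemption is only as good as the evidence that the key was not also exposed, so that determination belongs to the forensic review rather than to a field flag.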

The bottom line is that there are multiple legal claims that an employer can face if employee PII is exposed and there are statutory notification requirements that every employer should understand and be prepared to comply with.

Q: If an employer has business insurance that covers claims of negligence, would it cover claims brought because of a cybersecurity breach?

A: Generally speaking, traditional (i.e., noncyber-specific) insurance policies have limited coverage and sometimes no coverage for loss, damage and potential liability resulting from cybersecurity breaches. There are exceptions, but no employer should assume that its business insurance includes cyber-related coverage. This is true regardless of whether the breach occurred as a result of the employer’s negligence or despite the employer’s best efforts to protect its information.

There are an increasing number of insurance carriers writing cyber-specific coverage, which more and more businesses are purchasing. Of course, policies vary, so assuring the right coverage for a given business and a given risk is key.

Q: What kinds of risks do cyber insurance policies cover for employers?

A: Cyber insurance policies typically have several coverage provisions that can help an employer manage the risks and high costs associated with cyber-related losses. Generally, cyber policies will cover an employer’s liability for a cyberattack that results in damages, even if employer negligence or breach of contract is claimed. The available coverage may also include important protection for the very significant costs employers will face for: (1) breach response and related services, (2) regulatory action coverage and (3) digital asset losses.

Coverage for breach response and related services addresses the costs associated with complying with data breach notification laws. This includes the costs of notifying the persons whose data was exposed or breached and providing credit monitoring and identity restoration services to those individuals. In addition, expenses incurred in hiring forensic consultants for the purpose of identifying the cause of the breach and identifying the scope and breadth of PII that may have been improperly accessed are also generally covered, as well as legal fees and public relations expenses resulting from the event. This type of coverage is particularly important considering that in 2013, the average cost per breach, just for mandatory notifications that must follow the breach, was $565,020.

Regulatory action coverage generally indemnifies an insured for the expenses associated with a civil proceeding or demand brought by the Federal Trade Commission, Federal Communications Commission, or other federal, state or local government agencies because of an actual or alleged violation of privacy regulations. This coverage is designed for organizations that are within the reach of the FTC or that do business in states with data privacy regulations that require the active implementation of safeguards to protect the personal information of others.

Digital asset coverage will pay an employer the costs incurred to repair, replace or otherwise recreate needed data that is stolen or otherwise made nonusable in a hacking or other cybersecurity breach event.

Q: What do you advise your clients to do to best protect themselves from a lawsuit over a cyberattack?

A: While there is no surefire way for any entity to protect itself from the possibility of being the victim of a cyberattack, data exposure or the target of a legal claim based on data exposure, there are best practices. These include:

  • training employees on cybersecurity generally and on employer policies and practices specifically;
  • keeping computers and other Internet-ready devices clean and protected from malware and viruses;
  • changing passwords often and requiring that passwords conform to minimum length and composition requirements;
  • compartmentalizing data, restricting access to data based on business need and getting rid of old data and employee information; and
  • considering hiring a company to evaluate your IT systems and detect vulnerabilities.

Q: Some of our clients have employment practices liability insurance. Would that cover claims brought by employees because of a cybersecurity breach? What should our clients look for in their current employment practices policies?

A: EPLI might provide some coverage, but the scope would almost certainly be far less than what would be afforded under a cyber-specific policy. Employers should look carefully at the terms and conditions of their existing EPLI policy, particularly noting exclusions related to cybersecurity and provisions pertaining to invasion of privacy, negligence and misrepresentation. As hacks and data breaches become an everyday worry for employers, we may see policies that specifically address (or exclude) these risks. But for now, it may be necessary to analyze and evaluate policy language that is not obviously directed at these concerns.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Zelle LLP | Attorney Advertising
