Blog Posts

Data Breaches, Part 2 – “Reasonable Security Measures” Will Protect More Than Just Your Data

There once was a time when in-house lawyers could sleep soundly and let the computer experts stay up at night worrying about IT issues. Those days are long gone (if they ever really existed at all)!

Courts and regulators require that companies take “Reasonable Security Measures” to protect personally identifiable information and personal healthcare data. But, what exactly does that mean? How do you know if your company’s data security measures will be deemed reasonable? These are questions squarely within the legal department’s wheelhouse.

There is no one-size-fits-all solution to data security that will satisfy every court and regulator. However, several government and private organizations have published data security standards. Following these standards will go a long way toward protecting your company, both from experiencing a data breach and defending itself in the event one occurs.

Numerous statutes require that companies provide reasonable security for sensitive, personal information. These statutes include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA and the Federal Trade Commission Act, among others. Also, nearly every state has now enacted some form of data-privacy statute. While certain central concepts of data security apply regardless of the industry and the data involved, each of these acts may require additional steps to maintain reasonable personal data security.

The Federal Trade Commission

The Federal Trade Commission has taken the position that a data breach can constitute an unfair and deceptive trade practice. As a result, since 2002, the FTC has brought approximately 60 cases against companies alleged to have put consumers’ personal data at unreasonable risk. These cases have led to fines in excess of $1 million, as well as injunctions. In one case, LifeLock agreed to pay $100 million to consumers to settle FTC contempt charges that the company violated the terms of a 2010 federal court order that required the company to secure consumers’ personal information.

All the news coming from the FTC is not bad, however. In an effort to assist companies in protecting consumer information, the FTC has issued written guidance in two documents explaining how companies can protect consumer data and, thereby, avoid liability.

Protecting Personal Information, A Guide for Business

The first FTC guidance document is called Protecting Personal Information, A Guide for Business. According to this document, “a sound data security plan is built on 5 key principles.”

FTC Principles for Data Security
  1. Take Stock. Know what personal information you have in your files and on your computers.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of what you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.

The guide provides further detail for each of these five principles, and I strongly encourage you to study it.

Start with Security, a Guide for Business

The second document, Start with Security, a Guide for Business, contains ten lessons learned from more than 50 FTC cases. These lessons provide concrete steps to protect sensitive data, and the FTC discusses them in greater detail than the five FTC principles mentioned above. Thus, every chief legal officer and chief information security officer must consider them.

Ten Lessons on Data Security
  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Other Important Standards for Establishing Reasonable Security Measures

The FTC is not the only organization that has issued standards for data security. Courts and regulators may also consider the following documents when deciding whether a company implemented reasonable security measures:

  1. NIST Cybersecurity Framework.
  2. SEC OCIE 2015 Cybersecurity Examination Initiative.
  3. California Attorney General’s 2016 Data Breach Report.
  4. National Association of Corporate Director’s Handbook on Cyber Risk Oversight.
  5. Center for Internet Security Critical Security Controls (CIS Controls).

As you can see, what constitutes “reasonable security measures” is a complicated question, with no single answer. Moreover, the answer depends, to a certain extent, on the type of data involved. Nonetheless, companies today cannot avoid seeking the answer to this question. The financial and reputational risks are too high to do otherwise.

Chief legal officers also no longer have the luxury of claiming that they are not “tech-savvy” and deferring to the information technology department. The issues extend beyond technical concepts into questions that merge the technical with the legal. As such, chief legal officers must immerse themselves in this topic to protect both their companies and their careers.

Photo courtesy of Blue Coats Photo on Flickr.

Data Breaches, Part 1 – How Prepared Is Your Company?

Computer hacking and data security became central issues in the 2016 presidential election as a result of several high-profile data breaches. Although the public may have been surprised to learn how vulnerable electronic data actually is, corporate chief legal officers regularly toss and turn at night worrying about their organizations’ data security. According to the Association of Corporate Counsel’s 2016 Chief Legal Officer Survey, data security has ranked among the top three concerns of Chief Legal Officers for several years running. The ACC survey found that twenty-two percent of CLOs experienced a data breach within the last two years. Astonishingly, forty-nine percent of healthcare CLOs experienced a data breach within the last two years, followed by forty-five percent of education industry CLOs.

Data breaches can be extraordinarily expensive. Response costs can quickly mount into the millions of dollars. Resulting government investigations can lead to significant legal expenses, as well as potential fines. However, the damage will likely go well beyond the initial financial costs. A high-profile data breach can inflict significant damage on a company’s brand, impacting the bottom line far more than the initial legal and investigative costs. Such damage may take years to repair. Beyond the financial damage, a high-profile data breach can often wreck the careers of CEOs, CLOs and information technology professionals.

So, the question becomes, how well-prepared is your organization for a data breach? Advance preparation is crucial. Waiting until a data breach is discovered is a recipe for disaster.

Preparing for Data Breaches

To reduce exposure in the event of a data breach, your company must prepare for a breach in advance. This includes instituting security and prevention measures, as well as creating an incident response plan, in the event a breach occurs. In upcoming posts, I will offer help on both fronts. These posts will examine the following topics, all of which your organization must consider before a data breach occurs:

  1. Has your company taken “reasonable security measures” with respect to data security?
  2. Is your company collecting and keeping sensitive information unnecessarily?
  3. Are your vendors and service providers a weak link in your data security plan?
  4. Does your organization have an up-to-date incident response plan?
  5. Has your company purchased adequate insurance covering both the response costs and resulting liability?
  6. Have you prepared your board of directors for a data breach?

I hope these posts prove helpful and would love to hear how your company has prepared for, and responded to, a data breach.

Photo courtesy of Zakwitnij on Flickr.

Merger Transaction – When is a Release of Officers and Directors not a Release?

Imagine you are a corporate officer or director sued personally by shareholders for breach of fiduciary duty, following the announcement of a merger transaction. You sleep soundly, believing that the release in the merger agreement fully protects you. Not necessarily!

The Court of Chancery of Delaware recently ruled that such a release will not always protect corporate officers and directors from suit. In In re Riverstone National, Inc. Stockholder Litigation, shareholders alleged that the company’s officers and a majority of the directors breached their fiduciary duties by usurping a corporate opportunity.

According to the complaint, the company executed a merger agreement ten days after the shareholders notified the company of the breaches. The merger agreement included a release, in which the acquirer released these claims. The company did not receive any additional consideration for the release. Not surprisingly, the shareholders asserted that no other shareholders benefited from the release, other than the defendant officers and directors. On the same day that the merger agreement was executed, the shareholders filed suit. Three days later, the transaction closed.

Likely feeling confident that the release protected them and that these derivative claims were extinguished by the merger, the officers and directors filed a motion to dismiss. The court swiftly denied the motion to dismiss, ruling that the shareholders could continue with their lawsuit.

Here are a few takeaways from the decision:
  1. Following a merger, shareholders may bring a lawsuit against corporate officers and directors that is normally derivative in nature, even if the merger eliminated the ability of shareholders to bring a derivative action, if the shareholders plead particularized facts demonstrating a cause of action against the officers and directors.
  2. Officers and directors may lose the protections of the business judgment rule if they receive a material benefit not shared by other shareholders.
  3. If officers and directors have a material conflict, courts may evaluate the merger under the more onerous entire fairness doctrine. This means that the officers and directors must demonstrate that the merger was entirely fair to shareholders (a fair price from a fair process). Absent a material conflict, shareholders normally must rebut the business judgment rule and demonstrate a non-exculpated breach of duty.

In his opinion, Vice Chancellor Glasscock offered some consolation to corporate officers and directors. He noted that a court must be wary of conclusory allegations that a merger extinguished a potential derivative suit. Absent particularized facts pled in the complaint, “much ground for strike suits and other mischief would be possible.”

Let’s hope for a lot less of that mischief!

Corporate Insurance Policy Does Not Cover SEC Investigation Before Wells Notice or Target Letter Sent

We buy insurance hoping to never need it. Nonetheless, we pay the premiums so that we can sleep better in the event that we have a problem someday. But, in the early stages of a government investigation, your insurance policy may not provide the coverage that you hoped for.

A Colorado federal court recently ruled that a D&O insurance policy did not provide coverage for an SEC investigation because the SEC had not yet issued a Wells Notice or otherwise alleged a violation of securities laws. In MusclePharm Corporation v. Liberty Insurance Underwriters, Inc., the SEC’s Division of Enforcement sent a letter to the company advising that it was conducting an investigation into its operations. The letter also requested voluntary production of certain documents. Less than two months later, the SEC issued an “Order Directing Private Investigation and Designating Officers to Take Testimony.” The order said that the SEC had “information that tends to show” “possible violations” of federal securities laws by MusclePharm and/or its officers and directors.

The Insurance Policy

The company had previously purchased a D&O insurance policy that provided coverage for “Securities Action Liabilities.” The insurance company refused to cover MusclePharm’s claim for legal fees and expenses incurred during the investigation. It denied coverage because the SEC had not yet issued a Wells Notice or target letter. Absent such a notice or letter, the insurance company asserted, the SEC had not alleged wrongdoing sufficient to trigger coverage. (A Wells Notice is a notification that the SEC is close to recommending that the Commission commence action against the recipient. A target letter is a notification from a prosecutor that the recipient is the target of a federal criminal investigation.)

The policy’s coverage section provided that it covered losses resulting from a “Securities Action” for a “Wrongful Act” that occurred during the policy period. “Wrongful Act” was defined to mean:

any actual or alleged error, misstatement, misleading statement, act, omission, neglect, or breach of duty, actually or alleged committed or attempted by the Insured Persons in their capacities as such or in an Outside Position, or, with respect to Insuring Agreement 1.3, by the Insured Organization[.]

The Court’s Ruling

The court held that the insurance policy did not cover the investigation. In reaching this decision, the court found that the SEC had not alleged conduct in any of its communications that met the definition of “Wrongful Act” in the policy. To meet that definition, the “alleged error or omission must involve a positive assertion that the implicated error or omission is believed to have actually occurred, even if still subject to proof,” according to the court.

None of the SEC’s communications had ever asserted that an error or omission had actually occurred. To the contrary, the SEC’s Order repeatedly said that the SEC had not determined if any of the acts described in the Order had actually occurred. The court held that the policy did not cover the investigation until the SEC alleged a past “Wrongful Act.” The court did not consider the SEC’s comment that “[I]nformation that tends to show” “possible violations” existed sufficient to trigger coverage.

How to Protect Your Company Before a Government Investigation

Although this case does not establish any startling new legal principle, it illustrates how vulnerable companies and their officers and directors may be during the early stages of a government investigation if the company has not purchased “pre-claim inquiry” coverage for the officers and directors and coverage for investigative costs for the company. Kevin M. LaCroix, an insurance executive with RT ProExec, notes in his blog that such coverage is now available, either as a stand-alone policy or as an accessory to the primary D&O policy.

Government investigations are exorbitantly expensive. They often require separate counsel for the company and each officer and director, all paid for by the company. Additional coverage for investigative costs may be considered expensive by some. However, the additional premium likely pales in comparison to the $3 million in legal fees and expenses paid by MusclePharm during the SEC investigation. This case demonstrates that absent adequate coverage, a government investigation may be a devastating hit to your bottom line.

MusclePharm has appealed the decision, so stay tuned. This may not be the last word on this case.

Photo courtesy of Photos of Money on Flickr.