Michelle Schaap, a member of the law firm Chiesa Shahinian & Giantomasi PC who focuses on cybersecurity and corporate law, was recently called in to advise a New Jersey-based professional services firm with multi-state operations that had suffered a cyber-breach. Her first question to management was, “Do you have cyber-liability insurance?” The answer — a policy with a $50,000 limit and a $25,000 deductible — wasn’t comforting.
“It’s important to develop a comprehensive response plan ahead of a breach, and to thoroughly vet it periodically,” she warned. “Further, a $50,000 liability limit with a 50% deductible just doesn’t cut it.” That’s because a single incident can cause several disruptions, with associated costs that can quickly spiral.
“We arranged to give notice to customers and other impacted individuals, but the company may have to pay for credit monitoring costs for them,” said Schaap. “The company also hired a forensic IT company — first to determine the root cause of the breach, and then to advise them on security improvements.”
A cyber-insurance policy is also important, but it’s only part of a good response suite, she added. “A company’s legal obligations in the event of a security incident or breach will vary depending on the industry, the information accessed, and whether the hacker distributed, altered or destroyed the information,” said Schaap. “And because there’s currently no comprehensive federal notification regulation, the location of the company, and of any individuals whose data was accessed, will also matter. That’s why it’s important to have experienced legal counsel in place before an incident.”
Following a hack or other cyber incident, one of the first calls a company should make is to its insurer, according to Marc Schein, Cyber Center of Excellence Co-Chair at Marsh & McLennan Agency, a commercial insurance brokerage and wholly owned subsidiary of Marsh. But companies that look ahead will establish a relationship with an insurer and purchase a policy well before a breach.
“Having a good privacy and security network insurance policy in place is always important, but it’s even more critical now, with so many employees working from home,” he said. “There’s been a significant increase in ransomware, for example — both in the volume of attacks, and amount of ransom that is being demanded.”
From 2017 to 2018, the average ransom payment was about $10,000 per commercial incident, he noted. But as of the third quarter of 2020, it was up to $233,817, according to a Coveware report. At the same time, cyber-insurance application forms are getting more complicated, since insurers want to limit their own exposure to claims.
Insurers also want to see more safeguards on policies and procedures in place before they write a policy. “Carriers are putting more emphasis on pre-breach services — like how to engage with legal counsel from a regulatory standpoint, and how to create pre-diligence policies and procedures like getting a vulnerability scan to identify any weak spots, and creating and updating an incident response plan — including connecting with forensic experts, in case there is a breach,” added Schein.
Although there’s no “standard” cyber-insurance policy, there are some “must-have” features, he noted. “Such coverage includes insurance for business interruption, fraudulent impersonation, invoice manipulation, and reputational loss. But new rules and coverages come out constantly, so it’s important to have an adviser who’ll keep up with all the changes.”
One commercial client, located in the middle of the country, had to notify authorities in five different states and comply with each state’s requirements, she recalled. “And if a company is a healthcare provider or is associated with one, a breach will require notice to the Office of Civil Rights and may trigger HIPAA fines and sanctions; while a financial services provider will need to consider other laws and regulations. If your company has employees or customers in the European Union, Canada or another country with robust privacy laws, there are a host of other regulations to consider.”
As if that’s not enough, the breached company may have contractual obligations. “A payroll processor, for example, may have to notify its clients, and possibly the individuals,” Schaap noted. “It can be daunting, which is why a company should quickly notify its legal advisor, in addition to its security provider, and engage forensic experts to assess the scope of the impact and path to recovery.”
Management may be tempted to keep mum about a breach, “But that can come back to bite you,” Schaap cautioned. “If you don’t give notice in a timely manner, especially if Social Security and other personally identifiable information is involved, the company may be subject to fines, and could potentially be exposed to individual lawsuits. While all U.S. jurisdictions have their own breach notification laws, there are about 30 states with proactive privacy laws in place. If impacted individuals are in one of these 30 jurisdictions, the company may also face fines for failing to take ‘reasonable measures’ to safeguard sensitive information.”
“The key to any effective crisis communications is to be open and transparent,” according to Jonathan Jaffe, president and CEO of Jaffe Communications Inc. “Customers have an inherent trust in the companies they choose to do business with. As such, there is an expectation that the company will share relevant information that can adversely affect them.”
After a spring 2017 security breach at an Essex County-based nonprofit — when donor lists, addresses and credit card information were accessed — the organization retained Jaffe Communications to develop a crisis communication plan.
“We created key messages for employees of the non-profit, the donors and the community at-large within the first 24 hours of the crisis,” Jaffe related. “We were fortunate the issue did not get picked up in the media, but we were still prepared with statements and other relevant information for the public at-large. The crisis communication program was in effect for 90 days, with regular updates for stakeholders. In the end, the reputation of the non-profit was intact, as it communicated honestly and immediately.”
Best practices include developing a strategy before a cyberbreach takes place, advised William P. Murray, executive vice president-national director of international public relations firm MWWPR. “For most businesses it’s only a matter of time [until something happens], despite the precautions in place,” he cautioned.
Staying silent isn’t an option, he added. “Many sectors are guided by regulations in terms of timing, content and extent of reporting requirements. Considerations of extending beyond those protocols need to take into account legal counsel, as well as a multitude of communications concerns. The specifics of the actual breach are the most critical factor in determining how a company should communicate. Sometimes, over-communicating to a wide array of audiences in these situations can be as bad as, if not worse than, holding back.”
Within the last three years, he’s seen multiple high-profile breaches at New Jersey and other health care organizations. In one case, “The company and the communications team already planned for the inevitability – and had all structures already in place,” Murray said. “That included communications programs discussing how customers should protect themselves.”
When the breach occurred, MWWPR helped the client with direct notifications, “via email, telephone and mail to all impacted accounts with information on steps to take and company contact for resources, support and further information,” he added. “While the company already had alerted law enforcement, the communications team directly engaged other relevant regulatory officials at the state and federal levels, and alerted regional, state and congressional representatives.”
The firm also used traditional media and social media platforms to communicate with employees and others, developing messaging “that sought to protect the brand — ensuring that future consumers and commercial accounts would trust that the client had their best interests at heart,” he said. “We underscored that protections already were in place, but that the breach was part of a concerted criminal act intent on securing private consumer and commercial financial data. Our client was not the only company in that sector impacted during recent years — but not all had implemented the same measures of protection.”
The standard public relations instinct is to “get out ahead of the story,” noted Murray. “Yet if they are not careful, that rush to action actually may create bigger brand and liability issues for the company, and confuse audiences.”
THE COSTS OF INCAUTION
A Pennsylvania Supreme Court case, Dittman v. UPMC, should have been a wake-up call for companies that are on the fence about beefing up their cybersecurity protection, Schaap said. In the case, Barbara Dittman and other employees of the University of Pittsburgh Medical Center filed a class action complaint claiming negligence and breach of implied contract against UPMC for a data breach that compromised the personal information of more than 60,000 current and former employees.
“The state supreme court overturned a lower court decision and found that the class had a case against UPMC,” said Schaap. “Although there was no proactive legislation on the books in Pennsylvania requiring due diligence on the part of an employer to guard against cyber-intrusions, the state supreme court found the defendant was negligent in not preventing a foreseeable risk by training employees and taking other reasonable, proactive steps. The Dittman decision is only binding on Pennsylvania courts, but a company will be hard pressed to convince a jury or judge anywhere in the country that it did not know that a data breach was a potential risk.”
At least one court — the U.S. District Court for the District of Massachusetts — has already cited Dittman in a Dec. 31, 2019 ruling for Portier v. Neo Technology Solutions, et al. Several other high-profile breach litigation cases both before and after the Dittman ruling have included similar allegations, added Schaap, including Equifax and Target class actions, and Capital One litigation.