Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.
The fallout from the Equifax breach serves as a reminder of the potentially crippling liabilities faced by companies that fall victim to data breaches and cybersecurity attacks—and the importance of having adequate insurance coverage to minimize out-of-pocket defense costs and other financial losses. Cyber insurance policies are available that cover the cost of responding to regulatory investigations and consumer claims that stem from a data breach. However, some cyber policies include sublimits that can (perhaps unexpectedly) limit recovery to a small fraction of the total cost. And crucially, fines and penalties—like those imposed on Equifax here—are not always insured or insurable. In some jurisdictions, regulatory fines are considered “punitive” in nature, such that allowing insurance coverage for them would be against public policy. Companies and organizations that hold personal data can strategically structure their cyber insurance coverages to avoid tricky sublimits and to select a governing law that will maximize the insurability of regulatory fines. Coverage counsel can assist with fine-tuning cyber policy language so that it adequately fits an organization’s risk profile.
Notably, directors and officers of companies that fall victim to a data breach sometimes face additional liabilities. Shareholder and regulatory enforcement actions against directors and officers are on the rise, and increasingly are an inevitable—and expensive—consequence of a data breach. Even for breaches far smaller in scope than the one suffered by Equifax, corporate directors and officers can often face the blame for a company’s unsatisfactory cybersecurity and data privacy practices, as well as inadequate insurance to protect against related risks. The added wrinkle in the cybersecurity context, however, is that traditional D&O insurance policies designed to protect these officers typically contain “invasion of privacy” exclusions that may knock out all potential coverage for claims relating to a data breach. And while policyholders may assume that their cyber insurance coverages will fill that void, many cyber insurance policies contain their own exclusions for shareholder or securities claims. Coverage counsel can help corporate officers to structure their company’s D&O and cyber insurance coverages so that they do not unexpectedly find themselves stuck in a coverage gap after a data breach.
Equifax’s $700 million loss underscores the need for policyholders to review their insurance coverages to make sure they have adequate and tailored coverage in place to protect them against cyber losses. Even small cyberattacks can trigger a domino effect of liabilities for a company and its officers, and a well-structured insurance program can help prevent a small incident from becoming a big problem.