Legal liability for lax data protection -- coming to Canada?

Commercial clients may be vulnerable to lawsuits following data breaches, underlining the importance of these insurance protections.



A recent U.S. court decision assigning liability for data breaches to the compromised company may soon be applicable in Canada, industry and legal experts say.

The U.S. District Court for the District of New Jersey ruled that the Federal Trade Commission can sue companies on charges related to data breaches.

The lawsuit accused Wyndham Worldwide Corp.—which suffered three major data breaches in two years—of unfair trade practices and of misleading customers into believing their cardholder data was adequately protected.

To Tony Busseri, CEO of Toronto-based Route1, the decision signaled a lasting shift toward corporate responsibility for “inadequate data security measures” in both the U.S. and Canada.

“Legal consequences are a very concrete risk that organizations accept when settling for inadequate data security measures,” said Busseri, who has long suspected such a legal precedent. “As evidenced by [US District Judge] Judge Esther Salas’ decision, proper technological controls must be put in place to ensure the security of sensitive information. Information security can affect the financial well-being of the entire organization and thus ceases to simply be an IT function. Boards and executive management teams can no longer ignore the topic.”

Carrying the proper insurance is an important part of these increasing risk management responsibilities, says Gregory Podolak, a partner with insurance law firm Saxe, Doernberger, and Vita. 

“The key point is that now that clients…will be even more concerned about having the proper coverage in place to respond and absorb this loss, and they will need their broker to walk them through that,” Podolak said.

Because the cyber liability product is a long way from standardized, Podolak says producers must be especially conscientious regarding policy language, particularly how it relates to covering regulatory risks and potential legal fees.

Because many companies pursued by governmental agencies or unhappy policyholders end up settling outside of court, commercial clients will want the peace of mind that comes with a ready amount of cash.

“These products are so new, many have never been considered by courts before and you have to be careful in making sure the actual policy language has been engineered to respond to that specific regulatory risk,” Podolak said. “Most of these policies are manuscript—written in [the underwriter’s] own language.”
