Privacy breaches often not due to technology failure: PLUS Canada speakers

Class action lawsuits involving information security breaches are increasing but cyber risk is operational and strategic rather than one of computer technology, insurance professionals suggested at a workshop Wednesday in Toronto.

In North America, American International Group Inc. “gets about three breach notices every business day, and more than half of them deal with operational failure, not technology failure,” said David Price, AIG Canada’s financial lines leader, of his firm’s claims experience. “The technology works fine. It’s the practice of a senior executive not following protocol. It’s the CEO writing his password on his computer. It’s people leaving briefcases on planes, trains and automobiles.”

Price made his remarks to an audience of about 100 at a luncheon and workshop titled Cyber Liability – the Potential Impact on Directors and Officers.

Katie Andruchow, national cyber expert for commercial brokerage Aon Reed Stenhouse Inc., echoed Price’s comments.

“I think everybody in this room is sophisticated enough to know that while hacking electronic data is certainly one of the types of cyber losses, there are so many other ways” that privacy is breached, she said. Examples include employees losing laptop computers or sending contact lists to the wrong person.

“All of those are real breaches that can result in damages,” she said at the workshop, held at the Hilton Toronto and organized by the Canadian chapter of the Professional Liability Underwriting Society (PLUS).

“Cyber is a strategic risk,” said Greg Eskins, national cyber practice leader at commercial brokerage Marsh Canada Ltd. “It’s no different than environmental. If it’s material to the organization, it’s something that the board as to deal with, so we are starting to see that the boards are dealing with it.”

Class action lawsuits resulting from such privacy breaches “are on the rise,” suggested Robert Frank, a partner and litigation lawyer with Norton Rose Fulbright.

Plaintiffs in such class action lawsuits could include customers whose personal data might be subject an attack or breach, Frank added.

For the civil tort of “intrusion upon seclusion,” Andruchow suggested, damages of $10,000 to $20,000 per individual, for mental anguish, can be awarded even in cases where there is no economic loss.

Other plaintiffs in class action lawsuits arising from cyber breaches could be shareholders, Frank noted.

“When cyber risk reaches the level of material risk, there are obligations in terms of disclosure” to shareholders, Frank said. “That is likely to spawn more securities class actions (involving) claims that public disclosures failed to adequately recognize the cyber risks of the company.”

Price suggested cyber insurance is a “new and emerging” product, in reply to a question about endorsements added to policies such as general liability and the variation in cyber policy wordings.

“People are just starting to buy cyber in Canada,” he said. “We are still determining how the current coverages will respond to cyber breaches and things like first-party property policies, crime policies – everyone is trying to find the right solution for the client.”

Andruchow suggested that “typically” when cyber coverage is provided by an endorsement, there is a sub limit.

“There may be further sub limits within that sub limit,” she added, in commenting on how brokers should be advising commercial clients. “We need to do our due diligence in investigating what would the cost of a stand-alone cyber policy be.”