Directors and officers (D&O) losses stemming from data breaches should be a top-of-mind concern for an organization’s C-suite and board. Although proving harm in these cases can be difficult, defense costs are expensive, and not all allegations are unsuccessful. Advisen data gives a glimpse into the types of allegations frequently made against directors and officers following a data breach and the most common industries to face these losses.
D&O Losses Stemming From Data Breaches
Following a data breach, the decisions made by an organization’s directors and officers are often intensely scrutinized. Data breach-related D&O losses can arise from allegations such as directors and officers failing to take reasonable steps to protect customers’ personal and financial information, failing to implement controls to detect and prevent a data breach, and failing to report a breach and notify people in a timely manner.
D&O losses stemming from data breaches in Advisen’s loss database are primarily classified as shareholder risks or corporate capital risks. These losses encompass a wide range of loss types, including merger objections, securities class actions, derivative shareholder actions and capital regulatory actions. It’s important to note that Advisen data categorizes these case examples as losses, regardless of trial outcomes. Therefore, not all losses shown above were won by the plaintiff or resulted in significant financial compensation.
Data Breach-related D&O Allegations
Allegations against directors and officers are often dismissed, indicating that plaintiffs have trouble showing actual compensatory injuries and proving corporate mismanagement was the direct cause of harm from a data breach. Nevertheless, defense costs are expensive.
However, not all allegations are unsuccessful. For example, the D&O lawsuits following data breaches at Yahoo and Equifax settled for $80 million and $149 million, respectively.
In the Yahoo loss, settled in 2019, the plaintiff alleged the company:
- Made false or misleading statements
- Failed to disclose material adverse facts about the company’s business—specifically that Yahoo failed to encrypt users’ personal information or data, leaving more than 1 billion users vulnerable to theft
- Made public statements that were materially false and misleading at relevant times
According to Advisen’s loss database, Equifax’s 2020 settlement followed allegations that it made false and misleading statements, failed to disclose that the company did not maintain adequate measures to protect its data system, maintained inadequate monitoring systems to detect security breaches, and failed to maintain proper security systems and controls.
Equifax accounted for multiple D&O losses in Advisen’s database, including capital regulatory actions, securities class actions and derivative shareholder actions.
D&O Losses From Data Breaches by Industry
Since 2010, the information sector has accounted for the most significant percentage of data breach-related D&O losses at 42%. The information sector encompasses many software publishers, computer programmers, telecommunication organizations and research-based companies.
For example, Facebook agreed to a $100 million settlement with the Securities and Exchange Commission after the social media company was accused of permitting a third-party developer known as Cambridge Analytica to misuse user data. Facebook’s directors and officers were accused of issuing false or misleading statements by declaring they had found no evidence of wrongdoing, even though they had discovered the misuse of data as far back as 2015, according to Advisen loss data.
Finance and insurance accounted for the second greatest frequency of D&O losses stemming from data breaches at 16%, followed by admin, support, and waste management and remediation services at 15%, according to Advisen data.
*Advisen’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.