Breach at email marketing service highlights privacy issues
All over the U.S., people have been receiving emails from familiar corporate giants (including Best Buy, Walgreens, Citi, Home Shopping Network, JPMorgan Chase, Kroger, The College Board, Brookstone, U.S. Bank, and Tivo, among others) informing them that their names and email addresses had been stolen and could be used in phishing attacks: emails that attempt to perpetrate financial fraud by convincing recipients to reveal account information, passwords or other confidential information. The attackers' capture of both names and email addresses has increased concerns about "spear phishing," the use of personalized emails containing the customer's name (and perhaps even address) along with the logo of the relevant financial institution. Because such personalized emails often appear authentic, consumers are more likely to reveal sensitive account or other information in response. Many of the affected companies have responded by advising their customers not to respond to suspicious or otherwise unexpected emails, especially those asking the recipient to confirm personal or account information after clicking on a supplied link.
These names and email addresses were stolen from Epsilon, a permission-based email marketing services firm. It has been estimated that Epsilon sends about 40 billion emails annually on behalf of its clients. Epsilon has commenced an investigation into the cause and scope of the breach (which will almost certainly be extremely expensive), but initially it appeared that only names and email addresses were taken, not other sensitive financial, health or other data.
As others have noted, it does not appear that the kind of information that was stolen — names and email addresses — would trigger notice requirements under the many federal and state laws and regulations that address privacy issues (the situation may be very different with respect to victims who reside in European Union countries, as the EU has a more expansive view of what information is considered private).
Epsilon will certainly incur very substantial costs in dealing with this breach, however. To what extent would those costs be covered by insurance policies? The Epsilon breach reveals some of the shortcomings in the current iteration of many policies that attempt to address these kinds of exposures.
For starters, it can matter a great deal whether these exposures are addressed in privacy/data security insurance policies or in professional liability (errors and omissions, or E&O) policies. The proper "home" for this type of coverage will depend on facts specific to the insured's particular situation. Who owns the data that was compromised, the insured or a third party? Why does the insured have the data, and what are its obligations with respect to protecting it? How are those obligations expressed? How would a claim arise? How would a claim be framed by the claimant? These are just a few of the very many issues that need to be considered when a company wants to make sure that it buys the right policy with the right coverages. The process should begin, and be repeated frequently, with a detailed conversation between the insured and its broker (and the insured's lawyers, if possible) about the insured's business, operations, security practices, and customers or clients.
Even when the right type of insurance policy is clear, the nature and scope of the policy’s coverage provisions will determine the extent of coverage. Consider the following scenarios that could play out in the Epsilon situation (all of the following are merely hypothetical speculations):
- Company A sends an email notice of the breach to its customers (as so many people have already received), does some internal investigation, talks to its lawyers, puts some information and phone numbers on a sticky note and sends Epsilon a bill for the aggregate costs of doing so.
- Company B sends out a similar notice, does the same investigation and pays the same lawyers, but also decides that it needs to provide a call center for worried customers, and to offer credit monitoring services to those who want it. It also bills Epsilon for all of these costs.
- Company C realizes that some of the names and email addresses belong to EU residents, and that it may have violated the EU Data Protection Directive by providing that information to Epsilon in the first place. It sends out a similar notice, does a more extensive and costly internal investigation, talks longer to its lawyers and pays them more, and may be investigated by one or more EU countries' privacy enforcers. It too bills Epsilon for all of these costs.
- Company D sends out a notice, does the investigation, pays the lawyers, and sues Epsilon for errors made by Epsilon in the performance of Epsilon's duties for Company D. Epsilon's business agreement with Company D specifies what happens in the event of Epsilon's breach of its service obligations and describes and limits the type and extent of damages that could be paid by Epsilon.
- Company E does the same as Company D, but its lawsuit accuses Epsilon of breaching its express confidentiality agreement with Company E. The confidentiality agreement has its own provisions regarding what happens in the event of Epsilon’s breach.
Connect with John Doernberg on LinkedIn.