
Data breach lawsuit against Pentagon highlights vendor management risks

Another example is unfolding of why almost every company’s data security risk management practices should include a hefty dose of vendor management. And below the surface lurk questions that may lead others to investigate their own practices and insurance coverage.

The Department of Defense runs a health insurance program, called TRICARE, for military personnel, retirees and their families. Last September a contractor for TRICARE disclosed that up to 4.9M of its health records may have been breached. The records were contained on computer backup tapes stolen from a parking garage. The information on the tapes was not encrypted, but the contractor – Science Applications International Corporation (SAIC) – asserted that there is little risk to patients because reading the tapes would require knowledge of and access to specific hardware and software.

A $4.9B class-action lawsuit — the third one relating to this breach — has recently been filed in Washington against the Department of Defense. The lawsuit seeks $1,000 in damages for each affected individual, free credit monitoring and an order prohibiting TRICARE from moving unencrypted records from government property. TRICARE had already determined that it would send breach notification letters to each person whose data was compromised. No matter how these lawsuits are resolved, it is clear that the DoD will incur considerable costs in dealing with the breach.

It is safe to assume that TRICARE will look to SAIC for full indemnification of at least most of the costs that TRICARE incurs in this matter. Given SAIC’s size (it receives about $20B annually in DoD contracts), it is reasonable to assume that it has the financial strength to indemnify TRICARE. And one can hope that SAIC has an E&O insurance policy that will pay most, if not necessarily all, of the costs that SAIC will incur (at least to TRICARE and other third parties) in connection with the breach. If TRICARE/DoD has its own data security insurance, it may look directly to its own insurer for coverage (above the applicable retentions) and let the insurer subrogate against SAIC.

But this is not the end of the story. A few of the more salient questions raised by this matter include the following:

  • While SAIC may be financially strong enough to satisfy its indemnification obligations to TRICARE, how many companies make a sufficient effort to ascertain whether their vendors and suppliers have the financial capacity to satisfy their potential exposures resulting from a data breach (assuming that there are indemnification rights in the first place)?
  • If TRICARE were a private company and charged with a HIPAA and/or state privacy law violation for failing adequately to vet its service provider, would those defense costs and any government fines be chargeable to SAIC or SAIC’s insurer? That would seem tantamount to an assertion that the damages caused by SAIC’s breach include all costs associated with the failure of the organization that hired SAIC to make sure that SAIC was up to the task of protecting the data in the first place. One might expect a meaningful discussion with SAIC and its insurer about whether those costs should be indemnified or covered. While the organization that hired SAIC might look to its own well-negotiated privacy policy for coverage of those costs above the applicable retention, it would likely have some meaningful uncovered exposures.
  • If TRICARE were a privately held company, would its directors be subject to a breach of fiduciary duty claim that they failed to exercise appropriate levels of risk oversight or institute adequate risk management practices? The Washington lawsuit asserts that SAIC has been involved in six data security breaches since 2005. Would a company hiring SAIC have asked the right questions to learn of the multiple breaches; if it did, what response would be sufficient? Congressman Edward Markey was quoted fuming at TRICARE’s failure to require that all its vendors encrypt sensitive data before transporting it. Under the Massachusetts Data Security Regulations that became effective in 2010, for example, that failure might be enough to constitute a violation. In the harsh glare of a publicized breach and with the benefit of hindsight, plaintiffs’ lawyers may be able to assert claims that reach a company’s directors and officers and trigger its D&O insurance program. The affected company could face the complications involved in negotiating with its D&O insurer, its data breach insurer, its vendor and the vendor’s E&O insurer.
  • If TRICARE were a publicly traded company, might it face shareholder claims if it failed to adequately disclose its cybersecurity risks and insurance coverage, as described in the SEC’s new cybersecurity disclosure guidelines (see a discussion of the SEC guidelines here)? As reflected in the discussion above, assessing the extent of cybersecurity exposures and of relevant insurance coverage is not a simple task. If a company materially underestimates the extent of those exposures or overestimates the extent of its insurance protection, it may face claims by angry shareholders and enterprising plaintiffs’ lawyers.

These are just a few of the issues that companies face whenever a vendor or supplier has access to their confidential personal data. The risk increases significantly with the number of hands touching the data. When some of those hands belong to vendors and suppliers, the risk of breach increases dramatically. When third parties have access to your sensitive data, both the due diligence and indemnification/insurance components of your risk management processes deserve and need substantial analysis and effort.

About the Author

John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.

617.646.0336   JDoernberg@wgains.com   Connect with John via LinkedIn

