Data breach lawsuit against Pentagon highlights vendor management risks
A new example is unfolding of why almost every company’s data security risk management practices should include a hefty dose of vendor management. And below the surface, there lurk questions that may lead others to investigate their own practices and insurance coverage.
The Department of Defense runs a health insurance program, called TRICARE, for military personnel, retirees and their families. Last September a contractor for TRICARE disclosed that up to 4.9M of its health records may have been breached. The records were contained on computer backup tapes stolen from a parking garage. The information on the tapes was not encrypted, but the contractor – Science Applications International Corporation (SAIC) – asserted that there was little risk to patients because reading the tapes would require knowledge of, and access to, specific hardware and software.
A $4.9B class-action lawsuit — the third one relating to this breach — has recently been filed in Washington against the Department of Defense. The lawsuit seeks $1,000 in damages for each affected individual, free credit monitoring and an order prohibiting TRICARE from moving unencrypted records from government property. TRICARE had already determined that it would send breach notification letters to each person whose data was compromised. No matter how these lawsuits are resolved, it is clear that the DoD will incur considerable costs in dealing with the breach.
It is safe to assume that TRICARE will look to SAIC for full indemnification of at least most of the costs that TRICARE incurs in this matter. Given SAIC’s size (it receives about $20B annually in DoD contracts), it is reasonable to assume that it has the financial strength to indemnify TRICARE. And one can hope that SAIC has an E&O insurance policy that will pay most, if not necessarily all, of the costs that SAIC will incur (at least to TRICARE and other third parties) in connection with the breach. If TRICARE/DoD has its own data security insurance, it may look directly to its own insurer for coverage (above the applicable retentions) and let the insurer subrogate against SAIC.
But this is not the end of the story. A few of the more salient questions raised by this matter include the following:
- While SAIC may be financially strong enough to satisfy its indemnification obligations to TRICARE, how many companies make a sufficient effort to ascertain whether their vendors and suppliers have the financial capacity to satisfy their potential exposures resulting from a data breach (assuming that there are indemnification rights in the first place)?
- If TRICARE were a privately held company, would its directors be subject to a breach of fiduciary duty claim that they failed to exercise appropriate levels of risk oversight or institute adequate risk management practices? The Washington lawsuit asserts that SAIC has been involved in six data security breaches since 2005. Would a company hiring SAIC have asked the right questions to learn of the multiple breaches; if it did, what response would be sufficient? Congressman Edward Markey was quoted fuming at TRICARE’s failure to require that all its vendors encrypt sensitive data before transporting it. Under the Massachusetts Data Security Regulations that became effective in 2010, for example, that failure might be enough to constitute a violation. In the harsh glare of a publicized breach and with the benefit of hindsight, plaintiffs’ lawyers may be able to assert claims that reach a company’s directors and officers and trigger its D&O insurance program. The affected company could face the complications involved in negotiating with its D&O insurer, its data breach insurer, its vendor and the vendor’s E&O insurer.
- If TRICARE were a publicly traded company, might it face shareholder claims if it failed to adequately disclose its cybersecurity risks and insurance coverage, as described in the SEC’s new cybersecurity disclosure guidelines (see a discussion of the SEC guidelines here)? As reflected in the discussion above, assessing the extent of cybersecurity exposures and of relevant insurance coverage is not a simple task. If a company materially underestimates the extent of those exposures or overestimates the extent of its insurance protection, it may face claims by angry shareholders and enterprising plaintiffs’ lawyers.
These are just a few of the issues that companies face whenever a vendor or supplier has access to their confidential personal data. The risk increases significantly with the number of hands touching the data. When some of those hands belong to vendors and suppliers, the risk of breach increases dramatically. When third parties have access to your sensitive data, both the due diligence and indemnification/insurance components of your risk management processes deserve and need substantial analysis and effort.
About the Author
John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.