Until relatively recently, it appeared that data breach “situations” were limited to the health care industry (in August, Community Health Systems revealed that it had experienced a theft of 4.5 million medical records, including social security numbers), the retail industry (Home Depot Inc., Target Corp., Neiman Marcus, Michaels Arts & Crafts, KMart), and the financial sector (JPMorgan Chase & Co. revealed that a previously disclosed data breach potentially affected 76 million households and 7 million small businesses).
But fairly recent litigation, including the lawsuit against Wyndham Worldwide Corporation (Wyndham), demonstrates that the hospitality sector is also at risk.
In the Wyndham case, it is alleged that “intruders” gained unlawful access to Wyndham’s computer network, thus allowing them access to clients’ personal data.
In response, a shareholder initiated a derivative lawsuit against the company and the directors and officers for breach of fiduciary duty, waste of corporate assets, and unjust enrichment. The complaint alleged that the company failed to secure its customers’ personal and financial information. The complaint also alleged that Wyndham failed to disclose the data breaches in a timely fashion (the breach was allegedly disclosed over two years after a third breach occurred), thus exacerbating the damage and potential exposure to the company.
Wyndham also came under investigation by the Federal Trade Commission (FTC), which alleged that the data breach compromised over 600,000 credit card accounts and that many of those account numbers were exported to a Russian-registered domain. The FTC further alleged that the breach resulted in fraud loss of over $10M. In accusing Wyndham of failing to provide reasonable and appropriate data security, the FTC’s prayer for relief demanded that the company improve its security to prevent future breaches and that it remedy harm to its clients.
Other recent breaches revealed in the hospitality space include those at PF Chang’s China Bistro and Jimmy John’s.
It is anticipated that as the plane of cyber risk continues to evolve, these types of lawsuits will increase, exposing a company to a potential “trinity” of litigation: by the consumer (as individual or class action), by the shareholder, and by the regulators. Indeed, in a June 10, 2014 speech delivered at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized that cyber-security must be “part of a board of director’s risk oversight responsibilities.”
In light of this developing landscape, it is important for a company to:
- Review its internal controls designed to protect client personal and financial information
- Immediately advise clients of actual or potential security breaches
- Review its policies to determine the extent of coverage – or limits thereto – that may be provided, and evaluate its exposure accordingly
By Audrey Samit, Vice President, Claims Management