Only Five Days To Report Data Breach For Insurers And Agents In Connecticut

One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it.  The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010.  The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.  

The Insurance Department defined a security incident requiring notification as follows: 

The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Health Net data loss.  In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.

Five days is a very short time frame, and responding immediately is harder still.  It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event.  I have posted before about the necessity for a privacy plan to address data loss and security breach incidents.  With these types of notice provisions, privacy plans become more critical as a risk management tool for insurers and agents to avoid administrative penalties.

Does A Limited Liability Company Protect Its Members From Personal Tort Liability?

Not always.  An individual member of an LLC or an officer of a corporation may be individually liable for their own torts.  This rule is well settled and the Connecticut Supreme Court reaffirmed it in Strum v. Harb Development, which will be officially released on August 31, 2010.  

Business owners often choose to form a business entity to operate under, such as a limited liability company (LLC), limited liability partnership, or professional corporation.  In basic terms, the entity operates as an individual for legal purposes. There are many reasons to form a business entity. One of the more common reasons is to limit your personal liability and protect your assets.  The idea is, if you make a mistake in business, the entity is responsible, not you personally.

Many times, a properly formed and maintained business entity, like an LLC or corporation, can provide a shield or "veil" of protection for an individual member or officer.  However, the protection is not absolute, and there are many instances where you can be personally liable in business despite the formation and operation of a business entity.    Two of the most common methods of establishing personal liability are "piercing the corporate veil" and individual responsibility for torts, such as breach of fiduciary duty, negligence, fraud, and misrepresentation. 

In the Strum case, the Connecticut Supreme Court addressed the latter situation involving personal liability for torts (I will do a post on veil piercing soon). The Strum case involved a homeowner alleging poor workmanship and breach of a construction contract for new home construction.  The plaintiff homeowners in the case brought a lawsuit against not only the entity, Harb Development, LLC, but also its principal member, John Harb.  The plaintiffs alleged, among other claims, that Mr. Harb was personally liable for negligence.  Mr. Harb moved the trial court to strike the allegations against him personally, seeking the protections of his LLC, Harb Development.  His attorney argued that absent facts sufficient to pierce the veil of protection of the LLC, Mr. Harb personally was immune from liability.

At the lower level, the trial court granted the motion to strike primarily on the grounds that there were no facts in the complaint to pierce the veil of the LLC.  Although the Supreme Court ultimately found that there were insufficient facts alleged in the complaint to establish the negligence claim against Mr. Harb personally, the Court rejected the argument that Mr. Harb could not be personally liable for negligence merely because he was a member of an LLC. 

The Supreme Court noted that Connecticut's common law provides for personal liability of officers of a corporation for torts personally committed (such as negligence) that injure third parties provided  the injured party can show a legal duty, breach of that duty, causation, and damages.   As such, if an officer of a corporation commits a tort in business, the officer may be personally liable even if the corporation is also responsible.  The Strum case makes clear that this common law rule applies even in the absence of facts sufficient to pierce the corporate veil.  This same common law rule also applies to members of an LLC. 

The Strum case serves as a reminder to business owners that formation of a business entity will not protect you from personal liability in all circumstances.  Liability for individual torts and piercing the veil of a business entity are two common scenarios where business owners may face personal liability despite the shield that a business entity may provide.  Whether a business owner can face personal liability for negligence, fraud, or misrepresentation involving the business will often depend on the facts of the case. 

Cyber Crime On The Rise And Costly - What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study.  The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider.  The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurrence
  • The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
  • The companies in the study were experiencing 50 successful attacks per week
  • Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs for company compliance depended greatly on the level of security programs at each company

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly.  Responding quickly to a cyber attack is essential.  Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack.  There should be a dedicated response team and protocol for any such event.
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks.  Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company's ability to respond to a cyber attack.  Advanced planning is critical to mitigating damages from cyber attacks.