On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.
FTC investigations are often commenced by the service of a Civil Investigative Demand (CID), which is a subpoena-like document issued by the FTC to a company that demands the production of certain documents that the FTC deems relevant to its investigation, and/or seeks the appearance of certain individuals to give testimony. FTC investigations, like all regulatory investigations, can be expensive for its targets. In fact, companies can incur several millions of dollars in legal costs alone when reviewing and responding to CIDs and any supplemental investigative inquiries that may follow. As they should, companies will attempt to offset these legal costs through their corporate insurance programs. In the data privacy context, many companies will look to their Cyber/Technology Errors & Omissions (Cyber/Tech E&O) insurance policy for this type of coverage.
This begs the question: to what extent are legal fees incurred in connection with responding to CIDs covered by the typical Cyber/Tech E&O insurance policy? As discussed below, coverage might not always be afforded in this situation. Coverage issues associated with regulatory enforcement investigations in the data privacy area will be of increasing importance to Cyber/Tech E&O insurers and their insureds as the federal government ramps up privacy enforcement, and state governments ramp up their own similar investigations pursuant to newly-enacted state data privacy statutes.
Potential Cyber Insurance Coverage Issues Implicated by FTC Civil Investigative Demands
To best illustrate the coverage issues that arise when dealing with FTC investigations, let’s use a hypothetical policyholder called “Company X.”
The FTC launches an investigation into Company X for possible violations of Section 5 of the FTC Act as it relates to Company X’s data privacy procedures. Specifically, the FTC alleges that Company X may be engaging in unfair trade practices because, instead of encrypting certain personally identifiable information that Company X obtains and processes from its customers, it leaves the information unencrypted on its servers, which leaves the information vulnerable to theft in the event of a data breach. In connection with that investigation, the FTC issues a CID to the “Custodian of Records of Company X,” seeking certain documents for inspection, as well as written responses to several interrogatories.
In order to respond to the CID, Company X retains a reputable law firm with partners who are former FTC and/or DOJ attorneys, and who are well-versed in civil enforcement investigations. The partner assigned to the case bills at $1,160 per hour, and the partner utilizes three associates billing at $750 per hour on average, as well as a paralegal billing at $400 per hour. The attorneys inform Company X that it will need to spend the next two-three three weeks combing through large swaths of documents and electronic data in order to prepare document and interrogatory responses to the FTC. On top of that, the law firm informs Company X that additional costs will be incurred in the event that the FTC issues a supplemental CID, seeks testimony from certain employees, or ultimately commences an enforcement action against Company X. Company X, staring down considerable legal fees and costs, submits a copy of the CID and information about the proposed legal response to Company X’s insurer, which issued a Cyber/Tech E&O insurance policy (the Policy) to Company X for the relevant policy period.
The Policy contains multiple insuring agreements addressing first-party claims (such as claims for business interruption to the policyholder caused by a cybersecurity incident) as well as third-party claims (e.g., lawsuits filed by plaintiffs seeking damages from the insured arising out of a cybersecurity incident). The Policy also contains a “Regulatory Investigation Coverage” insuring agreement that states the following:
The Insurer shall pay all Regulatory Damages and Defense Expenses that the Insured is legally obligated to pay as a result of a Regulatory Enforcement Investigation first made against any Insured during the Policy Period arising out of any actual or alleged Privacy Breach.
The bolded terms above are defined in the Policy as follows:
Regulatory Enforcement Investigation means receipt by the Insured of any civil, administrative or regulatory request for information, or investigation from any government entity.
Regulatory Damages means fines, penalties, or monetary amounts which the Insured is legally obligated to pay due to any judgement or settlement with a regulator.
Defense Expenses means reasonable and necessary fees, costs and expenses incurred in connection with the investigation, adjustment, defense, and/or appeal of any Regulatory Enforcement Investigation.
Privacy Breach means the access, use, destruction or alteration of personally identifiable information of a customer which is unauthorized.
Applying our policy language above to the matter submitted, the CID issued to Company X likely constitutes a Regulatory Enforcement Investigation because the request by the FTC, a regulatory entity, is a “regulatory request for information…from any governmental entity.” The costs to be incurred by the attorneys that Company X retains to respond to the CID likely constitute “Defense Expenses.” However, in order to trigger coverage, the CID issued to Company X must “aris[e] out of any actual or alleged Privacy Breach.”
According to the Policy, a Privacy Breach occurs when actions with respect to personally identifiable information are unauthorized. If the FTC in our example is investigating whether or not it is an unfair trade practice for Company X to leave certain data unencrypted on its servers, query whether that constitutes the unauthorized “access, use, destruction or alteration of personally identifiable information.” If the CID issued to Company X does not arise out of a Privacy Breach, there is arguably no coverage available under the Policy for Defense Expenses or Regulatory Damages incurred by Company X in connection with the FTC investigation. Company X’s cyber insurer may deny coverage for Company X’s legal costs in this instance.
While not all Cyber/Tech E&O insurance policies contain language similar to the hypothetical provided above, many do. Therefore, it is important when confronted with regulatory investigations to pay particularly close attention to the language of the applicable insuring agreements. Not all data privacy-related investigations involve privacy or data breaches. As such, one must be mindful of whether any Cyber/Tech E&O insurance policy’s insuring agreement with respect to regulatory investigations contains any privacy or data breach trigger. Insurers may deny coverage for these types of costs.