On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015. VTech’s “smart toys” breached the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website. (In 2015, the Privacy Risk Report addressed the facts related to VTech’s breach on December 2, 2015 at great length.)
Now that we are a few years down the road since the breach, we have seen VTech’s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech’s business. Therefore, even though we have no information concerning VTech’s insurance program, we still have sufficient information about VTech’s breach to analyze the value of third party liability and first party coverage in data breaches.
- VTech’s Good News: No Liability For The Breach (So Far)
On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breaches cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.
The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.” Of course, there was no contract to use the apps. Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech argued that “each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach its obligations to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.” The District Court was not persuaded by plaintiffs’ argument when they could have easily used the toys without downloading the apps or uploading their personal information. And, the District Court agreed with VTech when it found “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services” and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.
Even though the plaintifffs failed to show they had damages and could survive a motion to dismiss, the value of third party cyber liability coverage is clear. The costs related to briefing the complex issues on a motion to dismiss related to whether the plaintiffs have standing can be too much for many companies. Further, if the plaintiffs survive a motion to dismiss, which is happening on a more routine basis, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment. Therefore, the VTech case (even though the plaintiffs case was dismissed) still underscores the need for third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.
- VTech’s Bad News: Potential First Party Losses
Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price. Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, Yahoo. In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:
|“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”|
|“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”|
|“More recent breaches had less of a negative impact on share price than older ones.”|
|“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”|
Admittedly, while Comparitech’s in-depth study of these large scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences when in January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million. And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.