Accountants May Face Personal Cyber Liability for Stolen Client Data

Service providers take note. Accountants and others may be personally responsible for protected client data which is lost or stolen while in their possession. A recent Seventh Circuit case highlights some important issues for service providers and their clients, and further underscores the need to assess the risk of cyber-related losses and how those risks can be managed.

In Nationwide Ins. Co. v. Cent. Laborers’ Pension Fund, 704 F.3d 522 (7th Cir. 2013), certain pension funds retained the services of an accounting firm. To perform these services, the pension funds provided the firm with a CD containing the confidential personal information of 30,000 participants and beneficiaries of the pension funds. One of the firm’s employee accountants took the CD home in her car, from which it was subsequently stolen. As a result of this theft, the pension funds incurred $200,000 in credit monitoring and insurance costs.

Interestingly, the funds elected to sue the accountant herself to recover these costs. The accountant then sought coverage for this potential liability under her homeowner’s policy. In a declaratory judgment action filed by the homeowners’ carrier against the insured accountant and the pension funds, the court held that the loss was not covered, based on the application of two exclusions: The policy did not cover damage to property in the “care of” the insured. Also, the policy did not cover property damage arising out of or in connection with a “business” engaged in by an “insured.” Accordingly, the court affirmed the lower court’s judgment that the insurance company had no duty to defend or indemnify the accountant.

This case illustrates the potential for significant problems for individual service providers if a client sues to recover data breach losses. Here, the accountant may not have the assets to cover the $200,000 in damages. In a footnote, the Nationwide court noted that efforts made by the pension funds to recover from the accounting firm were pending, although it was unclear whether those efforts were of the legal variety, or whether the firm had professional liability or other coverage for this loss.

The attorneys in Governo Law Firm’s Data Privacy and Cyber Liability Practice Group specialize in compliance, insurance, risk management, and litigation for companies dealing with data security and breach issues. Please contact David Governo at [email protected] or Nancy Kelly at [email protected] for more information on compliance with state and federal data privacy laws.