Cyber incidents can pose a threat to any business. A recent bankruptcy case, In re Jerico Pictures, Inc., d/b/a National Public Data (“National Public Data”),[1] demonstrates that the growing recognition of the danger posed by cyber risks is also leading to greater expectations on companies to protect themselves from those risks, including through insurance.
National Public Data operated a subscription-based data service specializing in employee background checks, relying on bulk data collection of public records such as criminal records, addresses, and employment history. In December 2023, the company suffered a significant data breach orchestrated by the notorious hacker “USDoD,” compromising a database containing millions of records of Personally Identifiable Information. This breach led to sensitive data surfacing on dark web marketplaces. The fallout was severe, as National Public Data faced nearly two dozen class action lawsuits, regulatory scrutiny, customer attrition, and the obligation to notify and provide credit monitoring to potentially hundreds of millions of individuals under various state laws. In the face of these pending liabilities, the company filed for Chapter 11 bankruptcy on October 2, 2024.
The United States Trustee (the government entity responsible for safeguarding the interests of stakeholders in bankruptcy proceedings) moved to dismiss National Public Data’s bankruptcy petition on various grounds, including that the debtor failed to maintain appropriate insurance coverage to protect its remaining estate.[1] Section 1112(b)(4)(C) of the U.S. Bankruptcy Code, 11 U.S.C. § 1112(b)(4)(C), provides that a bankruptcy petition may be dismissed for the debtor’s “failure to maintain appropriate insurance that poses a risk to the estate or to the public.” In its motion, the U.S. Trustee noted that National Public Data’s insurer had already denied coverage for the pre-petition breach and that the debtor had no liability insurance to cover a post-petition data breach.[2] The U.S. Trustee argued that the company’s failure to secure adequate insurance against data breaches not only put the estate at imminent risk but also posed broader dangers to the public, in violation of Bankruptcy Code § 1112(b)(4)(C).[3]
Notably, there are no previously reported cases where §1112(b)(4)(C) has been applied to cyber insurance. Because unsecured creditors are prohibited from seizing estate assets to satisfy claims while a bankruptcy proceeding is pending, insurance for the estate must be sufficient to prevent losses that could reduce the estate’s value for unsecured creditors. “Thus, a policy of insurance that insures tangible property against casualty loss such as fire insurance, but only protects the value of a secured lender’s interest in the collateral may be inadequate to protect the risk to the estate.”[1] The United States Trustee Manual lists a number of types of insurance that the Trustee may consider necessary to protect the estate and the general public depending on the circumstances of the bankruptcy case, including fire and extended liability insurance, general liability insurance, worker’s compensation and unemployment insurance, employee health insurance, malpractice insurance, product liability insurance, and liquor or dramshop insurance.[2] However, the manual makes no mention of cyber coverage, and §1112(b)(4)(C) appears not to have been applied to such coverage previously.
So, what does this mean?
National Public Data demonstrates that as cyber incidents pose increasing danger to any business, expectations as to how companies manage those risks may increase as well and may have implications for corporate governance. A major cyber incident may be able to trigger “event-driven” shareholder derivative claims, in which plaintiffs allege that the board breached its duties by failing to adequately manage the company’s cyber risks. A well-structured cyber insurance program that effectively covers cyber-related losses can serve as a first line of defense, potentially reducing the likelihood or severity of such claims altogether. As cybersecurity threats continue to escalate, especially as artificial intelligence becomes more prevalent, managing the associated risk through insurance may evolve from protection that is nice to have if possible into an insurance must-have like D&O coverage. It is more important than ever that companies have strategies in place to mitigate the growing risk of cyber incidents.
[1] 7 Collier on Bankruptcy P 1112.04.
[2] See 3 United States Trustee Manual, ch. 11, Case Administration, § 3-3.2.3; see also In re Van Eck, 425 B.R. 54, 59 (Bankr. D. Conn. 2010) (citing Gilroy v. Ameriquest Mortg. Co. (In re Gilroy), 2008 Bankr. LEXIS 3968 (B.A.P. 1st Cir. Aug. 1, 2008)); In re Daniels, 362 B.R. 428, 435-36 (Bankr. S.D. Iowa 2007).
[1] Emergency Mot. Of United States Trustee to Dismiss This Case And Request For Expedited Hearing 1, ECF No. 24, In re Jerico Pictures, Inc., No. 24-20281-BKC-SMG (Bankr. S.D. Fla. October 23, 2024). That motion was ultimately granted, and the petition dismissed, on other grounds. See Order Granting United States Trustee’s Emergency Motion To Dismiss Case And Request For Expedited Hearing (DE 24), ECF No. 31, In re Jerico Pictures, Inc., No. 24-20281-BKC-SMG (Bankr. S.D. Fla. October 31, 2024); Transcript, ECF No. 37, In re Jerico Pictures, Inc., No. 24-20281-BKC-SMG (Bankr. S.D. Fla. March 5, 2025).
[2] Emergency Mot. Of United States Trustee to Dismiss This Case And Request For Expedited Hearing 3, ECF No. 24, In re Jerico Pictures, Inc., No. 24-20281-BKC-SMG (Bankr. S.D. Fla. October 23, 2024).
[3] Emergency Mot. Of United States Trustee to Dismiss This Case And Request For Expedited Hearing 4-5, ECF No. 24, In re Jerico Pictures, Inc., No. 24-20281-BKC-SMG (Bankr. S.D. Fla. October 23, 2024).
[1] In re Jerico Pictures, Inc., No. 0:24-20281-BKC-SMG, (Bankr. S.D. Oct. 2, 2024).