Controlling Board & Officer Cybersecurity Liability
High-profile breaches have affected millions of customers and employees. They have created major losses to businesses through direct response costs, penalties, lawsuits, business disruption, and loss of shareholder value. Officers and directors face the possibility of personal liability for these losses.
Directors have so far been generally free from personal liability for cybersecurity breaches because their duties were unclear. Personal fiduciary liability claims against major company directors have been dismissed because the directors’ cybersecurity monitoring duties were not clear enough to be “known duties” that give rise to personal liability. Courts concluded claims that directors should have known of threats or had access to information about threats did not create liability for them.
Current trends suggest directors may be more likely to face personal liability for future cybersecurity breaches as their cybersecurity responsibilities become clearer.
A Georgia judge declined to dismiss a claim against a director who had personal knowledge of cybersecurity vulnerabilities, yet misrepresented the strength of the organization’s technology.
A judge in California approved the first settlement against directors and officers of a company over a data breach.
The complexity and frequency of breaches, the severe consequences they have, and the growth of the cybersecurity industry are all working to clarify directors’ cybersecurity duties.
When directors fail to institute or monitor cybersecurity measures, or consciously disregard red flags they have a known duty to address, shareholders may bring claims to hold directors personally liable. The Blue Bell Ice Cream case shows how board oversight can play into liability issues.
Blue Bell operates manufacturing plants. In 2015, it suffered a listeria outbreak in several of its plants that spread and caused three deaths. The company was forced to recall products, shut down production at several plants, and lay off a large part of its workforce.
Blue Bell had a history of food safety violations, but there was little evidence the board was addressing those concerns. Shareholders sued the officers and directors, saying they breached their duties by failing to make good-faith efforts to ensure the company’s regulatory compliance programs were adequate. The complaint said the board had no committee overseeing food safety, no process to address food-safety issues or to be advised of food-safety reports or developments. After the lower court dismissed the case against the directors, the appeals court reinstated it, saying the complaint adequately alleged the directors violated their duty by consciously failing to attempt to assure that reasonable information and reporting systems existed and by failing to conduct reasonable investigations.
The principles in the Blue Bell case apply directly to cybersecurity risk. If a company suffers significant losses due to a data breach, and the directors failed to design board-level systems to oversee and monitor organizational risk, or consistently failed to monitor systems for red flags or cyber threats or to conduct reasonable investigations, they could be personally liable. In June 2014, an SEC Commissioner counseled boards of directors that they were already responsible for overseeing the management of all types of risks and that there was little doubt cyber risk must also be considered part of the board’s overall risk oversight.
What Directors and Officers Should Do
Understand the laws, regulations, and guidance on data security and privacy that apply to the business by consulting with appropriate experts. Know which regulatory bodies have authority over your business.
Ensure your business has conducted a cyber-risk assessment and understands its vulnerabilities. Be aware of what data your business collects or maintains and how data flows through it.
Public company directors should ensure there are effective controls and procedures to address cybersecurity risks and incidents in filings and disclosures.
Ensure your business has a written information security program and data privacy and security policies tailored to your risk profile.
Ensure employees receive regular security and privacy training, that policies are updated, and that policies are properly implemented and enforced.
Implement cybersecurity reporting systems and controls. Monitor systems to remain ahead of potential risks, red flags, and cybersecurity threats.
Ask personnel about the security practices and policies and any changes or red flags related to cybersecurity. Consider deficiencies revealed in audits and adopt a security plan that is tailored to the organization’s specific risk profile.
Ensure at least one director is sufficiently technically educated to lead board discussions and questions on information security.
Include cybersecurity as a topic at board meetings and ensure that the board is focused on security.
Establish a culture of security by consistently updating and enforcing physical and technological security policies.
Oversee the selection and monitoring of service providers to ensure the business’s information remains free of unnecessary risk and that contracts contain appropriate security and privacy obligations, remedies for breach, and audit rights.
Be familiar with insurance policies that cover cyber risk and data breach response. Ask about their policy limits and exclusions, and whether they cover both first- and third-party data losses.