BreachExchange mailing list archives

Breaches in the Boardroom: What Directors and Officers can do to Reduce the Risk of Personal Liability for Data Security Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Feb 2015 18:37:08 -0700

http://www.jdsupra.com/legalnews/breaches-in-the-boardroom-what-director-78635/

Corporate directors and officers may increasingly be targets of shareholder
derivative lawsuits in the wake of the surge of regulatory actions and
private litigation around data breaches.  While no individual directors
or officers have to date been held liable for the costs of a data breach,
such lawsuits have been filed, and the signals from plaintiffs’ attorneys
indicate that, if they have their way, the wave will break soon.  Corporate
leaders need not be caught off guard.  As a recent court decision confirms,
the risk of individual liability can be mitigated by taking proactive
measures.

Data Breaches on the Rise

2014 was hailed as yet another year of the data breach.  A recent study by
the Ponemon Institute estimates that 43% of companies experienced a data
breach last year, led by high-profile incidents at Target, eBay, Adobe,
Snapchat, Michaels, Home Depot, Neiman Marcus and AOL.  And, of course,
2014 was capped off by the breach of Sony Pictures Entertainment, which
splashed celebrity gossip and entertainment industry chatter across the
headlines, as well as business-critical, confidential information regarding
company financials and projections and employees’ personal information.

Personal Liability for Directors and Officers—Caremark is Alive and Well

A shareholder derivative action is a lawsuit brought by a corporation’s
shareholders, ostensibly on behalf of the corporation, and often against
the corporation’s directors and officers.  In its 1996 Caremark decision,
the Delaware Chancery Court declared that, in such actions, directors can
be held personally liable for failing to “appropriately monitor and
supervise the enterprise.”  The court emphasized that a company’s board of
directors must make a good faith effort to implement an adequate corporate
information and reporting system.  Failing to do so can constitute an
“unconsidered failure of the board to act in circumstances in which due
attention would, arguably, have prevented the loss.”

The Caremark case has become a beacon across the corporate world for
director conduct and now covers officers, including general counsel.
Directors and officers must not demonstrate a “conscious disregard” for
their duties or ignore “red flags”; doing so can result in a director or
officer being held personally liable for a corporation’s losses.  This is
because, as the Delaware Supreme Court later clarified in Stone v. Ritter,
conduct that evidences a lack of good faith may violate the fiduciary duty
of loyalty.  And, although Delaware law allows a corporation to waive or
limit a director’s liability for violations of the duty of care, such
waivers or limits are not allowed for the duty of loyalty.

While the Caremark case did not address information assets and corporate
duties to protect them, its reasoning is being readily applied by
plaintiffs seeking to capitalize on the cybersecurity issues confronting
companies today.  At least one expert, UCLA Professor Stephen Bainbridge,
has suggested that no good reason exists to distinguish past Caremark
decisions on lax legal compliance and accounting controls from potential
widespread failures to implement and maintain appropriate risk management
policies.

Regulators Step up Pressure

Government enforcement of data security standards has proliferated, and
regulatory actions often are cited in subsequent shareholder derivative
actions.  Such actions are pointed to both as “red flags” that should have
led officers and directors to anticipate problems and as measures that
reduced corporate value.  Leading the regulatory charge, the Federal Trade
Commission recently announced its 53rd data security settlement, while
noting that the number is “likely to go up.”

Other agencies have also staked a claim in the data security regulation
gold rush.  Among banking industry regulatory agencies, the Federal
Financial Institutions Examination Council recently announced a new
regulatory self-assessment for banks’ cybersecurity risks and the Federal
Deposit Insurance Corporation has declared cybersecurity a main supervisory
focus. Building on its 2011 guidance on corporate disclosure obligations
relating to “cybersecurity risks and cyber incidents,” the Securities and
Exchange Commission recently released a risk alert on the cybersecurity
preparedness of registered broker-dealers and investment advisers.
Subsequently, the frequency with which public companies have reported data
breaches has increased dramatically.  Likewise, in October 2014, the
Federal Communications Commission fined two companies $10 million each for
maintaining “unjust and unreasonable” data security practices in violation
of the Communications Act of 1934.  A senior FCC official noted that it was
the agency’s first data security enforcement action, “but it will not be
the last.”  And state attorneys general have enforced both state and
federal statutes against companies doing business within their
jurisdictions.  As a result, the risks to enterprises, and therefore their
relevance to directors and officers, are increasing dramatically.

The Plaintiffs’ Bar Follows Suit

Those directly affected by data breaches – consumers and businesses alike –
have followed the increase in enforcement actions and brought their own
suits, often as class actions.  The slew of lawsuits filed against Target
Corporation after the 2013 hack of its payment system exposed the financial
information of 110 million customers is typical.  A class of consumers is
seeking damages for Target’s alleged negligence in exposing their personal
financial information, and a group of banks is seeking reimbursement from
Target for the cost of reimbursing fraudulent charges and for replacing
credit and debit cards.  Last month, a federal judge in Minnesota denied
Target’s motion to dismiss both cases.

Shareholders Seize the Opportunity

In the wake of a data breach, companies can face government enforcement,
significant fines, litigation settlements or judgments, and declining share
prices, all of which are fodder for shareholder derivative lawsuits brought
under Caremark.  A number of such lawsuits have in fact recently been
filed.  Although their filing confirms the risks of personal liability that
directors and officers face in the event of a data breach, a federal
district court’s recent decision in a data breach case involving Wyndham
provides a roadmap for some appropriate proactive measures to help mitigate
those risks.

After hospitality company Wyndham Worldwide Corporation suffered three data
breaches between 2008 and 2010, a shareholder brought a derivative action
on behalf of the corporation against Wyndham’s board.  Coming after the FTC
had initiated an enforcement action (which remains pending on appeal
today), the plaintiffs in Palkon v. Holmes alleged that Wyndham had failed
to implement adequate data security mechanisms and that this failure
allowed hackers to steal the data of over 600,000 customers. They seek to
assert claims on behalf of the company against its directors and officers
for their alleged role in those failings.

In October 2014, a New Jersey court dismissed the case with prejudice,
deferring to the board’s business judgment that the company should not
bring such a case against its officers and directors.  In its opinion
citing the Delaware case law spawned by the Caremark case, the court
highlighted the board’s engaged and thorough response to two demand letters
and a prior FTC investigation.  Specifically, the court found that the
board had discussed the breaches at 14 meetings between 2008 and 2012, the
Wyndham Audit Committee had discussed the breaches in at least 16 meetings
during that same period, and the board had engaged an outside technology
firm to assess Wyndham’s information security policies.  This record of
extensive consultation led the court to conclude that the board “had enough
information when it assessed plaintiff’s claim,” and hence that the board’s
decision not to bring suit was within its broad discretion under the
business judgment rule.

Although the court did not need to reach the merits of the plaintiff’s
claims (because of its ruling that the plaintiff had no right to pursue
those claims on the company’s behalf), it specifically stated that the
suit fell short of alleging, as Caremark requires, that the board had
“utterly failed to implement any reporting or information system [or]
consciously failed to monitor or oversee its operations.”  The court
noted that “security measures existed when the first breach occurred,” and
that the board had addressed data security concerns “numerous times.”

The Wyndham case thus shows that the risk of shareholder derivative
actions against directors and officers arising from a data breach is very
real, but also that strong defenses, both on the threshold demand
requirement and on the underlying merits, can be presented if companies take
appropriate measures before a breach and, if necessary, again after one.

Moving Data Security from the Server Room to the Board Room

Data security and information governance are increasingly part of the
board-level communications as the centrality of information to enterprises
continues to grow.  But these discussions cannot happen quickly enough—the
same Ponemon Institute study that found almost half of U.S. companies
experienced a data breach in 2014 also noted that 27% did not have a data
breach response plan in place.

Cybersecurity is becoming ubiquitous in the United States and with that
saturation comes the potential for greater liability.  Because of the klieg
lights currently trained on data security, corporate defendants will find
it difficult to argue that there were no “red flags,” likely opening the
door to Caremark just wide enough for waiting plaintiffs to walk right in.

The good news is that, as the Wyndham case confirms, it is possible for
directors and officers to take action that will satisfy their Caremark
duties.  Some measures frequently identified that boards may consider
include:

- Hire a Chief Information Security Officer and engage outside technical
experts to conduct regular assessments and to educate officers and board
members on data security.
- Evaluate and/or appoint a board committee to focus on data protection.
- Have the board regularly address and deliberate when deciding issues of
data security, and carefully document the deliberations to demonstrate
appropriate care.
- Adopt a security plan that is tailored to the company’s specific risk
profile (and review and assess those risks systematically on a regular
schedule and as needed in response to specific threats).
- Hold information and training sessions to increase awareness at all
corporate levels.
- Perform gap analyses and comparative benchmarking with peer organizations
that hold similar types of information.
- Learn from experience.  Perfect security doesn’t exist but every
organization can learn.
- Ensure open lines of communication.  Often competing pressures may limit
IT’s ability to deliver security, but by enabling open and direct
communication to and with the board and senior management, security risks
have a greater chance of being addressed appropriately.
- Review D&O insurance and related insurance policies holistically for
coverage regarding security incidents and protection of the company’s
brand, information assets and other assets.

Just as no perfect security exists, there are no perfect solutions for
officers and directors.  Fortunately, the courts have not required
perfection.  Rather, by being able to demonstrate attention and care,
including some or all of the steps set forth above, officers and directors
can both help protect the organizations they serve and mitigate the risk of
personal liability in this rapidly emerging and increasingly important area.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
