Minimizing D&O Cyber Liability

In the second of a series of articles discussing emerging theories of liability for directors and officers, Stephanie Resnick, Philadelphia Office Managing Partner and Chair of the Directors’ and Officers’ Liability Practice Group at Fox Rothschild, and John Fuller, an associate and member of the Directors’ and Officers’ Liability Practice Group at Fox Rothschild, examine the potential legal fallout from a corporate data breach and the best practices for developing comprehensive digital security policies.

with co-author John Fuller

Companies of all sizes face constant cyber threats, ranging from corporate espionage and the piracy of proprietary information to digital thieves stealing funds from online accounts. While directors and officers must be concerned about these cyber threats to corporate assets, in recent years, widespread data breaches – particularly those involving consumer information – have emerged as a significant source of liability for directors and officers themselves. The technological safeguards and procedures for responding to cyberattacks are complex and often involve sophisticated technologies. Nevertheless, officers and directors must understand the steps the company is taking to protect its digital assets.

Recent class action litigation in the wake of catastrophic data breaches has demonstrated how potential litigants may seek to hold directors and officers liable when a breach of corporate security measures occurs.

For instance, in September 2017, credit monitoring and reporting firm Equifax announced a cyber “incident,” which may have disseminated personal and credit information of as many as 143 million U.S. customers. One securities class action complaint filed in the wake of the breach asserted a direct nexus between the oft-pled allegations that the company failed to maintain adequate measures to protect its data systems and the precipitous decline in Equifax’s stock price following the announcement of the data breach. This connection between a data breach and a decline in stock price creates demonstrable damages, even though the potential harm resulting from the misuse of the misappropriated information is incalculable.

To address cyber threats, directors and officers must critically assess the company’s digital assets, implement appropriate security measures based on the nature of the company’s assets and known threats and, significantly, vigilantly monitor the evolution of threats and available safeguards.

In order for directors and officers to discharge their duties in evaluating threats and assessing whether their protections are adequate, directors and officers must personally understand how their company’s technologies work and how the selected safeguards are designed to react to potential threats. Directors and officers cannot merely rely on technology officers and employees, and must be in a position to genuinely engage in the decisions made to protect the company’s technological assets. Boards may, however, create subcommittees to address threats to their corporate technology, provided that the committee’s recommendations are meaningfully implemented by the board and the company as a whole.

A comprehensive digital security program must respond to every digital security incident in some manner. Seemingly innocuous anomalies or “phishing” may be preliminary attempts by cyber criminals to probe for weaknesses in a company’s security. Further, because the reasonableness of the board’s efforts to protect digital assets is measured in part by the known and potential threats to a specific industry or company, the failure to evaluate and upgrade security in response to smaller incidents could create liability if a catastrophic breach occurs.

Further, boards should be aware of their reporting requirements with respect to the adequacy of their defenses to cyber threats and any attacks the company has experienced. Recently, the Department of Defense has implemented formal cyber-reporting rules for government contractors, and the Federal Communications Commission and U.S. Securities and Exchange Commission have brought enforcement actions against companies for their failure to implement proper cybersecurity safeguards.

Finally, digital security policies must extend beyond computer systems and must include training for management and employees. Human beings are often the weakest point in digital security, and all effective policies must take this vulnerability into account. Accordingly, the board, management and employees should understand protocols for responding when a breach occurs and should also receive training regarding email “phishing” and other scams cyber criminals use to gain access to corporate networks.

Directors and officers are ultimately responsible for ensuring appropriate cyber safeguards are in place. As the threats to data security and defenses continue to grow more complex, the fundamental best practice remains the same: genuine understanding of the threats to the company’s digital assets and fostering compliance with the security policies designed to meet those threats.


Stephanie Resnick

Stephanie Resnick is the Office Managing Partner of the firm’s Philadelphia office and is Chair of the Directors’ & Officers’ Liability & Corporate Governance Practice Group. She is consistently ranked among the top business trial lawyers both regionally and nationally and is lauded by her colleagues and peers for her strategic handling of high-stakes, complex business disputes in the federal and state courts of Pennsylvania, New York, New Jersey and beyond. She has served as lead counsel in numerous high-profile litigation matters. She has been noted by peers in top publications such as The Best Lawyers in America, Chambers USA and Benchmark Litigation as “one of the best litigators in the city – aggressive, driven and responsive.” She has an “easygoing but powerful presence” and is noted for her “ability to handle things calmly while maintaining an unflinching stance.”

Stephanie is also a member of the firm’s Executive Committee. She previously chaired the firm-wide national Litigation Department, overseeing more than 250 attorneys in 21 offices, a position she held for seven years. In state and federal courts across the United States, she has earned a reputation for sound judgment and innovative problem solving. Corporate executives, Fortune 500 companies and family-owned businesses turn to Stephanie for solutions to their most difficult and sensitive personal and professional issues.

Stephanie has tried and arbitrated complicated and complex business litigation, including injunctions. She handles the following types of litigation:

  • Directors’ and officers’ liability and corporate governance
  • Shareholder and partnership disputes
  • Family business disputes
  • Defense of class actions
  • Books and records demands
  • Shareholder derivative actions
  • Intellectual property disputes
  • Errors and omissions disputes
  • Unfair business practices and competition and misappropriation of trade secrets
  • Breach of fiduciary duty
  • Federal RICO actions
  • Health care/physician issues
  • Employment litigation, including restrictive covenants
  • Defamation and media issues
  • Ethics and professional liability
  • Insurance and reinsurance issues

In recent years, Stephanie has received a remarkable collection of accolades from the most prestigious ranking organizations in the world.

Stephanie has been named in “The Best Lawyers in America” in Commercial Litigation, and as one of the leading litigation attorneys in Pennsylvania by Chambers USA. Benchmark Litigation lists Stephanie as one of the “Top 250 Female Litigators in America” and as a “Litigation Star” in Pennsylvania. Stephanie was also selected for inclusion in the inaugural edition of the Martindale-Hubbell® Bar Register of AV Preeminent Women Lawyers™, which includes less than five percent of women lawyers, and has been added every year since.

For many years, Stephanie has been named as a “Super Lawyer” and one of the “Top 50 Women Lawyers in Pennsylvania.” She was one of only 10 women included in a list of the “Top 100 Lawyers in Pennsylvania” by Philadelphia Magazine and Law & Politics Magazine, which also recognized her as one of the “Top 100 Lawyers in Philadelphia.”

Stephanie is also a recipient of the coveted Sandra Day O’Connor Award, presented by the Philadelphia Bar Association. Named for the first woman justice on the U.S. Supreme Court, the award has been conferred annually since 1993 on a woman attorney who has achieved the highest degree of professional excellence in her field and has visibly used her position and stature in the community to mentor, promote and advance other women lawyers.