Minimizing D&O Cyber Liability
In the second of a series of articles discussing emerging theories of liability for directors and officers, Stephanie Resnick, Philadelphia Office Managing Partner and Chair of the Directors’ and Officers’ Liability Practice Group at Fox Rothschild, and John Fuller, an associate and member of the Directors’ and Officers’ Liability Practice Group at Fox Rothschild, examine the potential legal fallout from a corporate data breach and the best practices for developing comprehensive digital security policies.
with co-author John Fuller
Companies of all sizes face constant cyber threats, ranging from corporate espionage and the piracy of proprietary information to digital thieves stealing funds from online accounts. While directors and officers must be concerned about these cyber threats to corporate assets, in recent years, widespread data breaches – particularly those involving consumer information – have emerged as a significant source of liability for directors and officers themselves. The technological safeguards and procedures for responding to cyberattacks are complex and often involve sophisticated technologies. Nevertheless, officers and directors must understand the steps the company is taking to protect its digital assets.
Recent class action litigation in the wake of catastrophic data breaches has demonstrated how potential litigants may seek to hold directors and officers liable when a breach of corporate security measures occurs.
For instance, in September 2017, credit monitoring and reporting firm Equifax announced a cyber “incident,” which may have disseminated personal and credit information of as many as 143 million U.S. customers. One securities class action complaint filed in the wake of the breach asserted a direct nexus between the oft-pled allegation that the company failed to maintain adequate measures to protect its data systems and the precipitous decline in Equifax’s stock price following the announcement of the data breach. This connection between a data breach and a decline in stock price creates demonstrable damages, even though the potential harm resulting from the misuse of the misappropriated information is incalculable.
To address cyber threats, directors and officers must critically assess the company’s digital assets, implement appropriate security measures based on the nature of the company’s assets and known threats and, significantly, vigilantly monitor the evolution of threats and available safeguards.
In order for directors and officers to discharge their duties in evaluating threats and assessing whether their protections are adequate, directors and officers must personally understand how their company’s technologies work and how the selected safeguards are designed to react to potential threats. Directors and officers cannot merely rely on technology officers and employees, and must be in a position to genuinely engage in the decisions made to protect the company’s technological assets. Boards may, however, create subcommittees to address threats to their corporate technology, provided that the committee’s recommendations are meaningfully implemented by the board and the company as a whole.
A comprehensive digital security program must respond to every digital security incident in some manner. Seemingly innocuous anomalies or “phishing” may be preliminary attempts by cyber criminals to probe for weaknesses in a company’s security. Further, because the reasonableness of the board’s efforts to protect digital assets is measured in part by the known and potential threats to a specific industry or company, the failure to evaluate and upgrade security in response to smaller incidents could create liability if a catastrophic breach occurs.
In addition, boards should be aware of their reporting requirements with respect to the adequacy of their defenses to cyber threats and any attacks the company has experienced. Recently, the Department of Defense has implemented formal cyber-reporting rules for government contractors, and the Federal Communications Commission and U.S. Securities and Exchange Commission have brought enforcement actions against companies for their failure to implement proper cybersecurity safeguards.
Finally, digital security policies must extend beyond computer systems and must include training for management and employees. Human beings are often the weakest point in digital security, and all effective policies must take this vulnerability into account. Accordingly, the board, management and employees should understand protocols for responding when a breach occurs and should also receive training regarding email “phishing” and other scams cyber criminals use to gain access to corporate networks.
Directors and officers are ultimately responsible for ensuring appropriate cyber safeguards are in place. As the threats to data security and defenses continue to grow more complex, the fundamental best practice remains the same: genuine understanding of the threats to the company’s digital assets and fostering compliance with the security policies designed to meet those threats.