Cybersecurity Starts at the Top: Risks and Concerns for Directors and Officers

By: Matthew D. Dunn and Melissa J. Erwin, Carter Ledyard & Milburn LLP

While many are no doubt tired of hearing about cybersecurity, hackers and cyber-criminals continue to employ sophisticated and evolving strategies to access data and disrupt organizations, and, unfortunately, this issue is not going away.

CYBERSECURITY, HOWEVER, IS NOT ONLY A PROBLEM FOR legal, compliance, and information technology personnel. While many executives and boardrooms have been proactive in embracing cybersecurity best practices, for many this remains an area for improvement. Recent developments in data breach litigation cases have demonstrated that officers and directors may increasingly be in the crosshairs of claims arising from data breaches and may be exposed to individual liability. In addition, regulatory guidance has increasingly emphasized that formation and oversight of cybersecurity programs and policies should start at the top—with executives and boards of directors.

Several key best practices for officers and directors can be distilled from the recent cases and regulatory developments. These are set forth below followed by a summary of the cases and regulatory guidance.

Best Practices for Officers and Directors

The following are best practices and steps that officers and directors should take to minimize cybersecurity-related risks for their organizations:

• Understand the applicable laws, regulations, and guidance relating to data protection and cybersecurity by consulting with legal advisors or otherwise. Executives and boards should have general knowledge of these matters and access to experts within or outside the organization.
• Ensure that an organizational risk assessment has been conducted and is periodically updated. Identify and address the company’s specific cyber and data protection risks to avoid the consequences and costs associated with a data breach. Officers and directors should know what types of data the organization has and how it is protected.
• Ensure that the organization has robust cybersecurity and data protection and privacy policies that are tailored to the organization’s specific risk profile and are implemented and followed. Officers and directors should be familiar with these policies. Management should educate board members on cybersecurity policies and guidelines that demonstrate reasonable information security procedures and implementation of data protection standards.
• Build compliance into the governance structure. Consider whether the board should have a committee that oversees cybersecurity and data protection issues. Consider appointing a chief information security officer. Ensure that the organization has personnel charged with implementing and enforcing cybersecurity policies and procedures.
• Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.). Obtain a report from the chief information officer or IT director. Consider requiring cybersecurity updates as part of the agenda at board meetings.
• Ensure that the organization has an adequate cyber incident response plan, and that it is updated and practiced. Organizations should conduct cyber breach exercises and penetration tests.
• For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures relating to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents.
• Ensure that there is employee training and education on cyber and data protection policies and the identification of red flags.
• Conduct risk assessment of third-party vendors. Ensure that vendors with access to the organization’s data have adequate cybersecurity and privacy policies to protect such data.
• Review and assess insurance coverage for data breaches and cyber-related incidents and consider separate cybersecurity insurance. Review and assess whether directors and officers insurance covers cybersecurity-related liability.

Data Breach Cases: Claims Against Directors and Officers

Officers and boards of directors owe two primary fiduciary duties to their organizations—the duty of care and the duty of loyalty. The duty of care requires directors and officers to exercise the level of care that a prudent person would use under similar circumstances, which includes not consciously disregarding red flags when there is a duty to take action. There is generally no liability for decisions reasonably made by officers and directors in good faith. The duty of loyalty requires directors and officers to refrain from benefiting themselves at the expense of the corporation that they serve and to refrain from conduct that injures the corporation. In the seminal case on the subject, In re Caremark International, the Delaware Chancery Court stated that a director’s duty of care “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”¹

In the early data breach cases, claims against officers and directors were typically dismissed during motion stages. For example, in, Palkon v. Holmes, a New Jersey federal court dismissed a shareholder derivative suit against Wyndham Worldwide Corporation and its officers and directors arising out of three data breaches between 2008 and 2010 that resulted in hackers obtaining personal and financial data of more than 600,000 customers, holding that the board’s actions were a proper exercise of its business judgment because the board had acted reasonably and had addressed cybersecurity concerns numerous times.² In another case, In re Home Depot Shareholder Derivative Litigation, a Georgia federal court dismissed a case brought by shareholders in response to a 2014 data breach that resulted in the theft of personal financial data of 56 million Home Depot customers, holding that plaintiffs failed to set forth facts showing that the board “consciously failed to act in the face of a known duty to act,” and that “[d]irectors’ decisions must be reasonable, not perfect.”³

In early 2019, a court-approved settlement in In re Yahoo! Shareholder Litigation⁴ shook the sense of security (no pun intended) officers and directors may have been feeling after earlier data breach decisions. In January 2019, a California state court approved a $29 million settlement of three shareholder derivative suits against Yahoo and former officers and directors, including the former CEO, which was the first instance of monetary recovery in a data breach shareholder derivative suit that targeted officers and directors for breach of fiduciary duty.

The Yahoo case arose from allegations that the former officers and directors breached their fiduciary duties by engaging in a yearslong plot and sham investigation to conceal multiple cyberattacks dating from 2013 to 2016. This active concealment included a 2014 cyberattack that resulted in Russian hackers stealing user information associated with at least 500 million user accounts, which was not disclosed until 2016 after Yahoo and Verizon entered into a stock purchase agreement, as well as additional breaches impacting billions of Yahoo user accounts which were also discovered to have been concealed by Yahoo’s directors and officers. As a result of Yahoo’s disclosure of the 2014 cyberattack in 2016, the purchase price for Yahoo was ultimately reduced by $350 million and Yahoo agreed to retain 50% of the liabilities associated with the data breach and 100% of the liabilities from shareholder lawsuits arising from the breach. In addition, as described below, in April 2018, Yahoo’s successor, Altaba, agreed to a $35 million settlement with the Securities and Exchange Commission (SEC) for its failure to timely disclose the data breach. Given the egregious allegations and the SEC settlement, Yahoo agreed to pay $29 million to settle the consolidated cases. It is likely that this case will provide a roadmap for future shareholder suits against officers and directors in the data breach context.

In the same month, in In re Equifax Inc. Securities Litigation, a data breach class action case against the credit-rating firm Equifax and certain officers and directors arising out of a cyberattack in which criminal hackers breached Equifax’s computer network and obtained personally identifiable information of more than 148 million American Equifax customers, a Georgia federal court granted in part and denied in part a motion to dismiss.⁵ The lead plaintiff, representing a class of shareholders, alleged violations of the securities laws by officers and directors, who made false and misleading statements about the vulnerability of the company’s computer systems to cyberattack and its compliance with data protection laws and best practices and failed to take basic steps to protect its computer systems. The court granted the motion to dismiss with respect to the claims against most of the officers and directors; however, it denied the motion as to Equifax’s former CEO and chairman of the board, who was alleged to have had personal knowledge that Equifax’s data protection systems were grossly inadequate and yet knowingly or recklessly made false and misleading statements about the company’s data security, and had the power to control cybersecurity policies and the statements made about such policies that resulted in securities law violations.⁶

Also in 2019, the Delaware Supreme Court reinforced that directors may be individually liable for a breach of their duty of loyalty if they fail to make a good faith effort to implement “a reasonable boardlevel system of [compliance] monitoring and reporting.”⁷ While this case involved a food and beverage company’s listeria outbreak, the lesson is applicable when considering a board’s cybersecurity oversight obligations.

Courts will likely be less understanding over time as the hacks keep coming, and the business judgment rule will not protect a board that does not have its eyes on cybersecurity.

SEC and Other Regulatory Guidance and Enforcement

While the SEC has for years warned companies about cybersecurity risks and related reporting obligations, in 2018 it issued new interpretative guidance concerning the obligations of publicly traded companies to disclose cybersecurity incidents and issues.⁸ In October 2018, the SEC issued an investigative report which emphasized that issuers, in complying with the requirement to have sufficient internal accounting controls, should consider cyberrelated threats, including protection against spoofed or manipulated electronic communications.⁹

The SEC has specifically emphasized that it is the board’s role to understand the risks, ensure that the company is addressing those risks, and oversee the company’s cybersecurity program. The SEC indicates that companies should, as part of their proxy statement, disclose the board’s involvement in cybersecurity efforts and risk management and should specifically indicate “the nature of the Board’s role in overseeing the management of that risk.”¹⁰ SEC Commissioner Robert J. Jackson, Jr., in a 2018 speech relating to cybersecurity, reinforced the important role and obligations of officers and directors:

In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company’s business.¹¹

Although this 2018 guidance related only to public companies, the SEC has issued guidance and best practices for other regulated entities under the federal securities laws, such as investment advisers, broker-dealers, and self-regulatory organizations, and has a website dedicated to cybersecurity issues, which similarly focus on the importance of well-implemented cybersecurity policies and procedures.¹²

The SEC has begun bringing enforcement actions in connection with cybersecurity-related failures and misconduct, and such enforcement actions will likely increase in the coming years. In March 2018, the SEC filed an enforcement action (with parallel criminal charges) against the former chief information officer of a U.S. business unit of Equifax for insider trading in connection with the sale of shares prior to the public disclosure of a massive data breach.¹³ As a result of the SEC enforcement action, the executive was ordered to pay disgorgement and prejudgment interest totaling $125,636, is prohibited from acting as an officer or director of any public company for a period of 10 years, and was sentenced to four months in federal prison in the parallel criminal action.¹⁴ In April 2018, the SEC imposed a $35 million penalty on Yahoo successor Altaba, in the SEC’s first cybersecurity enforcement action against a public company for failing to timely disclose a data breach.¹⁵ In September 2018, a brokerdealer and investment adviser agreed to pay $1 million to settle SEC charges related to its failure to have sufficient cybersecurity policies and procedures to prevent a cyber intrusion that compromised personal information of thousands of customers, which was the first of its kind enforcement action for violations of the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.¹⁶

Companies also increasingly may be subject to cybersecurity, data protection, and data breach laws and regulations, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and New York’s recently enacted Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The GDPR, CCPA, and SHIELD Act impose requirements on companies that collect or possess certain personal information and can apply to companies located anywhere in the world. In addition, the Federal Trade Commission, the U.S. Department of Health and Human Services, and Federal Communications Commission regulate data privacy and security in specific contexts.

Conclusion

Given the continued threat of cyberattacks and breaches and the complex regulatory landscape, strong corporate defenses and compliance best practices should start at the top—with officers and directors. The costs associated with data breaches can be significant, and data breaches may lead to investigations by state or federal agencies, regulatory fines and sanctions, private litigation, shareholder suits, and even liability for officers and directors. Executives and boards are encouraged to consult counsel regarding cybersecurity compliance and initiatives.

Matthew D. Dunn is a partner at Carter Ledyard & Milburn LLP, representing clients in complex litigation and cybersecurity and data privacy matters. Melissa J. Erwin is counsel at the firm, representing clients in white-collar criminal defense, commercial litigation, and employment law, as well as cybersecurity and data privacy matters. The authors can be reached at mdunn@clm.com and erwin@clm.com, respectively.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Cybersecurity Risk Management > Articles

Related Content

1. 698 A.2d 959, 970 (Del. Ch. 1996). 2. 2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 20, 2014). 3. 223 F. Supp. 3d 1317 (N.D. Ga. 2016). 4. Case No. 17-CV-307054 (Cal. Sup. Ct., Santa Clara Co. Jan. 4, 2019). 5. 357 F. Supp. 3d 1189 (N.D. Ga. 2019). 6. Id. at 1240-52. 7. Marchand v. Barnhill, 212 A.3d 805, 821 (Del. 2019). 8. Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities and Exchange Commission (Feb. 21, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf. The SEC has made clear that it expects companies to have comprehensive cybersecurity policies and procedures; to be transparent regarding cyber risks, security, and incident preparedness; and to make timely and non-generic disclosures in public filings. The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, and reputational consequences. Further, the SEC requires companies to “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.” 9. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018), https://www.sec.gov/litigation/investreport/34-84429.pdf. 10. Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 CFR Parts 229 and 249, SEC Release Nos. 33-10459 and 34-82746 (Feb. 6, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf. 11. Robert J. Jackson Jr., Commissioner, Securities and Exchange Commission, Corporate Governance: On the Front Lines of America’s Cyber War (Mar. 15, 2018), https://www.sec.gov/news/speech/speech-jackson-cybersecurity-2018-03-15. 12. See Spotlight on Cybersecurity, the SEC, and You, https://www.sec.gov/spotlight/cybersecurity; see also Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P—Privacy Notices and Safeguard Policies, SEC Risk Alert (Apr. 16, 2019), https://www.sec.gov/files/OCIE%20 Risk%20Alert%20-%20Regulation%20S-P.pdf (risk alert for investment advisers and broker-dealers, which emphasized that Regulation S-P requires registrants to have written policies and procedures for the protection of customer records and information); Cybersecurity Guidance, SEC Division of Investment Management (Apr. 2015), https://www.sec.gov/investment/im-guidance-2015-02.pdf (cybersecurity guidance for registered investment companies and registered investment advisers); Observations from Cybersecurity Examinations, SEC Risk Alert (Aug. 7, 2017), https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf (observations and guidance from cybersecurity examinations of broker-dealers, investment advisers and investment companies); SEC Staff Guidance on Current SCI Industry Standards (Nov. 19, 2014), https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf (adoption of Regulation Systems Compliance and Integrity applicable to certain self-regulatory organizations, including registered clearing agencies, alternative trading systems, plan processors, and exempt clearing agencies). 13. Former Equifax Executive Charged With Insider Trading, SEC Press Release No. 2018-40 (Mar. 14, 2018), https://www.sec.gov/news/press-release/2018-40. 14. SEC Obtains Final Judgment Against Former Equifax Executive Charged with Insider Trading, SEC Litigation Release No. 24541 (July 18, 2019), https://www.sec.gov/litigation/litreleases/2019/lr24541.htm; former Equifax employee sentenced for insider trading, U.S. Department of Justice (June 27, 2019), https://www.justice.gov/usao-ndga/pr/former-equifax-employee-sentenced-insider-trading 15. Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, SEC Press Release No. 2018-71 (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71. 16. SEC Charges Firm With Deficient Cybersecurity Procedures, SEC Press Release No. 2018-213 (Sept. 26, 2018), https://www.sec.gov/news/press-release/2018-213.