In a highly anticipated opinion issued last week, the United States Court of Appeals for the Third Circuit held that the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to regulate cybersecurity. The opinion is the latest development in a legal drama that began after Wyndham Worldwide Corp. (Wyndham) suffered three data breaches between 2008 and 2009. The breaches resulted in the improper disclosure of the personal information of more than 610,000 Wyndham customers.
The fallout from the Wyndham breaches offers several useful lessons about the rapidly evolving legal risks related to cybersecurity. Both public and private companies, and their boards of directors, ignore these lessons at their peril.
The Wyndham litigation has underscored at least two significant new developments in cybersecurity. First, directors can be held individually liable for their failure to adequately manage cyber risks. Second, government regulators, including the FTC and the Securities and Exchange Commission (SEC), among others, are making cybersecurity an increasingly important enforcement priority, and courts are ratifying the agencies’ broad assertion of regulatory authority.
In this environment, directors would be well-advised to begin thinking of cybersecurity as part of the fiduciary duty of care they owe to their companies. Directors who fail to take appropriate measures—both before and after a data breach occurs—risk subjecting their companies to government enforcement actions, and themselves to derivative shareholder lawsuits. Not to mention all of the other risks related to a breach, including damage to a company’s reputation, balance sheet, and stolen intellectual property, just to name a few.
Considering the enormous risks involved, one would think that cybersecurity would be a leading topic of discussion at board meetings these days. Somewhat worryingly, evidence suggests this is far from the case. In a recent survey of 1,000 information technology leaders, roughly 80 percent of those surveyed said they had not briefed their board of directors on cybersecurity in the last 12 months.
Part of the challenge that directors face is the lack of any clear legal standard defining what the law requires them to do in the area of cybersecurity. But as the recent Third Circuit decision affirmed, this lack of specific rules is no excuse for a company maintaining shoddy cybersecurity.
The good news is that while there is no panacea, there are a number of practical steps that companies and directors can and should take to mitigate their cyber risks. This post will outline some of the key legal considerations that directors should keep in mind as they evaluate their own cyber-related responsibilities.
1. Understand Your Duties
The first concept to keep in mind is that cybersecurity likely now falls within a board director’s fiduciary duty of care. This was precisely the argument that plaintiffs’ lawyers made against Wyndham’s directors after the breach. Plaintiffs argued that by failing to ensure adequate cybersecurity at the company, Wyndham’s directors had exposed their company and its shareholders to huge amounts of risk, thus breaching their fiduciary duty of care.
In 2014, a federal district court in New Jersey issued an opinion suggesting that this was a viable legal argument. While the court ultimately dismissed plaintiffs’ claims, it hinted that breach of fiduciary duty claims related to cybersecurity would normally be analyzed under the familiar Caremark standard. Under Caremark, a director’s duty of care includes the duty of oversight. This duty of oversight requires that directors seek to ensure, in good faith, that an adequate corporate information and reporting system exists. Directors must also continue to monitor the information system regularly.
While the court stopped short of saying so, most experts believe that in today’s world, having an adequate corporate information and reporting system means having an adequate cybersecurity policy that protects company and consumer data. This only makes sense, in a world where much of our most valuable information is stored online. Reporting systems are also often a central focus in data breach cases. Following a breach, two of the most important questions are: first, what systems did the company have in place to detect and report when a breach occurs? And second, what kinds of reports and disclosures did the company make following the breach?
Fortunately for Wyndham’s directors, the board had addressed the issue of cybersecurity at several meetings after the breach. The board had also tried diligently to understand why the first breach occurred, and sought to prevent further breaches from occurring. Moreover, the court noted, there was no evidence to suggest that the directors’ conduct was so egregious that the business judgment rule—which normally shields directors who exercise their business judgment in good faith—would not defeat plaintiffs’ claims.
While the Wyndham case interpreted the corporate law of Delaware, the fundamental concepts are similar in most other states, including Minnesota, where directors have a statutory duty under Minn. Stat. § 302A.251 to exercise the same level of care as an ordinarily prudent person would exercise in similar circumstances. Given the huge risks involved, and the prevalence of attacks—experts estimate an average of 32 U.S. companies are hacked each week—it is only prudent to ensure that your company is making reasonable efforts to protect itself from attack.
2. Size Up the Risk
In cybersecurity, as in other areas of risk management, one must have an idea not only of the risks involved, but also of the potential benefits (and costs) of prevention, and a plan for how to respond if your preventive efforts fail. And here some perspective is in order. The unfortunate truth is that however much you may try, it will be difficult, if not impossible, to eliminate the risk of cyberattack. The important thing, then, is to: a) do your diligence to ensure that you are allocating an amount of time and resources proportional to your company’s cyber-risk profile; and b) have a plan in place for if and when a breach does occur.
Whether we like it or not, hacks are a fact of modern life. As FBI Director James Comey testified to Congress, “[t]here are two kinds of big companies … those who’ve been hacked … and those who don’t know they’ve been hacked.” The 2013 IP Commission found that up to 50 percent of cyberattacks go undetected, even by the hacked companies themselves.
Each day, it seems, brings new revelations about widespread cyber vulnerabilities, including at businesses and government agencies that once seemed impenetrable. Just last week, the Defense Department disclosed that China and Russia have begun pooling the hacked data they have about U.S. government officials, including by cross-referencing the information published by the hackers of the anonymous dating website Ashley Madison. Chinese and Russian spies will now be able to determine which U.S. employees committed adultery and would therefore be vulnerable to threats of blackmail and extortion. As one expert at Harvard University cautioned following the Ashley Madison hack, “consumers and companies largely should not have an expectation of privacy.” Indeed.
The point of this information is not to scare you or to induce complacency—quite the opposite. Rather, directors should approach cybersecurity knowing that while preventing an attack may be difficult or impossible, there may be ways to invest in cybersecurity that offer reasonable return on investment. Some of these steps are outlined in the next section.
Moreover, in a world where nobody is immune from cyberattack, it is critical to have a plan in place for if and when a breach does occur. For specific advice about how and why to develop an effective post-breach plan, read the article “Eight Keys for Developing a Data Breach Response Plan” by Sten-Erik Hoidal.
3. Take Reasonable Steps to Show Due Diligence
Here are some easy steps that board directors can take now to minimize their cyber-related liabilities.
- Raise the Issue at Board Meetings
The Wyndham case showed how simply raising the issue of cybersecurity at board meetings can help reduce directors’ liability and demonstrate due diligence. At your next board meeting, consider bringing up the issue. Ask what, if anything, your organization is doing in the area of cybersecurity. If your organization has a designated person responsible for cybersecurity, invite that person to give a presentation to the board. When the presentation is over, ask follow-up questions, and ask for recommendations.
- Bring in Outside Experts
Retain an independent, qualified third party to evaluate your organization’s cybersecurity risk profile and provide specific recommendations for reforms. Then, conduct an in-depth evaluation of the recommendations before deciding whether and how to implement the advice. Directors of corporate boards cannot be expected to be experts in the field of cybersecurity, but they should be able to find an outside consultant who is.
- Consult with Counsel
When making important decisions about cybersecurity, consider bringing in outside counsel. The Wyndham board’s consultation with counsel was another factor that the court found demonstrated good faith and diligence.
4. Know Your Regulator, Know Your Industry
In addition to taking the above steps, directors should also become familiar with whatever regulatory agency has authority over their company, both with respect to cybersecurity and more generally. Many agencies, such as the SEC and the National Institute of Standards and Technology (NIST), have issued guidance that can serve as a useful starting point. Of course, in designing an effective cyber risk management program, directors should consider any industry-specific risks. For example, health-care organizations must take extra precautions to protect patients’ medical records.
The National Institute of Standards and Technology (NIST) has implemented a cybersecurity framework that is mandatory for all organizations that are deemed part of the nation’s critical infrastructure. Although not strictly binding on other non-critical infrastructure companies, the framework is gaining momentum as a de facto standard that companies in many diverse industries are moving to adopt. Companies can access those recommendations here.
The SEC has also issued guidance for registered investment companies and advisers, available here. In addition, SEC Commissioners and staff have offered the following advice:
- Approach cybersecurity as an enterprise-wide concern. A helpful analogy is the way that boards began to implement enterprise-wide accounting controls in the wake of the accounting scandals in the early 2000s.
- At a minimum, boards must develop and communicate a clear understanding of who at the organization is responsible for cybersecurity.
FTC et al.
Using its authority to police unfair trade practices under Section 5 of the FTC Act, the FTC has already brought claims against several companies for inadequate cybersecurity practices, often entering into consent agreements that require companies to undergo extensive monitoring and compliance.
The recent Third Circuit decision is a good reminder that even in the absence of clear statutory authority, many regulators can (and do) exercise broad authority over cybersecurity.
Directors should ask whether their company’s regulator has issued any guidance regarding cybersecurity. If the answer is yes, directors should act now to ensure their company is in compliance. As recent events have made all too clear, sticking one’s head in the sand and ignoring the importance of cybersecurity is no longer a viable option.