Intellectual Property Law Update (September 2015)

Senior management of organizations of all types are increasingly at risk in the wake of data breaches and security failures:

  • Data breaches sink careers. Senior management of recent victims of data breaches continue to populate the ranks of the unemployed, a recent addition to their number being the former director of the U.S. Government’s Office of Personnel Management.
  • It’s personal—as in liability. Senior management are in the crosshairs of plaintiffs attorneys’ filing derivative and class action lawsuits for real or perceived lapses. Caremark is proving to be very much alive and adaptive to the data security context. The Delaware Chancery Court declared in this 1996 case that directors can be held personally liable for failing to monitor and supervise the enterprise appropriately and for losses which could have been prevented if they gave their due attention.
  • Multiple government agencies may pursue enforcement actions. The FCC has now joined the FTC, SEC, and state Attorneys General in going after companies for lapses in data security. It does not look good for senior management when the government comes snooping into your data practices and decides to stay put for 20 years or so (and/or imposes a hefty fine).
  • Standard & Poors has very recently stated that it will downgrade bank debt where it is dissatisfied with issuer security practice -­‐ even absent a specific incident.

Some takeaways:

  • Officers and directors must be engaged in matters of data security.
  • Matters of data security should be regularly discussed at Board meetings with references to recognized objective standards and with good minutes kept.
  • IT management must be held accountable for proper practice and results.
  • A viable post-­‐incident response plan must be in place before the breach, and table top exercises performed.
  • Officers’ and directors’ fiduciary obligations under corporate law require them to oversee that data security is properly handled and protected. That translates into regular oversight over cloud computing/storage contracts, and other vendor contracts, with good due diligence, negotiation, and vendor management.
  • Cybersecurity and D&O insurance policies should be evaluated/purchased to fill in gaps in coverage when the inevitable happens. Read the provisions very carefully and understand up front the requirements for coverage in the event of a loss.
  • Public company management and Boards must comply with their special securities law disclosure obligations.
  • In M&A situations, companies should heed the recent Radio Shack – AG Accord regarding handling of consumer information.