A company’s intellectual property, for instance its client databases, can be by far one of its most valuable assets. The increase in the use of technology in businesses of all sizes has meant that more and more of a company’s most important documents are stored in online systems as opposed to being locked away in a safe, as would have been the case in years gone by. As a result, directors face the challenge of implementing measures to identify and counter the risks that are associated with the use of technology in order to comply with their duties as directors under the Companies Act 2006 (“the Act”) and their traditional fiduciary duties at common law.
What are the risks?
Any data stored in an online system is vulnerable to being attacked by third party hackers. If appropriate measures are not taken, companies risk their most valuable data being deleted or corrupted. This is particularly true for companies which allow their employees to access their emails from remote devices; often an employee’s home computer will not have the same sophisticated security software that has been installed on the company’s office computers. It is estimated that over 90% of large organisations will suffer a digital security breach each calendar year, so taking steps to protect intellectual property is essential for directors to comply with their duties.
Which duties are affected?
Firstly, directors have a duty under section 172 of the Act “to promote the success of the company”. In order to comply with this duty, directors must have regard to the interests of the company’s employees and the need to foster the company’s business relationships with suppliers, customers and others. If a company stores data in relation to its employees, suppliers and customers in an online system, as many businesses do, then a director will have failed to comply with his duty under the Act if adequate measures are not taken to protect this information from being stolen.
Directors must also have regard to the impact of the company’s operations on the community and the environment. Depending on the industry that the company operates in, a digital security breach could have severe environmental consequences if the breach inhibits the use of monitoring and safety systems.
A digital security breach has the potential to cause a company severe reputational damage. Not only could this lead to a certain degree of professional embarrassment, it could also be a breach of a director’s duty if the director is deemed to have failed to have had regard to maintaining the company’s reputation for high standards of business conduct.
Under section 174 of the Act, directors have a duty to “exercise reasonable care, skill and diligence”. In the context of implementing digital security measures, a director will need to exercise reasonable care and skill in the measures that he implements himself and also in choosing and appointing an appropriate third party to implement more sophisticated measures. The Act specifies that both the director’s actual knowledge and the knowledge that may reasonably be expected of a person carrying out the director’s functions should be taken into account when deciding what level of care, skill and diligence will be deemed reasonable.
If a director is found to have breached his duties under the Act or at common law, the company may be able to bring a claim against the director which could result in him being personally liable to pay damages for any loss suffered as a result of the breach.
How to comply with the duties
In order to comply with their duties to promote the success of the company and to exercise reasonable care, skill and diligence, directors should ensure that adequate security measures are in place to prevent cyber attacks on the company’s intellectual property. Given that most directors are unlikely to have the expertise required to implement the measures themselves, they should ensure that the task is delegated to a competent third party and reasonable care, skill and diligence should be exercised when deciding upon which third party to use.
This article is supplementary to the Directors’ Toolkit which can be found here.