This is the second of a three-part series on the implications of cybersecurity threats on boards of directors.
The diversion of resources arising out of cybersecurity threats includes, among other things, litigation. A couple of recent examples of litigation filed against corporate boards are instructive.
On January 29, 2014, the second of at least two lawsuits was commenced against Target arising out of a data breach in which many thousands of Target customers’ credit card information was stolen by hackers. The hackers gained access to Target’s network through an HVAC vendor. (Collier v. Steinhafel, U.S. Dist. Court, Minnesota, Civil Action No. 0:14-cv-00266-PAM-JJK.) (This case highlights the importance of ensuring that third-party contracts are drafted in such a manner that the vendor is required to implement protections for customer data, ensure security from an IT standpoint, and provide indemnification in the event of a data breach arising out of the third-party vendor’s operations. In addition, it is important to consider the third-party vendor’s ability to pay indemnification, and also whether it carries cybersecurity insurance.)
The Collier case alleged derivative claims against Target’s directors and officers. Included among the claims were allegations that: 1) the defendants were aware of the importance of private customer information to both Target and its customers; 2) the defendants were aware of the risk to Target that a data breach could occur; 3) the defendants “failed to take reasonable steps to maintain its customers’ personal and financial information”; and 4) the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.” The Collier case also alleged that the defendants “aggravated the damage to customers by failing to provide prompt and adequate notice to customers by releasing numerous statements meant to create a false sense of security to affected customers.” Other allegations included assertions concerning Target’s failure both to prevent the breach and to timely report accurate information concerning the breach, which “severely damaged the company” by subjecting it to numerous class action lawsuits and the possibility of hundreds of millions of dollars in damages to the company. Finally, the Collier complaint sought monetary damages and injunctive relief “by way of significant corporate and managerial reforms to prevent future harm to the Company by disloyal directors and officers.”
Thus far, lawsuits such as these have proven unsuccessful, failing on the basis of the business judgment rule, which has been interpreted to impose a very heavy burden upon plaintiffs seeking to recover damages against officers and directors. (See Palkon v. Holmes, 2014 WL 5341880, D.N.J., Oct. 20, 2014.) The Collier case is still ongoing.
The Palkon case, supra, is also instructive. Relying heavily on In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), the Palkon court granted a Rule 12(b)(6) motion to dismiss filed by the directors of Wyndham Worldwide Corporation. The Palkon complaint alleged, among other things, that the director defendants “failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers’ data.” The complaint further alleged that the director defendants “failed to timely disclose the data breaches after they occurred . . . [and] that these actions damaged [Wyndham’s] reputation and cost it significant legal fees.”
As noted above, in dismissing the plaintiff’s claims, the court relied heavily on the Caremark case. In so doing, the court noted the “business judgment rule’s strong presumption, [whereby] courts uphold even cursory investigations by boards in refusing shareholder demands.” (Palkon, at *5.) However, the Palkon court’s inquiry did not end with this legal pronouncement; instead, the court carefully reviewed the actions taken by the Wyndham directors in the wake of the data breach, including, among other things: 1) that the board was familiar with the factual underpinnings of the plaintiff’s demand by virtue of previous board discussions of cyber-attack risks during at least 14 meetings prior to the data breach; 2) that Wyndham’s general counsel “[a]t every quarterly meeting . . . gave a presentation [to the board] regarding the Breaches, and/or [Wyndham’s] data-security generally”; and 3) that Wyndham’s “[a]udit committee discussed these same issues in at least sixteen committee meetings during this same time period.”
Although the Palkon court ultimately held in favor of the director defendants by dismissing the case based upon the business judgment rule, the mere filing of cases like Palkon and Collier makes it evident that cases seeking to hold directors liable for data breaches are here to stay, and eventually one will likely succeed. Moreover, as discussed above, given the regulatory scrutiny now being directed at corporate boards in the area of cybersecurity, it is critical that boards take a very “hands-on” approach to cybersecurity by developing a plan to: 1) detect cyber incidents as quickly as possible; 2) deal with them when they occur in an orderly and pre-planned fashion; 3) minimize the reputational damage that follows a cyber-attack; 4) ensure that third-party vendors have safeguards in place to protect company information; 5) comply with all state and federal laws and regulations that apply to preventing data breaches and to reporting them when they occur; and 6) protect the company through appropriate cyber-insurance.
The legal standard is whether the board acted rationally, reasonably and in good faith in seeking to protect the company against cyber threats; the mere fact that a data breach occurs does not mean that the board acted irrationally or unreasonably, or that it will, ipso facto, be found liable. (See Caremark, supra, 698 A.2d at 967.) (After-the-fact analysis, and second-guessing, of a board’s conduct is not the standard.) Regardless, and notwithstanding the difficult and heavy burden that plaintiffs bear in overcoming the business judgment rule under Caremark and its progeny, there can be no doubt that more cases will be filed, and that the law will continue to evolve in this area. Directors should therefore be aware and act accordingly.
Next week, the third part of this series will address what boards of directors can do in the face of ever-increasing cybersecurity threats.