While many are no doubt tired of hearing about cybersecurity, hackers and cyber-criminals continue to employ sophisticated and evolving strategies to access data and disrupt organizations, and, unfortunately, this issue is not going away. Cybersecurity, however, is not only a problem for legal, compliance, and IT personnel. While many executives and boardrooms have been proactive in embracing cybersecurity best practices, for many this remains an area for improvement. Recent developments in data breach litigation cases have demonstrated that officers and directors may increasingly be in the cross-hairs of claims arising from data breaches and may be exposed to individual liability. In addition, regulatory guidance has increasingly emphasized that formation and oversight of cybersecurity programs and policies should start at the top—with executives and boards of directors.
Several key best practices for officers and directors can be distilled from the recent cases and regulatory developments. These are set forth below followed by a summary of the cases and regulatory guidance.
Best Practices for Officers and Directors
The following are best practices and steps that officers and directors should take to minimize cybersecurity-related risks for their organization:
- Understand the applicable laws, regulations, and guidance relating to data protection and cybersecurity, by consulting with legal advisors or otherwise. Executives and Boards should have general knowledge of these matters and access to experts within or outside the organization.
- Ensure that an organizational risk assessment has been conducted and is periodically updated. Identify and address the company’s specific cyber and data protection risks in an effort to avoid the consequences and costs associated with a data breach. Officers and directors should know what types of data the organization has and how it is protected.
- Ensure that the organization has robust cybersecurity and data protection and privacy policies tailored to the organization’s specific risk profile, and they are implemented and followed. Officers and directors should be familiar with these policies. Management should educate board members on cybersecurity policies and guidelines that demonstrate reasonable information security procedures and implementation of data protection standards.
- Build compliance into the governance structure. Consider whether the Board should have a committee that oversees cybersecurity and data protection issues. Consider appointing a Chief Information Security Officer. Ensure that the organization has personnel charged with implementing and enforcing cybersecurity policies and procedures.
- Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.). Obtain a report from the Chief Information Officer or IT Director. Consider requiring cybersecurity updates as part of the agenda at board meetings.
- Ensure that the organization has an adequate cyber incident response plan, and that it is updated and practiced. Organizations should conduct cyber breach exercises and penetration tests.
- For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures, including as related to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents.
- Ensure that there is employee training and education on cyber and data protection policies, and the identification of red flags.
- Conduct risk assessment of third-party vendors. Ensure that vendors with access to the organization’s data have adequate cybersecurity and privacy policies to protect such data.
- Review and assess insurance coverage for data breaches and cyber-related incidents, and consider separate cybersecurity insurance. Review and assess whether directors and officers insurance covers cybersecurity-related liability.
Data Breach Cases: Claims Against Directors and Officers
Officers and boards of directors owe two primary fiduciary duties to their organization—the duty of care and the duty of loyalty. The duty of care requires directors and officers to exercise the level of care that a prudent person would use under similar circumstances, which includes not consciously disregarding red flags when there is a duty to take action. There is generally no liability for decisions reasonably made by officers and directors in good faith. The duty of loyalty requires directors and officers to refrain from benefiting themselves at the expense of the corporation that they serve. In the seminal case on the subject, In re Caremark International, the Delaware Chancery Court stated that a director’s duty of care “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”
In the early data breach cases, claims against officers and directors were typically dismissed at the motion stage. For example, in Palkon v. Holmes, a New Jersey federal court dismissed a shareholder derivative suit against Wyndham Worldwide Corporation and its officers and directors arising out of three data breaches between 2008 and 2010 that resulted in hackers obtaining personal and financial data of over 600,000 customers, holding that the board’s actions were a proper exercise of its business judgment because the board had acted reasonably and had addressed cybersecurity concerns numerous times. In another case, In re Home Depot Shareholder Derivative Litigation, a Georgia federal court dismissed a case brought by shareholders in response to a 2014 data breach that resulted in the theft of personal financial data of 56 million Home Depot customers, holding that plaintiffs failed to set forth facts showing that the board “consciously failed to act in the face of a known duty to act,” and that “[d]irectors' decisions must be reasonable, not perfect.”
Earlier this year, a court-approved settlement in In re Yahoo! Shareholder Litigation shook the sense of security (no pun intended) officers and directors may have been feeling after the earlier data breach decisions. In January 2019, a California state court approved a $29 million settlement of three shareholder derivative suits against Yahoo and former officers and directors, including former CEO Marissa Mayer. This was the first instance of monetary recovery in a data breach shareholder derivative suit that targeted officers and directors for breach of fiduciary duty.
The Yahoo case arose from allegations that the former officers and directors breached their fiduciary duties by engaging in a years-long plot and sham investigation to conceal multiple cyberattacks dating from 2013 to 2016. This active concealment included a 2014 cyberattack that resulted in Russian hackers stealing user information associated with at least 500 million user accounts, which was not disclosed until 2016 after Yahoo and Verizon entered into a stock purchase agreement, as well as additional breaches impacting billions of Yahoo user accounts which were also discovered to have been concealed by Yahoo’s directors and officers. As a result of Yahoo’s disclosure of the 2014 cyberattack in 2016, the purchase price for Yahoo was ultimately reduced by $350 million and Yahoo agreed to retain 50% of the liabilities associated with the data breach and 100% of the liabilities from shareholder lawsuits arising from the breach. In addition, as described below, in April 2018, Yahoo’s successor, Altaba, agreed to a $35 million settlement with the SEC for its failure to timely disclose the data breach. Given the egregious allegations and the SEC settlement, Yahoo agreed to pay $29 million to settle the consolidated cases. It is likely that this case will provide a roadmap for future shareholder suits against officers and directors in the data breach context.
In the same month, in In re Equifax Inc. Securities Litigation, a data breach class action case against the credit-rating firm Equifax and certain officers and directors arising out of a cyberattack in which criminal hackers breached Equifax’s computer network and obtained personally identifiable information of more than 148 million American Equifax customers, a Georgia federal court granted in part and denied in part a motion to dismiss. The lead plaintiff, representing a class of shareholders, alleged violations of the securities laws by officers and directors who made false and misleading statements about the vulnerability of the company’s computer systems to cyberattack and its compliance with data protection laws and best practices, and who failed to take basic steps to protect its computer systems. The court granted the motion to dismiss with respect to the claims against most of the officers and directors; however, it denied the motion as to Equifax’s former CEO and Chairman of the Equifax Board, who was alleged to have had personal knowledge that Equifax’s data protection systems were “grossly inadequate” and yet knowingly or recklessly made false and misleading statements about the company’s data security, and who had the power to control cybersecurity policies and the statements made about such policies that resulted in securities law violations.
Courts will likely be less understanding over time as the hacks keep coming, and the business judgment rule will not protect a boardroom that does not have its eyes on cybersecurity.
SEC and Other Regulatory Guidance and Enforcement
While the SEC has for years warned companies about cybersecurity risks and related reporting obligations, in 2018 it issued new interpretative guidance concerning the obligations of publicly traded companies to disclose cybersecurity incidents and issues. In October 2018, the SEC issued an investigative report which emphasized that issuers, in complying with the requirement to have sufficient internal accounting controls, should consider cyber-related threats, including protection against spoofed or manipulated electronic communications.
The SEC has specifically emphasized that it is the Board’s role to understand the risks, ensure that the company is addressing those risks, and oversee the company’s cybersecurity program. The SEC indicates that companies should, as part of their proxy statement, disclose the Board’s involvement in cybersecurity efforts and risk management, and should specifically indicate “the nature of the Board’s role in overseeing the management of that risk.” SEC Commissioner Robert J. Jackson, Jr., in a 2018 speech relating to cybersecurity, reinforced the important role and obligations of officers and directors: “In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company’s business.”
While this 2018 guidance related only to public companies, the SEC has issued guidance and best practices for other regulated entities under the federal securities laws, such as investment advisers, broker-dealers, and self-regulatory organizations, and maintains a website dedicated to cybersecurity issues; these resources similarly focus on the importance of well-implemented cybersecurity policies and procedures.
The SEC has begun bringing enforcement actions in connection with cybersecurity-related failures and misconduct, and such enforcement actions will likely increase in the coming years. In March 2018, the SEC filed an enforcement action (with parallel criminal charges) against the former Chief Information Officer of a U.S. business unit of Equifax for insider trading in connection with the sale of shares prior to the public disclosure of a massive data breach. As a result of the SEC enforcement action, the executive was ordered to pay disgorgement and prejudgment interest totaling $125,636 and is prohibited from acting as an officer or director of any public company for a period of ten years; he was also sentenced to four months in federal prison in the parallel criminal action. In April 2018, the SEC imposed a $35 million penalty on Yahoo successor Altaba, in the SEC’s first cybersecurity enforcement action against a public company for failing to timely disclose a data breach. In September 2018, a broker-dealer and investment adviser agreed to pay $1 million to settle SEC charges related to its failure to have sufficient cybersecurity policies and procedures to prevent a cyber intrusion that compromised personal information of thousands of customers. This was the first-of-its-kind enforcement action for violations of the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.
Companies may also be subject to state cybersecurity and data breach laws, such as the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies, which imposes various requirements on banks, insurance companies, and other covered entities, as summarized in our January 2017 advisory, and the newly enacted Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), which amends and broadens New York’s data breach notification law applicable to those who own or license private information of New York residents. Companies may further be subject to data protection laws, including the European Union’s General Data Protection Regulation (GDPR), which is discussed in our April 2018 and December 2018 advisories. In addition, the Federal Trade Commission, Department of Health and Human Services, and Federal Communications Commission regulate data privacy and security in specific contexts, as described in our April 2017 advisory.
Given the continued threat of cyberattacks and breaches, strong corporate defenses and best practices should start at the top—with officers and directors. The costs associated with data breaches can be significant, and data breaches may lead to investigations by state or federal agencies, regulatory fines and sanctions, private litigation, shareholder suits, and even liability for officers and directors. Executives and Boards are encouraged to consult counsel regarding cybersecurity compliance and initiatives.