Your organization will in all likelihood suffer a cyberattack. According to a recent study by Accenture, the average Canadian organization faces about 96 cyberattacks per year, nearly one third of which result in a security breach. The aftermath of cyberattacks often leaves a wake of victims whose personal information has been breached, and correspondingly massive exposure for the companies that have been attacked.
By now, directors (hopefully) know that they have to take reasonable steps to prevent and respond to cyberattacks. If they fail to do so, they not only compromise the viability of the company they oversee but also risk personal liability.
Working out what specific steps a director should take is therefore critical. A series of United States decisions dismissing shareholder claims against directors provides guidance on this potential exposure.
A November 2016 decision in The Home Depot case gave directors specific guidance. There, the shareholders alleged that the directors had failed to implement adequate data security mechanisms, failed to exercise proper oversight of cybersecurity issues, and failed to respond adequately to cybersecurity threats. The steps taken by Home Depot's board of directors that led the court to dismiss the claim against them included:
- delegating responsibility for IT and data security to its Audit Committee;
- having a data security plan in place to remedy known data security deficiencies;
- taking action to remedy Home Depot's data security deficiencies before the breach occurred; and
- receiving regular briefings from both management and the Audit Committee on the state of Home Depot's data security.
What amounts to "reasonable" and "defensible" conduct by directors in the context of data security is further informed by the United States decisions in Wyndham v Holmes, 14-CV-01234 (SRC) [Wyndham] and Davis v Target Corporation, 14-CV-00203-PAM-JJK [Target]. In those cases, reasonable and defensible conduct by the directors included:
- developing cybersecurity policies (see Target Corporation Report of the Special Litigation Committee);
- understanding, and being kept informed of, ongoing cyberattacks and data security issues;
- investigating cyberattacks; and
- taking an active role in the wake of any data breach.
While shareholder claims against directors have not yet succeeded, directors should not underestimate their potential exposure. In the cases discussed above, the courts dismissed the claims because the directors had taken reasonable steps in the circumstances. What is reasonable is an evolving standard, and directors must keep their understanding of their obligations current. To that end, directors are advised to consult counsel regularly to minimize their exposure in this increasingly risky area.