Corporations that fall victim to data breaches are often faced with a deluge of lawsuits, especially when private or sensitive information is disclosed. It is not uncommon for the plaintiffs to pile up after a major breach, each with their own alleged claims for damages. Complaints typically come from the individuals to whom the data pertains, either individually, as a class or as multiple sets of classes. Plaintiffs may also include financial institutions and payment card issuers, third parties such as partners, vendors and clients, and company shareholders or investors. State, federal and foreign regulators are often front and center with their own inquiries and enforcement actions.
Beyond company liability, however, there has also been a steady rise in actions that individually target directors and officers brought by both regulators and shareholders.
One of the first examples was a shareholder derivative suit that named more than a dozen TJX directors shortly after the massive breach that the company suffered in 2005. More recently, similar actions have been brought against Target, Heartland Payment Systems, Wyndham Worldwide, Home Depot, Wendy’s and Yahoo – to name just a few of the larger ones.
The primary basis of each are allegations that the directors and officers breached various fiduciary duties, such as those of care and loyalty. In Target, for example, the plaintiffs alleged that the directors breached their duties by “failing to take reasonable steps to maintain [the] customers’ personal and financial information” and by failing to implement a system of internal controls to protect such customer information from a data breach.
Duty of Care
The duty of care generally obligates directors to act on an informed basis, in good faith and in the honest belief that the action was in the best interests of the company. The duty of loyalty, on the other hand, obligates them to develop and monitor controls and reporting systems in order to ensure that they are adequately informed of any risks which require their attention. In the data breach context, these fact-specific inquiries typically turn on what the directors knew regarding their cyber risks, and how they acted to prevent them.
None of the early cases survived past summary judgement. After demanding that the boards bring action against the company, the plaintiffs simply could not overcome the high bar of the business judgment rule when applied to the director’s decision not to do so. However, as this rapidly developing and volatile area of law matures, so too has the plaintiff’s bar adapted.
Plaintiffs have now begun taking an entirely different approach. In the Home Depot and Yahoo cases, for example, they skipped demand on the boards altogether and instead alleged that doing so would be futile because the directors face personal liability and therefore cannot exercise independent business judgment when responding. They have also begun to add additional claims such as deficiencies in disclosure of material information. In the case of Yahoo, which individually named both the company’s CEO and CFO, the claims focus on alleged materially false and misleading statements made by the executives and company in their security filings. The court fully denied the plaintiffs claims in the Home Depot case in April. The Yahoo matter is still pending, and the plaintiffs’ new actions don’t seem to be slowing down.
In addition to the threat of lawsuits, officers and directors also face a threat to their tenure at the affected company in the event that the organization experiences a data breach. For instance, in 2014 Target’s CEO and chief information officer resigned after its breach, and in 2015 the CEO of the parent company of AshleyMadison.com resigned after news of a data breach at his company broke. In 2016 Yahoo’s general counsel resigned without separation payments after reporting a 350 million dollar purchase price adjustment by Verizon, and over 11 million dollars in legal expense resulting from the company’s several breaches. So, although plaintiffs have yet to prevail in any securities class actions, the costs and risks to directors and officers are still quite substantial.
In addition to taking enterprise-wide actions to protect their company from liability, directors and officers must ensure that they take steps to minimize exposure to personal liability as a result of a data breach. A review of the claims and allegations along with the final rulings in the several major cases mentioned above shows a clear line of best practices that can help to mitigate these risks.
Implement and monitor security controls before an event happens to demonstrate diligence as to the duty of care.
These controls should not be limited to technical, physical and administrative controls for IT systems and devices. They should extend to the full spectrum of information-related business operations and processes and their resulting risks to data security. This includes such areas as employee background checks and off-boarding, vendor contracts, cross boarder data flows and use of technology policies, among others.
Ensure that the board is informed and equipped to respond.
It’s not enough simply to rely on periodic reports from the IT security teams. The directors and officers need to have meaningful and digestible information that they can act upon. This means reporting the correct key performance indicators (KPIs) that go beyond metrics about the number of patches deployed and the number of events averted. Instead, KPIs should measure such areas as time to detect, contain and mitigate those events, improvements in employee readiness and awareness and overall operational maturity. This allows the executives and directors to have meaningful discussions on data security and to ensure that security efforts are in alignment with overall business strategy. Boards should also have technical advisory committees and experts they can reply on to help them distil and understand the information presented to them.
Have a playbook and test it regularly.
The technical teams will typically have their own playbooks that describe their response plans for various security events for each system and data type. While these are invaluable, they should be extended to include the full scope of response activities across the company: from the escalation of events up to executive management and to the board, to company investigations, responses and disclosures. Once defined, these various plays should be tested and validated on a routine basis, so everybody knows what to do before a crisis hits.
Designate a quarterback to run the plays.
Not so long ago, the responsibility for managing data breach responses fell squarely on the CIO or CISO. However, the dismissal of Yahoo’s general counsel demonstrates a shift in expectations as to who should manage the response within the company. Every aspect of a data security incident response is rife with delicate and complex legal issues. The current expectation is that counsel will have clear visibility into, and will participate in, all aspects of cybersecurity planning, monitoring, reporting and, of course, response (in addition to the post-event legal issues). It is fair to say that counsel is now on notice – if there was any lingering doubt – that cyber risks fall squarely within their functional mandate.
Review your disclosures.
These include security filings, privacy and security policies and marketing materials. Given the new focus on disclosures, both from the plaintiff’s security bar and regulators, directors and officers must ensure that the company is in fact doing what it says it is doing, and reporting material events in a timely manner.
Check your insurance policies.
Director and officer policies don’t often cover losses from cyber events. Take the time to review your coverage and to understand overlaps and gaps between your D&O and cyberinsurance policies and the limits to coverages for both, and ensure that they properly align with your real-world risk scenarios based on the types of data the company is responsible for.
Enlist the help of experts.
The board should learn from the best practices of other similar organizations. One way to do so is to hire an outside firm to investigate internal practices and provide a maturity assessment that benchmarks the company against its peers. Again, this shouldn’t be limited to technical IT assessments of your networks and servers, but should extend to all areas of information management and related business risks, including privacy and security.