For the past decade, the duty of corporate directors to oversee corporate risk has become more and more pronounced. Over the past several years, however, cyber and data handling risks have emerged as perhaps the most challenging of the areas requiring board oversight. As recent headline-grabbing incidents demonstrate, the financial and public relations fallout from a cyber or data misstep can be overwhelming and expensive, and Monday-morning quarterbacking can be expected from regulators, plaintiffs' attorneys, shareholders, and even business partners.
Continually evolving cyber threats and emerging legal and regulatory developments, compounded by a lack of relevant expertise on many corporate boards, make it imperative for today's directors to understand the nature of today's emerging perils and to protect their company and themselves from second-guessing in the aftermath of a cyber incident.
Here, we take a look at four major areas of potential liability that today’s corporate directors must understand.
The Regulators are Coming
Most significantly for board members, the DFS regulation explicitly places accountability for cyber security on corporate directors, effectively requiring boards to engage in active and informed oversight of the entity's overall cybersecurity. The DFS also requires a board member or a senior officer to sign a certification formally verifying compliance with the regulation.
As the first mover in this area, DFS has set the example for other regulators to follow. Accordingly, board accountability for cyber security is likely to become a standing reality for today's corporate directors.
Directors also should be aware that in today's complex, integrated environment, it is becoming increasingly common for business partners or new clients to demand some form of cyber security standard or certification as a condition of doing business together. Consequently, cyber security has become a key competitive differentiator.
It is important to note, however, that data breaches are not the only trigger for regulatory scrutiny of modern companies. Regulators both domestically and abroad are implementing rules concerning how companies use data, covering their practices around data collection, use, storage, and retention periods, as well as their disclosures about those practices and the adequacy of the relevant consumer consents. Missteps in this area can be quite costly. The EU's General Data Protection Regulation, for example, allows for fines of up to 4% of an entity's annual turnover, and US regulators have imposed stiff fines, sometimes accompanied by 20-year monitorships, for improper data practices.
In addition, misguided data practices can cause serious reputational harm. For example, exploiting consumer data for poorly conceived marketing initiatives can end up alienating the very consumers with whom the company is trying to more closely connect. Modern companies must implement procedures to ensure that their data practices are not only compliant with relevant legal requirements, but that they are also well thought out and consistent with ethical standards and the corporate brand.
The Shareholders are Coming
To date, shareholder derivative lawsuits claiming that directors and officers breached their fiduciary duty by failing to prevent a cyber security incident have generally been unsuccessful. Nevertheless, no director wants to be the subject of public allegations of ineptitude or incompetence, and some companies have paid millions for early settlement of such cases. Whether a case is settled or dismissed, the associated defense costs are undoubtedly substantial. Recently, some plaintiffs have taken a new litigation approach, filing suit based on the alleged inadequacy of the breached company's public disclosures concerning its cyber readiness and the potential impact of a cyber incident on the company. The reputational impact of such allegations on the corporation and its directors and officers can be devastating. Moreover, as the cost and impact of cyber incidents continue to grow, the expected level of board competence on cyber issues can be anticipated to rise continually.
The Consumers are Coming
As recent experience demonstrates, multiple class actions on behalf of consumers are often filed against breached companies, frequently on the same day that the breach is publicly disclosed. Initially, many companies succeeded in obtaining early dismissal of these suits on the ground that the plaintiffs lacked legal standing: claims based on the fear of future financial injury or identity theft were found by courts to be too speculative. More recently, however, some courts have disagreed with that analysis, finding that the risk of future injury does establish a legally cognizable injury. This split of legal authority creates yet another area of uncertainty and liability for breached entities.
Although surviving a motion to dismiss is no guarantee of ultimate success for plaintiffs in class action litigation, it certainly raises the stakes — and the financial and reputational costs — for the defendants. Expenses related to major breaches can be jaw dropping, quite likely in excess of the company’s cyber insurance coverage limits.
The Banks are Coming
For credit card breaches, the banks that issued the implicated cards have also instituted class action lawsuits against breached companies, seeking reimbursement of their breach-related costs, including those for reissuing cards and reimbursing consumers for fraudulent charges. These costs are not insignificant: Target settled its bank class action for $39.4 million, while Home Depot paid $25 million.
Republished from an October 2017 CyTech White Paper authored by Shahryar Shaghaghi, Daryouche Behboudi, and Judy Selby, JD.