Everything is electronic. Companies are increasingly reliant on electronic processes to obtain and store valuable customer data and confidential, privileged and proprietary information. With that increased reliance comes the increased risk that this information can be compromised. In light of many recent high-profile data breaches, litigation surrounding data and privacy protection is increasing. A side effect of this litigation is the attention now paid to the role of boards of directors in managing and responding to cyber liability risks. Boards concerned about the potential liability of their officers and directors can look to two recent sources for guidance on this issue.
The critical importance of the role of boards of directors in managing cyber security issues was highlighted in a recent speech by SEC Commissioner Luis A. Aguilar. Aguilar addressed the role of boards of directors in overseeing and managing cyber risk to avoid litigation against officers and directors as a result of data breaches. He recommended utilizing the NIST Cybersecurity Framework (“Framework”) as a roadmap for industry standards and best practices for managing cybersecurity risk. He advised that boards should work with management to ensure their corporate policies align with the Framework and to identify areas for improvement.
Other recommendations include mandatory cyber risk education for directors, creating a separate risk committee on the board and assigning appropriate personnel to carry out the cyber-risk management initiatives and provide regular reports to the board. While approaches to cyber risk management will necessarily vary based on the specific needs of the company, the end goal is always the same: board preparedness. As Aguilar cautions, “it can be just as damaging to have a poorly implemented response to a cyber-event.”
Additionally, a recent opinion by the U.S. District Court for the District of New Jersey dismissed a derivative action targeting directors and officers for several data breaches where the board had taken actions similar to those discussed by Aguilar. The court dismissed the suit with prejudice because it found the board had adequately investigated the derivative claim and that its decision not to pursue the plaintiff’s claim was in the corporation’s best interest under the business judgment rule. While the decision may ease the concerns of some corporate boards in this newly evolving realm of potential liability, it remains to be seen whether future courts will adopt its reasoning.
As this area of the law continues to evolve, boards should continue to take precautions to minimize the risk of a data breach and the resulting liability. The court’s analysis of the board’s actions illustrates several ways for a board to be proactive in this area. First, the board held numerous meetings dedicated to discussion of the cyber-attacks, company security policies, and proposed security enhancements. Second, it appointed an audit committee to investigate the breaches. Finally, it hired an outside firm to recommend security enhancements. In a footnote, the court also acknowledged that the lawsuit was potentially flawed because the company had installed security measures before the breach occurred and the board had addressed security concerns numerous times.
The bottom line is that identifying potential cybersecurity risks and developing a plan of response should be a critical element of every board of directors’ responsibilities. The more involved the board is in drafting company policies pertaining to data breaches, the better off the board members will be in responding to a potential derivative lawsuit. More importantly, the greater the oversight and implementation of risk management protocols, the less likely there will be a security breach in the first place.