Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high-profile cybersecurity hacks—and the potential resulting drop in shareholder value, regulatory inquiries and litigation that inevitably follow—cybersecurity has become an increasingly challenging risk that boards must address.
The board’s role in understanding and monitoring cybersecurity risk has been underscored by a new breed of lawsuits alleging boards were asleep at the switch in the face of a known danger. Target, for example, is now facing a shareholder derivative lawsuit—Case number 14-cv-14-cv-203—alleging Target’s board members and directors breached their fiduciary duties to the company by failing “to maintain proper internal controls” related to data security and misleading affected consumers about the scope of the breach after it occurred. That complaint alleges Target was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target “to be exposed to millions of dollars of potential liability in class-action lawsuits,” and through “substantial damage” to “the company’s sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust.”
Wyndham Worldwide Corporation and certain of its officers and directors are also defending against a similar cybersecurity-related derivative lawsuit—Case number 2:14-cv-01234—related to the three data breaches the company sustained from April 2008 to January 2010. That complaint alleges, “In violation of their express promise to do so, and contrary to reasonable customer expectations” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The complaint alleges further that the individual defendants “failed to ensure that the company and its subsidiaries implemented adequate information security policies,” and the company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.”
The actions of Wyndham are also being held to scrutiny in a Federal Trade Commission (FTC) enforcement action—which just survived a significant motion to dismiss in April—alleging Wyndham violated Section 5(a) of the FTC Act, which prohibits “acts or practices in or affecting commerce” that are “unfair” or “deceptive” (Case number 2:13-cv-01887). According to the FTC’s complaint, Wyndham and certain subsidiaries failed “to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The fact that this complaint was allowed to proceed foreshadows future regulatory enforcement actions against companies for maintaining inadequate cybersecurity measures.
It remains to be seen whether the lawsuits against directors and officers will succeed. Regardless of their outcomes, however, these suits highlight that the board plays a fundamental role in preventing and detecting risks associated with information security breaches. The board’s role in cybersecurity was also emphasized by the SEC during its March 26 Cybersecurity Roundtable, where one of the key themes was the instrumental role the board of directors and senior management should play in leading an organization’s cybersecurity preparedness and resilience to cybersecurity attacks. One roundtable panelist opined in that regard that senior management can play an important role in creating a cybersecurity culture that “starts at the keyboard” and in which cybersecurity is not seen as a technology issue for the IT department to resolve but a business issue in which all employees take action and understand their role in protecting their companies.
While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice. In attempting to fulfill their fiduciary duties to the company by managing cybersecurity risks, the following are some guideposts for directors to follow:
- Develop a high-level understanding of cyber-risks facing the company through briefings from senior management and others;
- Consider retaining outside consultants to evaluate the company’s security risk management;
- Ensure that the company has at least one committee that is responsible for overseeing and understanding cybersecurity issues, controls and procedures;
- Ensure that the vendors the company retains have adequate security measures in place to protect data and that there are sufficient contractual clauses between the company and the vendor regarding such security;
- Facilitate a culture that views cybersecurity as a business issue that all employees should understand and participate in. As part of that, companies should consider employee training and awareness programs;
- Include a cyber-expert on the company’s board of directors or receive regular reports from a cybersecurity expert that are discussed at board meetings;
- Ensure the company has an updated plan to respond to a cybersecurity attack, should it experience one. As part of that, senior management should become familiar with the legal and contractual requirements to determine what steps they would be required to take if the company fell victim to a data breach;
- Ensure that the applicable directors and officers’ insurance covers data breach lawsuits; and
- Directors may consider the guidance provided by the Cybersecurity Framework released in February by the National Institute of Standards and Technology in response to U.S. President Barack Obama’s Executive Order 13636, which was intended to be used by companies to create a cybersecurity program.
Although the risk of shareholder lawsuits cannot be eliminated entirely, taking one or more of the aforementioned steps may reduce the likelihood of directors being held accountable in data breach lawsuits against the company. The fact of the matter is that directors no longer can bury their heads in the sand with respect to cybersecurity issues because the likelihood of a breach hitting one’s company—and an ensuing lawsuit challenging the board’s role in that breach—is almost a certainty.