Cybersecurity is a modern tech-savvy buzzword that often makes non-IT people’s eyes glaze over. This mindset is very risky, and cybersecurity should not be taken lightly. The truth is that cybersecurity, while highly technical at the developer level, uses the same principles and concepts as many other business-related legal risks. Directors for both public and private companies should be asking the right questions and taking steps to protect the business – and themselves – from cyberattacks.
So, why is cybersecurity a big deal?
It is important to understand that cybersecurity includes both protecting digital forms of personal data and sensitive corporate information from exposure and protecting your business’ electronic systems from exploitation by hackers. The latter includes cases such as the Colonial Pipeline hack in 2021 when the company’s systems were taken over by Russia-based cybercriminals, ultimately resulting in Colonial Pipeline paying a $5 million ransom.
In addition to being exploited by cybercriminals, there are commonly legal repercussions with even minor cyberattacks. The most typical are investigations by regulatory agencies, breach notifications, and claims for damages for breach of contract and tort, but directors may also be held personally liable for cybersecurity breaches.
Can Directors be held personally liable for cybersecurity breaches?
Yes, a director can be personally liable for cybersecurity breaches in some instances. While no individual director has been held liable for a cybersecurity breach to date, lawsuits making these kinds of allegations have been filed, and it may be only a matter of time before one is successful. The primary risk of personal liability for a director is through derivative actions commenced by damaged shareholders. While the Business Judgment Rule generally insulates directors from personal liability, that protection is not absolute and can be rebutted.
Regulators and legislators are cracking down on cybersecurity practices
In addition to plaintiffs, regulators are also ramping up their response to cybersecurity breaches and increasing cybersecurity requirements for businesses. Numerous agencies have levied fines and brought suits for cybersecurity-related issues including the FTC, FCC, and SEC. For example, in 2014 the FCC fined two companies $10 million each for “unjust and unreasonable” data security practices in violation of the Communications Act of 1934.
In 2021, at least 45 states introduced or considered bills or resolutions concerning cybersecurity, more than 250 in total, and at least 35 states enacted cybersecurity-related laws. At the federal level, lawmakers have introduced at least 18 new bills concerning cybersecurity. For example, the Cybersecurity Disclosure Act of 2021 would require companies to disclose whether the board has any cybersecurity expertise or experience and, if not, report what aspects of the company’s cybersecurity were considered when evaluating nominees for membership on the board.
What can a Board of Directors do to protect itself from cyberattacks?
Directors should prepare ahead of time to prevent the effects of cyberattacks and mitigate the risk of personal liability. Broadly speaking, boards must implement a reporting system and monitor or oversee the operation of that system to prevent personal liability under Caremark. In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996). In Caremark, shareholders filed a derivative suit against the board after the company was required to pay approximately $250 million for violations of federal and state health care laws and regulations. Id. at 960–61. The Delaware Chancery Court held that directors can be held personally liable for failing to “appropriately monitor and supervise the enterprise.” Id. at 961. The court emphasized that the board must make a good faith effort to implement an adequate information and reporting system and that the failure to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.” Id. at 967. While Caremark did not address cybersecurity directly, the court’s reasoning in Caremark is applicable to board involvement, or lack thereof, with cybersecurity.
In addition, businesses and boards should implement greater protections to avoid further liability under other legal theories such as negligence. For example, as a result of the Colonial Pipeline hack, plaintiffs have filed a class action complaint asserting a negligence claim against the owners of the pipeline for failing to prevent the hack. Dickerson v. CDPQ Colonial Partners, L.P., Case No. 1:21-cv-02098-MHC, WL 2009109 (N.D. Ga. 2021).
10 Questions Boards Should Ask to Protect Against Cyberattacks:
- What are our most important assets and what are our greatest cybersecurity risks?
- What is our cybersecurity and data protection plan?
- What layers of protections do we have?
- Do our communications systems (phone, email, messaging, etc.) use end-to-end encryption?
- Does our cybersecurity system work across all of our platforms, devices, tablets, phones, and laptops including personal devices?
- How do we know if there has been a cybersecurity breach?
- What is our response plan?
- What is the board’s role in the event of a cybersecurity incident?
- Do we regularly compare ourselves to others in the industry and assess our cybersecurity measures versus alternatives on the market?
- Is our cybersecurity investment enough?
10 Steps Boards Should Take for Protection:
- Ensure there is a cybersecurity expert on the board (see pending House bill, Cybersecurity Disclosure Act of 2021);
- Hire a Chief Information Officer (CIO) and/or a Chief Information Security Officer (CISO) – having the right people in place is crucial;
- Appoint a cybersecurity board committee;
- Engage outside experts to conduct regular cybersecurity assessments, including penetration testing;
- Educate directors, officers, and all other employees about cybersecurity;
- Regularly address and deliberate about cybersecurity issues and document discussions; having an incident response plan in place before a crisis means that the company is better able to respond and minimize the impact of a cyber incident;
- Adopt and employ a cybersecurity system and plan that is specifically tailored to your business’s most important assets and risks;
- Obtain cybersecurity insurance and ensure that it adequately covers potential risks for your company;
- Regularly assess potential cybersecurity threats and protections; and
- When a breach occurs, determine the scope of the breach, assess exposure, and comply with notification requirements.
Article written with assistance from Cranfill Sumner LLP clerk Devin Honbarger.