Boards and C-Suites in Shareholders’ Legal Crosshairs for Data Breaches
As companies attempt to balance data security and privacy with data utility, security breaches have exploded in frequency. Hardly a month passes without headlines of a business experiencing a data breach involving the unauthorized disclosure of consumers’ personal and financial information. These headlines are routinely followed by reports of class-action lawsuits being filed, sometimes within days of the breach’s public announcement.
Companies and Officers In The Crosshairs
It is probably not surprising that regulatory enforcement actions along with data breach lawsuits are on the rise. What may be surprising though, is that companies, their directors and officers (i.e., the C-suite) may face their most significant liability threat not from consumers or regulators, but from their own shareholders and affiliates.[i] In fact, proxy adviser firms like Institutional Shareholders Services (ISS) are increasingly recommending that shareholders sue companies and their officers for investor losses due to data incidents.
While consumer private causes of actions have had only limited success due to the difficulty of establishing concrete injury versus speculative economic loss[ii], non-consumer plaintiffs (i.e., shareholders) do not face this challenge. Shareholders and affiliates, bringing actions under fiduciary duty theories, can identify compensable losses in the form of costly regulatory defenses, breach of non-disclosure agreements, and lost business from security incidents. Furthermore, regulators and adjudicators are very willing to hold directors’ and senior officers’ feet to the fire. Why? Because any mishap, whether it be a customer slipping on a wet restroom floor or a malicious cyber attack on the company’s network, is a failure of governance. And boards, including the officials that report to them, are accountable for all corporate governance failures.
The Regulators Weigh In
Over the past year, the Security Exchange Commission (“SEC”) has made it clear that it will “sharpen” its focus on boardroom and c-suite preparedness. In June 2014, Commissioner Luis A. Aguilar gave a speech dedicated to boardroom oversight of cyber risks stating that “there can be little doubt that cyber-risk…must be considered as part of [a] board’soverall risk oversight.” Just this year, SEC Chair Mary Jo White doubled down on Mr. Aguilar’s comments and confirmed that the Commission is targeting the cybersecurity readiness of market participants. Likewise, all of the major agencies charged with enforcing data security for the nation, including the Department of Justice (“DOJ”), the Department of Homeland Security (“DHS”), the Federal Trade Commission (“FTC”), the Federal Communications (“FCC”), and the Financial Industry Regulatory Authority (“FINRA”) have all made it clear that they too are taking data security seriously and will hold boardrooms accountable. Even the President has joined in by calling for federal legislation that would force companies to abide by a single set of consumer protection-oriented standards.
The Duty of Loyalty
Sensing a legal bullseye on boards and senior corporate officers, shareholders have channeled their frustration by bringing derivative suits against them, naming them personally in the respective complaints[iii]. After initial duty of care complaints faced court resistance, shareholders have shifted their line of attack to the duty of loyalty. This is quite a novel game plan, one that bodes ominously for negligent boardrooms and their officers.
Traditionally, courts have identified two types of fiduciary duties of corporate officers: the duty of care and the duty of loyalty. Since the duty of loyalty was historically reserved to address only those situations where directors or officers favored their interests over the corporations (i.e., self-dealing), most shareholders were left to organize their complaints around the duty of care. But these actions usually failed. The business judgment rule[iv] coupled with the fact that the bar set for corporate officials to meet their duty of care is so low (they need only discharge their duties to the best of their ability), requires that plaintiffs make a showing of gross negligence. This is a steep burden that is rarely achieved.
Enter the Delaware Chancery Court, a court of equity that recently came to the shareholder’s rescue, bringing the Delaware Supreme Court in tow. The Court identified a subsidiary fiduciary duty, the duty of “good faith”, and assigned it to those situations where a fiduciary fails to exercise effective oversight. Though the Court did not go so far as to give “good faith” the same footing as the duties of care and loyalty, it did tie it to the latter. Essentially, the Court expanded the duty of loyalty to include not only those cases involving a financial conflict of interest but also those where the fiduciary fails to act in “good faith”, requiring that corporate officers and directors act affirmatively to assure that adequate information and compliance systems are in place.
Taking on the moniker of Caremark claims, the necessary conditions predicate for director and officer oversight liability are:
- the directors utterly failed to implement any reporting or information controls; or
- having implemented such systems or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.[v]
In either case, liability attaches because by failing to act in the face of a known duty to act (e.g., addressing a weakness in data security), corporate officials demonstrate a conscious disregard for their fiduciary obligations. Such officials are deemed disloyal since they are not operating in the good faith belief that their actions are in the corporation’s best interest.
Hackers Target Executives Too
If all of this is not enough cause for change, corporate officials are finding that not only are they in the crosshairs of regulators and shareholders, but they are also in the crosshairs of the actual hackers themselves. FireEye recently reported that accumulation hacking (also known as “pharming”, the use by hackers of data acquired over time) is being aimed at those with critical business data: C-suite members. Attackers pose as deal advisers, consultants, financial experts and lawyers to lure unsuspecting executives into clicking on false login pages and data links that request sensitive information. These so-called “phishing” and “pharming” attacks have multiplied, especially in the M&A and private equity world where companies and their advisers exchange large amounts of proprietary data outside of controlled data networks and with minimally developed business relationships.
With the historical impact that Delaware courts have on corporate law and the public pressure on government agencies to impose standards, it does not take much imagination to see where all this is headed. Directors and C-suite members will no longer be shielded for lax or nonexistent data security programs. Agencies will hand down heavy fines and wreak auditory hassle that can last up to 20 years. And for the those who want to take their chances with shareholders, derivative lawsuits, won or lost, are expensive; an expense that could ultimately be felt personally, particularly if regulators and courts cede to recent public pressure to pierce corporate veils.
How Do You Protect Yourself?
Given this perilous cyber landscape, directors and C-suite members are asking themselves, how can I keep my name from surfacing on the next trial docket? If you asked SEC Commissioner Aguilar, he would recommend that implementing the Framework for Improving Critical Infrastructure Cybersecurity, which was released by the National Institute of Standards and Technology in February, 2014 (the “NIST Framework”) is a good place to start. Just months after the release, Mr. Aguilar asserted to a group collected at the New York Stock Exchange that the NIST Framework should serve as a “roadmap for boards.”
NIST implementation can take time. In the meantime, corporate officers should start thinking beyond consumer data breach lawsuits and consider potential claims from shareholders, business partners or affiliates. Here is a list of things that must be done:
– Boards must encourage a culture of data security by developing and championing a written information policy that is supported through regular training of the entire workforce, including board members and senior officers. Compliance needs to start in the C-suite.
– Mechanisms should be created that allow employees to raise concerns and receive guidance on best practices without fear of retaliation.
– Disciplinary measures should be in place to dissuade internal security breaches. These procedures must apply uniformly, and board members must themselves be subject to their reach.
– Companies should secure the necessary expert advice to ensure that privacy practices comport with regulatory requirements and guidance, including those overseas if the company has international exposure. Experts can also be utilized to help companies take advantage of the benefits afforded by governmental resources that are now being aimed at fending off cyber attacks.
– Information systems and networks must be secure and comply with prevailing security standards and contractual requirements. And they need to be monitored and updated regularly as threats and standards evolve.
– Companies should obtain cybersecurity insurance in addition to their Directors and Officers (“D&O”) and Errors and Omissions (“E&O”) insurance to make sure that they and their affiliates are covered for data breaches.
– Data protections should be incorporated into third party contracts so that their security policies have comparable robustness to the corporation’s.
Finally, officers should continually monitor the rapidly developing law relating to data breaches to ensure that they have taken the necessary steps to strengthen their legal footing should they find themselves at the wrong end of a lawsuit, derivative or otherwise.
[i] In April 2015, Target announced it had reached a $19 million settlement with partner financial institutions that issued MasterCard-branded credit and debit cards that were compromised by a data breach.
[ii] The “economic loss doctrine” bars recovery in tort actions where only economic losses are asserted. Seeley v. White motor Co., 403 P.2d 145 (Cal. 1965), East River S.S. Corp. v. TransAmerica Delaval, Inc., 476 U.S. 858 (1986).
[iii] Dennis Palkon, a shareholder in the Wyndham Worldwide Corporation, brought a derivative suit against the hotel chain naming directors and officers Steven P. Holmes, Eric A. Danzinger, Scott G. McLester, James E. Buckman, Micahels H. Wargotz, George Herra, Pailine D.E. Richards, Myra J. Boblowit, Brian Mulroney, Steven A. Ridnitsky and Does 1-10 on the actual Complaint. Scott C. McLester was the company’s General Counsel. Palkon, et al. v. Holmes, et al., (D. N.J. Oct. 20, 2014).
[iv] Under the business judgment rule, courts defer to the judgment of corporate officials thereby insulating them from liability if they have considered and acted on an issue through a rational and informed process. In re Caremark Int’l Inc. Derivative Litig., 698 A.2nd 959, 967-68 (Del. Ch. 1996).
[v] In re Citigroup Inc. S’holder Derivative Litig., 926 A2d 106, 123 (Del. Ch. 2009)(quoting Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362 (Del. 2006)).