Data Security & Corporate Governance: What Is The Individual Liability Of Officers & Directors?

by Larry Kunin, Partner and Chair of MMM Data Security & Breach Practice, and Brian Levy, Associate and Member of MMM Data Security & Breach Practice

A lot has been publicized regarding the need for data security, and the damages and tasks that face a company when a breach happens.  What about the individual liability of officers and directors?  Do they face an individual legal obligation to ensure that data breach risks are kept to a minimum?  Do they face ultimate liability?

Officers and directors have a fiduciary duty to their corporations, including using competent business judgment, exercising good faith, and acting in the best interests of the corporation.  These duties arguably include proactively minimizing the risk of data breach.  For public companies, the SEC has also made statements regarding the expectations of officers and directors to establish competent programs to prevent and respond to data breach.

The following is a sample FAQ of issues that may face officers and directors, and that should be considered as a company establishes a strategy for minimizing the risk and effect of a data breach.

FAQ:  Corporate Governance and Cybersecurity

1. Q. Does a board of directors owe fiduciary duties to shareholders to actively monitor cybersecurity risks?

A.  Yes.   Directors owe shareholders the fiduciary duties of care and loyalty to preserve corporate assets and protect against enterprise risk, including cybersecurity risks.  During a 2014 speech, SEC Commissioner Louis A. Aguilar cautioned that “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

2. Q. What are some of the consequences to a company arising from a cyber-attack?

A.  Companies face decreased revenues, disruption of business systems, erosion of customers, and theft of intellectual property and trade secrets.  Cyber-attacks also can result in reputational damage, as evidenced by the recent cyber-attack against Sony Pictures over the movie “The Interview,” which resulted in the dissemination of unflattering personal emails by senior executives.  Companies also face significant risk of government enforcement actions and private litigation.  The federal and state governments can bring enforcement actions under laws requiring the safeguarding of personal information.  Consumer class action lawsuits are routinely filed in the wake of data security breaches, such as the multi-district litigation proceedings currently pending against Home Depot.  Shareholders have filed derivative actions following data security breaches involving Target and Wyndham Hotels, and a securities fraud action due to the decline in stock price following a data security breach involving Heartland Payment Systems.

3. Q. News reports focus on cybersecurity attacks against large companies.  What is the cybersecurity risk to small or medium sized companies?

A. Cyber-attacks often do not originate within the target company’s IT system, but result from vulnerabilities in the systems of vendors or suppliers.  Thus, boards should ensure that management assesses cybersecurity risk within the ecosystem in which the company operates.

4. Q. Does a uniform standard exist for a board of directors to follow to satisfy its fiduciary duties with respect to cybersecurity risks?

A.  Not explicitly.  In February 2014, the National Institute of Standards and Technology issued a Framework for Improving Critical Infrastructure Cybersecurity in response to President Obama’s Executive Order 13636.  While voluntary, many commentators view NIST’s Framework as a baseline for best practices by companies to manage their cybersecurity risks.  The Framework recommends that companies identify cybersecurity risks and vulnerabilities, protect critical infrastructure assets, implement measures to detect the occurrence of a cybersecurity event, develop a plan to respond to a detected event, and develop a plan to restore capabilities or critical infrastructure services impaired by an event.  The Framework is technology neutral, and each company’s protocols should be tailored to its particular business model.  Ultimately, the business judgment rule should apply to decisions that directors make, as long as the directors abide by the core standards of care, loyalty, and good faith that apply to board decisions generally.

5. Q. Can directors be held personally liable for failing to actively monitor cybersecurity risk?

A.  Yes.  A director can be held personally liable for breaching the duty of loyalty by knowingly failing to implement reporting information systems or controls to protect against data security breaches, or by consciously failing to monitor or oversee such systems or controls thereby disabling themselves from being informed of risks or problems requiring their attention.

6. Q. What systems or controls should directors implement to reduce cybersecurity risk?

A.  Companies should implement the following systems or controls to reduce cybersecurity risk:

  1. Maintain written cybersecurity standards and practices;
  2. Employ a full-time chief information security officer (CISO) who reports directly to senior management;
  3. Establish a board committee responsible for cybersecurity risks that meets regularly and reports to the board;
  4. Recruit directors with cybersecurity expertise and educate the entire board of directors on cybersecurity risk;
  5. Establish a cross-organizational team that is required to meet regularly to coordinate and communicate on privacy and security issues.  The team should include senior management from various business units in the company, finance, internal audit and compliance, human resources, IT, risk management and legal;
  6. Implement cybersecurity incident response and recovery plans;
  7. Engage outside technical experts to help manage and report on the company’s cybersecurity risks;
  8. Implement training and awareness programs for employees; and
  9. Contractually require all third-party vendors with access to sensitive information to have adequate cybersecurity measures and indemnify the company for cybersecurity incidents.

7. Q. What steps should directors take to monitor or oversee such systems or controls?

A. Directors should monitor and oversee systems and controls implemented to reduce cybersecurity risk through the following steps:

  1. Regularly review cybersecurity policies at board meetings;
  2. Review assessments of the company’s security program as presented by the board committee for cybersecurity risks and senior management and ensure compliance with best practices and standards;
  3. Conduct annual audits of the company’s security program, to be reviewed by the board committee for cybersecurity risks and presented to the full board;
  4. Require regular reports from senior management on cybersecurity risks;
  5. Review budgets for cybersecurity risk management;
  6. Conduct annual tests of incident response, breach notification, disaster recovery, and crisis communication plans;
  7. Review adequacy of insurance coverage for cybersecurity events; and
  8. Document discussions in board minutes.

8. Q. Can effective corporate governance reduce the cost incurred by a corporation in the event of a cybersecurity event?

A.  Yes.  The average cost of cybercrime incurred by organizations located in the United States in Fiscal Year 2014 was $12.69 million, up from $11.56 million in Fiscal Year 2013.  The estimated cost savings for companies employing expert personnel is $1.3 million, and $1.1 million for achieving certification against industry-leading standards.

9. Q. What are a public company’s disclosure requirements regarding cybersecurity risks?

A. According to SEC guidance, registrants should review, on an ongoing basis, the adequacy of their disclosures relating to cybersecurity risks and cyber incidents.  Registrants should disclose the risk of cyber incidents if cybersecurity risks are among the most significant factors that make an investment in the company speculative or risky.  A cybersecurity risk disclosure must adequately describe the nature of the material risks and specify how each risk affects the registrant.  The disclosure should be tailored to the registrant’s particular circumstances and avoid generic “boilerplate” disclosure.

Cybersecurity risks and incidents should be disclosed in management’s discussion and analysis of financial condition and results of operation if the costs or other consequences associated with a known incident or risk of potential incident represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.  Examples include theft of intellectual property or a material increase in cybersecurity expenditures.



The information presented is for educational and informational purposes and is not intended to constitute legal advice. Readers should consult their professional advisor. Any opinions expressed within this article are solely the opinion of the featured author and not of Morris, Manning & Martin, LLP.