Let’s face it — data security is significant problem for corporate America. If you don’t think so, here’s a statistic that may help convince you: in Q1 2019 alone, there were 1.9 billion records exposed. In fact, a business falls victim to a ransomware attack every 14 seconds. That’s right — every 14 seconds. In fact, the global cost of online crime is expected to reach $6 trillion by 2021. Sadly, there are lot more statistics where those come from, and they are not encouraging. Suffice it to say that businesses must take their cybersecurity very seriously. Thankfully, may companies already take steps to secure their data, but oddly, many companies think that such measures are an IT function and that any data security program does not merit serious “board-level” oversight. Such an approach is asking for trouble, in more ways than you may think.
Let’s set a foundation that every company must understand: data security is not solely an IT function. Don’t take my word for it — the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight lists five (5) core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector. The first of those principles is to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Granted, the nature of the threat lends itself to initiating reports through the IT Department, but there can be no question that the impacts are organization-wide. Moreover, social engineering remains a big factor in data breaches; in fact, about 91 percent of attacks launch with a phishing email. When it comes data security and the role of the board, treating data security as a technology-centric issue is a big part of many data breaches. This begs the question: can directors and officers be held liable for a data breach? Although the answer to that question is not a given, the trend does not bode well for an answer in the negative.
In 2014, SEC Commissioner Luis Aquilar stated that “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.” Officers and directors have a duty of care to the corporation, and shareholder derivative claims premised upon the harm to company due to a data breach continue to push for liability. The Delaware Chancery Court held in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) (“Caremark”) that the board has an obligation to at least attempt in good faith to invest in or implement a monitoring system that’s sufficient to identify legal breaches by the corporation. In Caremark, shareholders (plaintiffs) brought derivative suits against the company, alleging that Caremark’s directors (defendants) breached their duty of care by failing to adequately oversee the conduct of Caremark’s employees regarding payments to doctors to refer Medicare or Medicaid patients to Caremark’s services, thereby exposing the company to massive civil and criminal penalties. Although the parties negotiated a settlement, the board did not agree to any monetary penalties — it simply agreed to implement a number of more cautious policies moving forward, such as the creation of a compliance and ethics committee.
The importance of Caremark is that the holding outlined director liability for a breach of the duty to exercise appropriate care in two distinct contexts: (i) “from a board decision that results in a loss because that decision was ill advised or ‘negligent,’” or (ii) “from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss” (emphasis added). The court further held that:
[I]t is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.
Bottom line: For liability to attach, the board must have failed to provide reasonable oversight in a “sustained and systematic fashion,” or the information reporting system which the board relied on must be deemable as an “utter failure.”
Although not a data security case, the holding is important in the context of data security. Why? Because Caremark essentially states that a board of directors can’t assume their corporation is complying with the law — there must be a reporting system so that the board can exercise oversight. Recently, the Delaware Superior Court breathed more life into that point in Marchand v. Barnhill, et al., No. 533, 2018 (Del. Sup. Ct. 2019) (“Marchand”). This case arose out of a listeria outbreak involving Blue Bell ice cream that sickened many consumers, caused three deaths, and resulted in a total product recall. In reversing the dismissal of stockholder suit asserting Caremark claims against Blue Bell Creameries, Inc., the Marchand court held that the board failed to provide adequate oversight of a key risk area and thus breached its duty of loyalty. Remember the context of breach of corporate duty in Caremark: (a) the directors must have utterly failed to implement any reporting or information system or controls; or (b) having implemented appropriate compliance controls, the directors consciously failed to monitor or oversee the operation of that system. Under the Marchand facts, the court found a lack of board oversight because the Blue Bell board allegedly failed to implement any system to monitor Blue Bell’s food safety performance or compliance. Sound like something that *may* apply in the cybersecurity context? Yep.
I realize that there has not (to my knowledge) been a holding in a shareholder derivative lawsuit of officer and director liability arising out of a data breach, but if Marchand is any indication, it seems that the trend is moving towards potential liability where Caremark claims are asserted and proven. This potential liability, however, can be thwarted if a board follows what I refer to as the “Four Cs”:
- Communication – There should be communication at all levels within the organization, but especially up to the board.
- Consideration – There should be consideration of both technical and non-technical measures to ensure data security.
- Cooperation – There must be cooperation across all levels within the reporting chain so that not only reporting mechanisms are satisfied, but that the board can satisfy its oversight responsibility.
- Coordination – There must be coordination among both internal and external teams so that any information security plan not only addresses internal requirements, but third-party service providers.
As you can see, these “Four Cs” can help avoid any “utter failure” to implement appropriate reporting or information systems or controls, as well as any failure to monitor or oversee such compliance. Of course, adhering to them is not necessarily an officer and director “get out of liability free” card for a data security breach, but it will certainly prod your company (or client) in the right direction. More importantly, don’t have your company (or client) delay implementing something along these lines concerning data security: if you wait, it just may be(come) too late.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.