Cybersecurity is a modern buzzword for techies that often makes non-IT people’s eyes glaze over. This mindset is very risky and cybersecurity should not be taken lightly. The truth is that cybersecurity, while very technical at the developer level, uses the same principles and concepts as many other business-related legal risks. Directors of both public and private companies need to ask the right questions and take steps to protect the company, and themselves, from cyberattacks.
So why is cybersecurity so important?
It is important to understand that cybersecurity includes protecting digital forms of personal data and sensitive corporate information from exposure and protecting your company’s electronic systems from exploitation by hackers. The latter includes cases such as the Colonial Pipeline hack in 2021, when Russia-based cybercriminals took over the company’s systems, ultimately resulting in Colonial Pipeline paying a $5 million ransom.
In addition to being exploited by cybercriminals, there are often legal repercussions even with minor cyberattacks. The most typical are investigations by regulatory agencies, breach notifications, and claims for damages for breach of contract and tort, but directors can also be held personally liable for cybersecurity breaches.
Can directors be held personally liable for cybersecurity breaches?
Yes, a director may be personally liable for cybersecurity breaches in some cases. While no individual director has been held liable for a cybersecurity breach to date, lawsuits making these types of accusations have been filed, and it may only be a matter of time before one succeeds. The primary personal liability risk for a director is through derivative actions brought by injured shareholders. While the Business Judgment Rule generally insulates directors from personal liability, that protection is not absolute and can be rebutted.
Regulators and lawmakers are cracking down on cybersecurity practices
In addition to plaintiffs, regulators are also stepping up their response to cybersecurity breaches and increasing cybersecurity requirements for businesses. Numerous agencies have levied fines and filed lawsuits over cybersecurity-related issues, including the FTC, FCC, and SEC. For example, in 2014, the FCC fined two companies $10 million each for “unfair and unreasonable” data security practices in violation of the Communications Act of 1934.
In 2021, at least 45 states have introduced or considered cybersecurity bills or resolutions, more than 250 in all, and at least 35 states have enacted cybersecurity-related laws. At the federal level, lawmakers have introduced at least 18 new bills related to cybersecurity. For example, the Cybersecurity Disclosure Act of 2021 would require companies to disclose whether the board has any cybersecurity knowledge or experience and, if not, to disclose what aspects of the company’s cybersecurity were considered when evaluating nominees for board membership.
What can a Board of Directors do to protect itself from cyber attacks?
Directors must prepare in advance to prevent the effects of cyberattacks and mitigate the risk of personal liability. Generally speaking, boards should implement a reporting system and monitor or oversee the operation of that system to avoid personal liability under Caremark. In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996). In Caremark, shareholders filed a derivative lawsuit against the board after the company was required to pay approximately $250 million for violations of federal and state health care laws and regulations. Id. at 960–61. The Delaware Court of Chancery held that directors can be held personally liable for failing to “properly control and supervise the company.” Id. at 961. The court emphasized that the board must make a good faith effort to implement an adequate information and reporting system and that failure to do so may constitute an “unconsidered failure of the board to act in circumstances in which due attention could possibly have prevented the loss.” Id. at 967. While Caremark did not address cybersecurity directly, the court’s reasoning in Caremark is applicable to the board’s involvement, or lack thereof, with cybersecurity.
Additionally, companies and boards must implement greater protections to avoid further liability under other legal theories, such as negligence. For example, as a result of the Colonial Pipeline hack, plaintiffs have filed a class action lawsuit asserting a negligence claim against the pipeline owners for failing to prevent the hack. Dickerson v. CDPQ Colonial Partners, LP, Case No. 1:21-cv-02098-MHC, WL 2009109 (N.D. Ga. 2021).
10 questions boards should ask to protect themselves against cyber attacks:
- What are our most important assets and what are our biggest cybersecurity risks?
- What is our cybersecurity and data protection plan?
- What layers of protections do we have?
- Do our communication systems (phone, email, messaging, etc.) use end-to-end encryption?
- Does our cybersecurity system work across all of our platforms, devices, tablets, phones, and laptops, including personal devices?
- How do we know if there has been a cybersecurity breach?
- What is our response plan?
- What is the role of the board in the event of a cybersecurity incident?
- Do we regularly benchmark ourselves against others in the industry and assess our cybersecurity measures against alternatives on the market?
- Is our investment in cybersecurity enough?
10 steps boards should take for protection:
- Make sure there is a cybersecurity expert on the board (see pending House bill, Cybersecurity Disclosure Act of 2021);
- Hire a chief information officer (CIO) and/or a chief information security officer (CISO): having the right people is crucial;
- Appoint a cybersecurity board committee;
- Engage outside experts to conduct regular cybersecurity assessments, including penetration tests;
- Educate directors, officers, and all other employees about cybersecurity;
- Regularly address and deliberate on cybersecurity issues and document discussions; having an incident response plan in place before a crisis means the business can better respond and minimize the impact of a cyber incident;
- Adopt and employ a cybersecurity system and plan that is specifically tailored to your company’s most important assets and risks;
- Take out cybersecurity insurance and make sure it adequately covers potential risks for your company;
- Periodically assess potential cybersecurity threats and protections; and
- When a breach occurs, determine the scope of the breach, assess exposure, and comply with notification requirements.
Article written with the help of Cranfill Sumner LLP employee Devin Honbarger.