Attorneys frequently serve as officers and directors of corporations, whether for their own law firms, on a community bank Board, or for a local non-profit organization. In such a capacity, they are required to discharge their duties and responsibilities in good faith and by exercising ordinary care and diligence.1 Kentucky law explains that a director’s obligation requires assurance that a system of internal control exists which the Board believes is adequate in concept and design to ensure that appropriate information comes to the Board’s attention in a timely manner, so that the Board may respond appropriately.2
In the age of digitization, all aspects of business now rely upon Internet technology, and with the use of such technology comes the risk associated with it. In the last two years, corporations have taken major ‘hits’, both financially and professionally, from cyber attacks that have resulted in the exposure and sale of personal information, medical records, and trade secrets. Shareholder derivative lawsuits have followed against the Boards of these companies, seeking damages for the financial catastrophe that follows such a breach.3 As cyber attacks are now the norm in business and commerce, a corporate officer or director must consider cyber security as a part of the fiduciary responsibility owed to the business. As Securities and Exchange Commission Commissioner Luis A. Aguilar recently stated, “Boards that choose to ignore, or minimize, the importance of cyber security responsibility do so at their own peril.”
As corporate officers or directors, attorneys are often looked upon to lead the way in bringing potential risks to a Board’s attention. While directors are not responsible for managing cyber security risks, they must oversee the corporation’s system of internal controls to be sure that management is doing the best job possible. Board members generally are not personally liable for a failure of such oversight “... unless there is a sustained or systematic failure of the Board to exercise oversight – such as an utter failure to attempt to assure that a reasonable information and reporting system exists....” (In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996)). However, where a Board has not engaged in any oversight of the corporation’s cyber security risk, now that this risk is well-known, the directors could be individually liable for breaching their duties as outlined in Caremark.
Claims made against directors in pending shareholder derivative litigation where security breaches occurred have centered on two issues: first, did the directors breach their fiduciary duties by making a decision that was ill-advised or negligent, and second, did the directors fail to act when they knew or had reason to know of a cyber security threat. Allegations against corporate officers and directors have included the following inquiries:
Despite the well-publicized data breaches at commercial businesses such as Target,4 and government breaches at the Office of Personnel Management,5 among others, a recent survey found that nearly one-half of corporate directors had not, within the past year, discussed the company’s crisis response plan in the event of a breach.6 Similarly, 67% had not reviewed the company’s cyber insurance coverage, if any, and nearly 60% had not discussed hiring an outside security consultant to review its cyber security plan.7
To ensure that an attorney officer or director is fulfilling the good faith obligation on an informed basis, and in a manner that is in the best interests of the corporation, discussion of cyber security issues needs to be held in the Boardroom on a routine basis and documented in the corporate minutes. Management of the corporation needs to be asked:
While corporate Boards are comfortable reviewing financial issues and overseeing management, unfamiliarity with the cyber security issues affecting the business requires directors to become educated about the subject. A Board member doesn’t need to know how to configure a firewall, but the director does have a fiduciary responsibility to understand what cyber security risks affect the corporation, and what impact a breach would have upon the organization. Discussions need to take place in the Boardroom so that all directors and officers can attest that management has taken the necessary measures to protect the company’s most critical assets, and can effectively respond to a data breach. After all, as cyber security experts routinely explain, “It’s not a matter of if we have a breach, but only a matter of when it will occur.”