The Risk Manager, Winter 2016

Attorneys frequently serve as officers and directors of corporations, whether for their own law firms, on a community bank Board, or for a local non-profit organization. In such a capacity, they are required to discharge their duties and responsibilities in good faith and by exercising ordinary care and diligence.1 Kentucky law explains that a director’s obligation requires an assurance that a system of internal control exists that the Board believes is adequate in concept and design to ensure that appropriate information comes to the Board’s attention in a timely manner so that the Board may respond appropriately.2

Enter the age of digitization and all aspects of business now rely upon Internet technology. With the use of such technology also comes the risk associated with it. In the last two years corporations have taken major ‘hits’, both financially and professionally, for cyber attacks that have resulted in the exposure and sale of personal information, medical records, and trade secrets. Shareholder derivative lawsuits have followed against the Boards of these companies seeking damages for the financial catastrophe that follows such a breach.3 As cyber attacks are now the norm in business and commerce, a corporate officer or director must consider cyber security as a part of the fiduciary responsibility owed to the business. As Securities and Exchange Commissioner Luis A. Aguilar recently stated, “Boards that choose to ignore, or minimize, the importance of cyber security responsibility do so at their own peril.”

As a corporate officer or director, attorneys are often looked upon to lead the way in bringing potential risks to a Board’s attention. While directors are not responsible to manage cyber security risks, they must oversee the corporation’s system of internal controls to be sure that management is doing the best job possible. Board members generally are not personally liable for a failure of such oversight “... unless there is a sustained or systematic failure of the Board to exercise oversight – such as an utter failure to attempt to assure that reasonable information and reporting system exists....” (Caremark Int’l, Inc. vs. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996)). However, where a Board has not engaged in any oversight of the corporation’s cyber security risk now that this risk is well-known, the directors could be individually liable for breaching their duties as outlined by Caremark.

Claims made against directors in pending shareholder derivative litigation where security breaches occurred have centered on two issues: first, did the directors breach their fiduciary duties by making a decision that was ill-advised or negligent, and second, did the directors fail to act when they knew or had reason to know of a cyber security threat. Allegations against corporate officers and directors have included the following inquiries:

  1. Did the Board fail to implement an effective cyber security program that addressed the potential risks to the corporation?
  2. Did the Board monitor its cyber security program to make sure it was current on cyber security risks in the marketplace?
  3. Did the Board assure itself that management was implementing and maintaining internal controls to protect personal and financial information of the business?
  4. Did the corporation have a breach response in place and was the Board in agreement that reasonable steps would be made to notify clients and customers if the company’s information security system had been breached?
  5. When a breach occurred, did the Board require management to comply with state and federal notification statutes, and oversee information disseminated to shareholders and third parties to confirm that it was not materially false or misleading?

Despite the well-publicized data breaches for commercial businesses such as Target,4 and government breaches at the Office of Personnel Management,5 among others, a recent survey found that nearly one-half of corporate directors had not within the past year discussed the company’s crisis response plan in the event of a breach.6 Similarly, 67% had not reviewed the company’s cyber insurance coverage, if any, and nearly 60% had not discussed hiring an outside security consultant to review its cyber security plan.7

To ensure that an attorney officer or director is fulfilling the good faith obligation on an informed basis, and in a manner that is in the best interests of the corporation, discussion about cyber security issues needs to be held in the Board room on a routine basis, and documented in the corporate minutes. Management of the corporation needs to be asked:

  1. What are our corporation’s most valuable assets? (Information? Money? Trust from clients?)
  2. How is our cyber security plan protecting these assets? Is there more that can be done?
  3. Do we have employee policies on using our company’s Internet, cloud system, and website? Are employees being trained on these policies? Are employees aware of cyber risks for the business, and trained to identify them on our systems?
  4. What cyber security controls are in place for third party vendors? Do we monitor those controls? Do we audit the third party vendors to be sure they use those controls?
  5. Do we have sufficient staff, and have we budgeted sufficient funds, to address cyber security risks for the business? Is an outside consultant needed to discuss these issues with the Board?
  6. Do we have a data breach response plan in place? Who is responsible for its implementation? Have we tested the plan? What role does the Board have in that plan? How do we directors respond to clients and the public about data breaches?
  7. Do we have cyber liability insurance? If we do, then what does it cover? If we don’t have cyber liability insurance, why did management decide not to purchase it?

While corporate Boards are comfortable in reviewing financial issues and overseeing management, unfamiliarity with cyber security issues affecting the business requires directors to become educated about the subject. A Board member doesn’t need to know how to configure a firewall, but the director does have a fiduciary responsibility to understand what cyber security risks affect the corporation, and what impact a breach would have upon the organization. Discussions need to take place in the Boardroom so that all directors and officers can attest that management has taken the necessary measures to protect the company’s most critical assets, and can effectively respond to a data breach. Because, as cyber security experts routinely explain, “It’s not a matter of if we have a breach, but only a matter of when it will occur.”

Endnotes

  1. Kentucky Business Corporation Act (“KBCA”) KRS 271B.8-300(1); KRS 286.3-065.
  2. KRS 271B.8-300(2).
  3. Shareholder derivative litigation for data breaches is currently pending against directors of Target Corporation; Wyndham Worldwide Corporation; TJ Companies, Inc., and Heartland Payment Systems, Inc., to name a few.
  4. The breach at Target was the result of hackers exploiting the heating and air conditioning vendor it utilized.
  5. Foreign hackers obtained personnel information, including fingerprints from past and present federal government employees.
  6. Internet Security Alliance, NACD, “A cyber security action plan for corporate boards,” Navigating the Digital Age: The Definitive Cyber Security Guide for Directors and Officers, Claxton Business & Legal, Inc. (October 2015).
  7. Id.