In the performance of their duties, boards should remain cognizant of the legal threats that may arise in the event of a cybersecurity breach. In recent years, federal and state regulatory bodies have increased their focus on the cybersecurity practices of companies before, during and after a breach. Boards of directors will be expected to take a proactive role in supervising their companies’ cybersecurity controls and should account for applicable regulatory mandates or guidance in ensuring that such controls are appropriate.
In the realm of private litigation, the most likely legal threat to boards is shareholder derivative litigation brought in the aftermath of a breach. These suits, which have been filed following high-profile data breaches against companies such as Wyndham Worldwide and Target, typically allege that boards and executive management breached their duties of care and loyalty, wasted corporate assets and were unjustly enriched leading up to and in the wake of the data breach. If a board is informed and used reasonable business judgment, its decisions should be protected by the “business judgment rule.”[1]
Although directors do not have to become cybersecurity experts and may rely on information and reports from management and others regarding cyber risk, boards should be informed of the cyber risks facing the company and be satisfied that appropriate controls are in place. Boards should receive regular reports on issues such as the evolving cybersecurity threat and the company’s response, the incident response plan and other material cybersecurity issues.
In the event of a breach, boards should be informed about the scope of the breach and its business and legal implications, and should be updated as events unfold. Finally, because any regulatory inquiries or litigation would likely rely on written documentation of board supervision, the company should maintain a full record of the information provided to the board and the board’s consideration of cyber-related issues.
The board may want to engage outside counsel to evaluate the board’s meeting minutes and other materials with an eye toward production in the inevitable shareholder litigation. Outside counsel can also educate the board on its duties and present at a full board meeting on the adequacy of its materials and efforts.
[1] The business judgment rule is a legal doctrine grounded in the presumption that corporate officers and directors act in the best interests of the companies they serve and which protects their good faith, informed and reasonable business decisions from being second-guessed by courts. See, e.g., Palkon v. Holmes, et al, No. 2:14-cv-01234 (SRC), (D.N.J. Oct. 20, 2014) (dismissing derivative complaint against Wyndham Worldwide directors and officers for failure to adequately plead that the shareholders’ demand was refused in bad faith or without a reasonable investigation given the business judgment rule’s protections).
Key Takeaways for All Board Members:
- Be informed of the cyber risk facing the company and be satisfied that appropriate controls are in place.
- Be aware that legal threats may arise in the event of a cybersecurity breach.
- Take a proactive role in supervising your company’s cybersecurity practices.
- Ensure that cybersecurity controls account for applicable regulatory mandates.
- Require regular reports on evolving cybersecurity threats and your company’s response.
- Be sure that you are kept informed in the event of a breach.
- Consider hiring an outside consultant to audit the board’s meeting minutes to ensure they would support the company during shareholder litigation.