Cybersecurity and the board of directors: avoiding personal liability – Part I of III
By Steven L. Caponi, Contributing author for Compliance Complete
NEW YORK, July 25 (Thomson Reuters Accelus) – The likelihood of a cybersecurity breach hitting one’s company in the near future is as certain as will be the resulting drop in shareholder value, finger pointing, fines, regulatory headaches and civil litigation alleging the board was asleep at the wheel in the face of a known danger. In a letter to the Chairman of the Securities and Exchange Commission from five U.S. senators, including Commerce committee Chairman Jay Rockefeller, the Senators noted:
“Every day, malicious actors attack and disrupt computer networks to steal valuable trade secrets, intellectual property, and financial and confidential information, causing significant damage to the United States Government, our citizens, our business, and our country.”
The question every board member must answer is whether the actions they are taking today to protect their company’s digital assets are sufficient to withstand the Monday morning quarterbacking that will occur after a cyber incident.
This article is the first installment of a three-part series intended to help boards of directors better understand the breadth of their fiduciary obligation to manage the looming cybersecurity threat. Installment II will elaborate on the nature of the cyber threat and the severe impact it is having on American business. Part III will discuss strategies and best practices that directors should adopt to thwart the inevitable cyber attack, position their company to respond to a cyber incident, and minimize the potential of personal liability for failing to meet their fiduciary obligations.
It is axiomatic that directors have a fiduciary duty to protect their corporation’s important assets. Historically, important assets included mostly tangible items (buildings, machinery, factories) or intangible assets (intellectual property, business plans, customer data) that were stored in physical form, such as on paper or on disk drives. Guarding these assets from third parties was fairly straightforward, involving security guards, fences, and locks on filing cabinets. In the event of a security breach, the scope of the harm to one’s company was generally limited by the inability of thieves to abscond unseen with a large volume of tangible assets.
In today’s world, however, many companies maintain their most valuable assets in digital form. Business plans, source code, customer lists, secret formulas, legal documents, and financial projections are routinely transmitted over the Internet via e-mail, accessible from home computers, and stored in cyberspace. Thieves no longer must physically enter a company’s facility to steal. Rather, an individual on the other side of the globe or right next door can, with equal impunity, silently steal a company’s most prized possessions by breaching its network. Most troubling, because thieves make a digital copy and do not steal the original, a theft can go undetected for years – if not indefinitely. Information that once filled floors of locked filing cabinets watched over by tight security can now fit onto an easily concealed portable hard drive.
Due to the evolving nature of the risk, there is a lack of authority discussing the scope of a board’s obligation to address cybersecurity. Obviously, directors’ fiduciary duties will extend to the protection of significant digital assets. The more difficult question to answer is: What are the contours of a director’s fiduciary obligation when it comes to cybersecurity? Can the board simply rely upon its IT department to address cybersecurity, or do directors have an obligation to educate themselves on the nature of their company’s technology? Should boards place responsibility for cybersecurity with the audit committee or establish a separate cybersecurity committee? Should cybersecurity be a topic of every board meeting or addressed only when there is a breach?
As discussed below, the answer to these vexing questions is almost always “it depends”. Like all risks, the extent of a director’s obligation and the amount of attention an issue should receive at the board level will depend on such things as the nature of the company, the foreseeability of an attack, and the potential severity of a cyber breach. In common parlance, how many and how bright are the “red flags”?
State of the law
This article, like other efforts to anticipate developments in the law, seeks to divine how courts will rule when faced with a breach of fiduciary duty claim prompted by a cyber breach. It is necessary to start such a discussion by first considering the allegations likely to be levied against a typical director. Our discussion will rely upon the following vignette:
Company X is publicly traded and engaged in the business of selling green technologies worldwide. The Company’s network is hacked by an outside party who obtains customer information and technical documents related to a more efficient solar cell. Following the public disclosure of the cyber attack, Company X’s share price drops by 9 percent within five days, response costs exceed $10 million, and several consumer class action lawsuits are filed. Shortly after the breach, several large pension funds initiate derivative litigation against the board of directors alleging that the loss in shareholder value and harm to the company was a direct result of the directors’ failure to proactively address cybersecurity.
Under the above fact pattern, the crux of the derivative suit will rest on one of two theories tied to the failure of directors to pay appropriate attention to cybersecurity. The first theory will blame the loss on a decision of the board that was allegedly ill-advised or negligent. The second theory attributes the loss to the “unconsidered failure of the board to act” under circumstances in which due attention would have prevented the loss.
A challenge to the sufficiency of a board action (i.e. decision) invokes the duty of care and is unlikely to prevail. Absent a finding of bad faith or failure to act rationally, decisions of the board – no matter how questionable with the aid of hindsight – will generally be protected from judicial second-guessing under the director-friendly business judgment rule. Even if one were to establish gross negligence necessary to overcome the presumption granted by the business judgment rule, most companies have adopted charter provisions under the Delaware Code, Title 8 § 102(b)(7), insulating directors from personal liability resulting from a breach of their duty of care.
The second theory, regarding the failure to act, invokes the duty of loyalty and the holdings of Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) and its progeny. A Caremark claim rests on the presumption that the directors set in motion or “allowed a situation to develop and continue,” which caused the corporation to suffer a loss and “that in doing so they violated a duty to be active monitors of corporate performance.” (Caremark, 698 A.2d at 967). Known as oversight liability, Caremark requires directors to ensure the enterprise maintains reporting systems sufficient to keep the board informed of the risks facing the company and its business performance.
Caremark liability will arise in one of two circumstances: (i) failing to implement any reporting system; or (ii) after implementing a reporting system, consciously failing to monitor or oversee its operations, “thus disabling [the board] from being informed of the risks or problems requiring their attention.” What is critically important for every director to know is that Caremark claims premised on the failure to act in the face of a known duty to act constitute a breach of the duty of loyalty. Under Delaware law, a breach of the duty of loyalty is not exculpated under section 102(b)(7). Goldman Sachs, 2011 WL 4826104, *18 (Del. Ch.). Thus, the failure to address cybersecurity can lead to personal liability.
In Delaware, the case law clearly holds that making no decision can be worse than making a bad decision. A prudent board of directors should conclude that managing cyber risks requires affirmative action by directors to defend against cyber attacks and the proactive implementation of procedures to respond in the event of a cyber breach. The open question facing directors is: What amount of attention should be devoted to cybersecurity?
As noted previously, when courts or juries are asked to decide the appropriateness of board actions, or in some cases their failure to act altogether, the focus will inevitably turn to a discussion of “red flags.” The Caremark standard is focused on whether the board’s actions were commensurate with the magnitude of the risk facing the company. If the risk is negligible given the size of the enterprise, then the board may not have to consider the matter. Conversely, if the risk could jeopardize or seriously damage the enterprise, then courts will expect the matter be given the serious consideration it deserves.
The next installment of this series discusses the “red flags” surrounding cybersecurity, including the nature of the risk posed by cyberattacks, their frequency and the potential impact that attacks can have and are having on businesses both large and small. Armed with this information, directors can begin to assess the cybersecurity risk facing their company and consider what steps should be taken to avoid personal liability and discharge their fiduciary duties.
(Steven L. Caponi is a partner at Blank Rome LLP. His national litigation practice covers all facets of business litigation, including corporate and IP matters, cybersecurity, M&A litigation, and securities litigation. He can be reached at Caponi@BlankRome.com.)
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)