Cyber Risks: Bigger, Brighter Spotlights on U.S. Boards
Cyber Risks: Bigger, Brighter Spotlights on U.S. Boards
The board of directors is the pinnacle of an organization. It guides the strategic direction of an organization and provides needed governance and oversight for executive leadership. As the number of massive data breaches have increased significantly in recent years, boards have increasingly faced scrutiny over their fiduciary duties and role in safeguarding the organization from risk, including risks derived from the digital domain. Shareholder and class-action lawsuits have increasingly gone beyond the executive leadership and aimed at the director level, with greater and greater success. While every data breach scenario may appear to be unique, the types of impacts and the severity thereof are becoming ever-more evident and predictable. One such impact-trend that is developing is the liability of the board of directors.
Board Director Duties and Rising Regulations
Legal and regulatory scrutiny on boards has grown over the past several decades. In the landmark 1996 Caremark Case, a Delaware court ruled directors can be held personally liable for failure to “monitor and supervise” an enterprise. While not cyber-related, the case set a potential legal precedent for legal action against a board of directors in the event of cybersecurity negligence resulting in breach or incident. In a 2014 speech, then-Securities and Exchange Commission (SEC) commissioner Luis Aguilar clarified that boards have a duty to ensure corporate cybersecurity, to better educate themselves about cybersecurity, and to regularly manage cyber risk. Furthermore, recent regulations by the New York State Department of Financial Services and other regulatory entities have begun to impose greater requirements on boards, including that they sign off on an organization’s cyber strategy and certify the strategy with regulators. As momentum swings in this direction in both state and national legislatures, lawmakers have even clamored for jail time for senior executives and board members for failure to protect customers.
In Their Favor: The Wyndham and Target Breaches
Until recently, Federal rulings in U.S. data breach cases have largely favored boards. Wyndham Hotels and Resorts suffered three breaches of customers’ payment card information between 2008 and 2010 that resulted in nearly $10 million in fraudulent charges. While shareholders brought a derivative suit against the board in February 2014, it was dismissed in a Federal District Court on the grounds that the board behaved appropriately in initiating nearly a dozen meetings and launching internal inquiries to remedy the breach. Similarly, the Target board of directors survived the fallout from its December 2013 breach, wherein hackers stole the payment information of nearly seventy million individuals. A 2014 shareholder suit was dismissed by the court on the grounds the board had taken appropriate actions. Target’s board was reelected with little opposition, but agreed to hire an executive to execute a “comprehensive information security program” and advise the board on its implementation.
Changing Currents? The Home Depot, Yahoo, and Equifax Breaches
Three recent cases indicate the potential shift in board liability when it comes to cyber breaches. When Home Depot suffered a data breach of payment information in 2014, shareholders filed a lawsuit arguing in part that the board’s disbanding of its cyber risk committee represented negligence. While a Federal district court initially dismissed the suit, on appeal the company settled for just over $1 million to cover plaintiff legal costs, and would later settle a class action lawsuit with financial institutions for $25 million. Likewise, when Yahoo suffered the largest data breach ever—with Russian-sponsored hackers compromising all 3 billion user accounts between 2013 and 2014—the company’s successors settled both a class action lawsuit and a shareholder derivatives lawsuit. Verizon—Yahoo’s new owner—and Altaba—the residual non-acquired Yahoo holdings—agreed to pay $29 million in the shareholder derivatives case and a further $80 million to the class action lawsuit. These payments appear to be the first major board-directed settlements related to a data breach.
Most recently, as credit agency Equifax faces ongoing civil lawsuits for the 2017 breach that compromised the personal sensitive information of more than 127 million Americans, multiple shareholders and class-action lawsuits have merged into a broader suit against the company. Unlike previous cases, a federal court refused to dismiss the lawsuit entirely, instead limiting its scope to the CEO—as former chairman of the board—and the company itself. While the new board chairman and two other directors were reelected in 2018, they faced major opposition, with nearly one-in-three shareholders voting against them (versus the corporate average of one-in-one hundred). The final verdict in the Equifax class action and other lawsuits remains to be seen, but the board will likely face significant pressure to reach a settlement.
CyberVista is Here to Help
As cybersecurity concerns grow and massive data breaches continue, boards of directors will likely come under increased shareholder, regulatory, and legal scrutiny to maintain strategic cybersecurity guidance. Better understanding the legal, regulatory, and cyber risk landscapes can help boards guide their organizations and ensure greater protection against cyber threats. To better understand these and more cybersecurity-related challenges facing boards and executives, CyberVista is here to help. Our Resolve program is designed to quickly get senior executives up to speed on essential cyber compliance issues and ways to mitigate cyber risk. Be sure to check out our Digital Cyber Risk Seminars, which come with our complimentary Executive Cyber Briefings — a monthly newsletter that wraps the latest cybersecurity headlines, and explains how they impact your business — and our Practice What They Breach offering, a cyber risk tabletop exercise that will test leadership’s decision making during a data breach scenario.