There was a time when an organization's senior leadership could legitimately claim ignorance when a cyberattack occurred, but those days are long gone.
The seriousness of cybercrime is no longer “new” information. In 2022 alone, there were over 1,800 reported data breaches. Those breaches represented billions of exposed records and more than 400 million people affected. When you factor in unreported breaches, the numbers are beyond staggering.
When a healthcare organization, government office, school, or similar organization is entrusted with sensitive data, the expectation is that the data will be kept private. When data is stolen, the consequences are devastating. On top of the disruption of business, fines, and bad publicity for the institution itself, we are also starting to see senior leaders, including boards of directors, named in lawsuits based on data breaches. If you’re a board member, you must go above and beyond to ensure vulnerabilities are being addressed and compliance requirements are being met.
Setting the Stage for Liability
In the landmark 1996 Caremark case, a Delaware court ruled that directors can be held personally liable for failure to “monitor and supervise” an enterprise. While this decision did not speak directly to cyber incidents, the case is often cited as precedent for legal action against board members when negligence results in a cyber incident.
In 2014, Securities and Exchange Commission (SEC) Commissioner Luis Aguilar stated that boards have a duty to ensure corporate cybersecurity, to better educate themselves about cybersecurity, and to regularly manage cyber risk. This is another example often given regarding a board’s duty when it comes to cybersecurity protection, and we have started to see regulations imposing greater requirements on boards, including that they sign off on an organization’s cyber strategy.
In a 2022 Harvard Business Review article titled “Is Your Board Prepared for New Cybersecurity Regulations?”, Dr. Keri Pearlson and Chris Hetner point to new SEC requirements for public companies that are coming soon. Those changes are expected to include disclosure requirements regarding the organization’s cybersecurity governance capabilities and whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks. This not only enables action against negligent public companies but will set the stage for similar requirements from other regulatory bodies.
"Boards have a duty to ensure corporate cybersecurity, to better educate themselves about cybersecurity, and to regularly manage cyber risk."
- Jay Longley, Senior Consultant, Public Sector Specialist
Naming Boards in Lawsuits
Data breach litigation has become increasingly complex in the absence of a federal privacy law. This uncertainty opens the door to possible liability of corporate directors and officers for data breaches.
All organizations, nonprofits and for-profits alike, have an obligation to abide by applicable statutory regulations and legal precedent. Directors must uphold their fiduciary duty by swiftly addressing data privacy vulnerabilities or breaches and upholding strong cybersecurity measures.
In claims against the directors of Target and Home Depot a few years ago, the courts dismissed personal liability claims because cybersecurity monitoring was not considered a ‘known duty’ that was directly part of the boards’ responsibilities. However, recent rulings and the pervasiveness of cyberthreats have changed those expectations.
In California, a judge approved what is likely the first, but certainly not the last, California Consumer Privacy Act (CCPA) settlement against directors where plaintiffs have been awarded monetary damages. The ruling cited the growth of the cybersecurity industry, frequency and complexity of data breaches, and the extreme risk that data breaches pose to companies as a basis for establishing director fiduciary duty for cybersecurity measures.
As a result of the 2021 Colonial Pipeline hack, plaintiffs filed Dickerson v. CDPQ Colonial Partners, L.P., a class action suit asserting a negligence claim against the owners of the pipeline for failing to prevent the data breach.
Similarly, when criminal charges were filed against Uber’s former chief security officer James Sullivan, board members were also investigated. The guilty verdict against Sullivan in 2022 was not necessarily the end of the story; time will tell whether anyone else will be held personally responsible for the cover-up of Uber’s 2016 data breach.
How Can I Ensure I Am Doing My Duty as a Board Member?
Understanding what your responsibilities are as a board member, and ensuring your organization is protected, is critically important. We are here to help. Contact us today to discuss how to safeguard your systems and demonstrate that you are doing your due diligence to protect your organization.