“Boards that choose to ignore, or minimise, the importance of cybersecurity oversight responsibility, do so at their own peril,” said Luis A Aguilar, commissioner at the US Securities and Exchange Commission (SEC), in June 2014.
Cybersecurity risk is so pervasive that it is causing an evolution of board members’ ethical and fiduciary duties to require they stay reasonably informed of cybersecurity risks and exercise appropriate oversight in the face of those now well-known risks.
Efforts by legal and regulatory authorities to hold members personally responsible for failing to comply with these duties are underway, with the aim of protecting investors and data subjects injured by cybersecurity incidents. While these efforts have not yet been successful, the trend will likely change. Members can comply with these obligations by leading from the top to create a security-focused culture and ensuring the company implements an appropriate cybersecurity risk-protection programme.
Attacks are inevitable
In October 2014, Robert Mueller, director of the FBI, said: “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” Statistics affirm this statement. In May 2014, a study by FireEye examined 1,217 organisations around the world and found 97 per cent of those organisations had been breached in the preceding six months.
The words ‘data breach’ became part of many people’s vocabulary in 2014 as they learned about the Target, Home Depot, eBay and Michaels breaches. It became solidified when the year closed with news of the catastrophic Sony breach. The trend has continued in the first quarter of 2015. Anthem is likely the largest healthcare data breach in US history. Shortly afterwards, the global banking breach of more than 100 banks in 30 countries potentially earned cybercriminals $1 billion. Given the lucrativeness of cybercrime, this trend will surely continue.
For years, cybersecurity professionals have said: “It is not a matter of if a company has a data breach, but when.” The familiarity the business community now has with this statement explains why board members’ duties regarding cybersecurity are evolving. It is no longer reasonable for anyone – certainly a board member – to not be familiar with the threat of cybersecurity risk.
“The initial breach of the company’s systems is not what causes the harm… it’s the inability to quickly detect, mitigate and respond to it”
Companies have a duty to prepare
While the situation may sound hopeless, there are several reasons why it is vital for companies to prepare. Ninety per cent of the data breaches from the first half of 2014 could have been prevented by better cybersecurity practices, according to a study by the Online Trust Alliance. Of those breaches, many were phishing attacks that can be minimised with education and training. In some cases, basic preparation can be more effective than expensive and complicated tools.
In many cases, the initial breach of the company’s systems is not what causes the harm. Instead, it is the inability to quickly detect, mitigate and respond to the breach that causes the problems. While companies may not always be able to prevent data breaches, by implementing reasonable measures to detect, mitigate and respond to breaches, companies minimise their impact. This may explain why, in the author’s experience, following a breach, authorities always want one question answered: “What steps did the company take to prepare before the breach occurred?”
A cybersecurity risk-protection programme can lower a company’s risk of breach and, should one occur, lessen its negative impact. Documented evidence of the programme will help show authorities the company took reasonable measures before the breach. This can help dissuade them from assessing severe penalties. This can also be very valuable for public relations, which can be vital for minimising the negative impact on the business.
Cybercriminals are highly motivated, often skilled experts, who continue refining their techniques as defences adapt. To combat this, the programme should include experts from different disciplines who understand cyber risk and work together as a team with the company. An effective programme is not a one-time event. It is an ongoing process that should include these phases: overall cyber risk assessment; strategic planning for findings; implementation and training; effectiveness and readiness testing; and regular reassessment and refinement to adapt to new threats.
Duty of care requires companies to prepare
In early data breach lawsuits, plaintiffs had little success and their cases were dismissed quickly. The trend is changing. Courts are allowing these cases to proceed, as seen in the December 2014 ruling in the Target breach litigation. In that ruling, the court found companies have a duty to safeguard customer data, to not disable security features that would prevent a data breach, and to heed warnings of an attack and respond appropriately.
While the courts address companies’ duty of care, so too do administrative agencies, such as the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC) and the Federal Financial Institutions Examination Council (FFIEC). The courts and agencies are reaching the same conclusion – companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
Evolution of board’s duty
The board’s duty is also evolving. To encourage compliance with these duties, agencies are directing their message to corporate boards and emphasising cybersecurity’s importance as a pillar of corporate governance. Data breach lawsuits test new theories aimed at board members in order to reach directors and officers liability (D&O) insurance and members’ perceived deep pockets, and to pressure members in the belief that they will encourage settlements if they too are defendants.
Also increasing are shareholder derivative suits against directors and officers of companies following a data breach. These too have been unsuccessful, so far. Recently, pre-breach diligence by the board of Wyndham Worldwide Corp saved it from changing the trend by persuading the court to dismiss the case against it on 20 October 2014 in Palkon v. Holmes.
The court found the board had satisfied the business judgement rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks. The well-documented history of diligence and compliance showed the board had discussed cybersecurity risks, company security policies and proposed security enhancements in 14 quarterly meetings and had implemented some of those cybersecurity measures. The board’s diligence likely kept it from changing the trend.
While efforts to hold board members responsible for company breaches generally have been unsuccessful, like other data breach-related trends, this too will likely change. Looking at the bigger cyber issues picture, the trend is moving toward holding responsible those who are perceived as having been in a position of control and finding in favour of those who are perceived as the victim. In this context, those in control are often the board and the perceived victims are either individuals whose personal information was compromised or shareholders of the company who lost millions as a result of breach-related expenses.
The board is charged with these responsibilities because it has the ability to bring about the needed changes. It can do the following things to uphold its ethical and fiduciary duties to the company, minimise its cyber risk and avoid being a lawsuit target.
First, establish a company culture that focuses on security. Second, stay reasonably informed of cybersecurity risk issues. Third, exercise appropriate oversight by ensuring compliance with an adequate cybersecurity risk protection programme.
A wise board will heed this warning.
About The Author:
Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud and intellectual property law. Shawn is a frequent author and speaker on these issues and has used social media to help build his practice. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.