Reported data breach incidents are on the rise, exposing intellectual property, trade secrets, customer data and financial information – often resulting in serious damage to the company’s brand and reputation, along with costly litigation and governmental investigations. The risk to corporate assets from hackers breaching network security is obviously serious. For example, a U.S. company suffered a security breach resulting in 38 terabytes of intellectual property and other sensitive data stolen from its computers. In another instance, the FBI reported in 2011 that a company lost 10 years’ worth of research and development data valued at $1 billion – virtually overnight. And of course in late 2013, Target experienced a massive data breach, resulting in more than 80 lawsuits, as well as multiple federal and state investigations by regulators, and the resignations of the CIO and the CEO.
Underscoring the significance of the risk posed by cyber criminals, the chair of the SEC, Mary Jo White, said during a cyber security roundtable in March that cyber threats are “of extraordinary and long-term seriousness. They are first on the [SEC’s]…list of global threats, even surpassing terrorism.”
Director and Officer Responsibilities and Risks
In the data protection and cyber security space, director and officer duties are extensive, and, while still evolving, they generally include the following:
– The duty to allocate adequate resources to ensure that a viable corporate cyber/information security system exists and is commercially reasonable;
– The duty to exercise due care, act as a prudent person and make informed business judgments about the security of information possessed by the corporation; and
– The duty to ensure a legally compliant response and remediation plan is in place in the event of a data breach.
When a company experiences a major data breach, the business, its officers and its directors should be prepared for litigation. For example, recent data breaches at both Target and Wyndham Worldwide Corporation were followed by shareholder lawsuits against directors and officers. The lawsuits include allegations that the leaders and board members failed to direct and implement sufficient cyber security protections against such data breach incidents.
Some Ways to Protect the Company and Limit D&O Exposure
– Regularly review and assess whether the company’s security procedures are reasonable, with sufficient resources, under the circumstances. Consider the following proactive steps as part of this review:
• Use the federal government’s recently published “Framework for Improving Critical Infrastructure Cybersecurity” as a basis for evaluating your company’s computer security plan, or for establishing one;
• Establish a qualified Cyber Security Committee of the Board of Directors;
• Designate and hire a qualified Chief Information Security Officer;
• Mandate regular reporting by the Cyber Security Committee and the Chief Information Security Officer to all directors and officers, ask questions, and stay informed so that you can make informed business judgments on these issues;
• Direct that an inventory and data mapping be conducted to identify where protectable data is located within the company, in order to ensure that commercially reasonable security measures have been taken to protect it. Consult the FTC web site for computer system security tips (http://business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems);
• Require an immediate assessment of your vendors’ security practices and address data security requirements in your contracts with them.
– Direct the creation of an appropriate data breach response team.
– Evaluate existing insurance coverage and/or the need to supplement it (e.g., with D&O insurance or CyberRisk insurance).
– Ensure that your company complies with insurance provisions that require notice to the insurer as a critical prerequisite to funding your defense in litigation or paying any resulting judgment.
– Understand your right to have the company defend and/or indemnify you by reviewing applicable corporate documents, such as the Articles of Incorporation and By-Laws, and understanding applicable exceptions to those rights.