Cyber liability: boards in the crosshairs
May 2015 | EXPERT BRIEFING | RISK MANAGEMENT
financierworldwide.com
Cyber risk is shaking corporate boards by the collar. Last year, the number of worldwide data security incidents of any type soared to 42.8 million, a 48 percent increase from the previous year, according to the 2015 Global State of Information Security Survey. In the United States, the number of tracked data security breaches hit a record high of 783 in 2014, compromising at least 85.6 million records, according to Identify Theft Resource Center (ITRC). Clearly, no enterprise in any industry anywhere in the world is immune from a data breach.
In the latest development for executive management, shareholders at two US companies have filed derivative-action lawsuits in an effort to hold their organisations’ directors and officers liable for those breaches. The federal judge hearing the first of those lawsuits to be resolved – filed against Wyndham Worldwide Corp. and its board – has dismissed that case.
The Wyndham ruling was a significant legal victory for the defendants, but it also provides an important lesson for boards on every continent. In the high-stakes game of data security and cyber liability, the ruling underscores the importance of boards taking the lead in examining and promoting policies designed to protect the private information that third parties entrust to organisations. Those efforts, however, should go beyond the hacking risk at the centre of the Wyndham case and include all data security threats.
The Wyndham case concerned three hacking attacks (between 2008 and 2010) against the corporate parent and its hotels. The attacks, which compromised the personal information of about 600,000 customers, triggered a US Federal Trade Commission investigation and two separate shareholder demands that the board investigate the breaches and sue the company.
The board denied both shareholder demands. In responding to the second one, it noted that it had met 14 times and its Audit Committee had met 16 times between October 2008 and August 2012 to discuss data security and propose improvements, which Wyndham began implementing after the second attack.
Dissatisfied with the board’s response, a shareholder filed a derivative-action lawsuit against the company and its board in February 2014. The plaintiff alleged that the company failed both to implement adequate data security measures and disclose the breaches in a timely manner, resulting in reputational harm to the company and significant legal costs. Given those allegations, the board should have sued the company, the shareholder alleged.
In dismissing the case in October 2014, a US federal judge ruled that under the business judgment rule, courts give boards wide latitude on how to respond to shareholders’ demands. When a board rejects a demand, a shareholder who responds with a derivative-action lawsuit must demonstrate that the board’s decision was, among other things, based on an unreasonable investigation. In rejecting that allegation against Wyndham’s board, the court noted the 30 meetings the board and its audit committee held on data security. The court explained that the board “was free to consider” those meetings, the security measures Wyndham already had in place when the first breach occurred, and the measures the company subsequently implemented as “potential weaknesses” that could doom any legal action the shareholders might take against the company.
The ruling provides a general idea of what sufficient board oversight of data security policy entails. But judges in different jurisdictions, not only in the United States but around the world, could set more rigorous guidelines. That is critical, especially given that most boards globally remain uninvolved in their organisations’ data security policies, according to the Global State of Information Security Survey.
The Wyndham ruling also addressed only breaches resulting from hacking attacks. While hacking was the leading cause of breaches in 2014, it accounted for only 29 percent according to ITRC. That means 71 percent were attributable to a combination of other causes, including subcontractors or other third-parties, accidental exposures, employee negligence, insider theft and lost equipment.
Additionally, the Wyndham case highlights only a few costs associated with a breach: defending against a lawsuit and a regulatory action. A victimised organisation also faces other third- and first-party costs. Third-party costs include indemnification of various parties – customers, employees and business partners – whose private information was compromised. First-party costs include victim notifications and retaining a law firm to guide the company through the dozens of victim-notification laws around the United States, a forensic firm to investigate how the breach occurred, a professional negotiator to handle any extortion demands, and a public relations firm to protect the company brand. A victimised company also might have to establish a special customer call centre.
And a hacking attack that shuts down a key company website or an operation could result in business interruption losses.
Boards, therefore, should consider a series of best practices designed to ensure their organisations are taking reasonable steps to protect private data from all kinds of risks. Those practices include: (i) developing a formal, comprehensive information security and privacy policy that is regularly reviewed and updated. The plan should include the basics of protecting private individual information not only stored on company servers but also accessible from mobile devices; (ii) routinely conducting penetration tests of the data security system, inspecting for weaknesses and security holes; (iii) establishing an incident response plan which should identify the internal team responsible for reacting to a breach; (iv) having network security and privacy legal counsel on retainer and a post-data breach vendor under contract to assist in coordinating the company’s response; and (v) creating a business continuity plan that is reviewed and tested annually.
If the company is large enough, appoint a chief privacy officer and a chief information security officer, each with direct reporting relationships to the board. For smaller companies that use the cloud, contract with a cloud provider whose operations have been audited; since most cloud providers offer one-sided indemnity agreements with smaller companies, cyber liability insurance protection should be considered.
The Wyndham case and data security breach trends highlight the importance of corporate boards understanding their organisations’ cyber liability risks and being a proponent for company policies designed to both harden data security and trigger immediate loss mitigation responses if a breach occurs. In examining cyber liability, courts may give boards a wide berth under the business judgment rule, but jurists will want to see evidence of reasonable board judgment and action.
Anthony Galban is senior vice president for the Chubb Group of Companies. He can be contacted on +1 (908) 903 4590 or by email: galbant@chubb.com.
© Financier Worldwide
BY
Anthony Galban
Chubb Group of Companies