Cyber security from the top down: directors take on the challenge of data security risks

January 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

With the ever-increasing business risk relating to cyber security, there is an evolving expectation that directors will not only understand the risk, but also will implement reasonable measures to protect consumer and personal data, as well as intellectual property and technological infrastructure. Data breaches are no longer solely the purview of the information technology department. Breaches can have a substantial impact on a company’s operations and reputation, and can result in litigation and costly out-of-pocket expenses related to the necessary responses to a breach. The far-reaching effects of data breaches have resulted in cyber security becoming one of the primary risk concerns of directors of public companies. Furthermore, increasing shareholder litigation against directors for failing to stop or control data breaches and for failing to adequately manage the aftermath of breaches, illustrates that directors must also take into account possible personal risk of liability in the wake of a data breach.

While cyber security may be a relatively new risk for directors, the legal standards applicable to determine potential director liability were first articulated by the Delaware Court of Chancery almost two decades ago. The decision of the court in In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996), focused on allegations of corporate directors’ duty of oversight. The Caremark court held that this theory was one of the “most difficult” theories of directory liability to sustain. As the evolving duty was later refined by the Delaware Supreme Court, a breach of the duty of oversight has come to require that the directors “(a) … [have] utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention”. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). While this test sets a high bar for plaintiffs, directors defending such claims will be best protected if they can establish that they understand both their company’s technological risks and the pertinent regulatory landscape, and that they have established and enforced corporate programs designed to counter the risk.

There are three basic components to establishing an effective cyber security program. First, companies must elevate cyber security risk to a board-level issue. Since 2011, the US Securities and Exchange Commission has identified cyber risk and breaches of cyber security as items for discussion and disclosure by public companies. As such, directors cannot delegate the responsibility for assessing and protecting against this risk solely to the information technology group – as businesses have traditionally done in the past. Most public company directors are aware that they are expected to understand and guard against the impacts of cyber security risk on their businesses. Still, the educational process is in its infancy. In a recent NYSE Governance Services survey, 20 percent of directors said they lacked confidence in their boards’ understanding of cyber security risk.

The challenge for directors is to ensure that they are receiving appropriate information internally about cyber risk. To effectively consider the full scope of cyber security issues within a business, senior management, lawyers, risk management personnel and public relations professionals will often need to be involved in the analysis and discussions. Directors must have a process in place to continuously assess the unique threats their businesses face, since, while the level and types of threat varies from business to business, no business is immune. A logical starting point to understanding the peculiar issues that affect an individual business may be to obtain a third-party security assessment of the strengths, weaknesses and vulnerabilities of that company’s information technology infrastructure. Alternatively, a company may perform its own internal assessment using the National Institute of Standards and Technology’s ‘Framework for Improving Critical Infrastructure Cyber Security’ or a similar framework. Some boards have also considered adding a director with technological expertise, similar to the addition of directors with financial expertise, following the increased regulation imposed after the recent financial crisis. Either way, boards must find a way to educate themselves on the risks before they can properly address them.

Secondly, directors must become educated on the particular laws and regulations governing data security in their own industries. For instance, financial companies are subject to Gramm-Leach-Bliley’s requirements, while hospitals, pharmacies, clinics and applicable vendors, to name a few, are subject to the Health Insurance Portability and Accountability Act and its corresponding privacy and security obligations for protecting patient data. Federal law is the source of many data security obligations, but obligations also arise from many other sources, including contractual requirements. Most notably, companies that store, process or transmit credit card data are subject to the Payment Card Industry Data Security Standards via contract. Although many companies are not in industries that are subject to any of these requirements, it is a mistake to conclude that such companies do not have any legal obligations relating to data protection and cyber threats. For example, any company that suffers a breach affecting social security numbers may have an obligation under state data breach notification statutes. Even the loss of a username and password can trigger obligations to disclose a breach to the owner of the affected credentials under certain state laws.

There are many different sources of legal obligations related to cyber security and many companies are subject to more than one regulatory regime. Directors will benefit from being familiar with all of the applicable laws, so they can develop a cyber security strategy designed to address all legal requirements and prioritise security measures.

Thirdly, companies should conduct a full-scale review of their insurance policies, as traditional commercial general liability policies may not cover liabilities arising from a data breach. Companies looking for insurance coverage for a breach should consider a specialised cyber liability policy. Not all such policies will include the same coverage, however, so it is important to understand the company’s unique cyber security risk and to assess whether a proposed policy includes adequate protection. This will include considering whether there is coverage for lawsuits against directors and officers, credit card breaches, or the compromise of a third-party vendor such as a cloud computing provider.

The threat of attacks against corporate data and information systems is not going away. Boards that position their companies to avoid potential breaches and that are prepared for a breach should one occur, will reap legal and operational benefits in the long run. Fully prepared companies will be less vulnerable to attack and more resilient in their responses. The result will be companies better positioned to take advantage of technology, with better protected corporate and consumer data and technology systems.

Frances Floriano Goins is a partner and chair of the Data Privacy & Information Security Group, and Gregory Stein is vice chair of the Data Privacy & Information Security Group, at Ulmer & Berne LLP. Ms Goins can be contacted on +1 (216) 583 7202 or by email: fgoins@ulmer.com. Mr Stein can be contacted on +1 (216) 583 7446 or by email: gstein@ulmer.com.

Frances Floriano Goins and Gregory Stein

Ulmer & Berne LLP