FW moderates a discussion on D&O liability in data privacy and cyber security situations between Richard Bortnick, a shareholder at Christie, Pabarue and Young, Jonathan Fairtlough, a managing director at Kroll, and Ann Longmore, an executive vice president at Willis.
FW: In your opinion, what are the key risks to D&Os arising from data and security breaches in the United States? Could you outline any recent ‘cyber liability’ cases of note?
Bortnick: Like other entrepreneurs, lawyers are typically on the look-out for the next big thing, economically speaking. You can count American securities fraud lawyers among these entrepreneurs. For many years, they prosecuted cases involving alleged accounting fraud. Then LIBOR became a significant source of litigation and the real estate bubble burst. Logically, it would seem that cyber- and technology-related risks and exposures are in plaintiffs’ lawyers’ sights. Best practices filter throughout an organisation from the top down. If D&Os ignore or even fail to account for the gravity of cyber, technology, and privacy risks and exposures, they are setting themselves up to be sued. The costs of a proactive loss avoidance and remediation strategy can be dwarfed by the response costs for those companies that haven’t created, implemented and properly tested such an approach. It should be a no-brainer. Sadly, it’s not. Which, of course, is music to the ears of lawyers, both plaintiff and defence.
Fairtlough: Leaders that fail to address cyber threats risk loss of income, loss of business reputation, and potentially loss of their position. Regulators and investors will hold management accountable for poor risk management. Look at the reality in just one field – healthcare. The Office of Civil Rights for Department of Health and Human Services has received over 85,000 complaints of HIPAA privacy violations this year. Of these, 30,000 required corrective action and 518 have been referred for criminal prosecution. The breaches compromised the data of over 28 million people. In August, Affinity Health Plan settled for $1.2m over failure to wipe copier data exposing 533,000 records. If your entity creates, receives, maintains or transmits PHI on behalf of a covered entity, HIPAA now governs your business.
Longmore: Cyber data and security breaches, if they are material to the firm and the business of the organisation, can result in D&O claims brought by shareholders and potentially regulators. Notable examples of shareholder actions include Heartland Payment Systems – an early shareholders’ securities class action brought back in 2008 following a stock drop after the disclosure of a significant data breach. The case was dismissed due to the plaintiff’s failure to sufficiently allege that the company had made false or misleading statements relating to its data security. Importantly, this decision pre-dates the US SEC’s cyber disclosure guidance, suggesting that the outcome of such a case might be different. In TJX Companies, Inc., shareholders brought a derivative suit following a significant data breach. The case settled back in 2010.
FW: What steps can D&Os take to prevent data breaches and cyber intrusion? What are the particular challenges and costs associated with mitigating these risks?
Fairtlough: Executives need to understand that perimeter cyber security can be strong, and breaches will still happen. A strong IT defence is still needed, but to achieve meaningful risk-based protection, businesses need to move from a 'boundary-based' mentality to the more nuanced and realistic viewpoint of 'defence in depth'. A company should institute additional controls and monitoring mechanisms to recognise intruder activity within systems, and to record what intruders do in the system. Track access to the crown jewels of corporate data. Examine workflow and policies to ensure that monitoring systems are geared to review the actions of employees, contractors, temporary workers, vendors or other third parties. The costs for risk mitigation are soft – they involve tasking monitoring responsibilities properly, ensuring regular training, and constantly reviewing data security policies.
Longmore: In today’s world, we have recognised that it is a matter of 'when' and not 'if' when it comes to cyber intrusions for most firms. To determine what preventative measures are best for an organisation, D&Os must first have an understanding of the challenges facing the institution. Fortunately, the National Institute of Standards and Technology (NIST) has begun to release its Preliminary Cybersecurity Framework to assist in understanding and reducing cyber security risks. Beginning with critical infrastructure – such as technology, telecommunications, finance, healthcare, transportation and the like – the NIST framework will include standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritised, flexible, repeatable, and cost-effective approach of the framework will help the board understand and participate in decision making as respects cyber security. Importantly, we expect the framework to facilitate board understanding and discussions of these risks in a robust manner not previously achievable.
Bortnick: In a nutshell, develop, implement and regularly update cyber security best practices. As such, it is imperative to spend capital up front to avoid the severe – and potentially company-threatening – negative impact of a cyber incident. At the outset, companies should look to attorneys who carry the attorney-client privilege to assist in creating and implementing a best practices-driven cyber incident avoidance and response plan on a company-wide basis. Virtually all entities, large and small, maintain clients’, customers’ and employees’ personally identifiable information, financial information and, in some cases, personal health information. And every such entity is a cyber incident away from losing their clients’, customers’ and employees’ trust – and business. Perhaps most importantly to a company’s senior management, the institution of a strong, company-wide cyber risk management program will cost a fraction of the expense and repercussions of a cyber incident. In other words, you can pay me now or pay me later. And if it is later, a company may have far bigger problems than trying to simply put the horse back in the barn.