Cyber risks and the impact on company directors
July 2014 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
A series of high profile data breach incidents have put the spotlight on the increasing regularity of such incidents, the significant associated costs and the potential exposure to boards of directors. As businesses grow increasingly reliant on computers, the internet and the data that flows on and from these technologies, they also increasingly expose themselves to the risk of data breaches.
Cyber-attacks and data breach incidents are becoming increasingly diverse and sophisticated, and of increasing public interest. High profile, publicity-seeking attacks can bring a company’s IT systems to a standstill, but many attacks that do not seek publicity simply target valuable user and client information held on these systems.
Data breaches can leave directors and officers of attacked companies vulnerable to civil suits for breaches of privacy legislation, corporate regulation or claims of misleading and deceptive conduct. In this regard, there are lessons to be learned from recent high profile incidents and the resultant legal actions against companies and their directors.
The most high profile incident in recent years was the attack of Sony’s PlayStation Network in April 2011. Hackers stole encrypted credit card details of 77 million users and the breaches cost Sony a reported US$170m.
A month after the breach was announced, Sony’s share price on the New York Stock Exchange dropped 6 percent. A significant factor in the drop related to Sony’s poor handling of the incident, including its inability to identify the scope of the attack until well after it had occurred.
Sony and its affiliated companies were hit by over 58 class-action lawsuits commenced in various jurisdictions, including California and New York, which accused Sony of negligence and breach of contract for allowing the theft of personal data. The key issue in these cases was not whether Sony was liable but whether damages could be established.
However, the UK Information Commissioner’s Office, responsible for upholding information rights and data protection in the UK, fined Sony $378,000 for a serious breach of UK data protection laws.
In October 2013 Adobe announced a major data breach that included the theft of passwords and identifying information. Adobe subsequently admitted the breach affected over 38 million accounts (later confirmed at closer to 152 million customers, making the Adobe breach the largest ever disclosed) and involved the theft of Acrobat source code.
After the initial announcement Adobe’s share price immediately dropped 1.4 percent, but recovered in the weeks following. However, there is concern that Adobe did not follow best practice for securing passwords, as it failed to ‘salt’ its password data (where a random value is added to every password before it is hashed, so that identical passwords do not produce identical stored values and precomputed cracking tables are harder to apply).
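The salting practice referred to above, shown as an added example that is not part of the original article and not Adobe’s own code: it contrasts an unsalted digest, where every user who chose the same password ends up with the same stored value, against a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library). The function names, the iteration count and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Work factor for PBKDF2 (assumed value); a real deployment tunes this to its hardware.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak scheme, included only for comparison: a plain SHA-256 of the password.

    Every user who chooses the same password gets the same stored value, so one
    precomputed lookup table recovers all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scheme: a fresh random 16-byte salt per password, then PBKDF2-HMAC-SHA256.

    The salt is stored next to the digest and does not need to be secret. Its job
    is to make each stored value unique and to defeat precomputed tables; the
    iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def distinct_stored_values(passwords: Iterable[str], salted: bool) -> int:
    """Count how many distinct stored values a list of passwords yields under each scheme."""
    if salted:
        return len({hash_password(p)[1] for p in passwords})
    return len({unsalted_hash(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: three users who all picked the same weak password.
    sample = ["password123", "password123", "password123"]
    print("unsalted distinct values:", distinct_stored_values(sample, salted=False))
    print("salted distinct values:  ", distinct_stored_values(sample, salted=True))
    salt, digest = hash_password("password123")
    print("correct password accepted:", verify_password("password123", salt, digest))
    print("wrong password rejected:  ", not verify_password("password124", salt, digest))
```

Run stand-alone, the unsalted scheme reports one stored value for the three identical passwords while the salted scheme reports three; a leaked table of salted digests therefore gives an attacker no shortcut from one cracked account to the others, which is the property the article says Adobe’s storage lacked.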
The breaches also occurred on Adobe’s heavily promoted cloud platform, which is spread across numerous jurisdictions, which raises the possibility of multi‑jurisdictional legal action against Adobe. At the time of writing only one civil action has been launched, but it is understood Adobe is preparing for the worst.
In December 2013 Target (US) disclosed a cyber-attack that resulted in around 40 million payment card numbers being stolen. Target made a further announcement in January 2014 that data from 70 million accounts had also been stolen.
It is suspected that Target’s systems were breached (via third party contractor sites) as early as November 2013, and that the intrusion went undetected for weeks until the US Secret Service informed Target of suspicious activity. Attackers have described Target’s systems as ‘astonishingly open’ and insecure.
The incident is suspected to be the result of a ‘memory scraping attack’ which Visa had reportedly warned Target of earlier and for which Visa had recommended various countermeasures. It is unclear if Target had implemented the recommended countermeasures, but even these may not have been sufficient to repel the attacks which were more sophisticated than previous incidents.
Target has stated that its fourth-quarter earnings had taken a hit since it disclosed the data breach and anticipated a 2.5 percent decline from previous sales forecasts for the fourth quarter (noting that the announcement was only made in December 2013).
The SEC is currently investigating whether Target breached disclosure guidelines, and Target has been hit with over 70 class action lawsuits. These include at least two shareholder derivative actions against the directors and officers and the company regarding their failure to take reasonable steps to protect customers’ personal and financial information and, particularly, their failure to implement any internal controls to detect and prevent data breaches. The actions also claim that Target, its directors and officers failed to provide prompt and adequate notice to customers, and that the company statements that were released created a false sense of security among affected customers, which aggravated the damage caused.
While many of these class actions will likely fail (particularly consumer based actions), there is considerable interest to see how the shareholder derivative actions progress.
The risk to directors
The above incidents show how data breach incidents are leading to claims against directors and officers, as well as the company itself. The US and EU are leading the way with mandatory data breach notification and disclosure requirements, focusing on protecting information held by companies and mandating that privacy and data protection policies be put in place and implemented. However, the rest of the world is at various stages of following suit.
Directors will increasingly be held to account for any failures to have adequate privacy and data protection policies in place, including under the traditional duties imposed on directors, such as those of continuous disclosure and due care and diligence. Cyber risk and data integrity will become a key consideration in the risk management strategies of many companies, and directors will be expected to assume responsibility for it. In addition, listed companies are usually obliged to inform the stock exchange of any information that a reasonable person would expect to have a material effect on the price or value of their securities.
Actions could come from shareholders or customers who, for example, purchased shares or products and relied on a company’s risk management and data protection privacy promises. In California, for example, litigants have already used misleading or deceptive conduct legislation (common in many jurisdictions) to bring proceedings against companies that have not fully implemented their stated privacy or risk management policies.
Further, where regulatory bodies find directors did not implement best practices to protect data from potential breaches, a plaintiff could use this finding to bring a misleading or deceptive conduct case against the company.
Directors should not only be concerned about any damages awarded, but also the associated costs, including a lower share price, reputational damage and defence costs. However, a hurdle for plaintiffs is the need to show that a director’s (or company’s) actions have caused them actual harm. While this may be satisfied if the customer were a victim of actual credit card fraud (or other tangible loss), it has been a considerable stumbling block in the US for many consumer plaintiffs.
A checklist for board members
To address the rising concerns about cyber risk, directors must start to consider and act on a number of areas, as outlined below.
Who is in charge of cyber security within the company? Are there checks and balances by having the duties divided between relevant teams (i.e., the privacy officer and the information security officer) and what role does board oversight play? In particular, in respect of board oversight, there should be a director who takes the lead on/responsibility for information security (whether informally or formally).
Has the company mapped the network (i.e., IT system network) against information security functions and protections, identified the likely external and internal threats and the interplay between physical and cyber security? In particular, if the company has programs such as BYOD (i.e., Bring Your Own Device), what are the policies and safeguards applied to such devices and how does the company ensure that the policies are implemented company‑wide in practice?
What is the company’s incident response plan and how well is it disseminated through the organisation? Does it cover all the matters (including regulatory notifications) that it should cover? In addition, practical matters such as how to communicate with all relevant stakeholders, including customers and suppliers, should be addressed.
Finally, what insurance does the company carry for cyber security and data privacy breaches? Is it an up-to-date policy and does it cover the matters identified as part of the network and threat mapping? What are the policy limits and exclusions on the insurance coverage? In particular, is it a purpose-built cyber security and privacy breach policy that fully covers the company, or is it simply an ‘add-on’, best-fit, ad hoc addendum to an existing policy?
Ensuring the above are properly addressed will go a long way to ensuring directors have exercised their duties to protect the company, its shareholders and other stakeholders.
Jacques Jacobs and Alec Christie are partners, and Nitesh Patel is a solicitor, at DLA Piper Australia. Mr Jacobs can be contacted on +61 2 9286 8284 or by email: email@example.com. Mr Christie can be contacted on +61 2 9286 8237 or by email: firstname.lastname@example.org.
© Financier Worldwide
Jacques Jacobs, Alec Christie and Nitesh Patel
DLA Piper Australia