Cyber security counsel for the board: good business and self-protection
June 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Risk is a primary cause of loss of sleep for directors. In 2016, cyber security is at or near the top of the list for corporate risk. But cyber breaches also raise the potential for personal exposure to directors. In the wake of the plethora of high-profile cyber attacks we have seen over the past few years, outside cyber security counsel, technical expertise and training for the board are quickly becoming imperatives for boards in order to manage risk to the corporation’s information assets and directors’ personal risk to shareholder derivative lawsuits.
Regulatory risk is always a board concern, and in 2014 the Securities and Exchange Commission (SEC) sounded a very public warning about board inattention to information security when Commissioner Luis Aguilar stated, “Boards that choose to ignore or minimise the importance of cyber security oversight obligations do so at their peril”. Treasury Secretary Jack Lew, the cabinet official to whom the SEC reports, put a fine point on board oversight of information assets in his remarks to the Alpha Conference in July 2014, stating, “While CEOs, top company executives, and board members have been getting more involved in cyber risk management, cyber security cannot be the concern of only the information technology and security departments. It should be the responsibility of management at all levels”.
This is, at base, good business practice. The board’s primary responsibilities comprise protection of corporate assets and oversight of risk to those assets. Information is perhaps the primary asset of most corporations, and threats to its protection are among the most serious risks a board must address. Yet, many boards leave cyber security to management almost exclusively, deeming information safeguards an IT province, or one that is so technical that it is beyond the board’s expertise. That is a dangerous perspective for the company, and one that may expose directors to personal risk. It is only a matter of time (and probably a short time) until individual directors are held personally responsible for a massive data breach.
But wait, doesn’t the business judgment rule, in effect, insulate directors for actions and decisions taken in the best interest of the company? The rule is not, and perhaps never was, absolute. A failure to become knowledgeable about and consider (with documented consideration in the board minutes) the organisation’s information systems and threats to those systems may expose directors to personal risk in a shareholder derivative lawsuit if a court were to find that disregard of the board’s obligations of risk oversight can be considered bad faith on the part of the directors. It’s not a far-fetched possibility, but this risk can be mitigated, as detailed below.
Directors do not enjoy absolute immunity for their decisions, even in the face of the business judgment rule. The obligations of directors require them to be informed about assets and risk to those assets, financial as well as information assets. In In re Walt Disney Litigation, directors were the subject of a shareholder derivative lawsuit stemming from the termination package given to Michael Ovitz. The court found no personal liability on the part of the directors specifically because the board had taken certain actions to become informed about Mr Ovitz’s contract and its generous termination package. The court noted that the business judgment rule does not insulate directors for actions or omissions that are not in good faith. This was not news in the world of corporate governance.
But the court went further, holding that bad faith can include a failure to act in the face of knowledge of risk of actions taken to waste or reduce assets, or conscious disregard or deliberate indifference to risk or corporate waste. Lawyers who work with these standards generally agree this is a case-by-case determination based on actions or inaction of the particular board and what it knew at the time it acted or decided to do nothing. In other words, the protection of the business judgment rule is fact-dependent and not absolute.
The Disney court found, after many days of testimony by directors and other witnesses, that the directors were not liable because, among other things, they “did not take an ostrich-like approach” to Mr Ovitz’s termination package and its potential effects upon the assets of the corporation. Fast-forward to 2014, and a similar analysis was applied to a derivative action arising from a massive data breach of credit card numbers of Wyndham hotels guests. The United States District Court for the District of New Jersey, in Palkon vs. Holmes, dismissed the Complaint filed by shareholder Dennis Palkon, who had alleged that the board had not sufficiently considered the circumstances of the breach and his demand that a lawsuit be filed, but not before bringing some of the same qualifications of the business judgment rule the Disney court had raised to bear on questions of the board’s consideration of cyber security safeguards.
The court took note of the protections of the business judgment rule and observed that “the shareholder must raise a reasonable doubt” that the refusal to consider the demands of the shareholder “w(as) made in bad faith or based on an unreasonable investigation”. It held that the Wyndham directors were entitled to its protection due to the reasonableness of its investigation; that is, because of actions the board had taken and documented with regard to the breach. The court noted that the board had retained outside counsel and consultants to advise it of the technical and legal issues; considered and discussed the breach several times, said discussions having been duly recorded in the minutes of the meetings of the board; and that the board was “well versed” on the issues.
The Wyndham board, then, earned the benefits of the business judgment rule by retaining outside experts, becoming educated on the issues in the cyber breach and considering and documenting actions to be taken in light of the events and reasons for decisions not to act. This result may not have been possible if the board had taken an “ostrich-like approach”, which is how a failure to become informed about cyber security generally and this breach in particular may have been regarded.
In the interest, then, of mitigating corporate asset risk and personal exposure on the part of the directors from a derivative shareholder lawsuit, a board should take and document a number of steps that would better enable the directors to carry out their risk oversight obligations while at the same time providing defensibility for a potential shareholder derivative lawsuit. Firstly, they should retain outside counsel and technical consultants for education and advice on cyber security and assiduously document the advice they give at board meetings, on a quarterly basis at a minimum. They should also consider adding a director with cyber security expertise to the board, if practicable. They should ensure that adequate time is spent at board meetings on cyber security issues and that this time is documented in board minutes.
Boards must also consider and review the assets and resources management has devoted to cyber security and, with advice of counsel and consultants, ensure that management has the assets and resources it requires to appropriately safeguard information assets, including the level of cyber risk insurance. Boards must become mindful of management’s periodic assessments of security risks and its protocols and preparedness for cyber breaches. They should also ascertain with management (and advised by board counsel) when and how disclosures of a cyber breach will be made to affected individuals and to federal and state regulators.
Apple’s Vice President of Software Engineering Craig Federighi recently stated, “Security is an endless race – one you can lead but never decisively win. Yesterday’s best defences cannot fend off the attacks of today or tomorrow”. Fortunately, the law agrees to the extent that perfection is not the standard of liability for cyber attacks and data breaches. But the law does require that corporate boards take reasonable steps to be cognisant of the issues that affect their obligation to manage cyber risks. Boards can’t do this alone. They would be well advised to obtain a degree of defensibility, especially in this cyber-attack-per-week era, by obtaining and documenting legal counsel and technical advice as to the risks and exposures to their organisation’s digital assets. It’s a matter of personal, as well as corporate, protection.
Kenneth N. Rashbaum is a partner at Barton LLP. He can be contacted on +1 (212) 687 6262 or by email: firstname.lastname@example.org.