Can Data Breach Liability Extend to the Boardroom and C-Suite?

Every day we seem to wake up to news of another massive data breach affecting millions of consumers. 2017 was no exception, adding major corporations like Intercontinental Hotels Group (IHG), Chipotle, Kmart, Blue Cross Blue Shield/Anthem, Verizon, Equifax, Whole Foods Market, and Uber to the list of companies suffering (or announcing) a data breach. The biggest questions facing corporate directors and officers (and the questions the plaintiffs' bar is taking into account) are what can be done to prevent data breaches, and who is responsible when one occurs.

With an ever-rising tide of data breach victims, an increase in class-action and derivative lawsuits is bound to follow. The first significant litigation filed as a result of a data breach (or a failure to disclose one) came in the form of a shareholder derivative action against the directors and officers of Wyndham Worldwide (a major owner and operator of hotels around the world) in February of 2014. A similar action against the board of Target followed that same month. In each case, the allegations centered on the defendants' failure to (1) implement adequate internal controls to defend against a potential data breach, and (2) maintain appropriate oversight of the company's cybersecurity risk.

Despite the courts' apparent reluctance to allow these types of cases to move forward, plaintiffs do not seem deterred from filing new actions in an attempt to find creative ways to attach liability. For example, in November of 2017, within 48 hours of Uber's public announcement that it had suffered a massive data breach affecting an estimated 57 million customers in late 2016, two separate class-action lawsuits were filed. The Uber example highlights that allegations will continue to evolve: where allegations of breach of fiduciary duty have failed, allegations of failure to appropriately disclose a data breach, and of misstatements concerning the state of a company's cybersecurity preparedness, may succeed.

In addition to what is happening in state and federal court, in February of this year the US Securities and Exchange Commission (SEC) released guidance meant to aid public companies in the proper disclosure of cybersecurity risks and data breaches. On the heels of this guidance, the SEC handed down a $35M fine against the company formerly known as Yahoo for failing to disclose its 2014 data breach. Although some may see this as a breakthrough in holding companies responsible for data security failures, many believe the fine lacks teeth because it does not hold directors and officers accountable, and that it is yet another sign that the regulatory agencies tasked with enforcing US data privacy laws remain reluctant to hold individual executives and boards of directors liable.

While the need for greater regulation in the areas of cybersecurity and data breaches seems overwhelming, companies should be on notice that, as more data breaches are exposed to the public, better and more creative arguments are being crafted for holding a company (and its officers and directors) responsible for its data security failures. Judicial and regulatory pressure will ultimately push companies to be better prepared in all aspects of their cybersecurity risk management programs, and developing a comprehensive risk management program (including third-party supply chain risk) to help minimize liability is an essential first step.

With the right tools, dynamic data, and in-depth insights, organizations can pinpoint where their weaknesses lie and work to protect themselves and their consumers from these ever-increasing risks. Learn more about the Cyber Risk Exchange that industry leaders like Blackstone, Aetna, and ADP rely on to help them manage their third-party ecosystems.


ELLIS ROSENZWEIG

CYBERGRX GENERAL COUNSEL
