The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.
In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.
Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.
And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.
The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.
On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.
Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs’ are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is ‘adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.
Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham board’s was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.
Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.
Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyber-attack, from reputational risk to regulatory implications. Get your house in order now, and not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when to proactively investigate the breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and type of information collected and stored. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has escalated to holding organizations hostage for ransomware payments and stealing industrial secrets.
Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.
Craig A. Newman is a litigation partner in Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofits institutions and their boards in litigation, governance and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and private equity firm.
North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand.This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inexplicably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
Hackers are hard at work trying to steal your information. That is a fact of modern life, whether you are an individual making purchases with your personal credit card or a Fortune 500 company managing many millions of customer records. Indeed, a company that maintains it has not been hacked probably doesn’t realize the full extent of the attacks it faces or how successful hackers may have been already. Moreover, the fallout from successful cybersecurity breaches is not limited to lost information. From 2014 through the second quarter of 2015, companies reported over 2,429 data breaches containing more than 1.25 billion records of personal information, according to a study published by data security firm Gemalto. IBM recently reported that in 2015 the average corporate cost of data breaches reached $154 per record and more than $3.75 million per incident.
Regulators and plaintiff lawyers alike pay increasing attention to data breaches in an environment where the technology and the legal obligations change rapidly. Keeping ahead of both the threats and the evolving laws and regulations is challenging. In the United States alone, the list of interested regulators is expansive and includes the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General, each with potentially distinct requirements and agendas. Security breaches reviewed by these authorities have led to a variety of adverse actions against well-established corporations and their directors, including Facebook, Home Depot, and Target. Reasonable safeguards and notice requirements also vary significantly by industry, particularly in healthcare and financial services, as well as by the kind of Personally Identifiable Information (or PII) involved. For companies with a global presence, especially those with European customers, the compliance challenges multiply, as do the accompanying uncertainties.
Despite the highly technical and complex nature of the problem, these issues should be discussed and addressed at the board level. As former Securities Exchange Commissioner Louis A. Aguilar observed at a recent Cyber Risks and the Boardroom Conference: “[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.… [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Because the applicable rules and standards typically require the company to “evaluate and adjust” the security program over time, safeguards that may be state-of-the-art today can become an alleged basis for liability in a changed environment.
Recent rulings and a settlement in FTC v. Wyndham Worldwide Corporation relating to claims for allegedly sloppy security practices demonstrate the growing challenge boards face with cyber risk oversight. In that case, the extended fallout from several relatively small attacks from 2008 to 2010 (affecting approximately 500,000 customer credit cards) has taken more than five years and many millions of dollars in legal fees to resolve. Unsuccessful claims asserted against the company’s directors also demonstrate the real possibility that if directors do not react swiftly and assertively (as the Wyndham directors did), they may face the prospect of personal responsibility for their failures.
In a world where hackers are constantly refining their attacks and reassessing the different vulnerabilities that can be exploited, there simply is no “one size fits all” approach. Nevertheless, the list below identifies issues that directors should consider, as well as some proactive steps to consider:
Add cybersecurity to the list of risks evaluated by the committee of the board that evaluates enterprise risks;
Develop company procedures and a communication plan (sometimes known as a security incident response plan) to be implemented in the event of a data breach;
Add cybersecurity expertise to the board in the form of an experienced director or outside advisors (including experienced counsel);
Create reporting lines from the company’s most senior IT executives, CISO, and in-house counsel responsible for cybersecurity to the company’s directors;
Establish a “tone at the top” that instills a company-wide awareness of security risks;
Consider and explore purchasing cyber insurance to mitigate exposure to risks;
Regularly consult with third-party technical, legal, and training specialists on cyber security and related compliance issues; and
Act promptly if cyberattacks or intrusions occur. Many states have their own prompt notice provisions that must be observed.
While the nature and extent of future attacks is unforeseeable, it is certain that hackers are focused on attacking most companies. All directors therefore must be persistently vigilant in this evolving technical and legal environment.
David R. Owen and Bradley J. Bondi are partners at Cahill Gordon & Reindel LLP. They advise global corporations and financial institutions, boards of directors, audit committees, and officers and directors in significant matters, including those involving cybersecurity, data protection, and regulatory investigations. Travis Scheft, an associate at Cahill, assisted with this article.