A recent discovery ruling in the Target Corp. data breach litigation has raised the stakes for corporations and their officers and directors when faced with a cyberattack. The ruling, issued on May 27, 2015 by Magistrate Jeffrey J. Keyes, requires Target to disclose details of similar breaches between 2005 and 2010, including the time frame for the attack, the methods used to access information, measures the company considered and instituted to prevent future breaches, and the extent of the financial fallout.
The Target breach grabbed headlines following the 2013 holiday season as news leaked that hackers had installed malware in Target’s security and payments system and captured the credit card information of approximately 70 million shoppers. All too predictably, a series of lawsuits followed that have been consolidated before a federal judge in Minnesota.
This discovery ruling—the most recent development in the Target data breach cases—opens the door to greater scrutiny of corporate cybersecurity decisions and focuses on how past breaches were handled by both senior management and, importantly, corporate boards.
While the ruling technically applies only to the cases brought by the financial institution plaintiffs in the Target case—banks that had issued the now-compromised credit cards—plaintiffs can be expected to seize upon this ruling and use it as a tactic to argue for similar discovery in other data breach cases. Of particular note are the consequences in class actions and in shareholder derivative suits, where the conduct of corporate leaders is front and center. The ruling opens the door to tough questions about corporate behavior: how were past breaches handled? Were the breaches adequately remediated? Were reasonable internal controls put in place to manage future cyber risks? And, perhaps most importantly, were “red flags” or early warnings of the breach ignored?
Cyberattacks are only becoming more brazen and more prevalent, and data breach litigation is on the rise. Plaintiffs in these suits will use the most recent Target ruling to argue that a company’s actions need to be evaluated not only with respect to the existing breach but also with respect to past, or even merely attempted, breaches.
The decision also serves as a reminder of what companies should already be doing. Specifically, there are at least three steps companies should take with respect to their cybersecurity, if they have not already done so.
First, companies should have a data incident response plan in place before a breach occurs. A company’s plan should take into account what kinds of data need to be protected, who is likely to try to steal or acquire that data, and who the relevant stakeholders are in the event the data is lost or stolen. Companies should also have their outside counsel and data forensics teams selected and on speed dial.
Second, companies should evaluate their insurance needs for cybersecurity issues. A standard commercial general liability (CGL) policy may ultimately cover some data breach claims, but it could require time and money to establish that coverage, a lesson Sony learned the hard way after North Korean hackers infiltrated its systems. Sony lost its coverage dispute with its CGL carrier at the trial court and settled the dispute before the appeal was heard. A specialized cyber policy can help avoid a situation like Sony’s. In addition, public companies should consider what disclosures they make to investors about cybersecurity risks in light of their insurance coverage.
Third, knowing that plaintiffs in other data breach cases will likely seek discovery of prior breach incidents, companies must adopt and document clear policies that outline the steps being taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors and specify the frequency with which security policies are updated.
Cyberattacks are not going away. Companies that proactively adopt sound cybersecurity policies and practices will find it far easier to defend themselves when their businesses come under attack.
Craig A. Newman is a partner at Patterson Belknap Webb & Tyler LLP and chair of its Privacy and Data Security Practice Group. Scott Caplan is an associate in the Privacy and Data Security Practice Group at Patterson Belknap Webb & Tyler LLP.
Private company CEOs often try to achieve their business visions with minimal resources. Although those CEOs may want to take the pivotal step of having a corps of experts on tap to help grow the business, the company may not yet be ready to add independent members to its fiduciary board of directors, either because of the expense involved or for personal reasons. For these CEOs, a properly composed and structured advisory board may be the right vehicle to provide needed expertise and outside perspectives. Advisory boards can be a cost-effective way to gain critical skills in areas outside of management’s core competencies and to gain objective and unbiased counsel. In addition to providing informed, non-binding guidance, an advisory board can provide a safe place for a CEO to develop new ideas, and it can help foster a spirit of innovation that will take a business through the next stages of growth.
Here are ten steps you can take to establish an effective advisory board:
Focus on purpose. Think about why you want an advisory board. This sets the tone for the board building process. Reasons typically include wanting to hear independent and objective opinions, using board members’ skills and experiences to bring new perspectives on problems and discussions, increasing credibility with lenders and the public, or increasing accountability (sometimes called the “nudge factor”). Furthermore, if a private company is also a family business, the board may serve as a mediator when business matters and family matters are in conflict.
Analyze intellectual capital. Performing a self-assessment helps you decide what skills and experience to look for when assembling an advisory board. Review your company’s strategic plan. If there’s not a written strategic plan, consider the company’s growth opportunities and your vision for the future. Ask: What strengths already exist within the management team that will help realize the company’s goals? What experience is lacking that might prevent success?
Determine readiness. A formal advisory board is a good idea for any company, but the CEO must be willing to spend time forming the board, preparing for board meetings, and debriefing after meetings. The five stages of a private company board are: the kitchen table board; an informal board of advisors; a formal advisory board; an advisory board that operates similarly to a board of directors; and adding independent directors to the statutory board.
Define roles. The advisory board provides independent perspectives and unbiased advice to the CEO, acts as a sounding board on current issues and strategy, helps to avoid groupthink, and provides objectivity when the advocates for a decision are involved in its justification or are its beneficiaries. The advisory board is not family, not friends, not management, not paid accountants, lawyers or bankers. It is also important to establish guidelines for how the board, management, outside experts, and family interact, if at all.
Establish a recruiting method. Finding great candidates begins with identifying the skills that would best complement the management team’s skills—and in turn help to generate shareholder value. Also consider other attributes that may be helpful, e.g., whether past positions held are important, or whether community involvement or a specific educational degree would be beneficial. Finally, think about who you know that has these attributes. Ask trusted advisors such as your lawyer or accountant for referrals. When it comes time to interview candidates, prepare by determining who you want to be involved in the interview process, and when.
Document operating procedures. Although an advisory board is not a formal entity with decision-making authority, it does require some formally established operating procedures to ensure that everyone is on the same page. Meeting dates need to be calendared in advance, agendas need to be set, advance meeting materials should be sent to the board members, and the CEO needs to schedule time to debrief after the meeting. These operating standards, sometimes called governance guidelines or a statement of purpose, should be distributed to advisory board members during orientation. These guidelines should also cover topics such as advisor responsibilities, terms, and confidentiality.
Decide on compensation. Advisory boards prepare for meetings and share their time and experiences and therefore should be paid. Typically, compensation is minimal, but members don’t accept an advisory board appointment because of the pay. Compensation does, however, demonstrate that the company values that member’s time, talent, and contributions.
Orient and launch. Prior to the first meeting, it is important to have an orientation session with all of the members of the board together, to ensure that everyone understands the business and its objectives. Furthermore, an orientation session serves the purpose of establishing a boardroom culture and sets the tone for future meetings.
Evaluate effectiveness. Just as CEOs evaluate the usefulness of strategies and tools, the effectiveness of the advisory board must be evaluated each year. Assessing performance helps the board to adjust its practices so that it can best help the CEO increase stakeholder value.
Coordinate terms. Setting term limits up front is a good practice to ensure that the professional perspectives represented on the board remain fresh and objective. While the number of years that equals a term varies, a three-year term limit is often used. Terms should be staggered so that every member doesn’t depart in the same year. This minimizes disruption and ensures that some continuity in thought leadership is maintained.
Though it might not be an easy decision, seeking out outsider perspectives is a great boon to any business. Using this board-building process will allow the formation of an effective advisory board that is tailored to your company and will create a stronger, more viable business.
Denise Kuprionis is president of The Governance Solutions Group, a board advisory practice, and is an NACD Board Leadership Fellow. She serves as a trustee of the Cincinnati Children’s Hospital Medical Center and the SC Ministry Foundation, and is on the board of advisors at Best Upon Request.
For good or ill, activists now are important players in the investor ecology, with increasingly successful records for changing a board’s makeup. At Egon Zehnder, we identified 58 incidents of investor activism against S&P 500 companies over the last two years. Of those, 16 contests involved changes to board composition, urging a “no” vote on the management’s slate of directors or proposing, or threatening to propose, an alternative slate. And of those, only six concluded in favor of management, resulting from the activist slate being withdrawn before a vote or management’s victory in a vote.
It is not surprising, then, that many boards are evaluating their plans for responding to an activist slate this proxy season. Broadly speaking, however, there are really only two possible courses of action a board can take. One path is to accept the reality of activist scrutiny and build it into the nominating committee’s ongoing work. The nominating committee needs to look at the board with an objective eye and identify how its composition might give an activist a foothold, such as directors with conspicuously long tenures or directors whose experience is unaligned with the company’s business and its strategic direction. The nominating committee must then design a director succession plan that identifies, cultivates, and elects candidates with the desired competencies. Doing so is not a guarantee against activist action, but having a carefully chosen board with relevant backgrounds and perspectives deprives activists of a clear weakness to exploit.
Because board seats turn over intermittently and because competition for directors is so high, fully executing this strategy can take several years. In the meantime, an activist investor may well decide to put forth its own slate. When that happens, the nominating committee must shift into high gear. In the 16 activist initiatives involving changes to board composition, the median campaign length was found to be only 77 days—just 11 weeks from the initial announcement to some sort of resolution. And six of those 16 initiatives concluded in less than one month.
Of course, the company could stick with its current slate and hope it receives the necessary votes. But once activists have sown the seeds of doubt in the minds of other investors, events have shown that change is more or less preordained. It is simply a matter of whose change will prevail.
Because time is of the essence when faced with an activist slate, it is incumbent upon boards to watch closely for tremors that might precede such an action. Besieged boards might feel blindsided, but successful activist attacks rarely come out of the blue. Seven of the companies that were subject to investor activism on board composition were the targets of initiatives from more than one group. For example, while Starboard’s Jeff Smith may be the one credited with replacing the Darden board, that upheaval only followed an initial salvo from Barrington Capital Group. Once the board gets the faintest sense that it is the object of activist interest, it needs to move quickly to examine its composition and reshape it as needed.
When the battle is joined, boards must ensure they do two things. First, they must reach beyond their usual networks in identifying new director candidates. Expanded networks are more likely to allow the board to draw upon candidates with a wider range of perspectives and experiences. Furthermore, the wider pool of candidates (and connections to candidates) is essential if a company can hope to quickly assemble a slate that doesn’t look quickly assembled.
Once the company has its nominees, it then must convince the investor community to give its support. Here it is particularly helpful to steal a page from the activist playbook. Activists know that no matter how good their slate may be, their real power lies in their ability to sway a majority of investors to their side. As a result, the best activists are also the best communicators. They make sure that the story they tell is clear and compelling and then tell that story relentlessly. If management has been less than successful, it is because they have been out-maneuvered in the court of investor opinion. Management must make sure that the story they tell about their slate is even more compelling than that put forth in support of the activist candidates, and it must be told with the same energy and clarity.
The bottom line is that nominating committees must build strong director succession plans that result in boards that are clearly relevant for the challenges and opportunities the business is facing. Their only choice is whether to do so preemptively and with the luxury of time or, instead, with their back to the wall and the clock ticking.
George L. Davis co-leads Egon Zehnder’s Global Board Practice and is a trusted advisor across a host of corporate governance matters, with particular focus on leadership succession planning and board effectiveness. Kim Van Der Zon leads the U.S. Board Practice of Egon Zehnder International and has expertise in CEO succession. She has successfully served Fortune 500 clients across a broad spectrum of global companies from financial services and consumer packaged goods to pharmaceuticals and technology.