Defending the Data – A Director’s Cybersecurity Duty
Hackers are hard at work trying to steal your information. That is a fact of modern life, whether you are an individual making purchases with a personal credit card or a Fortune 500 company managing many millions of customer records. Indeed, a company that maintains it has not been hacked probably does not realize the full extent of the attacks it faces or how successful attackers may already have been. From 2014 through the second quarter of 2015, companies reported 2,429 data breaches involving more than 1.25 billion records of personal information, according to a study published by data security firm Gemalto. Moreover, the fallout from a successful breach is not limited to lost information. IBM recently reported that in 2015 the average corporate cost of a data breach reached $154 per record and more than $3.75 million per incident.
Regulators and plaintiffs' lawyers alike pay increasing attention to data breaches in an environment where both the technology and the legal obligations change rapidly. Keeping ahead of the threats and of the evolving laws and regulations is challenging. In the United States alone, the list of interested regulators is expansive and includes the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General, each with potentially distinct requirements and agendas. Security breaches reviewed by these authorities have led to a variety of adverse actions against well-established corporations and their directors, including Facebook, Home Depot, and Target. The standards for reasonable safeguards and the breach-notice requirements also vary significantly by industry, particularly in healthcare and financial services, as well as by the kind of Personally Identifiable Information (PII) involved. For companies with a global presence, especially those with European customers, the compliance challenges multiply, as do the accompanying uncertainties.
Despite the highly technical and complex nature of the problem, these issues should be discussed and addressed at the board level. As former Securities and Exchange Commissioner Luis A. Aguilar observed at a recent Cyber Risks and the Boardroom Conference: “[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.… [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Because the applicable rules and standards typically require the company to “evaluate and adjust” its security program over time, safeguards that are state-of-the-art today can become an alleged basis for liability once the environment changes.
Recent rulings and a settlement in FTC v. Wyndham Worldwide Corporation, relating to claims of allegedly sloppy security practices, demonstrate the growing challenge boards face in overseeing cyber risk. In that case, the extended fallout from several relatively small attacks between 2008 and 2010 (affecting approximately 500,000 customer credit cards) took more than five years and many millions of dollars in legal fees to resolve. The claims asserted against the company’s directors, although unsuccessful, also show that directors who do not react swiftly and assertively (as the Wyndham directors did) may face the prospect of personal responsibility for their failures.
In a world where hackers are constantly refining their attacks and reassessing which vulnerabilities can be exploited, there simply is no “one size fits all” approach. Nevertheless, the list below identifies issues directors should consider, along with proactive steps they can take:
- Add cybersecurity to the list of risks evaluated by the committee of the board that evaluates enterprise risks;
- Develop company procedures and a communication plan (sometimes known as a security incident response plan) to be implemented in the event of a data breach;
- Add cybersecurity expertise to the board in the form of an experienced director or outside advisors (including experienced counsel);
- Create reporting lines from the company’s most senior IT executives, CISO, and in-house counsel responsible for cybersecurity to the company’s directors;
- Establish a “tone at the top” that instills a company-wide awareness of security risks;
- Evaluate cyber insurance as a way to mitigate exposure to these risks;
- Regularly consult with third-party technical, legal, and training specialists on cybersecurity and related compliance issues; and
- Act promptly if cyberattacks or intrusions occur. Many states have their own prompt notice provisions that must be observed.
While the nature and extent of future attacks cannot be foreseen, it is certain that hackers target most companies. All directors therefore must remain persistently vigilant in this evolving technical and legal environment.
David R. Owen and Bradley J. Bondi are partners at Cahill Gordon & Reindel LLP. They advise global corporations and financial institutions, boards of directors, audit committees, and officers and directors in significant matters, including those involving cybersecurity, data protection, and regulatory investigations. Travis Scheft, an associate at Cahill, assisted with this article.