While no individual directors and officers have been held liable for the costs of a data breach yet, it is not for lack of trying.
Ms. Sharton’s opinion, as a litigator with more than two decades of experience, is that it is only a matter of time before one of these suits succeeds, and that such a success will start an avalanche of litigation.
Ms. Sharton believes that the 1996 Caremark decision, which found that directors can be held personally liable for failing to supervise the corporation, can logically be extended to data breaches. This decision has since been extended to cover officers as well.
In addition, as regulators step up the pressure and issue consent decrees and fines, those actions can form the basis for a lawsuit against directors and officers. For the first time, the FCC fined two telephone companies $10 million each for “unjust and unreasonable” data security practices (see article).
After Wyndham Hotels had 3 data breaches in as many years, a shareholder filed suit alleging that the company’s data security practices were lacking. The suit was dismissed, but only because the company was able to show that the data breaches were discussed at 14 separate board meetings and 16 audit committee meetings.
Below are some of Ms. Sharton’s recommendations for boards to consider (the complete list is in her article, linked above):
- Hire a Chief Information Security Officer and engage outside technical experts to conduct regular assessments and to educate officers and board members on data security.
- Evaluate and/or appoint a board committee to focus on data protection.
- Have the board regularly address and deliberate when deciding issues of data security, and carefully document the deliberations to demonstrate appropriate care.
- Perform gap analyses and comparative benchmarking with peer organizations that hold similar types of information.
- Review D&O insurance and related insurance policies holistically for coverage regarding security incidents and protection of the company’s brand, information assets and other assets.
The bottom line is that unless a company can show it is being proactive, its directors, personally, may become the next target for lawsuits. Delaware law allows a company to waive or limit a director’s personal liability for violations of the duty of care, but it cannot waive liability for violations of the duty of loyalty.