Legal Risks Expand for Directors Who Fail to Monitor Companies' Cybersecurity Practices and Compliance
Corporate directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management's response.
November 27, 2019 at 10:00 AM
The trend in many legal quarters toward imposing upon businesses affirmative duties to implement measures to help prevent data breaches and comply with ever-expanding data privacy regulation—and liability if they fail to do so—has brought increased scrutiny of the actions, or more likely inactions, of corporate directors in the cybersecurity arena. A series of cases applying Delaware law, culminating in the June 2019 opinion in Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019), indicates that directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management's response. These developments are of interest to New Jersey attorneys who advise companies on these matters, because many in-state corporations were incorporated in Delaware and because many states, including New Jersey, follow many aspects of Delaware corporate law. In re Merck & Co. Sec., Derivative & ERISA Litig., 493 F.3d 393, 399 (3d Cir. 2007).
Delaware cases decided before Marchand, including the seminal case of In re Caremark Int'l Derivative Litig., 98 A.2d 959 (Del. Ch. 1996), established that directors breach their duty of loyalty if they fail to make a good faith effort to monitor and oversee a company by either "utterly fail[ing] to implement any reporting or information system" that would allow information to reach the board or, if such a system exists, by "consciously fail[ing] to monitor or oversee" the company's operations through that system. Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 370 (Del. 2006). While most so-called "Caremark claims" fail because the plaintiff concedes at least some form of board level monitoring and reporting, the allegations in Marchand presented the type of "utter failure" to monitor a company's "essential and mission critical" compliance issues that would be sufficient to support a Caremark claim. 212 A.3d at 822-24.
The court in Marchand found that the plaintiffs had adequately alleged that the directors overseeing operations at Blue Bell Creameries had no board-level system of monitoring and reporting to oversee a "central compliance issue" of the company, namely whether its sole product—ice cream—was safe to eat. At the pleading stage, those allegations were sufficient to support an inference that the board had "not made the good faith effort that Caremark requires." Id. at 822. While "directors have great discretion to design context- and industry-specific approaches tailored to their companies' businesses and resources," a board must at least "make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting" for "compliance issue[s] intrinsically critical to the company's business operation." Id. at 821. In other words, directors have a duty not only to respond to critical compliance issues that come to their attention, but must also set up a system of monitoring and reporting to ensure that information about those issues reaches them in the first place.
Marchand itself involved the directors' failure to monitor, and thus detect, management's failure to comply with food safety regulations and practices, but the court did not define the outer bounds of what constitutes a "central compliance issue" that is "intrinsically critical to the company's business operation" and for which a board's failure to monitor opens the door to a Caremark claim. However, the increasing trend of governments everywhere to enact stricter cybersecurity and data privacy laws that impose substantial penalties for their violation, as well as the prevalence of cybersecurity enforcement actions, suggests that at least some aspects of a business's cyber practices—legal, operational and technical—fall within this zone of intrinsically critical compliance issues.
For example, New Jersey has already collected over $6.4 million through data breach settlements in 2019, and the attorney general has stated that privacy enforcement is "clearly something that's very important to the attorney general's office overall." Allison Grande, NJ AG to Keep Privacy Pressure on as Breach Reports Drop, https://www.law360.com. Even beyond the risks associated with government enforcement actions or private litigation, data breaches are massively costly in terms of detection and escalation, complying with breach notification requirements, setting up post data breach processes like help desks or credit monitoring, and reputational harm/lost business. IBM Security, Cost of a Data Breach Report (2019). Finally, data breaches may result in the theft of a business' own confidential information and intellectual property, with potentially crippling financial consequences.
Indeed, one Delaware court has already stuck cybersecurity's toe in Caremark's waters, although perhaps in a limited sense. In In re Facebook Section 220 Litig., the FTC found that Facebook had used inadequate data security measures to protect users' data and entered a consent decree that required Facebook to develop and maintain a sufficient privacy program. No. CV 2018-0661-JRS, 2019 WL 2320842, at *3 (Del. Ch. May 30, 2019). Thereafter, a shareholder brought suit to compel Facebook to provide access to its internal records, which required the shareholder to show a "credible basis" to infer mismanagement or wrongdoing by the board. Id. at *12. The court found that there was "some evidence" that the board had breached its Caremark duties because the board, among other things, "knew of the Company's obligations [to] implement data security measures, knew the Company had not implemented or maintained those measures as required by the Consent Decree and, nevertheless, condoned the Company's monetization of its users' private data in violation of the Consent Decree." Id.
Although Facebook may provide a glimpse into the future, it does not suggest that every failure to monitor and appropriately respond to every aspect of a business' cyber and data privacy compliance leaves directors open to liability for breach of their fiduciary duties. Some cyber-related operations are more important to a company's business than others, with different legal and business-related consequences depending upon circumstances. Moreover, some cyber and privacy laws are specific and require particularized actions. Many others are more general and nebulous.
Although security is relative, a legal standard for "reasonable" security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords or the like) and instead adopts a fact-specific approach to business security obligations that requires a "process" to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.
Rhoads and Litt, ABA Cybersecurity Handbook, Second Edition 73 (American Bar Association, 2018).
Given these variables, no bright-line rule emerges defining a board's fiduciary duties to oversee cybersecurity and data privacy compliance. Moreover, while Caremark, Facebook and Marchand collectively impose a duty to implement a reasonable reporting system concerning intrinsically critical compliance issues, no specific system of monitoring is required, and courts have been reluctant to permit shareholders to second-guess the adequacy of such a system or the sufficiency of a board's response to information that comes to its attention. For example, in Rojas on behalf of J.C. Penney Co. v. Ellison, the court found that the directors had adequately established a reporting system regarding their company's compliance with advertising regulations because it had an audit committee tasked with overseeing legal and regulatory compliance, and required, at a minimum, yearly meetings with the company's general counsel as well as discussions with management about "material issues regarding the Company's financial statements or accounting policies or its compliance with law or regulation." No. CV 2018-0755-AGB, 2019 WL 3408812, at *9 (Del. Ch. July 29, 2019).
Similarly, in In re The Home Depot Shareholder Derivative Litigation, Home Depot suffered a breach of its credit card reading system starting in April of 2014 that cost the company nearly $10 billion. 223 F. Supp. 3d 1317, 1322 (N.D. Ga. 2016). Two shareholders argued that the board had been informed on multiple occasions that Home Depot was not compliant with Payment Card Industry Data Security Standards, but it did not take adequate action to quickly remedy the situation. The court, applying Delaware law, found that the board acted appropriately by approving a plan that would have achieved compliance by February 2015, and thus, even if "the implementation of the plan was probably too slow, and … would not have fixed all of the problems Home Depot had with its security," the board's response must simply be reasonable, not perfect, and therefore the shareholders had failed to adequately plead that the directors breached their fiduciary obligations. Id. at 1327.
These cases suggest a dichotomy between boards that do nothing to monitor companies' compliance with critical requirements, and those that try in good faith but perhaps fail to catch or resolve issues before they cause problems. Although one can envision potential liability under circumstances where a monitoring program is so ineffective on its face as to amount to no program at all, or where the board's response to information concerning a compliance issue is so woefully inadequate that it could not reasonably fix the problem, the key takeaway can be found in the oft-repeated movie line, "Don't just stand there! Do something!" If at least some aspects of cybersecurity and data privacy are intrinsically critical to the company's operations, then the board must actively seek information to monitor the company's compliance, and, if information concerning a cybersecurity issue comes to the board's attention, it must act in good faith to address it, even if that means merely approving management's existing plan. To do otherwise would fly in the face of a growing risk of liability.
Robert Egan is a partner with Archer Law in Haddonfield. He is the chairperson of the firm's Commercial and Business Litigation Group. Nicholas Franchetti is an associate at the firm, focusing his practice in the area of commercial litigation.