Why Cybersecurity Isn’t Just an IT Issue
Welcome to “E-Careful,” where we’ll highlight developing risks, claims, insurance issues, and best practices involving cyber risks and electronic data.
According to the results of a recent survey by Experian and the Ponemon Institute, risk managers now indicate that cyber risks pose a greater threat than other insurable business risks, such as fires and other natural disasters.
With the holiday season behind us, many consumers may find themselves still closely monitoring their checking and credit card statements, albeit for a different reason this year. According to initial reports, a late December 2013 data breach involving national retailer Target may have affected as many as 70 million consumers. The breach received significant media coverage, and a number of media outlets quickly latched on to the possibility that the U.S. may be lagging behind Europe on debit and credit card security because of Europe’s use of “smart chips” instead of magnetic strips, a debate that likely will reignite.
But make no mistake, these are not just questions for a company’s IT department or even its best risk managers. These are questions that also can implicate a company’s directors and officers (and, in turn, their D&O liability insurer) because of fiduciary obligations that directors and officers may owe to their companies in addressing cybersecurity. Based on well-settled law regarding directors’ and officers’ fiduciary obligations, taking no action to guard against potential cyber threats may be far worse than taking the wrong action.
For example, under Delaware law, an affirmative act by the board implicates the duty of care and the business judgment rule, which generally protects board action so long as the board did not act in bad faith or irrationally. Although the presumption of the business judgment rule can be overcome where it is shown that the board has acted with gross negligence, most companies have charter provisions insulating directors from personal liability for a breach of the duty of care.
Inaction by the board is treated more harshly, however. Where a board fails to act, its omission triggers the duty of loyalty. The duty of loyalty, also known as oversight liability, requires directors to ensure that sufficient reporting systems are maintained to keep the board informed of risks facing the company. The board may be held liable if it fails to exercise appropriate oversight in the face of a known risk. Such liability is not exculpable under Delaware law.
Anyone defending a director or officer undoubtedly would face an uphill battle contending that cyber risks are not “known” risks. Thus, the most conscientious directors and officers likely will be those who take affirmative steps to defend against these risks and implement mitigation procedures in the event of a data breach. Still, the question remains: What are the steps and procedures that can combat cyber risks and potentially help avoid D&O claims?
Unlike many countries, the U.S. currently does not have comprehensive cybersecurity legislation. At the federal level, data security laws have emanated from legislation applying to different industries, such as health care (HIPAA), the financial services industry (GLBA), and even operators of websites directed to children under the age of 13 (COPPA). And although nearly all states have adopted data breach notification laws, only a few states have adopted generally applicable data security laws.
Despite the lack of comprehensive cybersecurity legislation, guidance is currently available to directors and officers on cybersecurity issues. For example, the Payment Card Industry Data Security Standard (PCI DSS)—created jointly by the major credit card associations—requires businesses that accept American Express, Diners Club, Discover, MasterCard, and Visa to comply with significant security obligations.
Additionally, in response to an executive order by President Obama, the National Institute of Standards and Technology (NIST) has been working with owners and operators of critical infrastructure (e.g., power generation, transportation, and telecommunications organizations) on developing a voluntary cybersecurity framework. The framework is designed to help organizations reduce cyber risks. NIST published a preliminary cybersecurity framework in October 2013 and is providing a period of time for public comment. NIST plans to release the official framework this month.
Although it was developed for businesses involved in critical infrastructure, NIST’s cybersecurity framework is expected to contain practical advice for companies of all sizes and in all industries, which can be adopted as best practices. Thus, all directors and officers should consider reviewing this framework, as it may become a new standard of care.
Additionally, the SEC’s disclosure obligations for cyber risks and incidents may offer guidance to directors and officers. The SEC’s Division of Corporation Finance has issued disclosure guidance relating to cybersecurity. Although the guidance applies only to companies that are required to issue periodic reports to the SEC, even directors and officers of nonreporting companies may find it a useful tool for internal assessment of cyber risks.
Directors and officers also should monitor recent enforcement activity by the Federal Trade Commission (FTC) and state attorneys general. The FTC is charged with enforcing Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts affecting commerce.” Section 5 does not specifically mention data privacy or cybersecurity, but the FTC has interpreted its jurisdiction to extend to those areas, bringing a number of administrative enforcement actions that can create headaches under D&O liability insurance policies. Likewise, state attorneys general have brought enforcement actions under unfair and deceptive trade practices laws, as well as under data breach notification laws.
In sum, directors’ and officers’ legal obligations regarding cyber risks arguably may be derived from many sources. As legal obligations continue to evolve and expand, and as cyber threats continue to mount, prudent corporate leaders must proactively address cybersecurity within their companies and continually monitor the developing legal landscape. And D&O liability insurers may wish to evaluate these matters when assessing the insurability of current and potential insureds.