Emerging Cybersecurity Issues for Boards – Directors and Boards

Scott Hyman, Genevieve Walser-Jolly and Kyle Kessler

The Wall Street Journal reported that global expenditure on cybersecurity reached an unprecedented $188 billion in 2023 and is projected to increase to nearly $215 billion in 2024. Simultaneously, the United States experienced a surge in cybersecurity breaches, with 3,205 incidents reported in 2023, marking a 78% increase from the prior year and surpassing the previous peak in 2021 by 72%. Unfortunately, increased spending on cybersecurity has not correlated with a decrease in cybersecurity breaches.

Certainly, data breaches have resulted from increasingly sophisticated ransomware, whether created through state-sponsored efforts or by the colloquially named “ransomware-as-a-service”. Accordingly, a company’s cybersecurity program necessarily must involve the efforts of the company’s IT department to prevent such attacks from the outside. But most data breaches do not result from brute-force attacks. Instead, they result from human error. So, a company’s cybersecurity program must holistically protect against the enemy within. It must protect the company from itself.


So-called “social engineering” exploits human error to gain private information, access or valuables – in cybersecurity parlance, to gain access to company data. Employees may visit websites and download malicious code, may click on malicious links, or may practice poor authentication hygiene by failing to use complex passwords. Companies must also make sure that those with whom they interact do not become the weakest link for exploitation by malicious actors. Therefore, any robust program must also include proper vendor management, supervision and access control. This multi-front cybersecurity battle drives up the cost of cybersecurity, but does not necessarily produce a corresponding decrease in cybersecurity attacks, incidents or data breaches.

The surge in cybersecurity risk and the theft of personal data has prompted a panoply of legislation, rulemaking and, in some cases, litigation and settlements. No longer is cybersecurity relegated to the exclusive realm of a company’s IT department. One underlying trend has been the increasing requirement that the C-suite and board be involved in a company’s cybersecurity. For example, the Federal Trade Commission (FTC) made its position on upper-management involvement in cybersecurity clear in its blog post, “Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight”. More specifically, in its amended Safeguards Rule, the FTC required that a company’s board be directly involved – a qualified individual must report to the board regularly (at least annually) and include an overall assessment of the company’s compliance with its information security program.


The SEC’s recent regulations echo the FTC’s position, requiring disclosure in Regulation S-K, Item 106, that the registrant describe the board’s oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. States have followed suit. For example, the New York Department of Financial Services regulations similarly provide that, for an entity having a board of directors or equivalent, the board (or an appropriate committee) must exercise oversight of and provide direction to management on the entity’s cybersecurity risk management, and have sufficient expertise and knowledge (or advice from qualified persons) to exercise cybersecurity oversight. California’s latest California Consumer Privacy Act draft regulations require a covered company to perform annual, independent cybersecurity audits and file some of the audit results with the California Privacy Protection Agency. And, some recent data breach settlements from federal and state regulators have included a requirement of personal sign-off and involvement from company management.

As legislation, regulations and settlements increasingly require board involvement in cybersecurity, company boards walk a fine line between strategic oversight and actual hands-on, day-to-day management of cybersecurity and consumer data. Even in the absence of the new regulatory requirements, the failure to disclose inadequate cybersecurity procedures and data management has found its way into shareholder derivative litigation. The standards and protections set forth in the seminal case of In re Caremark International Inc. Derivative Litigation and its progeny set a high bar against individual director and officer liability. Accordingly, for cybersecurity breaches, individual liability has not found much traction: personal liability arises only where there was a failure to institute information reporting mechanisms or security controls, or a conscious failure to manage such measures, so that the director is unaware of illegal or legal (but highly risky) corporate activity that has a high likelihood of causing damage to the corporation.

Beyond that, some have predicted that the rules and regulations promulgated by state and federal regulators could lead to efforts to impose direct personal liability on corporate management, and that civil lawsuits could name not only the company but also the board. The potential dollars at issue in a data breach situation encourage such creative theories. For example, in California, victimized consumers whose unencrypted and unredacted data has been exfiltrated may recover damages between $100 and $750 per consumer per incident or actual damages (whichever is greater) if the business has failed to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

Fortunately, such direct claims against management have neither significantly materialized nor should they survive the high legal standards for imposing individual, direct liability on directors and officers. In United States Liability Insurance Co. v. Haidinger-Hayes Inc., the California Supreme Court addressed such standards in an insurance company’s suit against its corporate agent and the agent’s president. The California Supreme Court (The Court) held that corporate management cannot be held vicariously liable for the acts of the corporation, and that directors or officers of a corporation do not incur personal liability for torts of the corporation merely by reason of their official position, unless they participate in the wrong or authorize or direct that it be done. The Court recognized that the duty corporate directors and officers owe flows to the corporation they serve, such that they are not responsible to third persons for negligence amounting merely to nonfeasance and a breach of duty owing to the corporation alone. In other words, the act must also constitute a breach of duty owed to the third person, and more must be shown than breach of the officer’s duty to the corporation to impose personal liability to a third person. But, as later courts explained, a person’s mere status as a director or officer of a corporation does not immunize them from their own torts.

With regard to cybersecurity and data breach, the combination of this new and evolving regulatory backdrop with the typical size of a data breach encourages creative theories directed at directors and officers. Theories of management liability will continue to evolve alongside developments that define data subjects’ relationship with their data and alongside developments that reevaluate data subjects’ relationship with the companies that control, process, store and share such data. Each legislative, regulatory and legal development appears designed to nudge closer the relationship between company management and a company’s data subjects and their data.

Company boards and their advisors should closely monitor the effect of the regulatory environment on both increased cybersecurity obligations and any potential directional shift of board duties. To fend off new and creative theories of individual liability, a company must have a robust cybersecurity program that involves the boardroom. Any such program should involve:

  • Identification and appointment of individuals within upper management who have expertise in cybersecurity and who have clearly defined responsibilities.
  • Receipt of timely and adequate briefings on cybersecurity.
  • Awareness of developments in cybersecurity standards and management applicable to the data the company holds.
  • Reevaluation of the company’s insurance portfolio to manage cybersecurity risk not only to the company but also to the company’s directors and officers.
