
By Occasional Contributors | 4 Minutes Read June 25, 2014

Cybersecurity in the boardroom: The new reality for directors

Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high profile cybersecurity hacks—and the potential resulting drop in shareholder value, regulatory inquiries and litigations which inevitably follow—cybersecurity has become an increasingly challenging risk that boards must address.
The board’s role in understanding and monitoring cybersecurity risk has been underscored by a new breed of lawsuits alleging boards were asleep at the switch in the face of a known danger. Target, for example, is now facing a shareholder derivative lawsuit—Case number 14-cv-14-cv-203—alleging Target’s board members and directors breached their fiduciary duties to the company by failing “to maintain proper internal controls” related to data security and misleading affected consumers about the scope of the breach after it occurred. That complaint alleges Target was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target “to be exposed to millions of dollars of potential liability in class-action lawsuits,” and through “substantial damage” to “the company’s sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust.”
Wyndham Worldwide Corporation and certain of its officers and directors are also defending against a similar cybersecurity-related derivative lawsuit—Case number 2:14-cv-01234—related to the three data breaches the company sustained from April 2008 to January 2010. That complaint alleges, “In violation of their express promise to do so, and contrary to reasonable customer expectations” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The complaint alleges further that the individual defendants “failed to ensure that the company and its subsidiaries implemented adequate information security policies,” and the company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.”
The actions of Wyndham are also being held to scrutiny in a Federal Trade Commission (FTC) enforcement action—which just survived a significant motion to dismiss in April—alleging Wyndham violated Section 5(a) of the FTC Act, which prohibits “acts or practices in or affecting commerce” that are “unfair” or “deceptive” (Case number 2:13-cv-01887). According to the FTC’s complaint, Wyndham and certain subsidiaries failed “to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The fact that this complaint was allowed to proceed foreshadows future regulatory enforcement actions against companies for maintaining inadequate cybersecurity measures.
It remains to be seen whether the lawsuits against directors and officers will succeed. Regardless of their outcomes, however, these suits highlight that the board plays a fundamental role in preventing and detecting risks associated with information security breaches. The board’s role in cybersecurity was also emphasized by the SEC during its March 26 Cybersecurity Roundtable, where one of the key themes was the instrumental role the board of directors and senior management should play in leading an organization’s cybersecurity preparedness and resilience to cybersecurity attacks. One roundtable panelist opined in that regard that senior management can play an important role in creating a cybersecurity culture that “starts at the keyboard” and in which cybersecurity is not seen as a technology issue for the IT department to resolve but a business issue in which all employees take action and understand their role in protecting their companies.
While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice. In attempting to fulfill their fiduciary duties to the company by managing cybersecurity risks, the following are some guideposts for directors to follow:

  • Develop a high-level understanding of cyber-risks facing the company through briefings from senior management and others;
  • Consider retaining outside consultants to evaluate the company’s security risk management;
  • Ensure that the company has at least one committee that is responsible for overseeing and understanding cybersecurity issues, controls and procedures;
  • Ensure that the vendors the company retains have adequate security measures in place to protect data and that there are sufficient contractual clauses between the company and the vendor regarding such security;
  • Facilitate a culture that views cybersecurity as a business issue that all employees should understand and participate in. As part of that, companies should consider employee training and awareness programs;
  • Include a cyber-expert on the company’s board of directors, or receive regular reports from a cybersecurity expert that are discussed at board meetings;
  • Ensure the company has an updated plan to respond to a cybersecurity attack, should it experience one. As part of that, senior management should become familiar with the legal and contractual requirements to determine what steps they would be required to take if the company fell victim to a data breach;
  • Ensure that the applicable directors’ and officers’ insurance covers data breach lawsuits; and
  • Consider the guidance provided by the Cybersecurity Framework released in February by the National Institute of Standards and Technology in response to U.S. President Barack Obama’s Executive Order 13636, which was intended to be used by companies to create a cybersecurity program.

Although the risk of shareholder lawsuits cannot be eliminated entirely, taking one or more of the aforementioned steps may reduce the likelihood of directors being held accountable in data breach lawsuits against the company. The fact of the matter is that directors no longer can bury their heads in the sand with respect to cybersecurity issues because the likelihood of a breach hitting one’s company—and an ensuing lawsuit challenging the board’s role in that breach—is almost a certainty.
By Dana L. Post and Cheryl Howard
Originally published on The International Association of Privacy Professionals (IAPP)
Dana Post is special counsel, e-discovery and data management at Freshfields Bruckhaus Deringer US, LLP. Dana’s responsibilities include advising clients on their e-discovery obligations including the preservation, collection, processing, review, and production of electronic information. She also advises companies on data security issues and issues arising in cross-border litigation, including the data protection laws. Dana is a member of The Sedona Conference – Working Group 6 International Electronic Information Management, Discovery and Disclosure and the International Association of Privacy Professionals.
Cheryl Howard is senior associate at Freshfields Bruckhaus Deringer US, LLP.
