Adopting written cybersecurity policies
The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey court dismissed a shareholder derivative suit that sought damages from, among others, the directors and officers of Wyndham Worldwide Corp. (“WWC”) for several data breaches. It is the first decision issued in the US in a shareholder derivative claim arising out of data breaches. The decision is important and instructive for board members because it provides examples of approaches to cyber risk oversight that directors and officers may implement to help shield themselves from liability in the context of data breaches.