The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey court dismissed a shareholder derivative suit that sought damages from, among others, the directors and officers of Wyndham Worldwide Corp. (“WWC”) for several data breaches[1]. It is the first decision issued in the US in a shareholder derivative claim arising out of data breaches. The decision is important and instructive for board members because it provides examples of approaches to cyber risk oversight that directors and officers may implement to help shield themselves from liability in the context of data breaches.
Cybersecurity in the boardroom: The new reality for directors
Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high-profile cybersecurity hacks—and the potential resulting drop in shareholder value, regulatory inquiries and litigation that inevitably follow—cybersecurity has become an increasingly challenging risk that boards must address.