To Limit Liability from Cyber Events, Boards Should Review Current Litigation, SAFETY Act

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Yin Wilczek

March 10 — In the face of increasing cyber attacks, directors and directors can limit their exposure to liability by taking a page from ongoing litigation and by relying on an obscure 13-year-old statute addressing terrorist events, attorneys from Pillsbury Winthrop Shaw Pittman LLP said March 10.

Although there haven't been that many shareholder derivative lawsuits filed over hacking incidents, “I would expect more to be filed” as more and more companies come under attack, said Sarah Good, a partner in Pillsbury's San Francisco office, during a Practising Law Institute webcast.

In the meantime, much can be learned from the experiences of Wyndham Worldwide Corp. and Target Corp., both of which had to defend against shareholder derivative lawsuits after breach incidents, Good said.

Brian Finch, a partner in Pillsbury's Washington office, also noted that directors and officers should look to the 2002 Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act.

The statute “is a functional stamp of approval with respect to your cybersecurity policies and procedures, and will be a powerful argument in the toolkit of a board in rebuffing shareholder litigation,” Finch said.

Three Breaches 

A shareholder derivative action was filed against Wyndham in February 2014 as a result of breaches on three separate occasions between 2008 to 2010 in which the personal information of some 600,000 customers was stolen.

In October 2014, the U.S. District Court for the District of New Jersey granted Wyndham's motion to dismiss the action. The court concluded that the board's decision that it would not be in the best interests of the company to pursue litigation should stand.

The plaintiffs have filed an appeal over the ruling. Wyndham also is litigating a lawsuit filed by the Federal Trade Commission over the breaches.

Target, for its part, is facing a consolidated derivative lawsuit over a hacking incident that may have compromised the credit card data and other personal information of as many as 110 million people. The lawsuit has been stayed pending the outcome of an investigation by the company's Special Litigation Committee into the complaints.

Good observed that shareholder derivative litigation is difficult to mount because of the substantial protection provided by the business judgment rule and its presumption that directors act in the best interest of the company. However, the problem is that if these cases survive motions to dismiss or pleading challenges, defendants may have to shell out “humongous” damages.

Good said that generally shareholder derivative litigation related to cyber breaches may allege, among other shortcomings, the failure to:

• remedy “known security vulnerabilities”;

• use common anti-hacking methods, such as user passwords;

• adequately manage network devices;

• employ reasonable strategies to detect and prevent unauthorized access; and

• adequately restrict third-party vendor access.


Board, Committee Meetings 

With respect to Wyndham's case, Good noted that Judge Stanley R. Chesler remarked on the 14 meetings held by the board and the 16 meetings held by its audit committee to discuss cybersecurity measures.

She also said it was interesting that Target elected to establish a SLC, which can lead to multi-million-dollar investigations involving “tons of documents” and “lots of interviews.” Companies involved in derivative lawsuits related to other matters generally do not go that route, she said.

Target's committee may be a “recognition” that even if it had a strong legal argument against the lawsuit, the company may not win a motion to dismiss without mounting an investigation and digging into the allegations, Good said.

Based on the Wyndham and Target experiences, boards must show that they took reasonable steps to fulfill their fiduciary duties to shareholders in preparing against cyber attacks, Good said. She suggested that in particular, boards should have a robust and periodic process for considering cyber issues, and should document such meetings.

In addition, boards should consider establishing a subcommittee dedicated to cybersecurity matters, Good said. She also suggested that cybersecurity experts be retained to evaluate the company's cyber protection and other security controls.

Boards can no longer rely on corporate management to handle and address cybersecurity, Good added. “Boards need to question and dig in deeply into the issues.”


Meanwhile, the SAFETY Act, enacted as part of the 2002 Homeland Security Act, eliminates or reduces tort liability for sellers of Department of Homeland Security-approved technologies with respect to lawsuits arising after a terrorist attack, Finch said.

One advantage of the act is its broad definition of a “terrorist” event, which encompasses cyber attacks, Finch said. “It is the broadest you will find in the U.S. Code.”

In addition, the people under attack don't have to identify the group or individual that conducted the attack, or show an intent to cause injury, Finch continued.

Companies must apply to DHS to obtain SAFETY Act protections, Finch continued. He added that there are two forms of liability protection under the statute: “designation” and “certification.”

Under “designation,” claims may be filed only in federal court, damages are capped at a level set by DHS, and there is a bar on punitive damages and prejudgment interest, Finch said. Under “certification,” companies that sell or deploy cyber technology have a rebuttable presumption of immunity from liability, he said.

The SAFETY Act safe harbor can be used to mitigate claims related to negligence, third-party liability and failure to take reasonable steps, Finch said. In addition, the only way to circumvent the act's certification shield is to show fraud or willful misconduct in submitting an application to DHS, he said.

And that's just “not going to happen, Finch added. The application is “just too rigorous a process.”

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at


Request Corporate on Bloomberg Law