Panelists: Boards Must Meet Fiduciary Duties, Have Info. Reporting System in Place

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Susan Bokermann

April 16 — Boards of directors have a fiduciary obligation to assure a reasonable information reporting system for cybersecurity threats and breaches, said speakers during a panel titled “Director Oversight Liability in the Cybersecurity Age” at the ABA Business Law Section spring meeting in San Francisco.

This can be an issue for some companies because “most directors cannot even spell ‘IT,'” said Frances Floriano Goins, partner at Ulmer & Berne LLP, during the April 16 panel.

The panelists discussed best practices for both preparing and responding to cybersecurity breaches.

Board Oversight

Boards need to get ahead of the curve when it comes to cybersecurity breaches, said Goins. Oversight responsibility always comes back to the board, she said. As such, there are a number of steps the panelists agreed that boards can take to prepare for a breach.

Boards need to take responsibility for educating themselves about these issues, said Goins. This can include trainings for directors, setting up an enterprise risk management board committee or simply considering what peer companies have done. Goins said looking to see what other similarly situated companies are doing is important because “that may become the standard of care.”

Boards should also be asking the management certain questions in order to prepare for a breach, said Dave Garrett, managing director at Stroz Friedberg. He suggested that boards ask the management:

1. How have you prepared for a security incident?

2. Do you have a dedicated person or team to deal with cybersecurity and information technology?

3. How do we keep the business going if breached? Is there a disaster plan as if it were a natural disaster?

4. How do we keep up with the ever-changing nature of cybersecurity threats?

5. How much money are we spending on this issue, and is it enough?

 

There are also structural changes that can be implemented to help prepare for a breach, said Goins, including purchasing insurance.

There are four types of insurance intended to cover these issues, said Emy Donavan, vice president at Axis Capital. These are:

• director and officer liability insurance,

• errors and omissions insurance,

• cyber liability insurance, and

• bond insurance.

 

Impossible?

Despite all of the preparation advice, the inevitability of a cybersecurity breach was recognized as a given among the panelists. “Prevention is almost impossible,” said Brett Amron, co-managing partner at Bast Amron LLP. However, he said that how a board responds to a breach is just as important.

In the case of Target, the “board effectively fell asleep.” They delayed notifying customers for about two weeks, and when they did they provided misinformation because they didn't wait for the conclusion of the investigation. “[Companies] need to be patient,” said Garrett. It's best to wait a couple extra days until the investigation is complete in order to ensure the facts are correct.

In contrast, after Wyndham learned of its breach, the board held about 14 meetings to discuss the breach, and the audit committee met at least 16 times, said Amron. He said that Wyndham's quick reaction, coupled with the fact that it already had cybersecurity measures in place, allowed it to weather the breach, and the subsequent shareholder derivative lawsuit, more appropriately. 

Fiduciary Obligation

In In re Caremark Int'l Inc. Derivative Litig., the Delaware Chancery Court held that only a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exsits—will establish the lack of good faith that is a necessary condition to liability.”

“[To establish director liability is] a high test, and it's supposed to be,” said Lewis Lazarus, partner at Morris James LLP. The Delaware Supreme Court has emphasized that a bad outcome does not equate to bad faith, as illustrated in its holding in Stone v. Ritter, which requires that directors know that they are not discharging their fiduciary obligations.

Lazarus said that you “can't expect the board to know what every employee is doing every day,” but that the board has to have a system of reporting in place in order to fulfill its fiduciary obligations. “They can't do nothing.”

To contact the reporter on this story: Susan Bokermann in Washington at sbokermann@bna.com

To contact the editor responsible for this story: Kristyn Hyland at khyland@bna.com