Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center.
By Susan Bokermann
April 16 — Boards of directors have a fiduciary obligation to assure a reasonable information reporting system for cybersecurity threats and breaches, said speakers during a panel titled “Director Oversight Liability in the Cybersecurity Age” at the ABA Business Law Section spring meeting in San Francisco.
This can be an issue for some companies because “most directors cannot even spell ‘IT,’” said Frances Floriano Goins, partner at Ulmer & Berne LLP, during the April 16 panel.
The panelists discussed best practices for both preparing and responding to cybersecurity breaches.
Boards need to get ahead of the curve when it comes to cybersecurity breaches, said Goins. Oversight responsibility always comes back to the board, she said. As such, there are a number of steps the panelists agreed that boards can take to prepare for a breach.
Boards need to take responsibility for educating themselves about these issues, said Goins. This can include trainings for directors, setting up an enterprise risk management board committee or simply considering what peer companies have done. Goins said looking to see what other similarly situated companies are doing is important because “that may become the standard of care.”
Boards should also be asking management certain questions in order to prepare for a breach, said Dave Garrett, managing director at Stroz Friedberg. He suggested that boards ask management:
1. How have you prepared for a security incident?
2. Do you have a dedicated person or team to deal with cybersecurity and information technology?
3. How do we keep the business going if breached? Is there a disaster plan as if it were a natural disaster?
4. How do we keep up with the ever-changing nature of cybersecurity threats?
5. How much money are we spending on this issue, and is it enough?
There are also structural changes that can be implemented to help prepare for a breach, said Goins, including purchasing insurance.
There are four types of insurance intended to cover these issues, said Emy Donavan, vice president at Axis Capital. These are:
• director and officer liability insurance,
• errors and omissions insurance,
• cyber liability insurance, and
• bond insurance.
Despite all of the preparation advice, the inevitability of a cybersecurity breach was recognized as a given among the panelists. “Prevention is almost impossible,” said Brett Amron, co-managing partner at Bast Amron LLP. However, he said that how a board responds to a breach is just as important.
In the case of Target, the “board effectively fell asleep.” They delayed notifying customers for about two weeks, and when they did, they provided misinformation because they didn't wait for the conclusion of the investigation. “[Companies] need to be patient,” said Garrett. It's best to wait a couple of extra days until the investigation is complete in order to ensure the facts are correct.
In contrast, after Wyndham learned of its breach, the board held about 14 meetings to discuss the breach, and the audit committee met at least 16 times, said Amron. He said that Wyndham's quick reaction, coupled with the fact that it already had cybersecurity measures in place, allowed it to weather the breach, and the subsequent shareholder derivative lawsuit, more appropriately.
In In re Caremark Int'l Inc. Derivative Litig., the Delaware Chancery Court held that only a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”
“[To establish director liability is] a high test, and it's supposed to be,” said Lewis Lazarus, partner at Morris James LLP. The Delaware Supreme Court has emphasized that a bad outcome does not equate to bad faith, as illustrated in its holding in Stone v. Ritter, which requires that directors know that they are not discharging their fiduciary obligations.
Lazarus said that you “can't expect the board to know what every employee is doing every day,” but that the board has to have a system of reporting in place in order to fulfill its fiduciary obligations. “They can't do nothing.”
To contact the reporter on this story: Susan Bokermann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kristyn Hyland at email@example.com