As data breaches become more prevalent, their impact on the C-suite is evolving, with directors and officers increasingly becoming the target of lawsuits. The culpability of directors and officers for these breaches, and the actions their organizations take on the heels of a breach, continue to invite scrutiny.
Most recently, we have seen this with shareholder class-action suits against Yahoo and Equifax. In the Yahoo case, a breach of fiduciary duty claim was filed because the company failed to disclose to shareholders various breaches that occurred between 2013 and 2016 (1.5 billion user records were stolen) until after they had voted in favor of Yahoo's sale to Verizon and in favor of golden parachute payments to certain individuals, including specific individual defendants, if the transaction was approved. A shareholder class action suit against Equifax claims that the credit reporting giant issued false and misleading statements following a breach affecting 143 million consumers and did not disclose its failure to protect its data systems and to detect security breaches. When the breach was disclosed, its stock price fell materially, causing investors harm. Litigation is ongoing.
Although plaintiffs in the past have not been successful in their claims against directors and officers (Target, Wyndham, Home Depot), board and executive-level involvement in cyber risk management is becoming more prevalent, particularly in the post-breach litigation landscape. Directors and officers should be taking practical steps to reduce their liability exposure, including:
- Hiring a Chief Information Security Officer and engaging outside technical experts to conduct regular assessments and to educate officers and board members on data security.
- Evaluating and/or appointing a board committee to focus on data protection.
- Regularly addressing and deliberating on issues of data security, and carefully documenting those deliberations to demonstrate appropriate care.
- Developing mechanisms to detect data breaches as soon as possible, and preparing a robust data breach response and notification plan in advance of an incident. Too many companies fail to do so until after a breach has occurred.
- Adopting a security plan that is tailored to the company's specific risk profile (and reviewing and assessing those risks systematically on a regular schedule and as needed in response to specific threats).
- Holding information and training sessions to increase awareness at all corporate levels.
- Performing gap analyses and comparative benchmarking against peer organizations that hold similar types of information.
- Ensuring open lines of communication. Competing business pressures often limit IT's ability to deliver security; enabling open and direct communication with the board and senior management gives security risks a greater chance of being addressed appropriately.
- Reviewing D&O insurance and related insurance policies for coverage regarding security incidents and protection of the company's brand, information assets and other assets.
RPS can assist you in securing both D&O and Cyber insurance policies for your clients. Just give us a call to discuss your client’s specific needs.