The Courts Are Picking Up the Cyber Pace: A New Era of Accountability for Boards of Directors

Oct 7, 2024

There is a higher court than courts of justice and that is the court of conscience. It supersedes all other courts.

—Mahatma Gandhi

Introduction

In recent years, the legal landscape around cybersecurity and data breaches has shifted significantly, placing increasing responsibility on corporate boards to oversee cyber risk management. This evolution reflects a growing recognition that cybersecurity is not merely an IT issue but a critical component of corporate governance and risk management. Chapter 3 of my book, Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage, delves into this transformation, highlighting critical legal cases that underscore the emerging standard of care for boards concerning cybersecurity.

The Emergence of a Legal Standard of Care in Cybersecurity

The concept of a “standard of care” in cyber risk management is becoming increasingly relevant as courts hold boards of directors accountable for failures. This article discusses several foundational and recent legal cases that have set the stage for greater board accountability, particularly for public companies. The legal principle of fiduciary responsibility, which includes the duty of care, requires directors to act with the watchfulness, attention, caution, and prudence that a reasonable person would use in similar circumstances. Boards must ensure that their organizations have robust cyber risk management programs.

The Board’s Responsibility in Cyber Risk Oversight

One of the top three responsibilities of a board is providing risk management oversight. This responsibility has become more complex as cyber threats have increased in both frequency and severity. Stakeholders expect boards to deeply understand their company’s operations and risks, including cybersecurity-related ones. When boards fail to provide adequate oversight, they expose their organizations—and themselves—to significant legal and financial risks.

The chapter comprehensively analyzes several high-profile cases where boards were accused of failing to fulfill their fiduciary duties related to cybersecurity oversight. For instance, the 2013 data breach at Target, which compromised 41 million customer payment card accounts, led to shareholder derivative lawsuits. Although the courts ultimately dismissed these lawsuits against Target’s officers and directors, the case highlights boards’ critical role in overseeing cyber defenses.

Vital Legal Cases: Target, Yahoo, Equifax, and Beyond

The chapter reviews several vital cases that illustrate the evolving legal landscape:

  • Target (2013): The data breach at Target led to multiple lawsuits, including shareholder derivative actions that accused the board of failing to oversee the company’s cybersecurity program adequately. Although the lawsuits were dismissed, they underscored the critical importance of board oversight in cybersecurity.
  • Yahoo (2014 and 2016): Yahoo’s massive data breaches resulted in a $29 million settlement, marking one of the first significant recoveries in a data breach-related derivative lawsuit. The case suggests that stronger cybersecurity protections have created a corporate cybersecurity standard of care, making it imperative for boards to act proactively.
  • Equifax (2017): The breach at Equifax affected 147 million consumers and led to numerous lawsuits. Notably, the court denied a motion to dismiss claims against Equifax’s former CEO, who was alleged to have personal knowledge of the company’s inadequate cybersecurity systems. This case represents the first significant data breach-related claim against a corporate officer to survive a motion to dismiss.

These cases and others discussed in the chapter indicate that directors and officers of major corporations may face increased personal liability in connection with data breaches. The courts’ decisions in these cases are shaping a new standard of care for cybersecurity, with significant implications for boards.

The Caremark Standard and Its Application in Cybersecurity

The chapter also explores the Caremark standard, a legal doctrine established by the Delaware Court of Chancery in 1996. This standard imposes liability on directors under two circumstances: (1) when they fail to implement any reporting or information system or controls and (2) when they consciously fail to monitor or oversee the operation of these systems. The chapter discusses how recent cases, such as those involving SolarWinds and Marriott, have applied the Caremark standard to cybersecurity oversight.

In the SolarWinds case, for example, the court found that the plaintiffs failed to demonstrate bad faith liability on the part of the directors, despite allegations that the board had not discussed cybersecurity for two years leading up to a significant cyberattack. Similarly, in the Marriott case, the court dismissed claims that the board had failed to conduct cybersecurity due diligence before acquiring Starwood Hotels and Resorts. These rulings suggest that while Caremark claims remain difficult to prove, the growing importance of cybersecurity may lead to more successful claims in the future.

The Role of Regulatory Frameworks and the SEC

The chapter concludes by discussing the implications of new regulatory frameworks, such as the U.S. Securities and Exchange Commission’s (SEC) 2023 rule on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” These regulations are expected to create “positive laws” that will further define the responsibilities of boards in overseeing cybersecurity risks. Boards that fail to meet these responsibilities could face increased scrutiny and potential legal action.

In addition to SEC regulations, the chapter highlights the importance of effective compliance programs. Drawing on the U.S. Sentencing Guidelines and the Department of Justice’s (DOJ) “Principles of Federal Prosecution of Business Organizations,” the chapter emphasizes that boards must ensure their organizations have robust cybersecurity risk management programs as part of their overall compliance efforts.

Conclusion: A Call to Action for Boards

The legal cases and regulatory developments discussed in this chapter serve as a wake-up call for board directors. As cyber threats continue to evolve, boards must take proactive steps to enhance their oversight of cyber risk management. These steps include ensuring their organizations have effective cybersecurity programs, staying informed about relevant legal cases, and preparing for regulatory changes.

Boards that fail to take these steps may face significant legal and financial liabilities. As the courts continue to “pick up the cyber pace,” it is clear that cybersecurity is now a critical component of corporate governance—and boards must rise to the challenge.

While these court cases raise awareness of and attention to enterprise cyber risk management (ECRM), more must be done to increase C-suite and board accountability. See my recent post, Accountability for Cyber Risk Management: A Critical Imperative for C-Suite Executives and Board Members, for examples of how we might achieve much-needed increased accountability.

This article provides a brief preview of Chapter 3 and my book. To learn more, including specific, tangible actions you may take to prepare for a cyber incident becoming a court matter, order your copy of Enterprise Cyber Risk Management as a Value Creator today.