Personal Involvement and Liability of Officers and Directors When it Comes to Cyber Security

Directors and officers of corporations have, as most of you know, fiduciary duties to act in the best interest of the corporation. To meet these duties, officer and directors must exercise a high degree of care in the operation and management of the corporation, to avoid self-dealing, to be transparent and to generally act in a way that protects the interest of the corporation. This duty extends to their oversight of the operations of the corporation. Acting in conscious disregard for their duties or ignore facts that appear as red flags could potentially expose them to personal liability. These cases typically arise through a shareholder derivative lawsuit brought by the company’s shareholders on behalf of the corporation. Where shareholders allege that directors and/or officers have violated their duty of oversight (i.e. a breach of their fiduciary duties), courts have coined this a Caremark claim after the case In re Caremark International Inc. Derivative Litigation, (1996) 698 A. 2d 959.

As we witness ever more cyber security breaches and “cyber incidents”, directors and officers are increasingly expected to pay close attention and to actively take steps to protect their companies from such threats. There are signs that plaintiff’s counsel are looking closer at shareholder derivative actions to go after directors and officers personally after a breach. We are also seeing steps being taken at the public level where a recent bill has been introduced, for public companies only at this point that would require companies to disclose the cyber security experience of its directors and if they have none, explain why the company does not believe it is necessary for the Board to have such experience. Senate Bill 592.

The question then becomes what can officers and directors do to minimize or eliminate personal liability from a cyber security incident. Here are some suggestions:

  • Make sure that the company has adequate D&O and Cyber insurance;
  • Make sure that they are actively involved in Board meetings, reports and committees and that they document, through minutes or otherwise, their involvement;
  • Hire a Chief Information Officer or someone else charged with overseeing the security infrastructure of the company;
  • Engage outside experts to assess and mitigate any potential weaknesses, regularly;
  • Have the Board and officers meet regularly to discuss cyber security (and document it!);
  • Adopt a security plan and a response plan in the event of a breach; and
  • Make sure that everyone knows who to call (and who not to contact) in the event a breach is discovered.

Too many times we see directors who agree to serve on the Board of a company and then “check out”; engaging only when necessary or asked. It is important that directors and officers ask questions and push for cyber security protection to protect the company. If there is a security breach, directors and officers can jump in and try to help the company navigate that or at least oversee its actions and responses.

Taking an active role when it comes to cyber security will go a long way towards protecting the company and its shareholders and mitigating exposure to personal liability.

If you have further questions about your duties as an officer or director or other corporate matters, please contact Brandon Smith at (bds@sfcounsel.com), Bill Scherer at (wms@sfcounsel.com) or Heather Sapp at (hgs@sfcounsel.com).

– Written by Brandon Smith