How a Sneaky Data Hack Increases Liability Risks for Corporate Directors
Because two of my clients – 360 Advanced and Adsero Security – provide IT data breach auditing and remediation services, I was especially interested when I learned of how a major corporation had been so easily hacked recently.
Directors Facing Increased Liability for Data Breaches
The hackers got inside the corporation’s accounts payable department and had a pretty hefty check sent to them, which was cashed and cleared. The corporation’s vice president for information technology (IT) and his team reported to the board at its monthly directors and management meeting that “everything’s OK now.”
Is it? A cleared fraudulent payment proves only that one transaction succeeded; it says nothing about how the attackers got in, whether that access has actually been closed, or whether they are still inside the company’s own systems or, worse, inside the IT systems of its vendors and partners.
“Duty of care” Demands Auditing Risks as Hacks Increase
Breach investigations routinely find that intruders have been inside for months before anyone notices, and they use that time to strike again – at far greater cost to the victim and its vendors and partners. The attackers who hit Target got in with credentials stolen from a heating and air-conditioning vendor and then moved through the network at their leisure; Yahoo! has never fully explained who was behind its largest breach or how it was carried out, and Equifax, though it traced its intrusion to an unpatched Apache Struts vulnerability, could not at the time say who had exploited it.
Which brings me back to the corporate board of directors. The corporation victimized in this instance has never had an outside, third-party audit of its IT systems and data security processes and protocols by a QSA – a Qualified Security Assessor. Could that failure expose its officers and directors to a lawsuit for failure to exercise their duty of care if there is another breach? With news of major hacks every day now, should boards be more diligent in ordering management to commission such audits?
The number of U.S. data breach incidents tracked in 2017 hit a record high of 1,579, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center® (ITRC) and CyberScout® – a 44.7 percent increase over the previous record set in 2016.
“The growing prominence of cybercrime underscores the significance of cybersecurity and planning as a management issue. Given the technical nature of cybersecurity, a question naturally arises about the role that directors and officers should play,” writes John E. Black Jr., Executive Principal at Skarzynski Black LLC. “There is scant case law explaining the duties of directors and officers for corporate cybersecurity, although the number of lawsuits against directors and officers as a result of cyber breaches is rapidly growing.”
Boards have “Duty of Care”
After the huge data breach at Yahoo!, a group of Yahoo! shareholders, led by the Oklahoma Firefighters Pension and Retirement System, sued the company, its CEO, a co-founder and its board, alleging dereliction of their fiduciary duty.
As the Delaware Chancery Court has put it: “It should be apparent that many failures of oversight by directors sufficient to constitute a breach of duty implicate the duty of care. Directors breach the duty of care where they act with gross negligence. In other words, where the directors are informed of potential unlawful acts in a way that puts them on notice of systematic wrongdoing, and nonetheless they act in a manner that demonstrates a reckless indifference toward the interests of the company, they may be liable for breach of the duty of care.”
According to the Legal Information Institute, “The duty of care stands for the principle that directors and officers of a corporation in making all decisions in their capacities as corporate fiduciaries must act in the same manner as a reasonably prudent person in their position would.”
What Will Mitigate the Risk?
With north of a 44% increase in data breaches from 2016 to 2017, one can only imagine what 2018 and beyond will bring. There is a strong argument that, since virtually every business, corporation, academic institution, hospital and other organization that handles consumer data has a high probability of being breached, it falls squarely within a board’s “duty of care” to take preemptive action and order a thorough, independent IT and data security audit by a qualified security assessor.
Otherwise, directors surely are on the slippery slope described above by the Delaware Chancery Court when they “are informed of potential unlawful acts in a way that puts them on notice of systematic wrongdoing, and nonetheless they act in a manner that demonstrates a reckless indifference toward the interests of the company.”
With knowledge that a breach is almost a certainty today, a “reasonably prudent person” would take appropriate defensive action to mitigate the risks. Or would they? Some boards of directors clearly have not, and they risk ending up in tomorrow’s headlines – and in court.