By: Mike Wolak and John Goselin
With the recent filing of a shareholder derivative action against several directors and officers of The Home Depot following the company’s severe data breach in 2014, questions concerning the adequacy of board oversight over cybersecurity risks will be at the forefront of derivative claims that are expected to increase in frequency following data breaches at publicly-traded companies. Indeed, with cyber-attacks growing in number and strength, directors and officers must incorporate cybersecurity management into their risk oversight functions to ensure they are adequately discharging their fiduciary duties to the corporation and its shareholders.
The derivative complaint, filed in federal court in Atlanta in August 2015, alleges that eleven current and former directors and officers of The Home Depot breached their fiduciary duties of loyalty and good faith by failing to adequately oversee the company’s cybersecurity functions and ensure that information concerning more than 50 million customers was protected. The complaint alleges, among other examples, failure to ensure the use of sufficient firewalls and antivirus software, failure to ensure that network access was monitored, and failure to ensure that customer information was encrypted. The complaint claims the data breach damaged the company by exposing it to massive consumer litigation, regulatory investigations, and millions of dollars in related fees and costs.
While state corporation law, such as Delaware’s, which governs the Home Depot litigation, is careful not to permit shareholders to use the duty of oversight to second-guess every well-informed business decision adopted by the board of directors, inadequate oversight over corporate risk can serve as a basis for individual board member liability where (i) the directors consciously failed to implement any reporting or information system or controls; or (ii) the directors, having implemented such system or controls, consciously failed to oversee its operations and thus failed to be informed of risks. The seminal Delaware case defining the scope of the board’s duty of oversight is In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
The Home Depot litigation, like the derivative lawsuit filed by shareholders following the Target data breach, is premised on the “inadequate oversight” theory of liability first articulated in Caremark. Experts expect this trend to continue as derivative actions become more common following data breaches. In the wake of this trend, boards must proactively manage cybersecurity risks by implementing and adequately documenting procedures to prevent and prepare for data breaches. With this in mind, companies should consider the following:
- Educate the company’s directors and officers on cybersecurity risks, including the use of outside consultants and experts to keep the board informed and updated regularly as to new cybersecurity threats and control measures.
- Establish a committee of directors and officers, or appoint one director, to assume responsibility for cybersecurity oversight.
- Ensure that all activity related to cybersecurity oversight is documented and retained, including minutes of board and committee meetings.
- Perform a cybersecurity risk assessment to evaluate the company’s current monitoring and controls regarding the security and protection of its electronic information and data, including using outside consultants and experts to assess where the current controls may be vulnerable to cyber-attacks.
- Establish a cybersecurity management plan consisting of policies and procedures designed to prevent data breaches.
- Establish a response plan for an actual breach that is consistent with the best practices for companies in the same industry. FMG’s new Data Breach Toolkit is available to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and to respond effectively if one happens.
- Ensure that the company has adequate cybersecurity insurance coverage, including coverage for directors and officers alleged to have breached their fiduciary duties in connection with a data breach.
With public companies facing a growing threat of cyber-attacks and resulting data breaches, directors and officers will be exposed to an increasing number of claims by shareholders alleging that the board failed to adequately oversee its cybersecurity functions. It is thus critical that boards minimize their liability exposure by incorporating cybersecurity management into their oversight functions and document all aspects of cybersecurity oversight to help ensure that they properly discharge their fiduciary duties.