
Breaches in the boardroom: What directors and officers can do to reduce the risk of personal liability for data security breaches

By: Brenda R. Sharton, Partner and Gerard M. Stegmaier, Partner; Goodwin Procter

Corporate directors and officers may increasingly be targets of shareholder derivative lawsuits in the wake of the surge of regulatory actions and private litigation around data breaches. While no individual directors and officers have been held liable for the costs of a data breach to date, such lawsuits have been filed. Signals from plaintiffs' attorneys indicate that, if they have their way, the wave will break soon. Corporate leaders need not be caught off guard. As a recent court decision confirms, the risk of individual liability can be mitigated by taking proactive measures.

Data breaches on the rise

2014 was hailed as yet another year of the data breach. A recent study by the Ponemon Institute estimates that 43% of companies experienced a data breach last year, led by high-profile incidents at Target, eBay, Adobe, Snapchat, Michaels, Home Depot, Neiman Marcus and AOL. And, of course, 2014 was capped off by the breach of Sony Pictures Entertainment, which splashed celebrity gossip and entertainment industry chatter across the headlines, as well as business-critical, confidential information regarding company financials and projections and employees' personal information.

Personal liability for directors and officers – Caremark is alive and well

A shareholder derivative action is a lawsuit brought by a corporation's shareholders, ostensibly on behalf of the corporation, and often against the corporation's directors and officers. In its 1996 Caremark decision, the Delaware Court of Chancery declared that, in such actions, directors can be held personally liable for failing to "appropriately monitor and supervise the enterprise." The court emphasized that a company's board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so can constitute an "unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss."

The Caremark case has become a beacon across the corporate world for director conduct and now covers officers, including general counsel. Directors and officers must not demonstrate a "conscious disregard" for their duties or ignore "red flags"; doing so can result in a director or officer being held personally liable for a corporation's losses. This is because, as the Delaware Supreme Court later clarified in Stone v. Ritter, conduct that evidences a lack of good faith may violate the fiduciary duty of loyalty. And, although Delaware law allows a corporation to waive or limit a director's liability for violations of the duty of care, such waivers or limits are not allowed for the duty of loyalty.

While the Caremark case did not address information assets and corporate duties to protect them, its reasoning is being readily applied by plaintiffs seeking to capitalize on the cybersecurity issues confronting companies today. At least one expert, UCLA Professor Stephen Bainbridge, has suggested that no good reason exists to distinguish past Caremark decisions on lax legal compliance and accounting controls from potential widespread failures to implement and maintain appropriate risk management policies.

Regulators step up pressure

Government enforcement of data security standards has proliferated, and regulatory actions often are cited in subsequent shareholder derivative actions. Such actions are pointed to both as "red flags" that should have led officers and directors to anticipate problems and as measures that reduced corporate value. Leading the regulatory charge, the Federal Trade Commission recently announced its 53rd data security settlement, while noting that the number is "likely to go up."

Other agencies have also staked a claim in the data security regulation gold rush. Among banking industry regulatory agencies, the Federal Financial Institutions Examination Council recently announced a new regulatory self-assessment for banks' cybersecurity risks, and the Federal Deposit Insurance Corporation has declared cybersecurity a main supervisory focus. Building on its 2011 guidance on corporate disclosure obligations relating to "cybersecurity risks and cyber incidents," the Securities and Exchange Commission recently released a risk alert on the cybersecurity preparedness of registered broker-dealers and investment advisers. Since that guidance, the frequency with which public companies have reported data breaches has increased dramatically. Likewise, in October 2014, the Federal Communications Commission fined two companies $10 million each for maintaining "unjust and unreasonable" data security practices in violation of the Communications Act of 1934. A senior FCC official noted that it was the agency's first data security enforcement action, "but it will not be the last." And state attorneys general have enforced both state and federal statutes against companies doing business within their jurisdictions. As a result, the risks to enterprises, and therefore the relevance to directors and officers, are increasing dramatically.

The plaintiffs' bar follows suit

Those directly affected by data breaches – consumers and businesses alike – have followed the increase in enforcement actions and brought their own suits, often as class actions. The slew of lawsuits filed against Target Corporation after the 2013 hack of its payment system exposed the financial information of 110 million customers is typical. A class of consumers is seeking damages for Target's alleged negligence in exposing their personal financial information, and a group of banks is seeking reimbursement from Target for the cost of reimbursing fraudulent charges and for replacing credit and debit cards. Last month, a federal judge in Minnesota denied Target's motion to dismiss both cases.

Shareholders seize the opportunity

In the wake of a data breach, companies can face government enforcement, significant fines, litigation settlements or judgments, and declining share prices, all of which are fodder for shareholder derivative lawsuits brought under Caremark. A number of such lawsuits have in fact recently been filed. Although their filing confirms the risks of personal liability that directors and officers face in the event of a data breach, a federal district court's recent decision in a derivative action arising from data breaches at Wyndham provides a roadmap for some appropriate proactive measures to help mitigate those risks.

After hospitality company Wyndham Worldwide Corporation suffered three data breaches between 2008 and 2010, a shareholder brought a derivative action on behalf of the corporation against Wyndham's board. Coming after the FTC had initiated an enforcement action (which remains pending on appeal today), the plaintiffs in Palkon v. Holmes alleged that Wyndham had failed to implement adequate data security mechanisms and that this failure allowed hackers to steal the data of over 600,000 customers. They seek to assert claims on behalf of the company against its directors and officers for their alleged role in those failings.

In October 2014, a New Jersey federal court dismissed the case with prejudice, deferring to the board's business judgment that the company should not bring such a case against its officers and directors. In its opinion, citing the Delaware case law spawned by the Caremark case, the court highlighted the board's engaged and thorough response to two demand letters and a prior FTC investigation. Specifically, the court found that the board had discussed the breaches at 14 meetings between 2008 and 2012, the Wyndham Audit Committee had discussed the breaches in at least 16 meetings during that same period, and the board had engaged an outside technology firm to assess Wyndham's information security policies. This record of extensive consultation led the court to conclude that the board "had enough information when it assessed plaintiff's claim," and hence that the board's decision not to bring suit was within its broad discretion under the business judgment rule.

Despite not needing to discuss the merits of the plaintiffs' claims (because of its ruling that the plaintiffs had no right to pursue those claims on the company's behalf), the court specifically stated that the plaintiffs' suit fell short of alleging, as Caremark requires, that the board had "utterly failed to implement any reporting or information system [or] consciously failed to monitor or oversee its operations." The court noted that "security measures existed when the first breach occurred," and the board had addressed data security concerns "numerous times."

The Wyndham example thus shows that the risks of shareholder derivative actions against directors and officers arising from a data breach are very real. It also shows that strong defenses, both on the threshold demand requirement and on the underlying merits, are available to companies that take appropriate measures before any data breach and, if necessary, again after one.

Moving data security from the server room to the board room

Data security and information governance are increasingly part of board-level communications as the centrality of information to enterprises continues to grow. But these discussions cannot happen quickly enough: the same Ponemon Institute study that found almost half of U.S. companies experienced a data breach in 2014 also noted that 27% did not have a data breach response plan in place.

Attention to cybersecurity is becoming ubiquitous in the United States, and with that saturation comes the potential for greater liability. Because of the klieg lights currently trained on data security, corporate defendants will find it difficult to argue that there were no "red flags," likely opening the door to Caremark just wide enough for waiting plaintiffs to walk right in.

The good news is that, as the Wyndham case confirms, it is possible for directors and officers to take action that will satisfy their Caremark duties. Some measures frequently identified that boards may consider include:

  • Hire a Chief Information Security Officer and engage outside technical experts to conduct regular assessments and to educate officers and board members on data security
  • Evaluate whether to appoint, and if warranted appoint, a board committee to focus on data protection
  • Have the board regularly address and deliberate when deciding issues of data security, and carefully document the deliberations to demonstrate appropriate care
  • Adopt a security plan that is tailored to the company's specific risk profile (and review and assess those risks systematically on a regular schedule and as needed in response to specific threats)
  • Hold information and training sessions to increase awareness at all corporate levels
  • Perform gap analyses and comparative benchmarking with peer organizations that hold similar types of information
  • Learn from experience. Perfect security doesn't exist, but every organization can learn from its own incidents and those of its peers
  • Ensure open lines of communication. Often competing pressures may limit IT's ability to deliver security, but by enabling open and direct communication to and with the board and senior management, security risks have a greater chance of being addressed appropriately
  • Review D&O insurance and related insurance policies holistically for coverage regarding security incidents and protection of the company's brand, information assets and other assets

Just as no perfect security exists, there are no perfect solutions for officers and directors. Fortunately, the courts have not required perfection. Rather, by being able to demonstrate attention and care, including some or all of the steps set forth above, officers and directors can both help protect the organizations they serve and mitigate the risk of personal liability in this rapidly emerging and increasingly important area.

About the authors

Brenda R. Sharton and Gerard M. Stegmaier are partners at Goodwin Procter LLP. Ms. Sharton chairs Goodwin Procter's Business Litigation Group as well as its Privacy & Data Security Practice. Mr. Stegmaier is a member of the firm's Privacy & Data Security and Technology Company Practices. Beau Barnes, an associate in Goodwin Procter's Litigation Department, also contributed to the piece.