“No”, you say, “they are great business people, and we have an IT department!” That answer could cause you trouble.
With all due deference to your IT department, it is quite possible that its expertise does not include the legal aspects of cybersecurity. It will no doubt ensure appropriate encryption and firewalls, but does it have the authority (or expertise) to advise you on data privacy laws and breach notification requirements? Can it develop compliant notices and work with your insurance company on any claims? It will know how to stop the breach (assuming it is an electronic one) but what then? Do not rely on your IT department to provide legal advice on cybersecurity. This is one of the many tasks that should be handled by your company management, including your board (if you have one). And what if the board fails to do this? Before answering that, consider the obligations of those who operate the company.
Your company officers and board have the ultimate responsibility for running the company. Decisions are made based on the best available information at the time, and as long as this is true the individuals who run the company will generally be protected from claims by the company and its owners. This rule (called the “business judgment rule”) requires that boards and company officers educate themselves in the areas where they are making decisions, but it doesn’t require that they always be right. For example, the President of the company won’t be liable if what looked to all reasonable people like a good investment later on turns out to be a poor one. So, boards and company officers don’t have to be perfect and have a crystal ball to guide them, but they DO need to make a good effort to meet their obligations to the company and the company’s owners.
How does this connect to cybersecurity? Ask the officers and board of Yahoo!. After it entered into a sale agreement with Verizon, it was discovered that Yahoo! had experienced a data breach in 2014 involving roughly 500 MILLION users. Some time later it confessed that 2014 wasn’t the first data breach – it had experienced one in 2013 as well, involving up to ONE BILLION users. Naturally this caused issues with the Verizon deal, but for the purposes of this blog we are focusing on the multiple lawsuits brought against the board and officers by the shareholders. The owners of Yahoo! sued, claiming that some of the officers and directors had breached their obligations of fiduciary duty and more. Instead of taking care of the data breaches as they should have, the shareholders alleged, the officers and directors tried to cover them up. While the parties settled the lawsuit and the officers and directors denied the allegations, they paid out $29 million to settle the case.
Granted, the Yahoo! cases were complex and much of the behavior alleged was pretty egregious. But the fact that the case was proceeding based in great part on the failures of officers and directors to properly address data breaches should be a tale of caution for all entity officers and boards. You are charged with competency, and knowing (or hiring experts that know) the rules and regulations surrounding cybersecurity is critical. Don’t leave it to the IT department.
Interestingly enough, a bipartisan bill currently before Congress would require that public companies disclose whether any members of their boards are cybersecurity experts. If none are, the company has to explain why not, including the cybersecurity processes it has in place.
For questions on these and other matters please contact Carole Clark Isakson, Computer and Software law attorney at BGS.