American businesses are under attack on a daily basis by hackers trying to steal just about anything of value that can be stored and transmitted electronically. Because information technology and connectivity are keys to success in today’s economy, this means that a broad range of vital corporate assets can be at risk, such as customers’ private financial data, a company’s competitively-sensitive strategic plans, and the core intellectual property underlying a company’s products and processes.
Cybersecurity has become a critical issue for corporate America. Given the ubiquitous nature of the risks and the potentially high stakes of data breaches, it is incumbent upon business leaders to exercise due care in overseeing an appropriate response to cyber threats. If they fail to do so, they may find themselves answering to shareholders and regulators about what went wrong when a cybersecurity breach causes harm to their business.
Shareholders looking to lay blame for a damaging cyber event might pose at least two general questions to corporate officers and directors. First, having entrusted corporate assets to the care of these leaders, shareholders will want to know, “How did you let this happen?” Second, feeling blindsided, shareholders might also ask, “Why did you mislead us into thinking that these risks were under control?” The answers to these questions will often determine whether a data breach can support a legal claim against the company and/or the officers and directors.
The first question goes to the adequacy of the company’s security measures, and whether directors and officers properly exercised their oversight function and made appropriate decisions in light of information reasonably available prior to the event. The answer could fall anywhere along a spectrum where, at one end, all reasonable efforts were made to avoid a cyber breach, and at the other end, officers and directors simply ignored the issue and allowed valuable corporate assets to be left unguarded. Shareholders looking to bring a legal claim about such matters, usually in a derivative lawsuit, will often face an uphill battle in establishing a breach of the fiduciary duty of care to the corporation. The road will be steeper where the record reflects that directors and officers were well informed about cybersecurity issues and made rational decisions about how the company should address them.
The second question may be grist for a shareholder class action, should the cyber event cause a drop in the company’s stock price. This “loss causation” element is an important caveat, since some of the most widely-reported cyber breaches to date have not been associated with appreciable stock losses for the companies involved. This may be because there is not yet a reliable record of comparable events to allow the stock market to assess the financial impact of a cyber breach – or, alternately, investors may believe that the risks are already priced into the stocks of susceptible businesses.
The leading court case to date to analyze cybersecurity issues in the securities context resulted in a dismissal for the defense in In re: Heartland Payment Systems, Inc. Securities Litigation. There, an undetected malware attack resulted in the theft of consumer credit card information. However, the court noted that the mere occurrence of such a data breach does not by itself demonstrate a lack of due attention to cybersecurity. The court also observed that the company had not asserted that its network was immune from security breaches, pointing to cautionary statements in the company’s SEC filings warning of the possibility of a breach and its potential consequences. In the absence of a misleading affirmative statement about the company’s security measures, the court also found that the company did not have a duty to disclose a prior security breach that did not directly result in disclosure of consumer information.
Since Heartland, however, the SEC has focused more attention on the nature and quality of cybersecurity disclosures, including publication of “disclosure guidance” by the Division of Corporation Finance in October 2011. SEC Chair Mary Jo White has referred to cybersecurity as a “hot topic” that is of increasing concern for the Commission. In a May 2013 response to a Congressional inquiry, the SEC reported that it had undertaken a continuing review of cybersecurity disclosures for compliance with its guidance, and had thus far issued comments to about 50 companies in a variety of industries. To avoid running afoul of the SEC (and giving shareholders a possible hook for a lawsuit), a public company should give due consideration to this guidance when drafting its disclosures.
In summary, today’s corporate counsel need to be attentive to cybersecurity issues, and help ensure that: (1) procedures are in place to assess cyber risks and develop appropriate security measures; (2) senior management and the board of directors receive meaningful information about cybersecurity issues so that they may properly exercise their duty of care; and (3) shareholders receive appropriate disclosures about the company’s cybersecurity risks.