Personal Liability for Directors Who Disregard Cybersecurity

In recent months, a trend has begun to emerge among plaintiffs’ lawyers seeking to file cybersecurity incident-related shareholder derivative lawsuits – attorneys are now increasingly filing claims specifically based on failures of the duty of oversight. In November of 2021, a shareholder derivative lawsuit was filed against T-Mobile USA’s board of directors, pointing to a failure to monitor and act upon obvious red flags. Kevin M. Lacroix outlines this trend well in The D&O Diary. Directors should take notice.

Because directors serve as fiduciaries of the company, they are required not only to address cybersecurity threats and remediation, but to monitor cybersecurity practices consistently and regularly and to relay that information accurately to all stakeholders. The T-Mobile case mentioned above turns on whether effective internal controls were in place, and also questions whether the directors abetted each other in breaching their duties. These are serious allegations with potentially serious consequences for both the company and the individual directors.

It’s clear that not all directors possess adequate or even elementary knowledge of information technology, let alone cybersecurity and proper precautions and defenses. However, a board of directors is obligated either to possess that expertise or to obtain it from third parties and include it in ongoing governance. In turn, boards can then make proper decisions and communicate necessary, relevant information to employees and stakeholders. An organization’s cybersecurity readiness also helps it maintain compliance with the many regulations and requirements surrounding data breach notification and the protection of customer data.

It is the responsibility of every board member to ensure the board is fully engaged in cybersecurity practices as well as their testing and improvement along the way – directors can no longer get away with the excuse that they are not subject matter experts. Many directors have come to realize this. A global survey conducted last year among directors and officers indicates that they themselves consider cyberattacks and data loss to be among the top risks their organizations face.

Whether a director’s focus is on a compensation committee or some other non-IT role, they still must realize that cybersecurity is not simply an IT issue. Data breaches and ransomware attacks obviously have potentially devastating impacts that result in huge losses in many different ways – from revenue to reputation and much more. But as we now see in recent lawsuits, personal liability is a dramatic new concern.

No stakeholder, internal or external, wants to experience the ramifications of a cyberattack. These recent lawsuits seem to indicate that individual board members can (and should) become a helpful, powerful force in minimizing cyber risk, which is why plaintiffs place ever more emphasis on alleging directors’ responsibility when a cyber incident takes place.

At least initially, there are three basic questions every board should ask:

  1. Does the board currently review how preparing for a data breach can lower the cost of a data breach response? If so, does this preparation include establishing a cross-functional incident response team, preparing an incident response plan, and testing the team and plan?
  2. Does the board currently ask the organization’s most knowledgeable employees to review and answer its cybersecurity-related questions?
  3. Does the board ask those same individuals to appear before it and explain each answer with enough detail that members can make an informed decision on appropriate actions?

These initial questions set the right direction for the board’s conversation, improving resilience and making individual liability among directors less likely.