The Growing Risk of Director Liability for Cyberattacks

by Peter Varlan

Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark[1] claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.

The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability.

The Fruitless Cybersecurity Caremark Claim: Wyndham, Target, and Home Depot

Wyndham, Target, and Home Depot suffered three of the most significant corporate data breaches in the past decade. Following each breach, shareholders attempted—albeit unsuccessfully—to tie the directors’ duty to monitor to cybersecurity.

Wyndham, a global hotel chain, and its directors faced a derivative suit following three data breaches in 2008 and 2009. The breaches were the result of a “brute force attack” in which hackers gained access to administrator accounts and then collected personal information of over six hundred thousand Wyndham customers.[2] Shareholders brought a Caremark claim against the directors, but the district court did not reach the merits of that claim. In a footnote, however, the court made clear that a Caremark claim would be difficult to establish in the cybersecurity context, calling the plaintiff’s claim a “novel theory” with “potential weaknesses.”[3]

Target Corporation, during the busy 2013 holiday shopping season, suffered a data breach that exposed the credit card information of forty million customers. The hackers compromised the card-swipe devices used at store registers, allowing them to capture customers’ credit card information at checkout.[4] While shareholders brought a Caremark claim against Target directors, the case was ultimately settled and dismissed.[5]

The most recent shareholder litigation concerning a data breach involved the multinational home improvement retailer Home Depot. In 2014, Home Depot suffered a breach of its credit-card payment system during which hackers stole the financial information of fifty-six million customers. The total cost of the breach to Home Depot was estimated to be nearly $10 billion.[6] The plaintiffs alleged a Caremark violation because Home Depot had not formally assigned cybersecurity oversight to a committee and did not have a plan in place to immediately remedy the data breach. The court, however, rejected the first claim as too formalistic and the second claim as insufficient to constitute bad faith.[7]

New Rules, New Duties, New Liabilities?

The Wyndham, Target, and Home Depot cases are emblematic of the difficulty shareholder plaintiffs face when alleging director liability for breach of duty to monitor based on harms attributable to cybersecurity weaknesses. Because the duty to monitor is equated with the duty of good faith, a director violates the requirement to exercise continued oversight only when she violates the law or consciously disregards a known duty to act.

Thus far, courts have not found cybersecurity duties clear enough to form the basis for a Caremark claim. The most notable cybersecurity regulation today is set by FTC enforcement actions, which rely on a cost-benefit analysis weighing the harm to consumers against the benefits to consumers and their own ability to avoid the harm.[8] But because the FTC has not articulated clear cybersecurity obligations, its enforcement actions have been insufficient to support a Caremark claim.

Two newcomers to cybersecurity regulation may provide the clear guidance needed to sustain a Caremark claim against corporate directors. The New York Department of Financial Services has issued new regulations requiring financial institutions to maintain a cybersecurity program that performs a number of core functions.[9] Financial institutions must also maintain a cybersecurity policy, approved by a senior officer or the board, based on the entity’s risk assessment and covering fourteen specific areas of cyber operations.[10]

Additionally, the Office of the Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation have submitted notice of proposed rulemaking for enhanced cyber risk management standards for large banks.[11] Under these new rules, banks must develop a cyber risk management strategy that the board must approve,[12] and the board will be required to have adequate expertise on cybersecurity matters.[13] Like the NYDFS regulations, the Federal Reserve’s regulations would prescribe specific cybersecurity practices for the business. But these regulations go a step further than NYDFS, instructing the board on what reporting systems it must develop and how it must monitor those reporting systems.

The Future of Cybersecurity and Caremark

The requirements contained within the new NYDFS and Federal Reserve regulations may provide the specificity necessary to form the basis for a Caremark claim following a cyberattack or data breach. Directors should be aware that under these new regulations they may not be as insulated from personal liability as the directors in Wyndham, Target, or Home Depot. Accordingly, boards of directors should look closely at these new regulations and recommend formal assignment of cybersecurity policy to a board committee in order to satisfy their duty to monitor and protect against personal liability. Moreover, advisors to directors in industries outside of the financial sector should be alert to new cybersecurity regulations proposed or promulgated by other government agencies.

[1] The duty to monitor, also known as the Caremark standard, imposes liability where directors fail to implement reporting systems or controls or, having implemented systems and controls, consciously fail to monitor them such that they are not informed of risks or problems requiring their attention. See Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).

[2] Palkon v. Holmes, No. 2:14-CV-01234, 2014 WL 5341880, at *1 (D.N.J. Oct. 20, 2014).

[3] Id. at *6 n.1.

[4] Robin Sidel et al., Target Hit by Credit-Card Breach, Wall St. J. (Dec. 19, 2013), https://www.wsj.com/articles/SB10001424052702304773104579266743230242538.

[5] Shareholder Plaintiff’s Joint Initial Case Management Conference Statement at 2, Kulla v. Steinhalf, No. 14-cv-00203-PAM-JJK, 2014 WL 2116594, at 3 (D. Minn. May 7, 2014). Order, Davis v. Steinhafel, No. 14-cv-203-PAM-JJK, (D. Minn. July 7, 2016).

[6] In re The Home Depot, Inc. Shareholder Derivative Litigation, No. 1:15-CV-2999-TWT, 2016 WL 6995676, at *1 (N.D. Ga. Nov. 30, 2016).

[7] Id. at *4.

[8] 15 U.S.C.A. § 45(n) (West). In assessing the reasonableness of cybersecurity practices, courts have considered the sensitivity of data, the size and complexity of the company’s network, and the cost of additional security measures. See F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 255 (3d Cir. 2015).

[9] 23 NYCRR § 500.02 (2017).

[10] § 500.03.

[11] Enhanced Cyber Risk Management Standards, 81 Fed. Reg. 74315 (proposed Oct. 26, 2016) (to be codified at 12 C.F.R. pt. 30).

[12] Id. at 74320-21.

[13] Id. at 74321.

Peter Varlan (J.D., New York University School of Law, 2017) is a Student Fellow of the Program on Corporate Compliance and Enforcement.
