Category Archives: Featured Fellow Post

The Growing Risk of Director Liability for Cyberattacks

by Peter Varlan

Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark[1] claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.

The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability. Continue reading

DeCoster v. United States: Testing the Limits of the Responsible Corporate Officer Doctrine

by Jason Driscoll
This post is the first part of a multi-part post by the author.

Over the last decade, the Food and Drug Administration and the Department of Justice have revived the use of the Responsible Corporate Officer (“RCO”) doctrine in an attempt to increase compliance with the Food, Drug, and Cosmetic Act (“FDCA”). Two recent cases—United States v. Purdue Frederick Co.[1] and United States v. Quality Egg, LLC[2]—illustrate the regulators’ new approach: impose strict criminal liability on individual corporate officers and seek enhanced sanctions in the name of effective deterrence. However, while the Supreme Court has upheld criminal fines premised on the RCO doctrine,[3] the Court has not yet opined on the legality of more serious penalties such as long-term debarment or imprisonment. The Court now has that opportunity. In DeCoster v. United States,[4] the Quality Egg defendants (Jack and Peter DeCoster) have filed cert. petitions asking the Court to review the lawfulness of their prison sentences and the RCO doctrine altogether. For anyone concerned about the expanding scope of corporate officer liability, this case could mark a turning point. Continue reading