A recent court opinion underscores how important it is for a company’s board of directors to assess cybersecurity. As we’ve explored in several prior posts, directors are charged with exercising fiduciary duties, including the duties of care, loyalty, and oversight.
It is this latter duty – the duty of oversight – that led a plaintiff to file a lawsuit against his corporation and the corporation’s board of directors, alleging a failure to exercise proper oversight that purportedly harmed the company.
The opinion provides valuable insight into steps that directors may undertake to minimize potential liability (both to the company and personally) for such claims. For instance, the court noted that the asserted claims were potentially weak because the company had implemented cybersecurity measures before the first data breach.
Further, the board addressed security matters “numerous” times before the breach. Moreover, the corporation took time to enact security policies, reviewed those policies, and even hired outside technology firms to issue recommendations on enhancing security. Had the company not taken such proactive steps, including before the breach occurred, the outcome certainly could have been different.
While there is no one-size-fits-all approach to data and cybersecurity, given the increasing threat such issues pose to companies, a board should at the very least consider data and cybersecurity in fulfilling its fiduciary duties. Such consideration may result in no action being taken, or it may result in consulting with privacy counsel, technical experts, or insurance professionals to insure against cyber-related liabilities (including costs related to forensic analysis, breach notification, business downtime, credit monitoring services, and third-party claims).