Boards of Directors have several fiduciary duties to uphold. Meeting such duties requires addressing cybersecurity and data loss. While this rapidly evolving area has its own unique challenges, boards, as well as the legal officers who advise them, face the same question about how to address cybersecurity, data loss, and data theft as they do any other critical ssue-are they acting prudently, reasonably, and responsibly? More and more boards are now asking themselves, and the legal counsel who advise them, these questions and placing cybersecurity and data theft risks at a higher level of priority than even physical disasters. The factors highlight 10 areas boards and their legal advisors should consider before their companies are faced with a real-world cyber threat.
1. The stakes to share value and the bottom line are high. Cybersecurity and data theft may sound like abstract concepts, but they have impacts-including financial ones-in the real world. It’s been estimated that the global cost of cyberattacks in 2011 was $388 billion in direct financial loss and the cost of recovering from the attacks. Losses can take the form of stolen intellectual property or trade secrets, data destruction, disruption of critical systems, or even damage to physical assets. They also can include the exposure of customer and employee personal information. Any of these scenarios can result in material losses impacting a company’s reputation, bottom line, and share price.
2. The hackers are two steps ahead of you already. While today’s headlines are focused on standard types of data breaches and hacking activity-viruses, malware, physical break-ins, etc.-the next generation of threats, such as heretofore unforeseen attacks (so-called “zero day attacks”), has yet to make it into the public consciousness, but directors and their advisors have to be aware of them. The constantly mutating tactics cyber criminals employ will pose a serious challenge to any company that uses electronic systems. This means boards and their advisors, including GCs, will need to focus their attention on risk mitigation in this area for decades to come.
3. Cyber and data loss threats pose merger risks. Acquiring companies may be subject to significant losses and boards may be exposed to shareholder suits should adequate cybersecurity and other data protection measures not be taken in the context of corporate M&A activity. If a company acquires a target with a malware-infested IT system without appropriate due diligence to avoid that outcome, there is a potential for a wide range of liabilities. Cybersecurity and other data protection methods should be added to the long roster of criteria a board and its legal and business advisors use when evaluating a potential acquisition and acquisition documents should contemplate and provide for appropriate representations, warranties, and indemnities related to cyber thefts and attacks.
4. Lost or stolen intellectual property or customer or employee information can turn a deal from sweet to sour. Imagine your company acquires a target for hundreds of millions of dollars. Then their systems are hacked and the blueprints for the widget that made the company attractive are stolen. Knockoffs flood the market and the company’s value evaporates. Or imagine your company is about to launch a new software program, but it is swiped from your servers days before launch. Similar issues may arise if sensitive customer or employee data is exposed. Among the many questions that will be asked – by many, including investors, business partners and regulators – in the aftermath, is whether or not the board and its legal advisors acted with reasonable care to prevent such incidents.
5. There is a maze of state and federal data protection and data loss notification requirements to navigate.With State Attorneys General and an assortment of federal agencies, including the Federal Trade Commission, having a hand in data protection, breach notification, and disclosure requirements, companies should have plans in place for how to respond in a timely fashion should a breach occur (and, of course, be well-versed on its legal compliance obligations beforehand). The myriad disclosure and notification requirements and cybersecurity obligations will only grow and enforcement activity is likely only to increase, so it is incumbent on companies and their counsel to stay abreast of these developments.
6. The failure to be fully informed of and proactive against cybersecurity and data loss risks could lead to litigation. Companies, directors, and corporate managers could be exposed to litigation risks and potential liability for compromised data, systems, and infrastructure resulting from a cyberattack or data loss. Such claims could include third-party claims for breach of contract, breach of warranty, and/or statutory or common law legal requirements under both state or federal law; claims by state and federal regulators for failure to comply with specific data protection and cybersecurity laws (as well as more general unfair and deceptive trade practice-type laws), shareholder claims for breaches of fiduciary duty in failing to take appropriate steps to protect the company’s assets, and business from cyber theft or other cyberattacks; and for publicly traded companies, investor securities law claims and SEC actions for failing to adequately disclose cyber risks.
7. If the breach doesn’t get you, the litigation will. Even in those instances where a company or its directors are successful in defending a claim following a cyberattack or data loss, such litigation is likely to be expensive and a time-consuming distraction for management and the board. Beyond this, the cyberattack and the resultant attention from related legal proceedings could result in serious reputational harm.
8. There are federal programs available to help mitigate corporate liability through the SAFETY Act. Companies can gain valuable protections offered through an advanced approach to the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (known as the SAFETY Act). This law provides tort liability protections for products and services that can be used to detect, defend
against, or respond to cyberattacks. It is essential that boards and their legal advisors be aware of
these programs and assess their applicability to cybersecurity products and services they either
procure or deploy on their own.
9. Insurance coverage is available through traditional or tailored policies. The demand for cybersecurity/data loss-specific coverage is incredibly high, placing pressure on availability, though some forms of traditional-and widely available-coverage such as Commercial General Liability may provide coverage for some types of claims. However, insurers are quickly working exclusions into these kinds of policies. Working with experienced coverage counsel can ensure the right kinds and amounts of coverage are in place.
10. Outside counsel comes with the benefit of attorney-client privilege.While there are armies of consultants at the ready to advise companies should a cyber or data loss incident occur, only legal counsel can offer the shield of attorney-client privilege, thereby ensuring that sensitive information about investigations cannot be used in litigation. Having your cybersecurity/data privacy attorney on speed dial is a good idea.
Is liability inevitable or can steps be taken to mitigate or eliminate it?
Cybersecurity and data loss liability and litigation is in a similar stage as environmental law in the
1970s: there has been a broad awakening that liabilities exist-and that they may be vast.
Companies have no choice but to assess their exposure and plan accordingly. That means in
today’s technology, dependent of business environment, it has become imperative that boards (or
their equivalents) and their business and legal advisors devote appropriate attention to
cybersecurity issues as a matter of good corporate practice and appropriate risk management.
This could mean causing management to (i) undertake a thorough cyber/data loss risk assessment
that includes both company-specific risks and risks to critical third parties that would adversely
impact the company, and (ii) identify and implement best practices relevant to the company’s cyber
and data loss risks.
Most importantly, boards and their senior management, including GCs, have to be aware of the
threats and have management take measures to mitigate them. Failure to do so could easily lead to
losses and liability.
By Divonne Smoyer, Brian E. Finch, & Emanuel Faust
Questions? Ask GTSC’s Strategic Advisor!
Brian Finch
Partner, Dickstein Shapiro LLP
[email protected]
(202) 420-4823
DISCLAIMER
The GTSC Legal Limits Brief is made available by GTSC for educational purposes only as well as to provide you with general informaiton and a general understanding of the law and legal changes that may impact your business, not to provide specific legal advice. No attorney client relationship is established with GTSC or our legal strategic partners by reading this brief. This information shold not be used as a substitute for competent legal advice from a licensed professional or attorney. Copyright © 2013. All Rights Reserved.
The survey collects data on the type and frequency of computer security incidents in which a computer was used as the means of committing a crime against the company or as a conduit through which other intrusion and/or criminal activity was perpetrated. It also collects data about the type and size of the company, cyber security practices, and computer infrastructure.
AGENDA AT A GLANCE
Keynote: Dr. Phyllis Schneck, Deputy Under Secretary for Cyber Security, NPPD, DHS
I’m pretty good. I know that you can’t always tell the difference from the real messages and the fake ones that I dangle in front of you. It doesn’t take long for me to gather lots of personal information about you — what you like, who you follow, what you purchase online and which websites you visit.
Brian E. Finch
Graham (Rusty) Mathews