
Cyberliability governance – early guidance for corporate directors

When confidential personal or medical information is compromised or a computer network is breached, the event is typically described as a “failure” of data or network security. That is not an attractive characterization in realms where blame is assigned. Facing predicted increases in cyber-related shareholder lawsuits, corporate boards and their legal advisers have sought to determine what corporate directors and officers must do to avoid the personal liability that can result from shareholder claims. In an earlier blog post and white paper, I discussed the changing D&O risks associated with cybersecurity exposures. WGA’s Cyber Risk Hub also has an extensive section on cybersecurity corporate governance.

A case decided in October 2014 has provided an early indication of what level of board attentiveness will be sufficient to protect directors from liability. Between April 2008 and January 2010, hospitality company Wyndham Worldwide incurred three breaches that collectively resulted in the theft of credit card data for more than 600,000 customers.

A shareholder purporting to act derivatively on behalf of the company alleged that the directors, CEO and general counsel of Wyndham breached their fiduciary duties and wasted corporate assets by not establishing sufficient internal controls to protect customers’ confidential information and by concealing the breaches from shareholders. In accordance with the applicable law governing shareholder derivative claims, Wyndham shareholder Dennis Palkon first sent a letter to the board demanding that Wyndham investigate the breaches and sue the responsible company personnel for damages. The Wyndham board appointed its audit committee to investigate the matter, and the audit committee consulted with outside counsel in connection with its investigation. After its investigation, the board declined to sue, noting to Palkon that his assertions were similar to those earlier made by another shareholder and rejected by the board. Unlike the earlier shareholder, Palkon responded to the board’s rejection by filing a claim derivatively on the company’s behalf.

In Palkon v. Holmes, a New Jersey federal district court was charged with determining whether the shareholder plaintiff could proceed with his claim. The court noted that even before the first breach in 2008, Wyndham had implemented cybersecurity defenses that the board discussed several times. The board had also held 14 quarterly meetings at which the breaches were discussed, along with the company’s cybersecurity policies and possible additional security measures. The board’s audit committee, appointed by the board to investigate the breaches, met at least 16 times to discuss the matter and the company’s cybersecurity practices. In addition, Wyndham had begun to implement security enhancements recommended by a firm it had hired to review its practices and suggest improvements. Because of the FTC investigation and litigation that followed the breaches, Wyndham’s board had extensive experience in addressing complex cybersecurity matters, including the remediation of cyber breaches.

Citing the Wyndham board’s extensive involvement in assessing the company’s cybersecurity practices, its response to the FTC investigation and litigation over the previous three years, and its procedures in investigating and responding to the two shareholder derivative demands, the court determined that the Wyndham board’s refusal to pursue a claim against the purportedly responsible personnel was entitled to the protection of the business judgment rule. It dismissed Palkon’s claim.

While the Palkon decision provides some helpful guidance to corporate boards and their legal advisers, it is not a robust and stable road map for the avoidance of D&O liability. There are many reasons why corporate directors should not take great comfort from this decision. While it was significant to the Palkon court that Wyndham had begun implementing cybersecurity defenses before the initial breach, the level of oversight that was adequate in 2008 — ages ago in cyber-time — would certainly be insufficient today. The nature and extent of cybersecurity breaches are changing rapidly, and expectations about the necessary level of corporate preparedness and response are changing as well. For example, many have suggested that the NIST Framework, which envisions extensive cybersecurity practices and procedures for companies as large and diverse as Wyndham, will establish a de facto baseline for evaluating the adequacy of a company’s cyber engagement in lawsuits against directors and officers.

It is important to remember that shareholder derivative claims represent only one vector for claims against directors and officers. There have not yet been many federal securities claims — with different liability standards than state breach of fiduciary cases — against directors and officers, because most data and network security breaches have not resulted in sustained steep stock price drops for the affected companies.

Corporate legal advisors have been helping their clients develop practices and procedures designed to help shield directors and officers from liability. Among other things, it is very clear that from both an operational and governance perspective, cybersecurity preparedness is a highly dynamic process that requires continuous assessments and fresh judgments in light of changing circumstances. What works today will almost certainly be insufficient before long. Companies and their boards must be nimble in their evaluations and judgments in order to meaningfully reduce their risk of liability for cybersecurity breaches.

About the Author
John Doernberg is a Vice President at WGA and the firm’s Cyber Practice Leader. He works with inside and outside counsel as a Claims Advocate for WGA clients on policy negotiation and the handling and settlement of claims. He is also a resource on privacy, information security and risk management issues. Prior to becoming an insurance broker in 1995, he practiced corporate law in New York and Boston for 12 years.

617.646.0336 | JDoernberg@wgains.com | Connect with John via LinkedIn
