Directors Risk From Data Breaches

Consistent with a board’s oversight duties, directors should give regular attention to whether the corporation has instituted adequate controls and procedures to mitigate the risk and harm of a data breach. The failure to undertake such efforts could, in theory, expose directors to liability for the corporation’s costs arising from a breach.

It seems unlikely, in light of the high profile cyber attacks of the past few years, that directors of a public corporation could be found liable for utterly failing to implement any reporting or information system or controls for data security. Even relatively modest efforts to enhance data security, with board involvement or awareness, are likely to preclude a claim premised on an “utter failure” to implement controls.

A different issue is raised by an oversight claim – whether “having implemented such a system or controls, [directors] consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention,” as one precedent has phrased it. Shareholder plaintiffs’ lawyers frequently allege that directors knowingly ignored “red flags” alerting them to misconduct or defects with the corporation’s controls, but such claims are rarely successful.

While internal controls and the monitoring of data security will not prevent all attempts to breach a corporation’s cyber-defenses, oversight by directors before such a breach occurs will be a powerful tool in shielding them from oversight liability arising from such a breach.