Cyber Lawsuits Are Targeting Boards of Directors

Before cyber-breaches were that big a deal – or at least it before they were making headlines and costing some major companies multi-millions of dollars – a decision in Delaware’s chancery court paved the way for today’s emerging rules for liability after a breach, says this article from cybersecurity company CyberVista. That ruling, in the 1996 Caremark case, expanded the notion of the board’s duty of care, and even though cybersecurity wasn’t what the board in the Caremark case was alleged to have failed to care about, the precedent is widely regarded as operative when the question of responsibility for cybersecurity failure comes to the fore. Another milestone in the development of this trend occurred in 2014, when then SEC commissioner Luis Aguilar explicitly stated that boards of directors have cybersecurity responsibility. A summary look at some of the major cybersecurity lawsuits in the very recent past shows how rapidly this trend has advanced. In the Wyndham Hotels and Target breaches, the boards went largely unscathed, but in some other matters – namely Home Depot, Yahoo and Equifax – that’s not the case. “Shareholder and class-action lawsuits,” says this post, “have increasingly gone beyond the executive leadership and aimed at the director level, with greater and greater success.”