Cybersecurity threats are now one of the most significant risks affecting an organization. This is because of the scope of current cybersecurity threats and the magnitude of harm from a cybersecurity incident. According to the Ponemon Institute 2019 Cost of Data Breach Report,[1] the average cost of a data breach, among the more than 500 companies surveyed, was $3.92 million. According to statistics published by SCORE,[2] almost half of cyberattacks are directed at small businesses, which may not have the resources to sustain a significant cyberattack.
The evolving threats to an organization’s information systems are increasingly malicious and widespread. Hackers use various means to gain access to an organization’s information systems, to steal or misuse confidential information and protected personal information, to divert funds, and to create conditions that can cripple operations and cause other disastrous consequences.
In addition to ongoing threats from cyber-criminals, an organization must take account of the ever-changing, diverse and more restrictive regulation of the personal information handled by the organization. Organizations must comply with a myriad of state data privacy statutes, foreign regulations like the General Data Protection Regulation, and industry-specific regulations. These restrictions increasingly recognize an individual’s right to control his or her personal information, impose strict responsibility on an organization to recognize such rights, and impose potentially harsh consequences for failure to comply. The restrictions include differing definitions of the types of personal information that must be protected. Even an inadvertent security breach that might expose protected personal information to loss can expose an organization to expensive forensic costs, costs of reporting to various enforcement agencies, corrective actions, fines and other compliance costs.
It is easy to see how, for some organizations, especially those handling large quantities of personal information, those in regulated industries, or those that do not have the resources to survive a significant security breach, proper management of cybersecurity risks can be mission-critical. A corporation’s management of these risks begins with its board of directors. It requires a level of diligence unlike that devoted to many company risks. According to PwC’s 2019 Annual Corporate Directors Survey, fewer than 40% of directors say that their board fully understands the cybersecurity risks facing their company.[3] In 2018, the Securities Exchange Commission released guidance on cybersecurity disclosures for public companies that recognizes the responsibilities of the board of directors to oversee this significant risk.[4] It seems inevitable, therefore, given the prevalence of cyber threats and the significant harm, that there will be challenges to the measures that a board has taken to address its organization’s cybersecurity risks.
What are the duties, then, of a board of directors of a Massachusetts corporation to address cybersecurity risks? The duties can be found in the applicable corporation statutes and caselaw. The Massachusetts Business Corporation Act, M.G.L. ch. 156D, § 8.30, requires that a director of a Massachusetts business corporation discharge his or her duties in good faith, with the care that a person in a like position would reasonably believe appropriate under similar circumstances, and in a manner that the director reasonably believes to be in the best interests of the corporation. These duties are often referred to as duties of good faith, care and loyalty. A similar standard governs the duties of directors of a Massachusetts nonprofit corporation.[5]
Commentary following M.G.L. ch. 156D, § 8.30, recognizes that in performing his or her duties, a director must become informed of the background facts before taking action. In discharging his or her duties, a director may, in appropriate cases, rely on others with appropriate expertise. The applicable corporation statute provides that a director of a Massachusetts business corporation or nonprofit corporation may, to the extent the director does not have information that makes reliance unwarranted, rely on information and opinions from: i) officers and employees whom the director reasonably believes to be reliable and competent as to the matter presented; ii) legal counsel or others retained by the corporation as to matters reasonably believed to be within such person’s professional or expert competence; or iii) a board or committee that the director reasonably believes merits confidence.[6]
If a director of a Massachusetts business corporation breaches his or her fiduciary duties, the director may be liable in a derivative suit initiated by a shareholder.[7] While there may be, in appropriate cases, director liability to shareholders or under other laws, a claim of breach of fiduciary duty by a director is often commenced as a derivative action. A director of a Massachusetts nonprofit corporation that is a public charity may be liable in an action by the attorney general, who has authority under M.G.L. ch. 12, § 8, to prevent breaches of trust in the administration of funds given to public charities.
In evaluating whether a director has satisfied his or her duty of care, courts are deferential to the business judgments made by the directors regarding business risks. In the leading Massachusetts decision involving the duty of care, Harhen v. Brown,[8] the Massachusetts Supreme Judicial Court (SJC) recognized that absent a conflict of interest, a director’s compliance with the duty of care should be evaluated under the business judgment rule. According to the SJC in Harhen v. Brown, the business decisions of disinterested directors are protected because directors are presumed to act in the best interests of the corporation.[9] An early Massachusetts decision, Spiegel v. Beacon Partners,[10] recognized that even if a director acts imprudently, but in good faith, the director is not ordinarily liable unless there is clear and gross negligence.[11]
The more extensive decisions of the Delaware courts, regarding the responsibilities of directors of Delaware corporations, may provide guidance as to how Massachusetts courts may react in an appropriate case. Like Massachusetts, the Delaware courts’ application of the business judgment rule is deferential to a board’s decisions. However, there are limits where the board does not adequately perform its oversight responsibilities.
In a leading decision involving Delaware law, In re Caremark International Inc. Derivative Litigation,[12] the court stated that “compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed.” The court explained that exposing directors to second guessing by judges or juries would injure investor interests in the long run.
Recent Delaware decisions have revealed limits on the protections afforded by the business judgment rule. Those limits may be significant in determining how a board should address cybersecurity risks. These decisions have recognized that a failure of directors to provide sufficient oversight, which includes adequate reporting systems and monitoring systems, can constitute a breach of the director’s duty of good faith or loyalty, exposing the director to liability in shareholder derivative suits. In Caremark, the court stated that a director’s obligation includes a duty to attempt in good faith to ensure that an adequate information and reporting system exists, and that a sustained or systematic failure of the board to attempt to ensure reasonable information and reporting systems would establish the lack of good faith that can lead to director liability.[13]
Two 2019 Delaware decisions have emphasized the importance of active board oversight and monitoring where substantial risks are involved. The Delaware Supreme Court’s decision in Marchand v. Barnhill[14] involved a recall and shutdown of operations by an ice cream manufacturer following a listeria outbreak. In this shareholder’s derivative action, it was alleged that the directors breached their fiduciary duties. The Delaware Supreme Court found that for a significant risk, such as the contamination risk faced by this ice cream producer, an utter failure to attempt to ensure that a reasonable information and reporting system exists is an act of bad faith and breach of the directors’ duty of loyalty. The court said that bad faith is established when the directors completely fail to implement reporting or information systems or controls, or, having done so, consciously fail to monitor their operations. The court said that Caremark requires that the board make a good-faith effort to put in place a reasonable system of monitoring and reporting about a corporation’s central compliance risk.
The Oct. 1, 2019, Delaware Court of Chancery decision in In Re Clovis Oncology Inc. Derivative Litigation[15] involved claims that the board of directors ignored red flags indicating that a corporation was incorrectly reporting a drug’s clinical trial results, which jeopardized the Food and Drug Administration’s approval of the drug. The court noted that where a corporation operates in an environment where externally imposed regulations govern operations, like those involved with Clovis, which were mission-critical, the board’s oversight function must be more vigorously exercised. The court found that the plaintiff properly pleaded a claim of breach of fiduciary duties sufficient to support a Caremark claim.
What does this all mean for directors’ duties to oversee and monitor cybersecurity risks? It seems undisputed that a failure to properly manage cybersecurity risks or take account of or properly comply with various applicable data security regulations can be mission-critical to some organizations. This is especially true for an organization that handles large volumes of personal information, or does not have the resources to withstand a significant cybersecurity breach. In addition, management of these risks requires an organization-wide approach. In a situation where a board of directors has failed to oversee cybersecurity risks, or has taken a superficial approach to these risks, it is easy to see how a plaintiff might seek, in reliance on the principles expressed in the Caremark, Marchand and Clovis decisions, to hold the directors accountable for breaching their duties of good faith and loyalty.
A judicial finding that a director failed to exercise good faith or loyalty in the oversight of cybersecurity risks can have significant implications. Directors are often protected by exculpatory charter provisions that protect the director from liability for monetary damages from a breach of the director’s duty of care — however, these protections may not be available if there is a lack of good faith or breach of a duty of loyalty. Likewise, protections under indemnification provisions in bylaws or under an agreement, or under directors’ and officers’ liability insurance, may not be available to a director who breaches his or her duty of good faith or loyalty.
A board of directors must take regular and well-informed measures to oversee the organization’s protection against cybersecurity risks. Effective board oversight of cybersecurity risks requires technical knowledge of the specific ways in which an organization and its data are vulnerable, and the protections that are available. Because security breaches largely occur through employee actions, or actions by third parties with whom an organization contracts, addressing these risks also involves putting in place effective programs that affect employees and outside contractors. An organization’s programs must be regularly tested and reviewed for adequacy against evolving risks. Finally, if there is a breach, an organization’s incident response plan can have a significant effect on the consequences. If the organization handles large volumes of personal information in an industry where such information is heavily regulated, or where the organization has had significant prior breaches, the board may have heightened duties to oversee and monitor security measures.
Therefore, the measures taken by the board should include the following:
- Make adequate time available at board meetings for discussion of cybersecurity risks.
- Make sure that the board has available the proper technical resources and expertise. This could mean having a director or directors with expertise in information technologies and cybersecurity risks, appointing a special committee that has this expertise, or engaging third parties with proper expertise. The board should have advice regarding industry best practices.
- Understand the scope of the risk as it affects the organization, including where data is stored, the regulations that govern the data held by the organization, and where the organization is vulnerable to cyber threats.
- Make sure that management understands this risk and is handling it appropriately. The board should require management to keep the board regularly informed of management’s assessment of cybersecurity risks, programs employed by the organization, compliance practices, and specific incidents. A third-party assessment or audit of how management is handling the risks may be appropriate in some circumstances.
- Make sure that the organization has tested its procedures, trained personnel and developed an effective incident response program.
- Consider if the cybersecurity risks are adequately insured.
- Revisit the cybersecurity program regularly, and whenever there are significant changes.
- Make sure the minutes reflect the discussions of the board.
These are just some of the measures that may be taken to protect a corporation’s information assets. In today’s world, a board cannot afford to leave to others full management of the organization’s cybersecurity risks. General counsel to an organization can play a leadership role in making sure that these issues are escalated to the proper levels and managed appropriately.
David A. Parke is a partner with Bulkley, Richardson and Gelinas LLP in Springfield. His practice has been focused on general corporate and business matters.
[1] See “IBM Security, Cost of a Data Breach Report 2019,” by Ponemon Institute, p. 3.
[2] See Oct. 11, 2018, Press Release at www.score.org.
[3] PwC’s 2019 Annual Corporate Directors Survey, p. 12.
[4] S.E.C. Release No. 33-10459, 34-82746, 2018 WL 993646 (Feb. 21, 2018).
[5] M.G.L. ch. 180, § 6C.
[6] M.G.L. ch. 156D, § 8.30; M.G.L. ch. 180, § 6C.
[7] The Massachusetts Supreme Judicial Court has recognized that a director of a Massachusetts corporation that is not a close corporation owes fiduciary duties to the corporation, and not to the shareholders. See International Brotherhood of Electrical Workers Local No. 129 Benefit Fund v. Tucci, 476 Mass. 553 (2017).
[8] 431 Mass. 838 (2000).
[9] 431 Mass. at 845.
[10] 297 Mass. 398 (1937).
[11] 297 Mass. at 411.
[12] 698 A.2d 959, 967 (Del. Ch. 1996).
[13] 698 A.2d at 970, 971.
[14] 2019 WL 2509617 (Del. 2019).
[15] 2019 WL 4850188 (Del. Ch. 2019).