At the beginning of October, Uber's former chief security officer was found guilty of criminal obstruction charges for failing to report a cyber breach to the authorities. This is believed to be the first time a US company executive has been criminally prosecuted over a cyber breach, and he now faces a prison sentence of up to eight years. Earlier this week, the Federal Trade Commission (FTC) announced that it had taken action against the CEO of Drizly (an online drinks delivery business) over the company’s security failures which led to a cyber breach that exposed the personal information of 2.5 million customers.
Given the global nature of regulatory trends and the fact that cyber breaches are increasingly a fact of business life, UK-based directors will be justifiably concerned at the prospect of a potential increase in the risk of personal liability arising from cyber breaches. However, a closer look at the facts of each of these cases suggests that aggravating factors prompted the authorities to target the individuals concerned.
In the first case, the criminal charges against Uber's former chief security office (James Sullivan) arose from the fact that, when the relevant cyber breach occurred in 2016, Uber was already under investigation by the FTC for an earlier cyber breach in 2014. The 2016 breach involved a hacker accessing customer records and demanding a US$100,000 payment, which was ultimately paid by Mr Sullivan's team. Mr Sullivan did not inform the FTC of the incident despite its ongoing investigation, and prosecutors alleged that he also took steps to conceal the incident within the company. Mr Sullivan's actions led to him being fired by Uber.
In the second case, the FTC's decision to take action against the CEO as well as the company itself was driven by the fact that both were alerted to problems with the company's security procedures following a cyber attack two years earlier. Despite this, the company failed to implement basic cyber security measures while publicly claiming to have appropriate protections in place. The FTC's proposed order requires the company and the CEO to implement an information security programme to protect customer data. The FTC stated that this "ensures the CEO faces consequences for the company's carelessness".
Both these cases therefore involved aggravating factors that may place them outside of a 'typical' scenario where directors are faced with a cyber breach and try their best to deal with it honestly and reasonably.
Turning to the UK, while it is the case that directors could face personal liability and regulatory censure as a result of their company suffering or mishandling a cyber breach, we have seen very few attempts to hold directors or senior managers personally liable in such circumstances. To date, legal claims and regulatory action have been mainly directed at the company suffering the breach. However, directors should not be complacent. UK regulators have long made clear their view that cyber security is a board level issue that requires serious and meaningful senior engagement. Directors must therefore assume that, like the FTC, UK regulators will be looking very closely at the conduct of individual directors in relation to any cyber breach suffered by their company and that, if similar aggravating factors were present, action against individual directors might be considered.
In addition, attempts to hold directors personally liable for negligence and breach of duty are becoming more common in the English courts, for example in relation to ESG-related issues. The fact that cyber security is now firmly established as a key business risk means that directors can increasingly expect a cyber breach suffered by their company to result in more pressure to demonstrate that they had taken reasonable steps both to prevent a breach and to prepare to handle any breach that occurred.
Against that backdrop, UK boards would be well advised to heed the FTC's warning: "CEOs who take shortcuts on security should take note".
