Assuring cybersecurity has become a necessity for businesses across all industries. Cybercrime — with over $1 trillion in annual profits — is now the most lucrative illegal global business. Any business with computers and internet access is vulnerable not only from outsiders waiting to pounce but also from within the enterprise as a result of human error or bad intentions. Given the size of this problem, it is not surprising that the National Association of Corporate Directors has stated that to make real progress in the cybersecurity area, businesses must treat cybersecurity as a matter of “corporate best practices” and not just a technology issue. Companies face the risk of substantial damage from loss of customer confidence, decrease in market value and damage to their reputations as well as litigation and regulatory risks in the event of a cybersecurity breach. In October, the Department of Homeland Security sponsored Cybersecurity Awareness Month in an effort to raise awareness and educate Americans about cybersecurity and to increase the resilency of the nation’s cyber infrastructure. Now may be the perfect time for you, too, to refocus on whether your business has adequately planned for the security of its assets.

I. Overview of State and Federal Privacy, Security and Breach Laws -

From a regulatory perspective, federal and state laws create obligations on how companies must protect data and maintain cybersecurity. Under federal law, certain industries have heightened obligations as a result of laws such as HIPAA and Graham-Leach-Bliley. In addition, the federal securities laws, including Sarbanes–Oxley, require that corporate leadership maintain adequate controls over their systems which could be implicated upon a cybersecurity breach. Finally, boards of directors of all companies have fiduciary duties to their companies, such as the duty of care, resulting in individual exposure for corporate leadership upon the occurrence of a loss caused by a cybersecurity breach. While this article is focused on the duties of directors, recent Delaware cases have found officers generally have the same duties as directors.