It seems a month does not pass in which some sort of breach of confidential data of a business is not announced to the public.  With the increase in cybersecurity breaches, so increases board members’ exposure to litigation regarding such occurrences.

As a definitional matter, a cybersecurity breach could be described as an event in which confidential information is accessed by one without authority to do so.  The mere accessing of such data may constitute a breach even without its subsequent transmission elsewhere.  In simplistic terms, if the data is such that the person or entity to which it applies has a reasonable expectation of privacy, then accessing that data, without authorization, constitutes a cybersecurity breach.  The most recent example, in widespread public view, of such an event is the Target data breach involving an estimated 110 million customers.

Recent cybersecurity breach litigation appears to be grounded in two areas.  The first area is a “shareholder derivative lawsuit” in which a shareholder brings suit on behalf of a corporation against  a third party, often one or more “insiders”, such as executives or board members, when the third party has refused to act.  The second area, particularly highlighted by the Target litigation, is that brought by consumers and financial institutions against an entity with an apparent duty to safeguard confidential information in its possession.  Additionally, there may be governmental enforcement action in play, such as a Federal Trade Commission enforcement action.

The derivative lawsuit litigation has not met with great success.  In Palkon, Derivatively on Behalf of Wyndham Worldwide Corporation v. Holmes, et. al. (USDC, NJ Civ. Act. No. 2:14-CV-01234 (SRC)), such a case was dismissed with prejudice (10/20/14).  In his opinion, Judge Stanley R. Chesler applied Delaware law to the facts of the case.  He mentions several meetings of the Board and its audit committee to discuss data breaches which occurred in Wyndham’s system between 2008 and 2010 in which the personal information of “over six-hundred thousand customers” was compromised by “hackers” as pointing to positive actions by the Wyndham board to remedy the breach.  The opinion recites the fact that Wyndham’s board rejected demands of shareholders that it bring a lawsuit against the company (a hallmark of a shareholder derivative lawsuit) based on the online breaches.  The rejections of those demands were based upon investigation of the breaches by outside counsel as well as technology firms which also provided recommendations as to future measures to enhance security.  Judge Chesler opined that the refusal of the board to bring suit was not made in bad faith or based upon an “unreasonable investigation”.  Under the “business judgment rule” applicable under Delaware law, the actions by the board helped to shield it from liability.

Target Corporation has been the subject of both a shareholder derivative action and a class action.  Two derivative actions have been filed in the U.S. District Court for the District of Minnesota.  The first, Robert Kulla, Derivatively on Behalf of Target Corporation v. Steinhafel, et. al. alleges breach of fiduciary duty and waste of corporate assets.  The second, Maureen Collier, Derivatively on Behalf of Target Corporation v. Steinhafel, et. al. alleges breach of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control.  The two complaints are essentially the same, with the second asserting additional claims, but the common thread of them is that the Target board failed to take adequate measures to protect confidential consumer information and compounded that failure by “failing to provide prompt and adequate notice to customers” of the breach and lulling them into a “false sense of security” through statements.  The complaints note governmental investigations as well as class action lawsuits as damaging to the company.

The damage to Target noted in the shareholder derivative litigation is set forth from the consumer perspective in a class action lawsuit filed in the Minnesota District Court (MDL No 14-2522 (PAM/JJK).  The suit alleges violations of state consumer laws, violations of state data breach statutes, negligence, breach of implied contract, breach of “Redcard Agreements” (the Target debit card), bailment (by taking possession of confidential information (a “deposit”) consumers had an expectation it would be properly safeguarded), and unjust enrichment. (Target benefitted by purchases made during the data breach which funds were in part supposed to provide security to consumers’ confidential information thereby unjustly enriching Target.)

The financial institutions’ complaint, filed as a consolidated class action in the same Minnesota court, alleges negligence on the part of Target, violations of the Minnesota Plastic Card Security Act, negligence per se, and negligent representation by omission (failure to disclose the weaknesses in its data security systems).  In December, 2014 USDC Judge Paul A Magnuson issued orders in both the consumer and financial institution cases denying Target’s Motion to Dismiss, in part, thereby allowing significant portions of both cases to proceed.

For insight as to what companies and their boards might consider to avoid liability the court’s opinion in In re Heartland Payment Systems, Inc. Security Litigation, Case No. 09-1043. 2009 WL 4798148 (D.N.J. Dec. 7, 2009) is helpful. In Heartland a massive data security breach occurred affecting approximately 130 million consumers.  Heartland’s Motion to Dismiss securities-fraud litigation was granted (although there was a subsequent class action settlement not based on securities matters) based upon the actions Heartland took regarding the breach both before and after its discovery.

Some points to take away from the cases to date by a business:

  • Storing confidential data subject to a breach of its confidentiality may give rise to a lawsuit against the business, its executives, and, in a smaller setting, its ownership no matter the size of the business;
  • Regularly discuss and document steps taken to secure confidential data;
  • Name someone or a committee with oversight of data security and grant them the authority, within reason, to act to protect confidential information and document such actions;
  • Consider conducting a periodic risk assessment by a source outside the business;
  • Document steps taken to remedy reported deficiencies by outside consultants or if remedies are not undertaken, the reasons for such inaction; and
  • Designate a “team” to deal with any data security breaches after they are discovered.  In larger businesses, that may include multiple departments such as legal, public relations, administration, and executive.

From an Information technology (IT) perspective, the IT committee or department head should:

  • Inform executives and the board of what data the business is collecting and where it is stored, assuming the executives and the board are not asking those questions;
  • Use encryption methods for confidential data, if possible;
  • Create “firewalls” or separately store confidential data from other business systems;
  • Password protect confidential data systems and limit access to them to a select few;
  • Immediately notify executives and the board of any suspected data breach; and
  • Determine, in advance, whom to contact to conduct a forensic data review in the event of a cybersecurity breach.

Some larger businesses might consider obtaining cybersecurity liability insurance.  However, not all types of businesses may be eligible for such coverage and the cost of same may be prohibitive.  Also, the amount of coverage may pale in light of the potential losses which a business might incur.  Nevertheless, consideration by a board of directors of the feasibility of obtaining such coverage for a company may weigh favorably in a court’s consideration of liability upon a data security breach at a later time.