A recent survey by PricewaterhouseCoopers (PwC) revealed that U.S. executives now consider cyberattacks the number one risk their companies face. Concerns about cybersecurity have moved beyond the Chief Information Security Officer (CISO) to the entire C-suite and corporate boards. Recent developments show executives are right to worry about those attacks because they can result in monetary loss, personal liability, and reputational risk.
Litigation & Governmental Action
Cyberattacks that result in data breaches often lead to litigation, but courts have been quick to dismiss lawsuits when the plaintiff complains only of a fear of identity theft or some other type of future harm. In those instances, courts have held that those plaintiffs lack the required injury-in-fact that conveys standing to bring a lawsuit. Courts also have held that companies are not required to absolutely protect customers’ and employees’ personally identifiable information (PII) but that they only need to take “reasonable” steps to protect the data they maintain.
On the other hand, there is a real concern regarding possible governmental action if it is determined that officers and board members failed to take necessary steps to secure their companies’ computer networks. The Consumer Financial Protection Bureau (CFPB) recently stated that financial institutions may be in violation of the Consumer Financial Protection Act (CFPA) if they fail to take adequate measures to safeguard consumers’ data. The CFPB stated that financial institutions should implement multi-factor authentication, adequate password management, and timely software updates. Although the CFPB did not require financial institutions to implement these recommendations, it did state that failure to implement these simple suggestions could trigger liability under the CFPA.
Reducing Risks for the Company
The lack of a comprehensive federal cybersecurity law complicates the ability of CISOs to take steps to reduce the risk of a lawsuit or governmental action. Nonetheless, there are several steps they can take to reduce these risks:
- Implement protocols and procedures that protect the company’s IT infrastructure from attack. These protocols and procedures include:
  - Mandatory employee training on preventing the disclosure of sensitive information
  - Third-party cyber assessments for all vendors
  - Segregation of sensitive information and requiring additional authentication to limit access to that information
  - Routine checks for new risks to the IT system
- Be aware of the details of the company’s privacy policy and ensure the company is actually taking the steps to implement its promises to protect PII.
- Be current with industry-specific laws and regulations that address data breaches and the required notice provisions to ensure those procedures and deadlines are included in the data breach response plan.
- Communicate potential risks and breaches to upper management and the Board of Directors in a timely manner so they can take appropriate actions to address those risks and breaches.
- Ensure the company’s data breach response plan is strictly adhered to in the event of a breach.
- Retain counsel experienced with handling data breaches and cybersecurity litigation to help guide the CISO through the breach response process.
Implementing these policies and procedures, along with the CFPB’s recommendations, should help stave off enforcement actions by federal and state regulators in the event of a data breach or ransom attack, in addition to lessening the risk of civil litigation.
Reducing Personal Risks for the C-suite & Boards of Directors
Another concern is that officers and directors risk being personally named in lawsuits brought by customers whose personal data was exposed as a result of the breach and by shareholders against the financial firm. CISOs have immediate responsibility for a company’s cybersecurity, and they would likely be the first target for a plaintiff looking for officers to name personally in a lawsuit. But, in the past ten years, plaintiffs have tried to hold C-suite executives and company directors personally liable. These classes of plaintiffs likely will allege that the officers breached their fiduciary duty to protect the plaintiffs’ personal information or that they unnecessarily exposed the company to liability. If the lapse in cybersecurity can be shown to result from the director’s failure to properly prepare for cyberattacks, there is a narrow path for aggrieved parties to hold directors personally liable: a plaintiff must prove that (1) the board of directors made a decision that resulted in a loss because that decision was ill-advised or negligent, or (2) the board failed to act in circumstances in which due attention would, arguably, have prevented the loss. Attentiveness to known threats and taking reasonable actions to counter those threats will provide strong defenses against personal liability claims against officers and directors.
There are many steps officers and directors can take to reduce the likelihood that they are held personally liable after a cyberattack or data breach. They include:
- Ensuring the directors have sufficient cybersecurity training.
- Conducting regular discussions about cybersecurity as part of board meetings.
- Overseeing the implementation of cybersecurity protocols.
  - This can include the adoption of quantum computing and quantum-resistant encryption, zero trust security, and zero-knowledge proofs. Quantum computing and quantum encryption can generate truly random numbers for encryption keys, which prevents hackers from cracking the company’s encryption. Some privacy laws, like the California Consumer Privacy Act, incentivize encryption by stating that a company’s failure to encrypt personal information can result in a direct cause of action by customers in the event of a data breach. Zero trust security is used to mitigate the danger of an insider threat by requiring all users and devices attempting to access the network to verify their identity. Zero-knowledge proofs use a blockchain to protect data transmitted over the Internet.
- Regularly review the status of the company’s cybersecurity protocols to ensure they are up to date.
- Ensure the company’s IT department is vigilant and actively monitors the status of the company’s computer network.
- Require regular reports from the company’s IT department and conduct regular communications with that department regarding potential threats to the network and steps to be taken to protect the data the company maintains.
Working as a team to secure customers’ data will reduce the liability of directors in the event of a data breach.
The PwC survey shows that cybersecurity issues are front-and-center in U.S. executives’ minds. The above-referenced recommendations may not stop all data breaches, but by enacting them, your financial institution will significantly lower the likelihood of litigation after a data breach. Putting these recommendations into service also will help keep the regulators at bay. If litigation or governmental action cannot be avoided after a cyberattack, implementing these recommendations increases the likelihood of a favorable outcome.
Nicholas P. Mooney II and Alexander L. Turner are member attorneys at Spilman Thomas & Battle. They co-chair the firm’s Cybersecurity & Data Protection Practice Group. They both have extensive experience in consumer finance and banking litigation.
Nick can be reached at 304.340.3860 or nmooney@spilmanlaw.com,
and Alex can be reached at 336.955.8352 or aturner@spilmanlaw.com.