C-Level Executives May Be Liable For Cyber Breaches, Warns LeClairRyan Attorney
Tuesday, November 8th, 2016
When cybercriminals attack retailers and other businesses – potentially placing the data of millions of people at risk – C-level executives like CEOs and CIOs may lose their jobs and could be exposed to crippling lawsuits, warns Christopher A. Wiech, a partner in national law firm LeClairRyan's Atlanta office.
There may be a lack of understanding and communication across the C-Suite when it comes to cybersecurity practices, says Wiech, a member of LeClairRyan's Privacy and Data Security Practice who explores these issues in a recent blog, The C-Suite's Perspective on Cybersecurity and Liability. His post appears in the firm's Information Counts blog, which focuses on privacy, data security, information technology, e-commerce and other digital issues.
A good defensive plan begins with an understanding how your organization gathers, stores, accesses and utilizes its data, Wiech notes. "Also be aware of any government regulations that apply, as well as industry or other standards that address data gathering, storage, protection and use, like PCI data compliance standards," he advises. "You need to be diligent, because your actions will be closely scrutinized in the event of a hack or other data breach."
The first notable case against the C-suite following a data incident was In re Heartland Payment Systems, Inc. Securities Litigation, where the plaintiffs alleged that the C-Suite concealed a cyber attack. "The court dismissed the lawsuit, recognizing that 'the fact that a company faces certain security problems does not of itself suggest that the company does not value data security,'" relates Wiech. "Central to the court's analysis in Heartland were the actions taken by the CEO and CFO before and after the data incident."
Despite that, a recent IBM cybersecurity survey of more than 700 C-Suite executives across 18 industries and 28 countries found that although 94% believe that their company will "experience a cybersecurity incident" in the next two years, only 65% said they were confident about their company's cybersecurity plans. Also troubling: 60% of the Chief Financial, HR, and Marketing Officers surveyed said they are the "least involved" in cybersecurity measures, even though they are the individuals responsible for data most coveted by cybercriminals.
Part of the challenge is the lack of a "bright line" data security standard, putting executives on notice of exactly what their organizations should be doing when it comes to cybersecurity, according to Wiech. "There is no generalized standard for data security; it is a question of business judgment," he explains. "A court or jury will generally consider whether or not the executive made an informed, diligent decision on behalf of, and in the best interests of, the company and its shareholders – the Business Judgment Rule – but those decisions are made on a case-by-case basis."
Even though C-Suite executives are protected by the business judgment rule, "plaintiffs have not been deterred in their attempts to hold directors and officers personally liable for the fallout from massive data incidents," he cautions. "But CEOs, CIOs and other top executives can take some steps to increase their company's cybersecurity, while potentially creating a stronger defense in case of a lawsuit."
The CEO, CIO and other top executives should meet on a regular basis, and may consider working with the Board of Directors to create a cybersecurity committee, he advises. "Your cybersecurity committee should include representatives from marketing, IT and other technical specialists, as well as internal and external legal advisors," Wiech says. "The committee could address issues like the ways you are protecting your digital and other assets, while considering who has access to your data, and what your legal and other responsibilities are and to whom they're owed. Also, consider third-party vendors and others who handle your data, and what their security procedures are. Finally, do you have processes in place if a data breach does occur? You need to plan for it before something happens."
A C-suite cybersecurity strategy should also be balanced, he notes.
"A company can build a vault around its data that may be nearly impossible to penetrate, but then you may be unable to use it in a real-time manner, negating or minimizing the business value of the data," warns Wiech. "Cybersecurity is no longer just an IT issue, nor is it defensible to be naïve about cybersecurity. A diligent C-Suite and boardroom should be cognizant of their company's cybersecurity risks, routinely discuss those risks, and rely on and follow the advice of experts to mitigate those risks."