Cybersecurity and hacking incidents continued to dominate headlines in 2016: not only did they continue to affect corporations, but they also played a role in the U.S. presidential election. At the same time, various states have introduced, considered or adopted cyber-related legislation, including legislation aimed at industries that are particularly sensitive to cybersecurity breaches (e.g., New York proposed a cybersecurity regulation that applies to financial institutions licensed or regulated by the New York State Department of Financial Services). Federal agencies, including the U.S. Securities and Exchange Commission (“SEC”), the Federal Trade Commission and the U.S. Department of Justice (“DOJ”), are also playing key roles in regulating cybersecurity.
Since at least the SEC’s 2011 CF Disclosure Guidance: Topic No. 2 – Cybersecurity, which clarified how companies should evaluate and disclose cybersecurity-related matters, and then-SEC Commissioner Luis A. Aguilar’s 2014 speech, which emphasized the board’s responsibility to “[ensure] the adequacy of a company’s cybersecurity measures,” cybersecurity has been a recurring theme for companies and their boards. As a result, companies and their boards should establish an incident response plan for potential cybersecurity incidents that includes, for example, cross-organizational response teams and contingency communications plans. We highlight below several recent developments in the cybersecurity area that are particularly relevant to boards.
Shareholder Litigation and Board Fiduciary Duties
In July and November of 2016, two separate shareholder derivative lawsuits related to cybersecurity incidents at Target and The Home Depot, respectively, were dismissed. These lawsuits alleged, among other claims, breaches of fiduciary duties by the directors. A similar lawsuit against the directors and officers of Wyndham was also dismissed in 2014. In all of these cases, the courts deferred to the directors’ actions by applying the “business judgment rule,” and found that the plaintiffs had failed to show that the directors “utterly” or “completely” failed to monitor or oversee the implementation or operation of systems and controls to protect against cybersecurity incidents, as would be required to establish a breach of their fiduciary duties. Beyond the procedural hurdles inherent in a derivative lawsuit, these cases illustrate the substantive burden that plaintiffs must carry in such suits. They also help define what boards should do to help insulate themselves against a successful shareholder derivative suit involving cybersecurity incidents:
- The board or a committee designated by the board should be responsible for the oversight of the company’s cybersecurity matters and the company’s bylaws or committee charter should reflect these duties and responsibilities. The designated committee should meet regularly, receive periodic cybersecurity reports and give regular briefings to the full board.
- The board or the committee, as applicable, should oversee the implementation of appropriate systems and controls to protect against cybersecurity incidents and, once implemented, continue to be informed about their effectiveness and any need for changes. The board should approve plans to address any known security weaknesses in a timely and reasonable manner.
- Upon any report of a cybersecurity incident or an alleged breach, the board or the relevant committee should meet frequently to discuss the incident and the company’s response. The board and the company should also conduct a reasonable, good-faith investigation (if needed, by engaging outside advisors/counsel and/or delegating to an independent committee) before deciding on the proper course of action.
Despite the company-favorable results from these recent lawsuits, boards should proactively encourage measures to minimize liability from cybersecurity incidents. As more companies experience cybersecurity incidents, the courts’ standard of what constitutes “utter” or “complete” failure may evolve to require more action or oversight by directors.
Confidential Information and Director Communications
In September 2016, former Secretary of State Colin Powell’s personal email account was hacked, and thousands of his emails were published on the internet. The leaked emails included messages he received as a director of Salesforce.com, including one email that contained a confidential presentation identifying 14 possible acquisition targets. This incident demonstrates that electronic communications to and from directors can be especially sensitive because they often contain material non-public information about the company that, if stolen, could be used for insider trading, affect ongoing deal negotiations or reveal company strategy. The risks are exacerbated when directors use personal email addresses hosted by consumer email providers to send and receive company-related emails, as these services are outside of the company’s control and may not have the security features (and the monitoring and retention controls) that corporate email systems have. To minimize these risks, companies should consider the following:
- Review their policies to require that directors use only official corporate email addresses, instead of personal email addresses, for company communications.
- Provide encrypted laptops or mobile devices on which directors can access board presentations and other sensitive company documents.
- Set up a secure board portal through which directors can receive messages and materials related to the company, rather than distributing them by email.
- Incorporate email security training as an essential element of the directors’ on-boarding process and ongoing director training.
M&A and Cybersecurity Diligence
In September and December of 2016, Yahoo! announced that it had discovered cybersecurity incidents dating from 2014 and 2013, respectively, that affected a significant number of accounts. At the time of these announcements, Yahoo! was the target in a proposed acquisition of its core internet business, and the incidents had not been disclosed during the negotiation of the deal. The Yahoo! incident underscores the growing importance of cybersecurity diligence in corporate transactions and, at the same time, the limits of traditional due diligence investigations in discovering cybersecurity breaches. As a result, cybersecurity issues are likely to play a bigger role in corporate transactions:
- There will be more focus on cybersecurity diligence, particularly in M&A transactions involving companies in the information technology industry or with large amounts of personally identifiable information.
- Depending on the industry or the nature of the target’s operations, cybersecurity diligence may require engaging a third-party expert to perform a technical assessment aimed at identifying undisclosed incidents and/or risks, recognizing that even such an assessment cannot guarantee that every past breach will be found.
- Parties will negotiate more extensively over cybersecurity-related provisions in agreements, including representations and warranties and closing conditions.