Despite the increase in data breaches and cyberattacks involving large corporations, efforts to hold directors and officers personally liable for these events have largely been unsuccessful. However, recent developments in two high-profile data breach cases suggest that the relative safety directors and officers have previously experienced from cybersecurity-related suits may be coming to an end. On January 4, 2019, the Superior Court of California approved a $29 million settlement in consolidated derivative litigation brought against directors and officers of Yahoo, Inc. arising out of two data breaches compromising sensitive information of over one billion Yahoo users. See In re Yahoo! Inc. Shareholder Litig., Case No. 17-CV-307054, (Cal. Supp. Ct Jan. 4, 2019). This settlement, which includes a court-approved plaintiff’s counsel’s fee of $8.6 million, represents the first significant recovery in a data-breach related derivative lawsuit targeting directors and officers for breach of fiduciary duty.
In another closely-watched data breach case against the credit rating firm Equifax, Inc. and certain of its officers and directors, on January 28, 2019, the Northern District of Georgia granted in part and denied in part a motion to dismiss a securities class action arising out of a cyberattack in which criminals gained access to sensitive information of 143 million Equifax customers. See In re Equifax, Inc. Secur. Litig., Case No. (N.D. Ga. Jan. 28, 2019). Although the court granted the motion to dismiss with respect to most of the officers and directors, it denied it as to the Equifax’s former CEO, who was alleged to have personal knowledge of the inadequacies in Equifax’s cybersecurity system. This ruling makes Equifax the first major data-breach related claim against a corporate officer to survive a motion to dismiss.
These cases, along with the increase in cybersecurity-related derivative and securities actions, indicate that directors and officers of major corporations may face an increased risk of personal liability in connection with data breaches. Companies should bear this risk in mind when analyzing the protections afforded their officers and directors by their insurance programs.
Large corporations have historically protected their officers and directors from personal liability by availing themselves of a Delaware statute that permits corporations to insulate their directors from any alleged violation of the duty of care through a specific exculpatory provision in the certificate of incorporation. See 8 Del. Code § 102(b)(7). This provision, however, cannot limit liability for violations of the duty of loyalty, for bad faith acts or omissions, or for knowing violations of the law. See id. Moreover, despite general protection from liability for breaches of the duty of care, directors may still face liability for failure to monitor liability-creating activities within the corporation under a “Caremark claim,” which derives its name from In re Caremark Int’l Derivative Litigation., 698 A.2d 959 (Del. Ch. Ct 1996). Under the Caremark standard, a lack of good faith can be established when directors have either (1) utterly failed to implement any reporting or information system or controls; or (2) despite having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus preventing themselves from receiving information about risks requiring their attention. See Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). In either case, liability requires a showing that directors failed to act in the face of a known duty to act. See id.
The high bar created by the Caremark standard has protected directors from personal liability in several prominent data breach cases. For instance, Wyndham, Target, and Home Depot suffered three of the most significant corporate data breaches in recent years. Shareholders of each corporation brought derivative claims against the directors seeking to tie the duty to monitor under Caremark to the corporations’ cybersecurity systems. The courts granted the defendants’ motion to dismiss in each case on the ground that directors’ cybersecurity-monitoring duties were not clear enough to form the basis for a Caremark claim. See Palkon v. Holmes, Case No. 2:14-CV-01234 (D.N.J. Oct. 20, 2014); Davis et al. v. Target Corp., Case No. 14-CV-203 (D. Minn. July 7, 2016) (adopting SLC recommendation to dismiss action); In re Home Depot, Inc. Shareholder Deriv. Litig., 223 F. Supp. 3d 1317 (N.D. Ga. 2016).
Now, however, a series of prominent and widely-publicized data breaches, combined with the growth of a cybersecurity industry designed to assist corporations in protecting against cyberattacks, may have created a corporate cybersecurity standard of care that would support a Caremark claim. In other words, the very development of stronger cybersecurity protections and controls may have created a known duty to act. The Yahoo data breach derivative litigation could be a harbinger of this trend. Many of the suit’s allegations assert a bad-faith failure by the directors to adequately monitor the corporation’s cybersecurity system, including through their failure to adequately fund the corporation’s data-security infrastructure and through their refusal to approve necessary security updates. Plaintiffs alleged these lapses left Yahoo’s systems vulnerable to attack. The lawsuit also alleged that the directors failed to implement adequate security measures in response to the first data breach. The fact that the suit resulted in a court-approved $29 million settlement, which was fully funded by insurance, indicates that the plaintiffs, defendants, insurance carriers, and the court all agreed that the defendants faced a significant risk of liability.
Likewise, the Equifax data-breach-related securities suit contains numerous allegations of inadequate board oversight of the corporation’s cybersecurity systems. The plaintiffs claimed that the company’s cybersecurity system was “dangerously deficient” and that the directors and officers failed to implement appropriate security protocols, failed to remediate known deficiencies, and failed to adequately monitor vital systems and networks. The plaintiffs also alleged that the board ignored numerous warnings that its data security measures were inadequate. In its ruling on the motion to dismiss, the court determined that these inadequacies made the company’s assurances to investors concerning the security of Equifax’s systems materially misleading. The court also determined that the CEO’s alleged personal knowledge of the deficiencies in Equifax’s cybersecurity systems established the requisite scienter with respect to the alleged misrepresentations concerning the company’s data security. The court therefore allowed the claims against the CEO personally to move forward.
Given the increasing risk of personal liability for directors and officers and the considerable damages demanded in high-profile data breach litigation, it is important that a company’s directors and officers insurance program adequately protect those individuals from cybersecurity-related liability. This protection is imperative with respect to derivative litigation, as Delaware law precludes a corporation from indemnifying its directors for payment of judgments or settlements in a derivative action. See 8 Del. Code § 145(b). Furthermore, any director who has been found liable to the corporation is not entitled to indemnification of defense costs unless a court specifically determines that the director is entitled to such indemnification despite the finding of liability. Thus, a company’s Side-A directors and officers insurance program, which provides coverage for non-indemnifiable loss, may be the only protection standing between directors and catastrophic personal liability as a result of a data-breach-related derivative action settlement or judgment.
As a result, risk managers and their coverage counsel should carefully evaluate every directors and officers insurance program for any potential gaps in coverage relating to a cybersecurity event. These gaps may arise from provisions directly referencing cybersecurity, such as an explicit cyber-related exclusion, or from the unanticipated operation of other exclusions and limitations that could be implicated by particular cybersecurity-related claims.