Lessons for Boards from Yahoo’s $80 Million Data Breach Settlement

What does it mean for board liability in future data breach litigation?

At the time it was disclosed, the Yahoo! email breach was considered massive. The personal information of 1.5 billion users was compromised. In response, lead plaintiff Edward McMahon filed a suit alleging that Yahoo! Inc. and certain of its directors and officers intentionally misled investors about the company’s cybersecurity practices.

In filing the claim, the plaintiffs were certainly taking a risk. During a 2016 interview, principal litigator Michael W. Stocker of Labaton Sucharow LLP told Forbes Magazine, “The problem for plaintiffs has been that at least so far, even large breaches have mostly not been accompanied by huge hits to share prices—undercutting the ability of investors to show harm.”

Fast forward to 2018, and harm we see. Yahoo agreed to settle the securities class action lawsuit to the tune of $80 million, which should serve as a wake-up call for boards. Why? It’s the first of its kind—a milestone shareholder settlement related to a data breach.

Still subject to court approval, the pending agreement will have implications well beyond Yahoo’s own directors and officers, said Jeff Dennis, managing partner and cybersecurity practice lead at law firm Newmeyer & Dillion. Like many others, he had anticipated that the fallout from the Equifax breach would be the more troubling development for organizations.

Instead, Yahoo’s shareholder settlement suggests that reform is happening much faster. “The boards are going to be targets,” Dennis said. If that assumption holds, there are some critical lessons for boards to take away from this news.

This major win for the plaintiffs could be a game-changer when it comes to shareholders suing companies, and it also raises questions about board liability stemming from data breach litigation in the future.

“If you are trying to figure out legal liability after a breach, it’s too late,” Dennis said. There are, however, steps boards can take now to reduce their cyber-risks and legal liabilities, should a breach occur. To start, the board of directors must accept that it is responsible for the oversight of the company’s cyber-risk.

Ambivalent About Accountability

Despite the ever-growing number of companies that have made headlines in the aftermath of a breach, many boards have made little headway with cybersecurity governance. Perhaps the inability to effectively measure the overall cost of a breach has given the false impression that they can’t really be harmed.

How often do people in the industry point to Target as an example of a breach? Yet, no one can really cite Target’s bottom-line loss in dollars or damage to brand. The company isn’t closing stores across the globe. Yes, its name is associated with a major breach that resulted from a compromised third-party vendor. The breach led to some outcry, but the extent of the damage is difficult to quantify.

Aside from that, there has been little evidence to motivate boards to get started on making real changes—until the Yahoo settlement. The settlement amount—$80 million—is a hefty sum, which makes it much more difficult to ignore the reality that litigation continues to pick up steam.

Unfortunately, breaches are a part of everyone’s daily lives. While future cases may not be as attractive, Dennis said the Yahoo settlement has the potential to embolden plaintiff attorneys to take on these kinds of shareholder derivative cases.

Proactive Steps Toward Effective Change

Because they are responsible for cyber as part of their duties in overseeing corporate risk management, boards need to protect themselves. Dennis suggested the following six steps as a way for them to demonstrate that they are taking cyber-risk seriously:

  1. Do an honest assessment of the company’s cybersecurity posture. Be able to identify the key assets and determine what is being done, or what needs to be done to protect those assets.
  2. Evaluate the risk by using published standards, such as NIST or individual state standards, like those published by the state of New York.
  3. Establish initiatives. As a board, require regular feedback on the progress being made. Have a system (such as color coding) for prioritizing which of those are the highest risk. Identify the ones that need to be dealt with right now.
  4. Make cyber-risk an agenda item at every meeting until the board has a strong handle on it going forward.
  5. Invest in external risk management. Understand the cyber-risk issues related to contracts with the organization’s vendors and subcontractors.
  6. Decide whether cyber-insurance is something worth investing in.
March 22, 2018