Page 17 - Delaware Lawyer - Spring 2020

but enterprises are only beginning to fully appreciate the breadth of risks associated with cybersecurity.5
The shock factor that accompanied major breaches of the last decade at companies such as Target, Sony and Equifax may have worn off for many consumers, but significant questions remain unresolved, including the issue of post-breach liability, as the law continues to adapt to rapid technological change. Cybersecurity has become a routine topic for board meetings, where directors are confronting how to quantify intangible enterprise data risk, the adequate level — and cost — of cybersecurity precautions for their organization’s risk portfolio and, perhaps most importantly, how and whether to identify, shift, remediate or accept these risks.
For an example of the varied array of legal consequences cybersecurity crises present, one need only look to the July 22, 2019 Equifax settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), 50 state and territorial attorneys general and numerous civil consumer-fraud class actions.6 However, the potential exposure for cybersecurity crises does not stop with the company itself. Plaintiffs’ attorneys (and many regulators) have not so subtly set their sights on a predictable “villain” to take the fall — corporate directors and officers. Between rapid technological change and emerging legal standards, hindsight bias as well as victim shaming and blaming are pervasive systemic challenges to fostering more effective cybersecurity oversight and accountability.7 While the decided case law has not definitively fixed blame on directors and officers, that day could be coming soon in the wake of recent 2019 case law. As to shaming, between headlines and regulatory activity, often rooted in breach notification laws, a blame-focused culture has emerged which can obscure the broader public policy issues involved.8
Against this backdrop, corporate officers and directors are increasingly confronted with Benjamin Franklin’s adage suggesting that a failure to plan adequately is a plan to fail (adequately).
Accordingly, prudent corporate officers and directors, and the organizations they serve, may benefit, before and after incidents, from proactive and easily demonstrable efforts to protect corporate intangible assets and interests, especially where cybersecurity risks are deemed “enterprise critical.” This article explores and seeks to explain how and why cybersecurity has become a pervasive topic for corporate boards and executive teams and examines comparative legal sources influencing corporate governance in cybersecurity and information assurance. We begin by discussing a traditional legal avenue for director and officer liability under Delaware law — shareholder derivative lawsuits and fiduciary duties claims under Caremark.9 We then examine key shareholder derivative lawsuits that have proceeded under Caremark theories over the past decade. Next, we discuss two recent Delaware case law developments — the Marchand and Clovis cases — that may give special vitality to claims rooted in alleged deficiencies in officer and director oversight and suggest that related cybersecurity claims may increase in frequency in the future. We then look at enforcement actions brought by federal agencies — principally the FTC and the Securities and Exchange Commission (SEC) — and illuminate how data security efforts and related privacy concerns have been enforced retrospectively, including in emerging cybersecurity-focused securities class-action cases.10 These other considerations often provide guidance on how law enforcers view what constitutes reasonable or adequate cybersecurity.
In each of these areas, we hope one thing becomes clear — courts will increasingly use 20/20 hindsight to evaluate the fact-intensive inquiries posed by duty-of-oversight claims in areas deemed “mission critical.” Finally, we outline the principles set forth in the recent National Association of Corporate Directors (NACD) Cyber-Risk Oversight and Director’s Handbook Series, and offer guidance, which we believe can provide principles-based approaches for corporate directors and officers seeking to proactively address cybersecurity risk.
II. TRADITIONAL AVENUE OF DIRECTOR AND OFFICER LIABILITY UNDER CAREMARK
Shareholder derivative actions (in which shareholders bring a lawsuit on behalf of the corporation itself) have emerged as a primary tool for seeking to hold corporate directors and officers liable for cybersecurity incidents. These actions are largely brought against the corporation’s own directors and officers.11 To bring a derivative suit under Delaware law “a shareholder must either (1) make a pre-suit demand by presenting the allegations to the corporation’s directors, requesting that they bring suit, and showing that they wrongfully refused to do so, or (2) plead facts showing that demand upon the board would have been futile.”12 Once the demand requirement is satisfied, the most probable strategy to force direct accountability among the corporate directors and officers in the wake of a cybersecurity crisis is an oversight liability claim alleging breach of fiduciary duties.
Throughout the last decade, a number of shareholder derivative lawsuits have been lodged in the wake of major data breaches. In most of these cases, courts have ruled in favor of corporations, officers and directors. However, as Gregory Watts argues in his article “I Got a Bad Feeling About This”: Are Caremark’s Walls Closing In on Directors, several 2019 Delaware court opinions portend an uncertain future for director decisions related to “mission critical” regulatory issues given that “[t]he standards for pleading and proving a Caremark claim . . . appear to be loosening.”13
A. Fiduciary Duties – Care, Loyalty and Beyond
Under Delaware law, “[c]orporate officers and directors . . . stand in a fiduciary relation to the corporation and its stockholders.”14 Specifically, in making decisions on behalf of the corporation, directors owe the corporation and its stockholders the fiduciary duties of care and of loyalty.15 The duty of loyalty also encompasses the duty to act in good faith.16 Under Delaware law, when reviewing any fiduciary duty claim, “[i]t is a presumption that in making a business decision,