Page 23 - Delaware Lawyer - Spring 2020

 consent decrees remains a mainstay of cybersecurity practitioners.108
With each new Section 5 case, the FTC has further refined and identified facts, behaviors and controls relevant to officer and director oversight of cybersecurity.
1. Facebook
In July 2019, the FTC issued a record-breaking $5 billion fine against Facebook and, for the first time ever, required corporate governance changes to address alleged data-misuse issues. Specifically, the FTC accused the company of failing to adequately protect users’ privacy and comply with a 2012 consent decree with the agency.109 In addition to the high monetary penalty, the consent order imposed new restrictions and obligations on Facebook.110 Under the settlement terms, the company is required to: “Exercise greater oversight over third-party apps and app developers; Establish and maintain a new, comprehensive data security program; Complete a rigorous pre-release privacy assessment before rolling out new or modified products and services; Subject itself to quarterly reporting and biennial assessments of its new privacy program by independent third-party assessors; Appoint an independent committee of the board of directors focused on privacy, which is appointed by an independent nominating committee; and Designate compliance officers approved by the new board committee who are tasked with ensuring and certifying privacy and data security compliance.”111 Moreover, the settlement requires executive certifications. This could lead to considerable changes in the accountability of executives, as they are increasingly turning to experts or committees with specific expertise to avoid liability. A failure to implement FTC-required controls in any capacity is problematic, and could easily fuel allegations for a Caremark claim against a company under a consent order.112
This settlement clearly illustrates that direct financial consequences, in addition to reputational injury, will increasingly threaten organizations whose data governance practices are considered inadequate. In levying a record-breaking penalty and instituting corporate governance changes in the absence of any real, concrete injury, the FTC signaled that corporations will be subjected to heightened scrutiny for how they handle information assets moving forward.
2. Equifax
Similarly, the Equifax global settlement, referenced supra, required Equifax to pay at least $575 million in connection with a massive 2017 data breach. According to the FTC’s complaint, the attackers accessed roughly “147 million names and dates of birth, 145.5 million SSNs, 99 million physical addresses, 20.3 million telephone numbers, 17.6 million email addresses, and 209,000 payment card numbers and expiration dates, among other things” after defendant neglected to patch a vulnerability in its system.113 However, in addition to the $575 million settlement payment, the settlement required Equifax “to implement a comprehensive information security program requiring the company to take several measures including: Designating an employee to oversee the information security program; Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections; Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements; Testing and monitoring the effectiveness of the security safeguards; and Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.”114 These enhanced control measures track the FTC’s prioritization of cybersecurity in 2019 and outline several effective cybersecurity practices for directors and officers to consider.
B. Federal Securities Law Claims and Investigations
Both the SEC and plaintiffs’ attorneys have increasingly used federal securities law as a mechanism to seek accountability in the wake of cybersecurity incidents. Recent enforcement actions in both realms have indicated that federal securities laws are another area of considerable exposure for director and officer liability as the magnitude and frequency of incidents continues to grow.
1. SEC Enforcement
The SEC wields its civil law authority to address cybersecurity enforcement actions. While no existing disclosure requirements specifically address cybersecurity for issuers, in 2011, the SEC’s Division of Corporation Finance issued guidance regarding disclosure obligations relating to cybersecurity risks.115 Specifically, the guidance explains that federal securities laws “in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”116
In September 2017, the SEC established a Cyber Unit with a focus on cyber-related enterprise. On February 21, 2018, the SEC issued interpretive guidance on public company cybersecurity disclosures.117 The SEC explained that the guidance was “reinforcing and expanding upon the staff’s 2011 guidance.”118 However, the guidance went further in two areas: “the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.”119 This enhanced guidance signaled that the SEC has prioritized the regulation and enforcement of cybersecurity activities.
Notably, the SEC launched an investigation and entered into a $35 million settlement with Yahoo! in connection with a series of data breaches and the company’s response. The SEC found that “Yahoo senior management . . . did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings.”120 Yahoo’s own 2016 Annual Report asserted that the independent committee “did not conclude that there was an intentional suppression of relevant information,” but the report conceded that “certain senior executives did not properly comprehend or inves-