Page 27 - Delaware Lawyer - Spring 2020

late enterprises from many of the consequences of inevitable security compromises.
B. Better Practices to Satisfy Legal Obligations
The NACD principles provide a very helpful starting point for boards and their advisers seeking to understand and effectively oversee cybersecurity-related risk. However, the patchwork of legal and regulatory enforcement actions outlined above identifies specific areas of potential breakdowns and inevitable compromises which may call into question a corporation’s cybersecurity program, its cyber incident response and its oversight of both. Examining these case studies and utilizing the NACD’s recommendations can help inform corporate governance and cybersecurity oversight in relation to overall corporate risks and objectives. Taken together, this approach can help demonstrate the “good faith” required of boards.
Further, the enforcement actions outlined above in conjunction with recent Delaware Caremark decisions signal that passively enacting cybersecurity plans or including boilerplate cybersecurity language in board actions may not suffice as courts look for active engagement by the board in “mission critical” areas. One need only look to the cases outlined throughout this article to determine that the presence of a cybersecurity program alone may be insufficient to protect officers and directors from claims. While there is no one-size-fits-all approach, the appropriate measures will largely depend on the organization itself, the nature of the risks it faces, and the board’s considered judgment about the acceptability of those risks — a staple of prudent risk management models.
V. CONCLUSION
In the age of information, cybersecurity and the protection of information assets is increasingly an area that is intrinsically critical to many companies and is properly addressed in the boardroom. The emerging litigation and enforcement trends identified above signal that direct financial consequences, beyond reputational injury, will remain a growing threat to organizations moving forward.
With additional civil penalty authority available under the California Consumer Privacy Act in July of 2020, aggressive enforcement will only mount for those deemed unprepared. Considering some or all of the steps outlined in this article, directors and officers can position themselves to effectively discharge their fiduciary duties and help the organizations they serve succeed.
NOTES
1. The views contained in this essay represent solely the views of the authors in their individual and private capacities and are not necessarily the views of their firm or of any particular client.
2. See Davey Winder, Data Breaches Expose 4.1 Billion Records in First Six Months of 2019, FORBES (Aug. 20, 2019), https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/#31e87cf5bd54.
3. 60 Minutes: Interview of James Comey, CBS (Oct. 2014), https://www.cbsnews.com/news/james-comey-fired-fbi-director-in-2014-60-minutes.
4. 2019 Cost of a Data Breach Report highlights, IBM (July 23, 2019), https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years (“The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, analyzes data breach costs reported by 507 organizations across 16 geographies and 17 industries.”).
5. “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” Security Tip (ST04-001): What is Cybersecurity?, CISA (Nov. 14, 2019), https://www.us-cert.gov/ncas/tips/ST04-001.
6. Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, FTC (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related. The settlement addressed claims against Equifax Inc. in connection with its 2017 data breach.
7. See Matthew Syed, Black Box Thinking: Why Most People Never Learn from Their Mistakes - But Some Do (2015) (highlighting the long-term adverse systemic consequences in aviation and healthcare due to blame-based accountability, oversight systems, and psychological fallacies, including hindsight bias, which have inhibited information sharing and process improvement).
8. Danny Yadron, Executives Rethink Merits of Going Public With Data Breaches, WALL ST. J. (Aug. 4, 2014), https://www.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237.
9. In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 960–64 (Del. Ch. 1996).
10. See Lawrence J. Trautman & Peter C. Ormerod, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach, 66 Am. U. L. Rev. 1231 (2017).
11. See Spiegel v. Buntrock, 571 A.2d 767, 772–73 (Del. 1990) (“A basic principle of the General Corporation Law of the State of Delaware is that directors, rather than shareholders, manage the business and affairs of the corporation.”).
12. In re Citigroup Inc. S’holder Derivative Litig., 964 A.2d 106, 120 (Del. Ch. 2009). In addressing a decision made by the board, the courts apply the two-step test announced in Aronson v. Lewis. See 473 A.2d 805, 814 (Del. 1984), overruled by Brehm v. Eisner, 746 A.2d 244 (Del. 2000). However, “where the board that would be considering the demand did not make a business decision which is being challenged in the derivative suit” the three-step test established in Rales v. Blasband applies. See 634 A.2d 927, 933–34 (Del. 1993).
13. Gregory L. Watts, “I Got a Bad Feeling About This”: Are Caremark’s Walls Closing In on Directors?, ABA (Dec. 10, 2019), https://www.americanbar.org/groups/litigation/committees/class-actions/articles/2019/fall2019-are-caremarks-walls-closing-in-on-directors/.
14. Guth v. Loft, Inc., 5 A.2d 503, 510 (Del. 1939).
15. Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 370 (Del. 2006).
16. Id.
17. Aronson, 473 A.2d at 812.
18. In re Walt Disney Co. Deriv. Litig., 907 A.2d 693, 749 (Del. Ch. 2005), aff’d, 906 A.2d 27 (Del. 2006) (quoting Brehm v. Eisner, 746 A.2d 244, 259 (Del. 2000)) (internal quotation marks omitted).
19. Gram v. Allis-Chalmers Mfg. Co., 188 A.2d 125, 130 (Del. 1963).
20. McPadden v. Sidhu, 964 A.2d 1262, 1274 (Del. Ch. 2008) (Conduct that is grossly negligent is “conduct that constitutes reckless indifference or actions that are without the bounds of reason.”).
21. Smith v. Van Gorkom, 488 A.2d 858, 868, 893 (Del. 1985). See 1 Del. Corp. Law & Practice § 15.03 (2019) (defining the business judgment rule as follows: “A decision by a board of directors (i) in which the directors possess no direct or indirect personal interest, (ii) which is made (a) with reasonable awareness of all reasonably available material information, and (b) after prudent consideration of the alternatives, (iii) which is in good faith, and (iv) which is in furtherance of a rational corporate purpose, will not be interfered with by the courts, either prospectively by injunction, or retrospectively by imposition of liability for damages upon the directors, even if the decision appears to have been unwise or have caused loss to the corporation or its stockholders.”) (citing Gagliardi v. Trifoods Int’l, Inc., 683 A.2d 1049 (Del. Ch. 1996)).
22. Id. at 869.
23. Darian M. Ibrahim, Individual or Collective Liability for Corporate Directors?, 93 IOWA L. REV. 929, 935 (2008).
24. DEL. CODE ANN. tit. 8, § 102(b)(7) (2008) (enacted 1986) (However, this is “provided