Executives, Are you on the Hook for Cybersecurity Liability?
12-May | Written by Vanessa Henri & Oleg Stratiev • Fasken • Montreal, PQ
Chief Information Security Officers (“CISOs”) grapple with significant risks and pressure on a day-to-day basis. This pressure increases greatly in times of crisis, which, historically, have meant data breaches. When a breach happens, the CISO becomes the commander-in-chief of an army dedicated to identifying, containing and remediating the breach. Recent weeks, however, have given us another example of a crisis that can be extremely demanding on information security professionals.
The COVID-19 pandemic is first and foremost a human tragedy, but technology is on the front lines of this crisis. Organizations worldwide have had to accelerate the adoption of digital technologies, implement work-from-home policies and protect essential IT infrastructure at a time when resources are already scarce.
Tech organizations also have a heavy burden as they adapt their operations to increased user traffic and new uses that are being made of their technologies. Zoom, for instance, a B2B teleconferencing platform, evolved, within mere days, past B2B and into the B2C space and became the default communication medium for all groups throughout the world. Looking further, students and workers are using many collaboration and digital tools to continue their work, while others are spending their free time online shopping, reading, chatting, playing and streaming content. All these behaviors put immense stress on cybersecurity controls and operations.
As companies around the world grapple with the implications of the pandemic, all the while trying to survive, CISOs are playing a central role in steering their organizations through the crisis, and they are not alone in this battle. Data Protection Officers, Chief Information Officers, Boards of Directors and other executives with information security responsibilities are also being drawn into the decision-making process. Many of these executives have reached out to us to understand their liability for the cybersecurity decisions they make during COVID-19. Our observations reveal that even in normal times, these liabilities are not always understood.
In this first article for Cyber Business Review, we decided to begin with two essential questions:
What liability can directors and officers incur for their decisions regarding information security?
Can performing risk management activities for information security increase directors’ and officers’ liabilities, and if so, what can be done about it?
A quick overview of board governance literature suggests that cybersecurity risks should be treated differently from other risks facing the organization. In practice, however, such a suggestion does not hold up. Boards have long been tasked with protecting their companies from various risks, including cybersecurity risks. Effective oversight of cybersecurity risks can help companies and directors avoid incurring significant damages while successfully mitigating the damages that are inherent to cybersecurity breaches.
As a starting point, directors are governed by the Canada Business Corporations Act (“CBCA”) or equivalent provincial legislation. Under most of these statutes, the general duties of directors and officers are to act honestly and in good faith, and to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. We refer to these as the “fiduciary duty” and the “duty of care”.
These duties raise the question: Who owns management of cybersecurity risk at the board and management levels? Of course, not all executives are directors. As we know, boards have been reluctant to have CISOs sitting directly at the table. However, executives are empowered to exercise their roles and responsibilities by delegation from the board of directors. As a result, they must carry out their tasks with the same diligence, but they may not bear the same liability. This is often enforced through employment agreements. We will see that executives do not have the same liability, but would be wise to cover themselves.
So, if the CISO does not own management of cybersecurity risk at the board, who does?
In a nutshell, CEOs are responsible for reporting to the board on any risks facing an organization. I often hear of CEOs referring such questions to other executives, such as CISOs. It is important to understand that having an expert readily available does not discharge the CEO from their role and responsibility to oversee and understand the risks facing the organization at large. Once the CEO reports to the board, all board members are responsible for determining whether a risk is accepted, avoided or mitigated.
Such decisions must be matched by the allocation of adequate resources. Indeed, requiring an organization to mitigate risks without allocating the resources to do so may be considered a breach of the general duties of board members. The general duties should guide directors’ analysis and decision making at all times, just as they apply to financial systems and controls through the Enterprise Risk Management (ERM) framework typically used for finance. There is no reason to depart from this approach when managing cybersecurity risks.
To carry out risk management in financial matters, boards of directors rely heavily on internal and external audits as well as policies and procedures. These are used to inform directors so that they can make appropriate decisions in light of their duties. Again, this applies to managing cybersecurity risks. The same types of controls are required - boards of directors should ensure they have access to vulnerability assessments, intrusion testing, internal audit results, certifications and similar mechanisms to support their decisions.
This brings us to another key consideration for executives: information security professionals do not benefit from professional privilege over their activities. In Canada, there are two types of privilege associated with the legal profession that may be helpful: attorney-client privilege over legal advice, and litigation privilege. Each is subject to its own conditions and modalities of application. Generally speaking, the board should establish a legal privilege strategy for protecting its cyber risk management activities, including as required to respond to data breaches. Keep in mind, however, that none of these privileges is absolute in practice, and we have seen a number of legal cases where the defendant was forced to hand over forensic reports and other evidence relating to a data breach.
This means that managing cybersecurity risks is necessary to protect against liability, but it can also lead to more liability if the board does not act promptly and in accordance with its general duties whenever risk management activities identify a vulnerability. Failure to do so may produce evidence supporting an allegation of breach of the fiduciary duty and the duty of care.
So, do directors always have to make the best decision? No. The decision must be a reasonable business decision in light of all the circumstances that were known, or should have been known - which brings us back to the need to perform risk management activities.
In other words, perfection is the enemy of good. The board is not held to the standard of making perfect decisions in cybersecurity. The court looks to see that the directors made a reasonable decision, not a perfect decision. Provided the decision taken is within a range of reasonableness, the court ought not to substitute its opinion for that of the board even though subsequent events may have cast doubt on the board’s determination.
As long as the directors have selected one of several reasonable alternatives, deference is accorded to the board’s decision. The deference to the decision of the board is known as the “business judgment rule”. The fact that alternative transactions were rejected by the directors is irrelevant unless it can be shown that a particular alternative was definitely available and clearly more beneficial to the company than the chosen transaction. In the context of COVID-19, we expect that courts will interpret the business judgment rule taking into account the urgency and particularities of the crisis.
If the final decision is not protected by the business judgment rule and is not in accordance with the general duties of directors, this is generally where directors and officers can incur liability. Over the last few years, numerous claims arising from cybersecurity incidents have been brought against directors and officers in the United States. Among the most notorious is the claim against the directors of Yahoo! Inc. brought by shareholders, claiming $29M, before the claims were ultimately settled.
Whether it is a claim for breach of their duty of care or a shareholder derivative lawsuit, the typical allegation is that directors and officers failed to adequately oversee the organization’s cybersecurity before a breach and/or failed to appropriately oversee the organization’s disclosure, investigation and remediation efforts after the breach. While some of these lawsuits have been dismissed for a variety of technical and procedural reasons, similar claims are expected to continue, particularly as the COVID-19 pandemic leads to an increase in cybersecurity attacks and breaches.
Canada has not yet witnessed high-profile lawsuits against directors and officers in relation to cybersecurity of the kind seen in the United States. However, directors and officers should not take comfort that such claims will not be made in Canada, nor should they assume that they will be able to invoke the technical and procedural defences that have been successful in the United States.
In fact, similar claims could be more readily advanced in Canada than in the United States because, in the past few years, we have seen an increase in regulatory guidance of general application and landmark changes in the Canadian legal landscape. For instance, on April 18, 2018, the Canadian government published final regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law. To minimize the risk of a lawsuit, directors and officers must ensure that they have regularly updated knowledge not only of the risks faced by their organizations but also of the evolving context in which their actions may be scrutinized.
In the current environment, COVID-19 has created a perfect scenario for hackers seeking to defraud panicked, isolated and, sometimes, emotionally vulnerable targets. The phishing and ransomware attacks (to name two extremely common risks) are likely to affect organizations of all types and sizes. Consequently, directors and officers must be particularly aware of controls and reporting for those well-known risks, as well as any risks unique to their industry.
Under securities legislation, companies must inform, inter alia, their shareholders about their financial situation, their earnings and any risk that they expect to face in the year to come. As cybersecurity becomes more important for companies, and directors become more educated on the subject, companies may be liable for misrepresenting their cybersecurity measures, failing to disclose a material cybersecurity risk, or failing to disclose a material cyber breach in a timely manner. The materiality of a breach or attack will be analyzed on a case-by-case basis, but even minor attacks may be considered material if they are frequent or numerous.
Here are a few recommendations to protect your liability:
Before you make a decision, make sure that you have all the information you need.
Develop a legal privilege strategy to protect information security risk management activities - it may not be unbreakable, but it should be considered an additional safeguard.
Request protection such as liability insurance and, where relevant, a commitment to support executives if they are sued beyond what liability insurance covers, and ensure that final responsibility for information security decisions rests with the board, not with executives who are not represented on the board.
If you must take prompt decisions in the middle of a crisis, ensure that there is a mechanism to review these decisions when time allows for more extensive due diligence. For instance, if you cannot perform the usual information security due diligence on vendors when addressing urgent needs arising from a crisis like COVID-19, use contractual requirements to ensure that vendors will cooperate with subsequent due diligence and will implement reasonable mitigating measures if non-compliance is identified. If possible, consider publicly available information on a vendor to make a preliminary analysis, even if this means you may not be able to document and follow the usual process in the immediate term.