Among the consequences of a data breach for an organization is the risk of personal liability for board members. Besides the prevention measures that can/must be taken to avoid hacking, directors and management should invest in training, procedures, detection, and response.
Going in the specific, the following can help directors in case their company suffers a cyber attack.
First, paper work: having in place written policies and procedures in connection with data security and having written response plans in effect (including selection of individuals who will be part of the team, and identification of their tasks and rolls).
Second, talking: including cybersecurity in the agenda of every board meeting (before and after the breach). Let’s remember that in the Windham case, a derivative action against the directors (more on this action, here. Text of the decision available here) was dismissed among other reasons because the court found that extensive discussions by the directors at14 meetings from October 2008 to August 2012 including presentations by the General Counsel at every quarterly meeting regarding the breaches and the organization cybersecurity in general supported the board’s exercise of business judgment not to bring actions against the possibly liable directors. The court also found that the Audit Committee had discussed those issues in sixteen committee meetings during this same time period).
Third, specialized competence and dedicated attention is also a plus. For example hiring a board member with particular expertise in cybersecurity and forming a subcommittee for cybersecurity are certainly good measures.
Fourth, fostering a virtuous cybersecurity climate inside the organization through awareness training also helps. And it should be specialized training for different categories of employees (and for the management itself). In particular, management should make sure that compliance officers are not only on top of American privacy law (including industry-specific regulatory guidelines e.g., Gramm-Leach-Bliley Act for financial industry) but also foreign regulation if the business is international (see, e.g., European data protection law, such as Directive 95/1995 and the now finally approved and published GDPR).
Fifth, having strategies in place to mitigate. For example it is useful to establish contacts in advance in case a cybersecurity breach takes place, Management may want to have already established contacts with forensic investigators and media people to step in when a breach occurs. The quicker the answer, the less damage for the organization; hence less likely the directors will have liability.
Sixth, consider a cybersecurity policy but do not sit on it hoping that it will cover everything. It might not or it might not be worthwhile considering your risk.
The attention to the above factors is not only useful to directors to avoiding liability for cyber-breach but also to the organization to quickly and more effectively respond to an incident.
For more information, Francesca Giannoni-Crystal.