Data Protection: Are Shortsighted C-Suite Executives and their Boards Breaching Fiduciary Duties?
If I were a Chief Information Security Officer, I would be horrified at the message sent from C-Suite executives in a poll released by Threat Track Security Inc. on July 31, 2014. If I were a C-Suite executive or a member of a board of directors, I would be wondering whether I am properly exercising my fiduciary duties when it comes to protecting against data breaches.
In the Threat Track report, nearly half the responding executives, all of whom work for companies who employ a chief information security officer (CISO), espoused the view that a CISO should bear all of the blame for any organizational data breaches. Heaping insult on injury, more than half of the respondents to the report would not give the CISO cybersecurity purchasing responsibility – thereby stripping the CISO from the ability to obtain the very tools necessary to effectively do his/her job. Incredibly, however, 74% of those responding also harbored the feeling that a CISO should not even be part of an organization’s leadership team, and a staggering 61% didn’t believe that the CISO could be successful in a leadership role outside information security. On the bright side, 52% of respondents believed that CISOs “provide valuable guidance to senior leadership related to cybersecurity,” but at the same time 28% said that their CISO had made decisions that had negative effects on the company. In short, the message to CISOs is, “If a data breach occurs, we’re going to point to you, but we’re not going to give you the autonomy and decision making authority to protect yourself or the enterprise, and, frankly, we don’t think you belong in our club anyway.”
As data breaches become more prevalent – a September 4, 2014 headline included investigation of a “massive” data breach involving HomeDepot™ - and an October 24, 2014 headline trumpeted investigation of a data breach at Staples™ - C-Suite executives are going to face ever-increasing pressure from shareholders and customers to get a handle on how data is gathered, stored and protected. Those same executives, and their boards of directors will face increasing scrutiny by class action plaintiffs’ lawyers who seek to exploit the cavalier attitudes revealed in the Threat Track report.
Under prevailing corporate law, corporate directors have duties of care, loyalty and good faith. Directors also have a duty of oversight which is derived from the duty of good faith contained in the duty of loyalty. As noted in the Caremark decision, “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that the failure to do so in some circumstances, may, in theory, at least render a director liable for losses caused by non-compliance with applicable legal standards.” Since Caremark, the Delaware Supreme Court in Stone v. Ritter, has explained that liability for a breach of oversight may exist where “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.” Where directors have, in this sense, “abdicated their functions, or absent a conscious decision, failed to act” they will not be protected by the business judgment rule.
These high hurdles are not stemming the filing of breach of fiduciary duty lawsuits relating to data breaches. Plaintiffs’ lawyers are testing the pleading standards in more creative ways to see if they can be overcome. For example, claims in lawsuits filed in Minnesota against directors and officers arising from the alleged Target™ data breach are replete with allegations of “the failure to implement a system of internal controls to protect customers’ personal and financial information” and “the failure to implement adequate internal controls to detect and prevent the breach . . . .” Similar suits allege managers’ “failure to supervise” and assert that directors and officers “consciously disregarded responsibilities” and otherwise failed to act in good faith. Investigation will undoubtedly focus on exactly what industry standards were, or should have been, followed, and what the board and officers did, or failed to do, in acting to protect customer data.
These ever-increasing efforts to chip away at the protections afforded directors and officers should foster a closer, not more distant, relationship between the C-suite and CISOs. It is imperative for directors and officers to take a more hands-on role in understanding and implementing controls to protect the enterprise and the information it gathers from unauthorized access. To do that, directors and officers must embrace the knowledge and experience of their CISOs, and work together with them to assure access to tools and information needed to protect the businesses for which they are responsible. Otherwise, I fear the attitudes expressed in the Threat Track report could provide some evidence of the “utter failure” necessary to establish liability.
 http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx. “No Respect. Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers.”
 In re Caremark Int’l, Inc. Derivative Litigation, 698 A.2d 959, 970 (Del Ch. 1996) (emphasis added).
 Stone v. Ritter, 911 A.2d 362, 370 (Del. Supr. 2006).
 Aronson v. Lewis, 473 A.2d 805, 813 (Del. Supr. 1984).