In our last article, we took a high-level view across the landscape of director’s duties on cyber-security, making the case that to guard against such attacks now necessitates a highly integrated and planned, 360-degree cyber-security strategy.
However, from a regulatory perspective, directors’ statutory obligations in relation to cyber security are not yet clearly defined within the UK; rather they are implied by the Companies Act (2006). The decision in Various Claimants v Wm Morrisons Supermarket PLC 01.12.2017 ruled that a company could be vicariously liable for a data breach caused by an employee, even in cases where the disgruntled employee’s sole aim was to injure the employer and the employer was not itself in breach of data protection laws. This has extended the scope of legal liability for data breaches, but it has not addressed the inevitable issue of how much liability rests on the shoulders of the directors of an organisation in which a cyber-security breach has occurred.
How might the future look for directors in the UK in relation to cyber security if regulations become clearer and more specific? To gain perspective, it is helpful to understand how other countries are handling serious corporate cyber breaches, and specifically the degree of personal legal exposure of the directors of such organisations.
Under German law, [PM2]directors can be held liable for breaching their duty. Ensuring the robustness of the IT infrastructure, security of data, and protection from cyber risks are all classed as director’s duties.
German law has always emphasised a cautious approach to IT risk – for example, Data Protection Officers have been a fixture in German organisations since 2001, 17 years prior to the GDPR coming into force, and are a mandatory appointment for organisations with more than nine people handling personal data.
The level of IT security monitoring expected of German companies is high, and directors can be held personally liable if a security breach is found to have been caused by human error or a failure in the company’s IT security practices.
United Arab Emirates (UAE)
Directors in the UAE can be held personally liable for incidents relating to cyber risk. It is common practice in the region for directors to be added to a civil claim for a cyber security breach and allegations of mismanagement under UAE Companies Law are increasing.
Under Article 162, UAE Federal Law No 2 of 2015 on Commercial Companies, directors of a company, either public or private, are liable to the company, its shareholders, and third parties for certain acts, including errors in management. This is a wide-ranging offence, and although there is little case law on the subject, there is no reason to conclude breaches in cyber-security management would not be covered.
In 2017, the ASX 100 Cyber Health Check Report found that in Australia, in most cases, Boards are directly responsible for ensuring management are accountable for cyber risk. Although 88% of Boards receive cyber security reports annually, 54% regard these as being too basic for their needs. In addition, two-thirds also say they don’t yet have a set of standard cyber security metrics, or don’t know if they do.
To date, no Australian director has been prosecuted by the Australian Securities and Investments Commission (ASIC) or been party to a civil class action claim for a cyber breach, but this is because the circumstances have not been present to trigger an action. However, Australian directors are at high risk of being held liable for cyber security breaches, because the regulator can bring an action for ordinary negligence. Business judgment cannot be used as a defence, as the decision to bring a prosecution would relate to regulatory compliance. In addition, unlike the United States, no loss to the company needs be shown for a civil claim to be brought for breach of duty of care.
The United States
Directors and executives in the United States face a plethora of personal liability relating to breaches of cyber security. Cybersecurity is now the leading liability concern for directors and officers (D&O), following the coming into force of the GDPR and the California Data Privacy Protection Act.
Regulations vary at State level, but director fiduciary duty law is largely influenced by Delaware law, due to the large number of corporations established there.
Section 141(a), Delaware General Corporation Law establishes that directors owe a duty of care and loyalty to the company. Stone v Ritter 911 A 2d 362, 370 (Del 2006) held that ‘loyalty’ includes a duty of ‘oversight’. In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 971, the Court of Chancery formulated the following standard for assessing the liability of directors where the directors are unaware of employee misconduct that results in the corporation being held liable:
“Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation, as in Graham or in this case, . . . only a sustained or systematic failure of the board to exercise oversight such as an utter failure to attempt to assure a reasonable information and reporting system exists will establish the lack of good faith that is a necessary condition to liability”.
Shareholders can also bring claims against directors for breach of fiduciary duty. Actions are usually based on the claim “by failing to implement adequate information security policies, the directors allowed a breach to occur which damaged shareholders through decreased stock prices”.
The increased threat of cyber security and data protection breaches, the trend internationally, through case law and regulation to hold directors liable if such breaches occur as a result of mismanagement and/or negligence, and the decision in Various Claimants v Wm Morrisons Supermarket, all point to the inevitability that directors in the UK are at risk of becoming personally liable in certain circumstances. As such, it is imperative that cyber security now be ranked among the most pressing of business risks, and, therefore, that directors not only have a full understanding of its implications but take positive action to mitigate that risk through business and cultural change, and ongoing monitoring, and refinement.
Lineal is a global leader in providing flexible cyber security support. To find out more about our cyber security services, please call us on +44 (0)20 7940 4799 or email firstname.lastname@example.org.