A prior blog post on corporate governance and cybersecurity mentioned recent high-profile cyberattacks on companies like Sony, Home Depot, Target, and Yahoo, and discussed the growing role the board of directors has in overseeing a corporation’s cybersecurity risk management. ((See Andrew Norwich, Examining the Board’s Oversight Duties in the Cybersecurity Context, MBELR Online (Mar. 31, 2017), http://mbelr.org/examining-the-boards-oversight-duties-in-the-cybersecurity-context/.)) That blog post ended noting that, given the complexity of cybersecurity, the severe consequences an attack can have on corporations, and the role of the board in this area, perhaps it is time for Delaware courts to better align fiduciary duty standards with evolving expectations of shareholders and cybersecurity “best practices” and regulations by adding meaning to the Caremark standard. ((Id.)) This blog post argues that courts can – and should – act in this area. In particular, I argue that courts can use industry standards, comprehensive cybersecurity best practices, and cyber regulations from agencies like the SEC to determine what it means for directors to discharge their duties in this area in good faith.
Revisiting Caremark and Stone
In Stone, The Delaware Supreme Court articulated that an oversight breach occurs only when the board either (1) “utterly failed to implement any reporting or information system or controls,” or if (2) “having implemented such a system or controls, consciously fails to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” ((Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 371 (Del. 2006).))
The low standard articulated by these prongs renders the test nearly toothless. ((See Anne Tucker Nees, Who’s the Boss? Unmasking Oversight Liability Within the Corporate Power Puzzle, 35 Del. J. Corp. L. 199, 224 (2010).)) The first prong requires either “sustained or systematic failure” or “utter failure” for the standard of care to be violated. ((Id.)) This standard of care for directors regarding oversight is very low. Very few corporations will have no cybersecurity measures in place, and most competent boards likely regularly discuss cybersecurity measures. Does that mean they are discharging their fiduciary duties? At bottom, it’s debatable, and I believe courts should demand more of directors. At the very least, courts should add meaning to the definition of a “conscious failure” of directors in their oversight duties.
In the Wyndham case ((Palkon v. Holmes, No. 2:14-cv-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).)) mentioned in my last blog, as well as similar suits against Target ((In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304 (D. Minn. Dec. 2, 2014).)) and Home Depot ((In re The Home Depot, Inc. S’holder Derivative Litig., 2016 WL 6995676 (N.D. Ga. Nov. 30, 2016).)), shareholders alleged glaring deficiencies in cybersecurity standards and monitoring, yet these allegations were not enough to get past the procedural hurdles that make it so difficult for shareholders to challenge director action. ((Home Depot, supra note 8, at *10; Target, supra note 7, at 1314; Palkon, supra note 6, at *6-7.))
In the Target case, for example, the shareholders alleged that Target’s point-of-sale security, which was a type designed to protect credit and debit card information, was not even in compliance with the industry norm, which itself has come under increasing scrutiny for being too lax in today’s cyber climate. ((Target, supra note 7, at 1313.)) It was the same story in Home Depot, where shareholders alleged a number of deficiencies that even the CEO acknowledged in addition to the fact that 75% of Home Depot stores did not have encryption security installed. ((Home Depot, supra Note 8, at *3.)) Further, after the breach it took the company six days to install the security system in these remaining stores. ((Id.)) But in these cases, both because of procedural hurdles and because of the substantive standards of what it takes to allege that directors acted in bad faith, shareholders were not able to meaningfully challenge the directors. For the courts, that the directors took some action—received reports, had plans in place, etc., was enough for them to discharge their duties. ((Home Depot, supra note 8, at *10; Target, supra note 7, at 1314; Palkon, supra note 6, at *6-7.)) In today’s cybersecurity climate, boards should do more, and courts should allow shareholders to hold them account outside of director elections.
Caremark repeatedly mentions a director’s “obligation to be reasonably informed,” the duty to “exercise reasonable oversight,” and the necessity to “assure a reasonable information and reporting system.” ((In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970-71 (Del. Ch. 1996).)) Increased awareness by boards about the importance of cybersecurity as well as heightened government and regulatory scrutiny in this area should drive what it means for directors to be reasonably informed. Indeed, in Caremark itself, Chancellor Allen noted that federal law was relevant to understanding director governance responsibilities under state law. ((Id. at 968.)) For shareholders to be able to challenge directors in this area, courts need to look outside of the Caremark line of cases to determine what truly is reasonable conduct in this area.
Admittedly, courts have difficulty selecting the right standard in order to add meaning to Caremark. But including conscious disregard of industry standards and norms seem like a good start. As mentioned, in both Target and Home Depot the shareholders alleged that each company was not even in compliance with basic industry norms related to payment security. ((Home Depot, supra note 8, at *2; Target, supra note 7, at 1313.)) And in Target, the shareholders alleged that had the directors monitored this security system as it was designed to be monitored, the breach might have been detected far earlier than the 18 days it actually took. ((Target, supra note 7, at 1310.))
Another alternative would entail judging directors’ conduct against important, comprehensive, flexible cybersecurity frameworks and looking to insights from regulatory enforcement proceedings. The last few years have seen tremendous action in this area, as governments and private entities have often worked together to design frameworks companies can use to assess their cybersecurity practices and design cybersecurity systems that work for their particular organizations. For instance, former President Barack Obama called for the development of a voluntary Cybersecurity Framework that, after numerous workshops and input from government and private actors, came to be known as the NIST Framework. ((Press Release, Office of the Press Secretary, Statement by the President on the Report of the Commission on Enhancing National Cybersecurity (Dec. 2, 2016), https://www.whitehouse.gov/the-press-office/2016/12/02/statement–president–report–commission–enhancing–national-cybersecurity.)) The “Framework’s creators were tasked with developing an approach that could adapt to future, unknown technologies while also allowing the Framework to be used across industries” that would also “mature over time, allowing areas of improvement to be recognized and accounted for in the future.” ((Id.))
The Framework takes a “risk-based approach for organizations to detect, mitigate, and respond to cyber threats” and is adaptable enough to “scale across borders, acknowledge the global nature of cybersecurity risks, and evolve with technological advances and business requirements.” ((Nat’l Inst. Of Standards & Tech., U.S. Dep’t of Commerce, Framework For Improving Critical Infrastructure Cybersecurity 1 (2014), https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.)) The Framework offers guidance on implementation and is specifically designed to be flexible enough for adaption by a host of organizations. ((Id.)) Ultimately, the Framework “provides an excellent basis for organizations to implement leading practices as they seek to improve their cybersecurity— not simply do a ‘one-time fix’ to their IT systems, but to assess and manage the risks to their valuable information intelligently and systematically.” ((Center for Responsible Enterprise and Trade, Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation 16 (2016), https://create.org/resource/cyber-risk-navigating-rising-tide-cybersecurity-regulation/.)) Courts can compare director action against leading practices to see how they stack up. If directors fall short of even grappling with and trying to meet evolving standards (or determining why other standards or practices make more sense in their position), or if they impose monitoring systems and then fail to keep up with best practices, such behavior could be considered a breach of their oversight duties.
Regulatory action can provide insights to courts as to what constitutes acceptable practices in this area. For instance, the United States Securities & Exchange Commission (SEC) has recently stepped up its enforcement action against corporations for having lax data security policies and procedures. A prominent example is the SEC’s proceeding against Morgan Stanley Smith Barney LLC in which the SEC found Morgan Stanley violated Rule 30(A) of Regulation S-P, also known as the “Safeguards Rule.” ((See In the Matter of Morgan Stanley Smith Barney LLC, 2016 SEC LEXIS 2142 (June 8, 2016).)) Specifically, the SEC found that Morgan Stanley’s policies and procedures related to portals that allowed its employees access to confidential customer information were not reasonable, that Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on legitimate business need. ((Id., at 6-8.)) The SEC further found that Morgan Stanley did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of these portals. ((Id.)) Ultimately Morgan Stanley settled and agreed to pay a $1 million penalty. ((Id., at *15.)) It’s possible that courts can look to already-existing regulations for corporations in particular industries to help them determine what constitutes a breach of the duty of loyalty in the oversight context.
While the director’s fiduciary duty of loyalty has been a fundamental feature of corporate jurisprudence, the contours of the duty have evolved over time. The traditional notion of loyalty is “typically implicated when directors engage in self-dealing, or when they take personal benefits if those benefits are not shared with all the shareholders.” ((Andrew S. Gold, The New Concept of Loyalty in Corporate Law, 43 U.C. Davis L. Rev. 457, 459 (2009).)) Caremark, decided in 1996, reflected a departure from outdated theories of board fiduciary duties and introduced the concept of “red flags” and a board’s legal duty to create and monitor effective oversight systems. ((See Caremark, supra note 14.)) Indeed, the Delaware Supreme Court’s clarification of Caremark in Stone was considered by scholars “[a]n important new category of director liability” merely eight years ago. ((Gold, supra note 27, at 459.))
Given that cybersecurity monitoring is now certainly within the board’s purview, it is time for Delaware law to grow. Increasingly, the United States government, its regulatory agencies, and international governments are demanding more of corporations to protect sensitive data and the financial and reputational well-being of the corporation. Shareholders’ expectations as to what constitutes good corporate governance are evolving as well. Caremark standards should be adapted to allow meaningful shareholder challenges to director conduct that might be considered bad faith considering evolutions in cybersecurity practices and standards. Such reforms would better balance the legitimate deference owed to directors as managers and overseers of the corporation while also allowing shareholders to seek accountability when breaches do occur.
Latest posts by Andrew Norwich (see all)
- Delaware Courts Should Add Meaning to Caremark’s Board Oversight Standards in the Cybersecurity Context - April 8, 2017
- Examining the Board’s Oversight Duties in the Cybersecurity Context - March 31, 2017
- What’s Next for Merchants and Consumers After the Second Circuit’s Decision in United States v. American Express? - January 22, 2017