Shareholder cyber litigation: What boards must know

Since 2015, corporate directors and members of the board of directors have faced an increase in the threat of cyber-related litigation, as well as an increased number of lawsuits filed against them. These lawsuits range from traditional shareholder derivative lawsuits to class action lawsuits to stock-drop securities fraud related lawsuits. Board members must understand the threats of litigation and take proactive steps to protect themselves.

Equifax Breach Fallout

The Equifax data breach affected more than 145 million U.S. customers making it one of the largest and most catastrophic data breaches in U.S. history. The size and depth of this data breach, as well as the widely criticized response from the company, has reshaped the conversation surrounding data breach response and board member liability. The breach elicited a strong response from both federal and local lawmakers and helped lead to new laws and regulation, such as the California Consumer Privacy Act of 2018. A handful of U.S. senators also introduced a bill requiring executives to serve jail time if they intentionally covered up a breach, and many congressional leaders supported the notion of a national data breach notification law.

In addition to the response from lawmakers, a wide array of litigation was also launched against Equifax. More than 240 putative class action lawsuits were filed against Equifax, and Equifax also faced suits from investors unhappy with the stock price decline following the breach.

Types of Lawsuits against Board Members

Board members must understand that they not only face exposure from consumer-related lawsuits, but board members also face direct exposure from shareholder lawsuits. A derivative lawsuit allows a shareholder to hold corporate directors and management accountable for their actions by bringing a lawsuit on behalf of the company when the company failed to bring such a suit itself. To do so, the shareholder(s) would file a claim on the company's behalf, with any money recovered going to the corporation, not the individual shareholder, because the violation only harmed the organization.

The shareholders of Yahoo! Inc. brought such a lawsuit alleging that the former officers and directors of the company breached their fiduciary duties in the handling of consumer data during a series of cyberattacks from 2013 until 2016 affecting three billion Yahoo user accounts. The former officers and directors agreed to pay $29 million to settle the charges, and the Santa Clara Superior Court affirmed the settlement making it the first court to award monetary damages to a company in a data breach-related derivative lawsuit. Fortunately, for Yahoo! Inc., its insurance carrier will be funding the entire settlement.

In addition to derivative shareholder lawsuits, massive data breaches have also led to stock-drop securities fraud lawsuits. These lawsuits allege that the corporate directors and/or management misrepresented their data security posture, or covered up a breach in public statements or SEC filings. The Equifax investors suing for the stock price decline is an example of such a suit. Needless to say, cyber breach incidents have prompted various forms of litigation and increased board members, senior executives, and management's exposure related to it.

The PayPal Ruling

Like many state courts in the nation, federal courts are also grappling with how to handle stock price-drop suits. One such suit was initiated against PayPal after it made public disclosure of a data breach incident, potentially affecting 1.6 million customers, at TIO Networks Corp. -- a subsidiary that PayPal had recently acquired. The public disclosures triggered a 5.75 percent drop in PayPal's stock price, so plaintiffs' shareholders filed suit alleging that the public disclosures were materially misleading, and that the corporate officers knew that the disclosures were misleading.

On Dec. 13, 2018, the U.S. District Court for the Northern District of California granted PayPal's motion to dismiss the case. The judge found that the plaintiff shareholders had failed to sufficiently allege that PayPal's officials intended to defraud the shareholders when they made public disclosure of the problem.

While many corporate directors will view this as a welcome result, the court will allow the shareholders to amend their complaint to cure the deficiencies, which led to the dismissal. Thus, this matter is far from resolved. This ruling makes clear that courts will entertain these types of lawsuits if an intent to defraud is sufficiently pled, so companies must be careful as to how they describe their privacy/cybersecurity policies and be equally as careful with their description of a breach and the company's response thereto.

Takeaways for Board Members

So, what should board members do to protect themselves? First and foremost, all company leaders should educate themselves as to the very real cyber threats that exist, as well as board oversight responsibilities with respect to cybersecurity, and ensure that the proper cybersecurity insurance policy has been procured. The $29,000,000 Yahoo! Inc. settlement underscores the importance of having adequate, comprehensive insurance in place. In addition, regular audits should be conducted (in conjunction with the company's security engineers and IT leaders) as to the status of a company's defenses and preparedness to deal with a variety of cyberattack vectors. The burgeoning array of litigation directed at board members also demonstrates the importance of accurately describing privacy and cybersecurity policies, as well as the importance of quickly and honestly dealing with a data breach. No company can be totally protected from every possible cyberattack; however, board members will be well served to acknowledge the threats, take proactive steps to protect their companies from attack, and if an attack occurs, be prepared to efficiently respond to an attack.