The role of the Board of Directors has necessarily adapted to include an increased focus on risk management. In our digital world, cyber-attacks are now a pervasive risk and the perceived lack of board oversight has garnered scrutiny by consumers, regulators, legislators, litigants and the media.
News headlines in 2013 and 2014 underscore that the frequency and magnitude of cyber-attacks is greater than ever. Large scale cyber-attacks have left corporate victims scrambling to remedy their financial and reputational injury. Over the past number of months, a number of high-profile examples of security breaches – including the release of millions of customers’ credit card information and email addresses – have appeared on front pages in newspapers around the world. It is clear this issue affects both private and public companies and can dramatically impact the integrity of the capital markets. The cost to remedy a cyber-attack can easily run into the millions of dollars, not to mention the reputational cost and threat of litigation, which are far more difficult to quantify.
Risk of Class Action Litigation from Cyber Attacks
In Ontario, several class actions have been certified or partially certified, where the alleged wrong is premised on the collection and subsequent loss of customer information.
In Evans v. Bank of Nova Scotia, a bank employee provided his customers’ confidential information to his girlfriend, who used it to commit identity theft. The affected bank clients are now suing the employee and the bank.
In Condon v. Canada, the Ministry of Human Resources and Skills Development Canada lost a hard drive that contained the names, birthdays, addresses, student loan balances and SINs of 583,000 people. An action was commenced against the Ministry. Over the summer of 2014, the action was partially certified based on breach of contract and the tort of intrusion on seclusion.
These class proceedings are in early stages, and they serve as examples of the risk of collection of electronic customer information.
Third Parties Holding Data is not Immunization from Risk
In the age of electronic commerce, it is not uncommon for third parties to hold information about a company’s clients. In 2013, the Canadian Securities Administrators announced that it was launching an investigation into the Investment Industry Regulatory Organization of Canada (IIROC) after one of its staff members lost a portable device containing information about investment dealer clients.
The confidential information pertained to IIROC member firms, but was possessed by IIROC. The IIROC example illustrates that companies are not immune to risk if their customer data is possessed by a third party. Indeed, providing information to a third party can increase the risk.
The Risk to Boards of Directors
Despite the high-profile examples of the costly impact of cyber-security breaches, a survey issued in 2012 by Carnegie Mellon University CyLab suggests that many boards are not actively addressing cyber risk management, including insisting upon and reviewing security program assessments and policies, reviewing budgets, delegating responsibilities for privacy and security, and being informed regularly of breaches and new risks. Not only does this leave a company exposed, but it also leaves a board exposed to potential shareholder activism.
Boards can minimize their chance of crisis and reduce corporate and director exposure by overseeing the risk management process and ensuring their companies have a clear response plan in the event of a cyber-attack. In a recent speech on the topic, Luis A. Aguilar, a Commissioner of the U.S. Securities and Exchange Commission (SEC), outlined that Boards should, at a minimum, have a clear understanding of who has the primary responsibility for cyber-security risk oversight and ensuring the adequacy of the risk management practices. He also recommended the creation of a separate enterprise risk committee on the board, mandatory cyber-education and regular reporting to the board. Boards should also consider obtaining cyber insurance coverage. A company’s response after a breach of security is just as important as a preventative plan. Boards should ensure that management has a deliberate response plan consistent with best practices for the industry and the goals of the company.
Another key development is the move toward potentially enhanced disclosure requirements for cyber-security risks and practices. The Canadian Securities Administrators suggest that issuers should consider whether the cyber-security risks they face, any cyber-security incidents they may experience, and any controls they have in place to address these risks, are matters that need to be disclosed in a prospectus or a continuous disclosure filing. The SEC has made similar suggestions for U.S. public issuers.
As cyber-attacks become more frequent and more sophisticated, the need for a proactive strategy has never been more important. Directors should make themselves aware of their company’s policies for protection of confidential information, and work to ensure that their policies follow the best practices in the industry. Directors and officers should also ensure that there is adequate liability insurance coverage in the event of a cyber attack.