Director and officer liability for cybersecurity breaches in Canada and the U.S.
Cybersecurity remains a top priority for boards and senior management across Canada and the United States. They are wise to maintain this focus to protect the organization. Data is critical to company value and strategy, and cyber attacks increase costs and business interruptions.
However, there is also the individual factor: what risk of personal liability exists for officers and directors following a corporate cybersecurity breach?
There are of course legal protections for directors and officers that shield or at least limit their liability. At the same time, the common law has developed to allow plaintiffs to pierce the corporate veil in some circumstances and hold individuals personally responsible. In addition, statutory frameworks are increasingly holding individuals personally for corporate breaches.
Liability in Canada: growing exposure, no cases yet
While common law and statutory avenues exist to pursue individuals for corporate data breaches, there have not yet been any cases decided in Canada involving director and officer liability for cyber incidents.
There are several federal and provincial regimes in Canada which may expose directors and officers to liability in the aftermath of a cyber attack.
Directors and officers owe statutory and common law duties to exercise reasonable care and diligence in running the company, including exercising appropriate oversight over the company’s cybersecurity program. Investors or other stakeholders could pursue such claims against directors and officers through a derivative action, on behalf of the company, to seek to remedy the harms suffered by the company as a result of director or officer negligence.
Under securities law, directors and officers can be held liable for omissions or misrepresentations in the company’s public disclosure, which could include disclosures about the status of cybersecurity incidents, risks and preventative measures.
In Alberta and British Columbia, privacy legislation provides for offences if “an organization or person” obstructs a regulatory investigation into a breach, fails to report an incident that meets the mandatory reporting threshold, or retaliates against employees who raise concerns about the protection of personal information1. There are, however, due diligence defences that would protect corporate representatives who made reasonable decisions even if the regulator disagreed with the course of action. Fines can be up to $10,000 per natural person per offence.
Meanwhile, in Québec, section 10 of An act respecting the protection of personal information in the private sector sets out a more specific compliance obligation that a person:
… carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information … and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, and the quantity and distribution of the information and the medium on which it is stored2.
With the passing of Bill 64, the Québec regulator may impose administrative monetary penalties on “anyone” who fails to report breaches or take appropriate security measures to protect personal data. Penalties can be up to $50,000 per individual per violation. In addition, the Québec Act provides for similar offences, which can attract fines of up to $100,000 per person upon conviction, and up to $200,000 for subsequent offences. While a due diligence defence will be available, the courts will also consider, among other factors, efforts to conceal the violation and any failures to act to prevent foreseeable violations3.
Recent developments in the United States
Meanwhile in the United States, there are increasing attempts to hold directors and officers liable for the impacts of cyber incidents on companies and their shareholders. Most have been unsuccessful to date, but largely for technical or procedural reasons.
Two decisions adjudicating Caremark claims4 shed light on the analysis a court may apply when considering director liability for a data security breach5. In the contexts of food and aircraft safety, respectively, Delaware courts permitted claims to proceed against directors where there was 1) no board committee to address the specific risks and threats; 2) a lack of procedures for reporting from management to the board concerning the company’s compliance practices; 3) presentation to the board of positive events, but not the existence of negative reports; and 4) no regular discussion at board meetings of the risk and threats in question.
In fact, the Delaware Court of Chancery applied the above analysis to claims arising out of a data breach involving Marriott Hotels, observing that directors need to monitor and ensure there is proper oversight for cybersecurity, and unless they act in good faith, they could be held liable6. In this case, allegations that the directors concealed the data breach were not made out.
Major consequences abound. In 2019, a shareholder derivative action against Yahoo for data breaches settled with former directors for $29 million7. The action alleged that the directors failed to put appropriate safety measures in place and made false and misleading statements about their knowledge of the data breaches.This was one of the first successful actions of its kind, and the settlement amount demonstrates just how serious the involvement of directors and officers is to companies handling cyber incidents.
There is potential for liability under U.S. securities law as well, as is playing out with Drieu v. Zoom Video Communications Inc. The rise of Zoom as a primary means of videoconferencing during the COVID-19 pandemic was soon met with a drop in stock prices when news broke that webcams and video feeds could be hacked due to a lack of encryption8. The fraud suit, on behalf of a class of Zoom shareholders, names two of Zoom’s officers as defendants and alleges that the company failed to disclose these privacy issues9.
More recently, on March 9, 2022, the U.S. Securities and Exchange Commission proposed rules that, if adopted, would mandate prescribed disclosures on material cybersecurity incidents, the board’s oversight of cybersecurity risk and management’s role in managing that risk.
Conclusion
As the legal landscape of cyber risk and liability continues to evolve, directors and officers should continue to monitor the growing potential for exposure. Directors’ and officers’ conduct will be scrutinized with the 20/20 vision of hindsight by investors and regulators.
In addition to ensuring directors and executives have—or have access to—cybersecurity expertise, boards of directors and management should:
- update risk management frameworks regularly to identify and manage emerging cyber and data protection risks;
- review incident response plans and hold regular tabletops to practice the plan with all relevant team members and decision-makers;
- discuss whether additional policies and playbooks are required as cyber threats evolve, including how the company will decide whether to pay in response to a ransomware event;
- reassess insurance coverage, particularly with respect to the intersection of cyber and D&O liability policies, coverage limits, and whether regulatory penalties or fines are excluded from reimbursement; and
- ensure that public disclosure of cyber risks is specific to the company, updated regularly and not rendered boilerplate.
These steps will not only help the business protect itself from and respond to cyber attacks. They will also support a due diligence defence if cyber attacks lead to regulatory investigations or litigation against directors or officers personally.
- Personal Information Protection Act, SA 2003, c P-6.5; Personal Information Protection Act, SBC 2003, c 63.
- The Delaware Supreme Court’s 1996 Caremark decision established a legal framework for holding directors personally liable for breaching the duty of loyalty when the directors fail to “appropriately monitor and supervise the enterprise.” Under Caremark, directors may be liable when (i) “a board decision that results in a loss because that decision was ill advised or ‘negligent,’” or (ii) “an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.” In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
- Marchand v. Barnhill, 212 A.3d 805 (Del. 2019); In re Boeing Co. Derivative Litig., No. 2019-0907-MTZ, 2021 WL 4059934 (Del. Ch. Sep. 7, 2021).
- Firemen’s Ret. Sys. v. Sorenson, No. 2019-0965-LWW, 2021 WL 4593777 (Del. Ch. Oct. 5, 2021).
- In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2019 WL 387322 at *2 (N.D. Cal. Jan. 30, 2019) (citing In re Yahoo! Inc. S'holders Derivative Litig., Lead Case No. 17-CV-00787-LHK, ECF Nos. 41-2 (N.D. Cal. 2018).
- Drieu v. Zoom Video Communications Inc., No. 20-CV-02353-JD, 2020 WL 1696810 (N.D.Cal. April 7, 2020).
- Molly Reynolds and Shalom Cumbo-Steinmetz, “Data governance and Canada’s c-suite: are directors and officers liable for cybersecurity failures?” (December 10, 2020), online: www.torys.com/our-latest-thinking/publications/2020/12/data-governance-and-canadas-c-suite.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2024 by Torys LLP.
All rights reserved.