Q2 | Torys Quarterly, Spring 2024

Director and officer liability for cybersecurity: practical steps for boards and management

As an enterprise-wide concern that involves the responsibilities of senior officers, directors and any incident response or other related committees, cybersecurity risk has been raising the stakes for D&O liability in recent years. The rising expectations of shareholders, regulators and other stakeholders for how boards and management mitigate cybersecurity risk are similarly reflected in the case law governing D&O liability. In this article, we discuss case law developments and offer best practices on how directors and officers can ensure their organizations are covering their compliance obligations.

Google’s shareholder data privacy lawsuit

In February, Google proposed to settle a U.S. shareholder class action relating to a cyber vulnerability for US$350M, one of the larger cyber-related securities settlements in history.

Background

The settlement is the result of a cyber vulnerability that spanned 2015 to 2018, which had allowed third-party developers “potential” access to Google+ social media profile information without users’ knowledge, including names, addresses, interests and other personal data. While Google had obtained internal legal advice that the issue was likely to attract regulatory attention, the vulnerability didn’t meet the company’s internal disclosure thresholds. As a result, management decided not to disclose the “privacy bug”, and subsequent continuous disclosure said there had been no material changes to its risk factors.

After the privacy bug became public, multiple lawsuits followed. Shareholders brought a claim for the loss in share value, naming Alphabet (Google’s parent company) and several officers and directors as the defendants. After nearly six years of litigation, the parties proposed a US$350M settlement on the stipulation that the company engaged in no wrongdoing.

D&O disclosures thought to be materially misleading

The crux of the allegations was that, while no major cyber incident resulted from the vulnerability, Google+ user data was exposed for the entire three-year period, which the company was aware of and did not disclose. The shareholders argued that Google was required to set forth any material changes from risk factors as previously disclosed (through the SEC’s Form 10-Q). Accordingly, they claimed that the company’s Form 10-Qs for the first two quarters of 2018 were materially misleading because they did not disclose additional data security risks related to the privacy bug or the additional risks that would be incurred if Google’s concealment of the bug was exposed.

The developing role of D&O liability in the U.S. (and its potential application in Canada)

The Google case is the most recent wave in a rising tide of U.S. securities litigation targeting both companies and individuals following cybersecurity incidents. While cybersecurity cases against directors and officers have not yet proceeded to trial in Canada, the U.S. developments provide an indication of where Canadian litigation may follow in the coming years, and where securities and privacy regulators may focus enforcement actions.

Take, for example, the SEC charges against SolarWinds and its CISO. A malicious breach of SolarWinds’ software led to a major cybersecurity incident in 2020, affecting corporate and government clients. It was alleged that SolarWinds was aware of the vulnerabilities in its system that led to the 2020 cyber-attack as early as 2019, and its earlier disclosure was misleading. SolarWinds settled its securities class action in 2022 for US$26M.

In 2023, the SEC charged SolarWinds on allegations of fraud, insufficient controls and incomplete disclosure, as well as the CISO for alleged failure to escalate risks internally. Among other relief sought, the SEC is seeking to bar the CISO from acting as a director or officer of other companies.

A bellwether for future Canadian litigation

These recent cases follow a line of U.S. decisions in the last five years that outline consistent themes in which directors and officers were held to account for their oversight of cybersecurity risk, setting the stage for similar Canadian class actions to follow. In these recent cases, lawsuits have been permitted to proceed against directors and officers on the following grounds:

  • The Delaware Court of Chancery permitted class actions against directors in two cases where there was a lack of demonstrable oversight of cybersecurity risk, such as regular reporting processes and appropriate safety measures.
  • In Drieu v Zoom, shareholders of Zoom sued the company and two of its officers, alleging they withheld information on cybersecurity vulnerabilities.
  • In Laboratory Corporation of America Holdings v Berberian, both directors and officers allegedly neglected their fiduciary duties by failing to prevent data breaches, including a breach at a third-party service provider to the company.

Management and directors on both sides of the border can seize on these themes as focus areas for cybersecurity governance.

Practical insights for directors and officers

Canadian companies also face corporate governance, privacy and securities regulatory, and reputational risk imperatives to closely monitor cybersecurity risk. As privacy law reforms across the country provide more avenues for personal liability, directors and officers have increased reason to review internal incident response protocols, risk management frameworks and external communications protocols.

Below, we outline cyber risk mitigation tips to help companies exercise their oversight function.

  • Thoroughly document and annually review the company’s cyber risk assessment and mitigation processes, considering management’s role (such as which officers are responsible and which management committees are involved), the board’s oversight of these processes, and how the cyber risk framework intersects with the company’s enterprise-wide and third-party risk frameworks.
  • Identify the individual(s) or committee(s) responsible for cyber strategy oversight, including internal reporting on vulnerabilities and cybersecurity resources, and monitoring for industry trends and regulatory reforms. If the board doesn’t have a standing committee on cybersecurity, prepare in advance to create an ad hoc committee to manage major cyber incidents by preparing terms of reference, identifying members, management, and external advisors who will be called on as resources, and discussing the factors that will trigger the establishment of the committee.
  • Seek internal feedback, expert advice and benchmarking to assess whether the company has allocated sufficient resources for cybersecurity assessment, threat monitoring and improvement in light of the company’s risk profile.
  • Officers should candidly report on cyber vulnerabilities, weaknesses and mitigation strategies to the board, even when they don’t meet strict materiality thresholds or may have resulted from employee error.
  • Directors should have appropriate training on cyber risk to effectively examine whether management’s reports on the risk landscape are current and sufficiently specific to the company, sector and industry. How does the company track isolated cybersecurity events to identify systemic risks or recurring events that collectively become material risks?
  • Review the scope and quantum of insurance coverage to ensure that D&O and cyber policies adequately address the costs of incident response, litigation and regulatory proceedings. Boards may benefit from additional education on how management determines what cyber insurance is appropriate, and management should consider providing annual updates to the board on how it has assessed appropriate insurance, what risks and expenses are covered, and which external advisors (e.g., an insurance broker) and cyber incident scenarios supported the assessment.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.