Spilman Thomas & Battle, PLLC
  October 10, 2022 - Charleston, West Virginia

Cybersecurity Is Everyone’s Responsibility
  by Nicholas P. Mooney II, Alexander L. Turner

as published in West Virginia Banker magazine, Fall 2022

A recent survey by PricewaterhouseCoopers (“PwC”) revealed that U.S. executives now consider cyberattacks the number one risk their companies face. Concerns about cybersecurity have moved beyond the Chief Information Security Officer (“CISO”) to the entire C-suite and corporate boards. Recent developments show executives are right to worry about those attacks because they can result in monetary loss, personal liability, and reputational risk.
 
Litigation & Governmental Action
 
Cyberattacks that result in data breaches often lead to litigation, but courts have been quick to dismiss lawsuits when the plaintiff complains only of a fear of identity theft or some other type of future harm. In those instances, courts have held that those plaintiffs lack the required injury-in-fact that conveys standing to bring a lawsuit. Courts also have held that companies are not required to absolutely protect customers’ and employees’ personally identifiable information (“PII”), but that they only need to take “reasonable” steps to protect the data they maintain.
 
On the other hand, there is a real concern regarding possible governmental action if it is determined that officers and board members failed to take necessary steps to secure their companies’ computer networks. The Consumer Financial Protection Bureau (“CFPB”) recently stated that financial institutions may be in violation of the Consumer Financial Protection Act (“CFPA”) if they fail to take adequate measures to safeguard consumers’ data. The CFPB stated that financial institutions should implement multi-factor authentication, adequate password management, and timely software updates. Although the CFPB did not require financial institutions to implement these recommendations, it did state that failure to implement these simple suggestions could trigger liability under the CFPA.
 
Reducing Risks for the Company
 
The lack of a comprehensive federal cybersecurity law complicates the ability of CISOs to take steps to reduce the risk of a lawsuit or governmental action. Nonetheless, there are several steps they can take to reduce these risks:
 

 
Implementing these policies and procedures, along with the CFPB’s recommendations, should help stave off enforcement actions by federal and state regulators in the event of a data breach or ransomware attack, in addition to lessening the risk of civil litigation.
 
Reducing Personal Risks for the C-suite & Boards of Directors
 
Another concern is that officers and directors risk being personally named in lawsuits brought by customers whose personal data was exposed as a result of the breach and by shareholders against the financial firm. CISOs have immediate responsibility for a company’s cybersecurity, and they would likely be the first target for a plaintiff looking for officers to name personally in a lawsuit. But, in the past 10 years, plaintiffs have tried to hold C-suite executives and company directors personally liable. These classes of plaintiffs likely will allege that the officers breached their fiduciary duty to protect the plaintiffs’ personal information or that they unnecessarily exposed the company to liability. If the lapse in cybersecurity can be shown to result from the director’s failure to properly prepare for cyberattacks, there is a narrow path for aggrieved parties to hold directors personally liable: a plaintiff must prove that (1) the board of directors made a decision that resulted in a loss because that decision was ill-advised or negligent, or (2) the board failed to act in circumstances in which due attention would, arguably, have prevented the loss. Attentiveness to known threats and taking reasonable actions to counter those threats will provide strong defenses against personal liability claims against officers and directors.
 
There are many steps officers and directors can take to reduce the likelihood that they are held personally liable after a cyberattack or data breach. They include:

 
Working as a team to secure customers’ data will reduce the liability of directors in the event of a data breach.
 
The PwC survey shows that cybersecurity issues are front-and-center in U.S. executives’ minds. The above-referenced recommendations may not stop all data breaches, but by enacting them, your financial institution will significantly lower the likelihood of litigation after a data breach. Putting these recommendations into service also will help keep the regulators at bay. If litigation or governmental action cannot be avoided after a cyberattack, implementing these recommendations increases the likelihood of a favorable outcome.
Read full article at: https://www.spilmanlaw.com/dataentry/resources/attorney-articles/technology/cybersecurity-is-everyone’s-responsibility?feed=Attorney-Articles