A recent Business Advocate post, Directors Can Be Held Liable If Boards Are Not "Cyber-Prepared," summarized the responsibility of public, private, and non-profit Boards to ensure that proper cybersecurity measures are adopted.
Specifically, Boards must take certain steps to:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Further, the recent Palkon v. Holmes, No. 14-CV-01234 (D.N.J.) decision teaches Boards that the Business Judgment Rule can protect officers and directors from liability when they demonstrate direct involvement in cybersecurity issues before and after any cyber-events occur. Such preparedness will also be essential to address any prospective regulatory concerns and enforcement actions.
On the other end of the spectrum, while not a "cyber" case, is a recent decision from the Third Circuit Court of Appeals. In re: Lemington Home for the Aged, No. 13-2707 (3d Cir. 2015) offers a cautionary tale to public, private, and non-profit board members who recognize potential organizational and governance risks, but fail to address them. The Lemington Home had provided non-profit nursing home care for African-American seniors since 1883, but, because of service deficiencies and long-standing financial troubles, it ultimately sought bankruptcy protection and closed. The Committee of Unsecured Creditors filed an adversary proceeding against the CEO, CFO, and all 15 former directors, claiming breach of fiduciary duty, breach of the duty of loyalty, and deepening insolvency.
Pennsylvania's fiduciary duty standards are consistent with those of most states and, among other things, impose upon officers and directors the fiduciary duties of care and good faith: they must perform their duties in good faith and in the best interest of the corporation, with the care, including reasonable inquiry, skill and diligence, that an ordinary person would take under similar circumstances. In so doing, directors and officers can rely on information, opinions, reports, or statements, including financial statements prepared by others. However, while officers and directors are protected by the Business Judgment Rule, they typically are not considered to have acted in good faith when they have knowledge about a situation which would cause their reliance to be unreasonable.
In 2013, the jury awarded compensatory damages of $2,250,000; punitive damages of $350,000, individually, against five Directors; and punitive damages of $1 million against the CFO and $750,000 against the CEO. The Third Circuit found that fiduciary duties were breached and, recognizing the "tort of deepening insolvency," that the defendants deepened the insolvency of the institution and damaged any financial viability for the organization. Accordingly, it affirmed the liability findings and the punitive damages awards against the officers, but vacated the award of punitive damages against the Directors stating that the requisite “malice, vindictiveness and a wholly wanton disregard of the rights of others” could not be established for punitive damages.
The Third Circuit found that the evidence supported the jury's findings that the directors did not exercise reasonable care in allowing the named officers to remain in their roles, and that fiduciary duties were breached when the Board failed to take action to remove them once the results of their mismanagement were clear. For example, it was known that proper financial records were not maintained, that the facility had numerous service deficiencies, and several independent reports documented administrative shortcomings. Thus, "[t]his [was] not a case where directors, acting in good-faith reliance on 'information, opinion, reports or statements' prepared by employees or experts, made a business decision to continue to employ an Administrator whose performance was arguably less than ideal..." Rather, the directors in this case "had actual knowledge of mismanagement, yet stuck their heads in the sand in the face of repeated signs that residents were receiving care that was severely deficient."
Failing to properly identify, detect, and protect the entity from organizational risks before they occurred, and failing to properly respond when such failings were exposed, subjected the officers and directors to immense personal liability. Again, In re: Lemington Home for the Aged is not a cybersecurity case. But it is an extremely instructive fiduciary duty case and is an example of the sort of legal analysis that Courts will conduct when a proper cybersecurity case is before them. Palkon v. Holmes shows us what officers and directors can do to protect themselves and their organization from liability; In re: Lemington Home for the Aged provides a preview of what can happen to an organization, and its officers and directors, if proper cyber-risk management and security protocols are not put in place and consistently monitored by management and the Board.
In light of the bipartisan data privacy efforts at both the federal and state levels, and President Obama's new data privacy agenda, increased regulation is inevitable. And with increased regulation comes increased regulatory scrutiny, enforcement actions, and litigation. Officers and Boards must recognize these factors and protect themselves appropriately. As Palkon and In re: Lemington Home demonstrate, the difference between officers and directors being held liable for harms resulting from cyber-events, and being protected from that liability, is proper "cyber-preparedness."