Your organization will in all likelihood suffer a cyberattack. According to a recent study by Accenture, the average Canadian organization faces about 96 cyberattacks per year, nearly one third of which result in a security breach. The aftermath of cyberattacks often leaves a wake of victims whose personal information has been breached, and correspondingly massive exposure for the companies that have been attacked.
By now, directors (hopefully) know that they have to take reasonable steps in connection with preventing and responding to cyberattacks. If they fail to do so, not only do they compromise the viability of the company which they oversee but they risk personal liability.
Decoding what specific steps one should take as a director is critical. A series of United States decisions dismissing shareholder claims against directors provides guidance for directors on this potential exposure.
In a November 2016 decision in The Home Depot case, specific guidance was given for directors. In that case, the shareholders alleged that directors failed to implement adequate data security mechanisms; failed to exercise proper oversight of cybersecurity issues; and failed to adequately respond to cybersecurity threats. The steps taken by Home Depot’s board of directors which led to the court's dismissal of the claim against them included:
Determining exactly what amounts to "reasonable" and "defensible" conduct by directors in the context of data security is further informed by the United States decisions in Wyndham v Holmes, 14-CV-01234 (SRC) [Wyndham] and Davis v Target Corporation,14-CV-00203-PAM-JJK [Target]. In those cases, reasonable and defensible conduct by the directors included:
While the shareholder claims against directors have not yet succeeded, directors should not underestimate their potential exposure. In the cases discussed above, the courts dismissed the claims on the basis that the directors took all reasonable steps in the circumstances. What is reasonable is an evolving standard and directors must continually update themselves as to their obligations. In this regard, directors are advised to consult counsel on a regular basis to minimize their potential exposure in this increasingly risky area.
The Bennett Jones Cybersecurity Team comprises a group of highly skilled partners and associates in the area of cybersecurity.