Privacy, Technology and Perspective
Cyber Liability for Directors and Officers. This week, let’s revisit the topic of privacy and cybersecurity liability for executives and boards of directors. Earlier last year, we had predicted that this area would get hotter, and indeed it has. For background, and specific information about Caremark claims, you can read our previous post, entitled “CEO Indictment and Derivative Litigation May Foretell the Next Chapter in Privacy and Cyber Liability,” by clicking on the following link:
Let’s summarize where we are today:
CEO Liability: Drizly – The FTC has taken action against Drizly’s CEO for that company’s privacy and cybersecurity failures and has proposed a consent order that is meant to follow the CEO into his future businesses, so that he remains personally bound to data security obligations regardless of where he works next. You can read more about the FTC’s action against Drizly and its CEO by clicking on the following link to our Privacy Plus+ post, entitled “FTC takes Action Against Drizly and its CEO: Will Protecting Data Become a Priority for CEOs?”:
Chief Security Officer Criminal Liability: Uber – In early October, Uber Technologies, Inc.’s (Uber) former Chief Security Officer (CSO), Joseph Sullivan, was convicted of criminal obstruction of a Federal Trade Commission (FTC) investigation and of misprision of a felony (knowing of a felony yet taking active steps to conceal it), after attempting to cover up a data security breach while an FTC investigation was pending. Sullivan had been assisting the FTC with that investigation, but he did not report the new data breach. Rather, he instructed his staff to conceal it and asked the hackers to sign non-disclosure agreements in exchange for $100,000 in Bitcoin, which he routed through the company’s “bug-bounty” program. There were more twists and turns in this case, but what seems notable is that Uber’s then-CEO may also have learned about the breach, as may one or more Uber lawyers (and Sullivan himself was a lawyer). Yet only when a new CEO took control of the company and discovered that Sullivan had lied did Uber report the 2016 breach to the FTC. After that, Sullivan apparently took the fall, while other senior officials did not. Was he a “Chief Scapegoat Officer,” or were his lies his responsibility alone? The answer isn’t clear, but Sullivan’s conviction is. You can learn more by reading the following press release from the U.S. Attorney’s Office for the Northern District of California.
The following links are similarly illuminating:
• Criminal complaint in US v. Sullivan: https://www.justice.gov/d9/press-releases/attachments/2020/08/20/3-20-mj-71168jcs.pdf
• Indictment in US v. Sullivan: https://www.justice.gov/d9/pages/attachments/2022/06/28/sullivan_indictment.pdf
• Superseding indictment in US v. Sullivan: https://www.justice.gov/d9/pages/attachments/2022/06/28/sullivan_superseding_indictment.pdf
Board Liability: SolarWinds – Since the hack of SolarWinds by the Russian Foreign Intelligence Service, numerous derivative actions have been filed against the company and its directors. While some of these actions remain pending, SolarWinds’ most recent 8-K reflects a $26M settlement paid by the company on behalf of its officers and directors. The 8-K expressly states that the settlement payment will be funded by the applicable directors’ and officers’ liability insurance. To review that 8-K, you can click on the following link:
Interestingly, the settlement follows the Delaware Court of Chancery’s dismissal of a Caremark claim against the SolarWinds board of directors for failure to oversee the company’s operations. Although the plaintiffs alleged that the Board had failed to monitor the company in a way that would have prevented the cybercrime, the Court found that the facts pleaded did not plausibly show that the Board lacked oversight of its “mission critical” cyber risks: the Board had a committee that considered cyber issues and, by 2019, an express charge requiring that committee to discuss cyber and data security issues with management. See Construction Industry Laborers Pension Fund et al. v. Bingle et al., C.A. No. 2021-0940-SG (Del. Ch. Sept. 6, 2022), a link to which follows:
Our thoughts: Many companies are overdue for a serious look at their corporate governance of data privacy and cybersecurity. The above-referenced cases provide poignant illustrations of what can go wrong. They may foretell a future in which regulators and plaintiffs’ lawyers are hyper-focused on holding management and directors personally accountable for failures and for lack of transparency. This seems especially likely when considered alongside the recent proposed amendments from the Securities and Exchange Commission (SEC) and the New York Department of Financial Services (NY-DFS), both of which signal that regulators expect the Board and management to take full responsibility for cyber risk. Cybersecurity and privacy matters not only pose material risks to companies; they may also pose personal liability risks for the directors and officers handling them. It is time for every director and officer to insist upon transparency and better governance, including processes for informing the Board about material cybersecurity and privacy issues. SolarWinds also suggests that directors (and companies) should ensure that they carry robust directors’ and officers’ (D&O) liability insurance coverage.
For more information, you can visit the following links:
• SEC’s press release, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies”: https://www.sec.gov/news/press-release/2022-39
• SEC’s proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: https://www.federalregister.gov/documents/2022/03/23/2022-05480/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
• NY-DFS’s Proposed Second Amendment, 23 NYCRR 500: https://www.dfs.ny.gov/system/files/documents/2022/10/rp23a2_text_20221109_0.pdf
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.