D&O in the Crosshairs

Boards and senior management are in the crosshairs of cyber security. Consumers, shareholders, regulators and legislators seem fed up with the endless stream of cyber attacks that have fueled headlines. Their patience seems to be waning.

Verizon faced a shareholder proposal from the New York State Common Retirement Fund and Trillium Asset Management, which called for linking executive compensation to the company’s success at protecting its networks and assets from cyber attacks. “Executive compensation is already linked to key metrics such as earnings per share, free cash flow and revenue,” said Jonas Kron, Trillium’s senior vice president. “Cyber security and data privacy are equally important, mission-critical concerns.”

The proposal was triggered, in part, by Verizon’s 2017 acknowledgement that all three billion user accounts of its latest acquisition, Yahoo, had been compromised in data breaches a few years before, making it the largest known breach in history. Verizon’s announcement came four months after the company paid $4.48 billion for Yahoo—which reflected a $350 million reduction in price after the breach of 1.5 billion Yahoo users was revealed before the acquisition closed. (Verizon did not know at the time that twice as many user accounts had been breached.) In April 2018, the Securities and Exchange Commission also fined Altaba, the new name for the part of the Yahoo business that wasn’t transferred in the Verizon deal, $35 million for failing to inform investors about the 2014 breach.

Although Verizon reported that the Trillium/NY Common proposal failed on a vote before shareholders in May 2018, the concept has not been lost on other shareholder activists and SEC staff. Indeed, the proposal noted that a parliamentary committee in the United Kingdom had made a similar recommendation.

Patience with cyber breaches might be waning because of a growing awareness that initial reports often don’t reflect the full extent of the breach. Several serious cyber attacks in 2017 were worse than first reported. For example, although losses for Merck and Federal Express’s TNT Express division were first estimated at $300 million each after they were hit by the NotPetya malware, The Wall Street Journal reported in June 2018 that the losses were actually $400 million for Fed Ex and $670 million for Merck. The Equifax breach was also initially underreported, though not by nearly as much; The Washington Post detailed in March 2018 how Equifax repeatedly updated the number of consumer records breached from its initial estimate of 143 million records to 147.9 million.

Blatantly lax internal policies and procedures are other reasons why patience over cyber breaches is running out. Shortly after the latest numbers on the Equifax breach came out, the SEC charged Equifax’s chief information officer with insider trading due to his sale of nearly $1 million of Equifax shares between the time of the breach and its public disclosure. Equifax also reported that four executives, including its chief financial officer, sold shares worth $1.8 million prior to the disclosure, but the company said these execs were unaware of the breach at the time. This announcement caused many cyber-security experts to wonder about the effectiveness of Equifax’s incident response plan, since best practices require executives and board members to be informed.

Nationwide, companies are still struggling to understand how they should govern cyber security. Generally, boards treat cyber security the same as other board issues and assume the business judgment rule will protect them against shareholder lawsuits. Under the rule, directors’ decisions are respected by courts as long as they appear to have been made in good faith, with the care of a reasonable person, and in the belief the decision is in the best interests of the company.

So far, this has been a sound conclusion. In a number of shareholder derivative suits following highly visible breaches, courts relied on the business judgment rule when examining whether management was negligent in managing cyber risks and dismissed cases against Heartland Data Systems, Target, Wyndham, and Home Depot. A similar suit filed against Wendy’s was recently settled. That’s the good news.

Here’s the bad news: a new type of lawsuit makes directors and officers more vulnerable. Kevin LaCroix, author of the well-regarded D&O Diary, noted that, since the 2016 Wendy’s suit, “plaintiffs’ lawyers have not filed any further data breach related shareholder derivative lawsuits…[but] have continued to file data breach related lawsuits…in the form of securities class-action lawsuits.” In the past year, securities class-action suits were filed against Equifax, Yahoo and PayPal. Securities class-action suits regarding breaches generally allege a company made materially false or misleading statements about its cyber-security program in its public filings or omitted material facts about the security of its data, causing the statements to be misleading to investors.

The suit against Yahoo alleges the company made false and/or misleading statements because it failed to disclose that users’ personal information was not encrypted, making it vulnerable to theft, and a data breach involving such information could “foreseeably cause a significant drop in user engagement with Yahoo’s websites and services.” Thus the complaint alleges that “Yahoo’s public statements were materially false and misleading at all relevant times.”

The Equifax and PayPal lawsuits allege that executives and officers failed to maintain adequate security measures to protect systems and data and to detect breaches, resulting in materially false and/or misleading statements to investors, who were injured by a drop in stock price after the breach. Securities class-action suits have not been filed in previous breaches because the share price was not impacted enough to justify such a suit. Equifax’s stock price dropped around 40% following its breach, but PayPal’s dropped only about 6%. LaCroix called the PayPal suit “event-driven litigation,” noting, “Certainly if a stock price drop on the order of magnitude that PayPal experienced is enough to attract a lawsuit, we could expect to see more of these kinds of lawsuits in the months ahead.”

Although there are standards and best practices on cyber governance, they have not received the attention they deserve at the C-suite and board levels, primarily due to reliance on the business judgment rule. (Refresher tip: see my September 2017 article discussing governance standards and best practices.) The securities class-action suits, however, usher in an entire new line of reasoning, backed up by losses shareholders have had to pay for.

Some experts now predict that cyber-governance standards, which outline specific responsibilities for directors and officers, and regulations that mandate board and executive governance of cyber security (such as those promulgated by the New York Department of Financial Services), will raise the bar for oversight of cyber security above the business judgment rule and open the door to D&O liability claims. Their conclusion is worth repeating: this development will effectively place a corporation’s D&O insurance program directly in the crosshairs when corporate management fails to live up to those heightened duties. D&O insurers should be forewarned.