The cybersecurity scare: there are actions that directors can take to keep themselves within the protection of the business judgment rule.

Author: Raymond, Doug
Position: LEGAL BRIEF

Attentive directors can hardly be blamed for thinking that the sky is falling. Derivative litigation against directors (measured as a percentage of such lawsuits against public companies) has been increasing, ISS and others have been much more active in criticizing--and seeking to unseat--incumbent directors, and there has been a steady stream of new rules and regulations that create ever-increasing burdens on directors. On top of this, the board's liability for a "cyber-attack" has become almost a cause célèbre. Clearly, cyber-attack incidents can cause real damage to a company's brand and reputation, may lead to significant financial losses, and may dissipate customers' trust and goodwill. The costs of such attacks include not only loss of reputation and the cost of compensating customers, but also the real possibility of regulatory action and the near certainty of massive litigation.

There have been highly publicized cases over the last few years asserting breach of fiduciary duty and seeking to hold the directors (or their D&O insurers) liable for failing to prevent a significant data breach. However, the plaintiffs in these cases have generally been unable to get around the protection afforded to the board by the business judgment rule.

The business judgment rule is the presumption that the directors, in managing the affairs of the corporation, are acting in good faith in the corporation's best interest. It also presumes that directors are acting on an informed basis. The rule is designed to protect directors from the risk of being held liable for a poor business decision when plaintiffs second-guess that decision with the benefit of hindsight. As such, the business judgment rule is a presumption that is difficult for plaintiffs to overcome. However, it is possible for a board to be so careless that the business judgment rule no longer affords its protection. Absent a conflict of interest or other breach of the duty of loyalty, this requires the board to have been essentially grossly negligent in discharging its oversight responsibilities.

Thus, under current principles, when a cyber-attack occurs, the board should be protected from liability unless it has utterly failed to implement a reporting or information system covering protection of sensitive data, or consciously failed to monitor or oversee the corporation's defenses against an attack, thus making it impossible to be informed on the issues. If...
