What the Hack?! Reexamining the Duty of Oversight in an Age of Data Breaches

Publication year: 2019

Amanda M. Payne
University of Georgia School of Law

WHAT THE HACK?! REEXAMINING THE DUTY OF OVERSIGHT IN AN AGE OF DATA BREACHES

Amanda Marie Payne*

Due to the proliferation of electronic data and advancements in technology, data breaches have become commonplace. Data breaches are a threat to corporations of all sizes and can have devastating impacts. Focusing solely on Delaware law, this Note explores how doctrines such as the business judgment rule, exculpation provisions, and heightened pleading standards have left shareholders with limited recourse in holding directors liable for the catastrophic consequences of data breaches. Recognizing that shareholders have been unsuccessful alleging Caremark-type claims arising out of a data breach, this Note argues that the expansion of bad faith in Walt Disney provides alternative ground for shareholders to hold directors liable for data breaches. Nevertheless, this Note concedes that courts will be unlikely to accept that argument. Courts are too wary of opening the floodgates of director liability. Therefore, this Note argues that there are certain risks—such as cybersecurity risks—to which Caremark can be extended without eviscerating the business judgment rule. This Note finally argues that where Caremark applies, the standard should be relaxed in the context of cybersecurity. In an age of data breaches, the time has come for the Caremark standard to have some teeth.

Table of Contents

I. Introduction .... 729

II. Recent Data Breaches and Their Related Shareholder Derivative Suits .... 736

A. INTRODUCTION TO DERIVATIVE SUITS .... 736
B. WYNDHAM WORLDWIDE CORPORATION .... 738
C. TARGET CORPORATION .... 739
D. THE HOME DEPOT, INC. .... 741
E. EQUIFAX INC. .... 742

III. The Evolution of Fiduciary Duties Under Delaware Law .... 745

A. THE DUTY OF CARE .... 746
1. The Business Judgment Rule .... 746
2. Exculpatory Provisions .... 748
B. THE DUTY OF LOYALTY .... 749
1. The Duty of Good Faith .... 750
2. The Duty of Oversight .... 751

IV. The Pleading Standard .... 754

V. Existing Law Provides Alternative Ground for Shareholders .... 757

VI. Relaxing the Caremark Standard for Data Breach Liability .... 761

A. OVERVIEW .... 761
B. EXTENDING CAREMARK BEYOND LEGAL COMPLIANCE .... 762
C. RELAXING CAREMARK .... 764
1. The Manner of Implementation .... 765
2. Maintaining, Updating, & Enhancing .... 766
3. The Mechanisms in Place .... 767

VII. Conclusion .... 769

I. Introduction

Hardly a day goes by without a news report or headline highlighting another cybersecurity incident or corporate hacking. In fact, since 2005, over 8,000 data breaches have been made public in the United States alone.1 There were about 12 million records exposed in 791 different data breaches within just the first six months of 2017.2 While the sheer volume of data breaches is alarming, they have recently become a common occurrence due to the proliferation of electronic data and advancements in technology.3

Data breaches and cyberattacks are threats to corporations of "all shapes, sizes, locations, and industries."4 Cyberattacks are a threat to essentially any business using the Internet as a means of holding "intellectual property, competitive trade secrets, customer information, and other corporate data."5 For example, Target experienced a data breach in 2013 in which hackers stole the debit and credit card data of approximately 70 million customers.6 In May 2014, hackers stole the personal information of up to 145 million active eBay users.7 Just a few months later in August 2014, JPMorgan Chase announced that hackers gained access to the data of 76 million households and 7 million small businesses, including credit card numbers, bank accounts, and social security numbers.8 Not even a week after the JPMorgan Chase breach, Home Depot announced that it had also experienced a data breach resulting in 56 million stolen payment cards and 53 million pilfered e-mail addresses.9 Other notable data breaches include: Sony in 2011; LinkedIn, Living Social, and Tumblr in 2012; Yahoo, Adobe, and Apple in 2013; UPS and Twitter in 2014; Deep Root Analytics, MySpace, and health insurance company Anthem in 2015; the U.S. Securities and Exchange Commission in 2016; and InterContinental Hotels Group, Verizon, River City Media, Snapchat, and most notably, Equifax Inc. in 2017.10

Well-publicized data breaches can have devastating impacts on businesses. In its 2017 Cost of Data Breach Study: Global Overview, the Ponemon Institute estimated that the average total cost of a data breach for a company is $3.62 million, with an average cost of $141 for each lost or stolen record that contains sensitive or confidential information.11 Aside from costs incurred in investigating, notifying, and responding to data breaches, companies also indirectly incur significant reputational costs due to negative publicity, impending litigation, and a lack of shareholder and consumer loyalty and trust.12 As a result, companies' profits and relationships with investors and other third parties are often negatively affected by data breaches.

The last decade has witnessed an uptick in government responses to data breaches. For example, the Securities and Exchange Commission, the Department of Justice, the Department of Homeland Security, the Federal Trade Commission, the Federal Communications Commission, the Financial Industry Regulatory Authority, and the Consumer Financial Protection Bureau, among others, have begun to make cybersecurity a priority.13 Nevertheless, Congress remains "hesitant to pass legislation requiring the whole private sector to adopt certain cybersecurity standards and best practices."14 Indeed, the United States does not have a general data-security statute.15

Some states have stepped in to fill this regulatory void. In 2017, for example, the New York Department of Financial Services (DFS) enacted a cybersecurity regulation that requires "banks, insurance companies, and other financial services institutions regulated by DFS" to have a cybersecurity program, written cybersecurity policies, a Chief Information Security Officer, and various controls and plans in place to ensure data safety.16 Additionally, "nearly all states have enacted so-called 'data breach notification laws.'"17 For example, Delaware recently amended its data breach notification law in August 2017.18 Delaware's law, like the notification laws of other states, "requires companies to notify affected Delaware residents of a breach involving their personal information within 60 days . . . after determination of a breach" and "to provide a year of free credit monitoring."19

With respect to public corporations, cybersecurity regulations are lacking. In October 2011, the Securities and Exchange Commission issued cybersecurity guidance for companies.20 This guidance is unfortunately non-binding.21 However, the Commission believes that the "disclosure requirements may impose an obligation on registrants to disclose such risks and incidents."22 The guidance recommends that corporations consider the following six disclosure obligations when deciding whether to disclose a data breach: (1) risk factors; (2) management's discussion and analysis of financial condition and results of operations (MD&A); (3) description of business; (4) legal proceedings; (5) financial statement disclosures; and (6) disclosure controls and procedures.23

In February 2018, the Commission reinforced and expanded upon the October 2011 guidance by providing an interpretive release outlining its "views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies."24 The release addresses the following: "(1) the materiality of a cybersecurity risk or incident, (2) the timing of disclosures relating to a cybersecurity incident, (3) disclosures about board oversight, (4) insider trading, (5) cybersecurity policies and procedures, (6) cybersecurity assessments, (7) acquisitions, and (8) regulatory and litigation risk."25 The release makes clear that the Commission "expect[s] companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences."26 Furthermore, where a company has become aware of a material cybersecurity incident, the Commission "expect[s] it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities."27

Following the February 2018 release, the Commission settled for the first time a case involving charges for failure to disclose a cybersecurity incident. On April 24, 2018, the Commission "announced that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it...
