Cybersecurity Trends: Board Liability
by Brandon Graves, Partner
In 2019, the Delaware Supreme Court decided Marchand v. Barnhill, and recognized a duty of oversight that operates as part of the board’s traditional duty of care. “When a plaintiff can plead an inference that a board has undertaken no efforts to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation, then that supports an inference that the board has not made the good faith effort that Caremark requires.”
Plaintiffs wasted little time in applying this standard in the context of data breach litigation. In November 2021, shareholders filed suit against SolarWinds as nominal defendant, alleging an “utter failure to implement or oversee any reasonable monitoring system concerning [redacted] cybersecurity risks fundamental to SolarWinds’ only line of business.” The SolarWinds example tracks closely with Marchand: cybersecurity was SolarWinds’ only business, and it allegedly had no cybersecurity monitoring program.
That same month, shareholders filed suit against T-Mobile as nominal defendant, alleging that, among other things, “the Individual Defendants failed to implement and maintain internal controls or exercise oversight over the security and safety of customer data stored by the Company despite its centrality to the Company’s core business.” T-Mobile is a little different from SolarWinds: T-Mobile’s main business is selling cellular services, and while data collection is an important part of that business, it is not the whole of it. However, the complaint shows the natural expansion of this doctrine. And what company does not have data or IT systems as a central part of its operations these days?
These legal changes have been mirrored by changes in how boards (and their insurers) address litigation. Also in 2019, Yahoo settled a derivative lawsuit related to a cybersecurity incident for $29 million. The particulars of Yahoo’s breach, and its board’s conduct, make it difficult to draw too many conclusions from its settlement. But Home Depot settled similar litigation even after winning at the motion to dismiss stage, and Equifax reinforced the trend by settling both a shareholder suit and a derivative suit for approximately $180 million combined.
There is a definite trend, both in the development of the law and in settlement agreements, that increases liability for boards in the wake of a data breach. We anticipate this trend will accelerate as the SEC finalizes its draft rules concerning cybersecurity risk disclosure, the DOJ’s new task force brings additional cases, and insurers show a willingness to pay settlements early in litigation. Balancing these risks is the fact that the threshold for boards is still low. Marchand involved “no effort” on an issue “intrinsically critical” to business operations. Boards of directors should be able to meet and exceed this floor for cybersecurity in the course of meeting their existing obligations.