Jarrett Kolthoff | December 27th, 2019

Business Journal Ask the Expert Column – Book of Lists

I understand that recent legal decisions have potentially increased Board Member liability as it relates to cybersecurity. Do you have any insights into these cases? 

There was a time, really not so long ago, when corporations, organizations, hospitals, government offices and more were considered innocent victims if they were attacked by cybercriminals. But those days are gone. And gone forever.  
Now, court rulings are more commonly siding with consumers, private individuals, and shareholders, while demanding more accountability and oversight from Board Members, in the event of a breach or cyber incident. It’s a trend that’s not only here to stay, but most likely one which will continue to expand, creating an extreme level of both liability and culpability for those residing at the highest levels of their respective organizations. 

Legal Opinions Every Board Member Should Read and Know 
The Delaware courts have recently become a hotbed of legal change for Boards of Directors, thanks to two important cases. In early 2019, the Delaware Supreme Court ruled on Marchand v. Barnhill, while on October 1, 2019, the Delaware Chancery Court handed down a decision on the Clovis Oncology Derivative Litigation
Each of these cases is significant because they both broaden potential liability for breaches of the duty of oversight for Board members, relating to a broad range of issues including cybersecurity and personal privacy. 
Oversight Alone Is No Longer Considered Adequate 

In Marchand, the Court underscored that Boards which fail to establish oversight procedures for their organizations’ mission critical functions can be held liable for breach of their Caremark duties. Cybersecurity, the protection of critical data, and the safeguarding of personal information can all be considered mission critical functions as they relate to Caremark duties. 

In the Clovis Oncology Derivative Litigation case, the Chancery court, citing Marchand, held that Boards must first demonstrate that they have made  
good faith efforts to implement an oversight system, while also showing  
that they monitor the system – particularly when the organization operates in a highly regulated industry.  

What These Outcomes Mean For You 

Space limitations do not allow for full explanations of both Marchand and Clovis; however, it’s critical that all Board Members make themselves familiar with these cases.  
While any Caremark actions claiming breach of the duty of oversight are considered onerous to litigate, they are no longer viewed as virtually impossible to win. 
The decisions based upon these cases establish that Board responsibilities now include both the establishment of and the monitoring of processes to oversee “mission critical” compliance requirements. Additionally, these decisions establish that Boards who do not fulfill their oversight requirements can be held liable for breaches of fiduciary duties. 
To draw an analogy concerning possible breaches of fiduciary duties, a door which was previously all but closed, has now been slightly opened, and may soon be kicked off its hinges. If your cybersecurity protocols do not contain strict governance for oversight as well as monitoring, now is the time to make these critical changes.