Individual Liability of Officers and Directors for a Corporate Data Breach
The hacking of Sony’s private data has been one of the biggest stories in the country over the past couple of months. It won’t surprise anyone to learn that lawsuits have been filed over the breach. Indeed, the plaintiffs in several class action lawsuits are seeking to consolidate their cases into one massive Sony Data Breach Litigation case.
So far, the plaintiffs in those cases haven’t alleged claims against individual Sony officers or directors. This begs a couple of questions: is that something that plaintiffs do? And what kinds of allegations can they bring?
The answer is that a number of plaintiffs have brought claims against officers and directors who worked at companies that suffered data breaches. Typically, they allege that the defendants did not properly manage the company’s cyber risks.
For example, in February 2014, Kevin LaCroix of D&O Diary brought to our attention lawsuits that Target shareholders filed against the company’s officers and directors, arising from the massive theft of Target’s private customer information. The shareholders alleged that the company’s executives and board knew how important the security of private customer information was, and failed to take reasonable steps to put controls in order to detect and prevent a breach. Further, they alleged, the defendants exacerbated the damage by publicly minimizing the breach.