Individual Liability of Officers and Directors for a Corporate Data Breach

Jason M. Knott

The hacking of Sony’s private data has been one of the biggest stories in the country over the past couple of months.  It won’t surprise anyone to learn that lawsuits have been filed over the breach.  Indeed, the plaintiffs in several class action lawsuits are seeking to consolidate their cases into one massive Sony Data Breach Litigation case.

So far, the plaintiffs in those cases haven’t alleged claims against individual Sony officers or directors.  This raises a couple of questions: is that something that plaintiffs do?  And what kinds of allegations can they bring?

The answer is that a number of plaintiffs have brought claims against officers and directors who worked at companies that suffered data breaches.  Typically, they allege that the defendants did not properly manage the company’s cyber risks.

For example, in February 2014, Kevin LaCroix of D&O Diary brought to our attention lawsuits that Target shareholders filed against the company’s officers and directors, arising from the massive theft of Target’s private customer information.  The shareholders alleged that the company’s executives and board knew how important the security of private customer information was, and failed to take reasonable steps to put controls in order to detect and prevent a breach.  Further, they alleged, the defendants exacerbated the damage by publicly minimizing the breach.

Last summer, Judy Greenwald of Business Insurance noted not only the Target suit but another suit against Wyndham Worldwide.  In the Wyndham case, the shareholder litigation against directors and officers followed an enforcement action by the Federal Trade Commission involving a “brute force attack” by hackers.  The Wyndham case was subsequently dismissed before discovery, with the court finding that the board had properly entertained and rejected the plaintiff’s demand to bring a lawsuit on the company’s behalf.

In its decision, the court noted that the directors were familiar with the “factual underpinnings of the claim,” because they had received a presentation about the breach and the company’s data security at every quarterly meeting from the company’s general counsel.  Further, the board was “free to consider” the potential weaknesses of the plaintiff’s claims, because “security measures existed when the first breach occurred, and … the Board addressed such concerns numerous times.”  Thus, the fact that security measures were in place at the time of the initial hacking was something the board could rely on when deciding not to accept the plaintiff’s demand and bring suit.

Given the court’s reasoning in the Wyndham case and the recurring digital attacks on American businesses, companies, officers, and directors will be wise to consider the best practices to reduce the risks before and after a data breach.  It’s not hard to find recommendations for these best practices from commentators and experts.  The most important thing is to be aware of and proactively address the security of your data before a breach brings on headlines and lawsuits.