
How a Cyber Attack Can Get Worse: Personal Liability for Corporate Directors

By: Craig Zawada, K.C., Kelsey Sonntag, and Janelle Anderson

Anyone overseeing a business probably has cyber attacks near the top of their risk list. The frequency of incidents is increasing, and the consequences can be an existential risk for an organization. But beyond the risks to the business, can others – like corporate directors and officers – face liability after a cyber incident?

It is commonly assumed the answer is no. After all, incorporation is designed to create limited liability so participants apart from the corporation itself are shielded from exposure. That is the theory, but there are many cases where the corporate veil might be pierced. That expanded liability can extend to directors in certain cases. And even though no Canadian directors have yet incurred liability for cyber incidents, the risk is there, and United States decisions point to how it could happen. Even if unsuccessful, dealing with a claim can cost time, money and headaches.

Outside of cyber incidents, there are many instances where corporate participants, such as directors and officers, can face liability. Sometimes the liability is statutory, such as provisions in the Income Tax Act that impose personal responsibility on directors for amounts like employee source deductions. There are also cases, and some statutes, that assess personal liability in situations involving negligence or a failure to discharge proper responsibilities.

The legal landscape already recognizes director liability, so it will not be a stretch to extend it to cybersecurity lapses. This is still unlikely, given corporate limited liability, but it is not impossible.

The American cases, while involving different precedents and statutes from those in Canada, highlight the risks. There are more similarities than differences between our systems, and it will not be a stretch for a court in Canada, with appropriate facts, to levy responsibility against a board or individual directors.

One case, SEC v. SolarWinds Corp et al[1], highlights the threats to officers and directors. That case arose from an attack in late 2020 against monitoring and management software sold by SolarWinds and used by thousands of enterprises and government agencies worldwide.

After investigating, the United States Securities and Exchange Commission brought a civil action against the company and its Chief Information Services Officer. The SEC alleged that the company and the CISO made materially misleading statements and omissions about SolarWinds’ cybersecurity practices and risks in public disclosures.

This marked the first time the SEC had charged a CISO individually. In July 2024, a judge tossed out most of the SEC’s claims, and it may be that personal liability is off the table in this case. But the very fact that charges were brought at all demonstrates the need for directors and officers to heed their statutory and common law duties.

What might those duties include? Again, some US cases, while not in the cybersecurity realm, provide clues for Canadian courts. In re Caremark International Inc. Derivative Litigation[2] is often cited for establishing conditions for director oversight liability under Delaware law, but has largely been narrowly applied. Caremark established a high bar, such as proving that a majority of the board must be responsible for any oversight failure. In the past 5 years or so, though, such actions have been allowed, suggesting that the bar for establishing liability might be dropping. For example, in In re Boeing Company Deriv. Litig.[3], a Caremark claim was sustained at the pleadings stage, prior to a settlement among the parties.

There was also a further Caremark claim that, while dismissed, observed that “[t]he corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place…”[4] Although escaping liability in that case, the court clearly indicated that directors cannot be silent on or blind to the risks involved and the control environment required to appropriately mitigate those risks.

There are other decisions as well. For example, a 2019 action against Yahoo for data breaches settled with former directors for $29 million USD, showing how seriously the involvement of directors and officers is treated when companies handle cyber incidents: In re Yahoo! Inc. Customer Data Sec. Breach Litig.[5]

Thus, there is ample evidence that directors could be liable for cyber incidents if they are not prudent. Given the prevalence of cyber attacks, and the extreme losses potentially involved, it seems to be a matter of time before a director or officer in Canada faces liability.

How to avoid this risk is the natural question. The answer rests primarily on the normal approaches and protections that directors should employ on every issue, all the time: monitor security risks and controls, closely question management about cybersecurity regimes, and get sufficient answers so the directors have reasonable assurance that security risks are appropriately mitigated. That “reasonable assurance” is crucial. Directors are not expected to be perfect and know everything about operations. That is management’s job. But directors must conduct sufficient oversight to be satisfied:

These are big tasks, naturally, especially for non-IT experts. But if the expertise is not at the board level, it may need to reach outside to get independent assistance.

Directors’ errors and omissions insurance for risks is available, including for cyber attacks. This is important and necessary, but not sufficient. For one thing, the level of insurance needed might be so high that it becomes cost prohibitive. Like the Yahoo case, where tens of millions of dollars were paid just for a settlement, it is easy to see how damages can far exceed any affordable insurance.

Another problem with insurance is that it is remedial rather than preventive. Nothing can stop someone from starting a lawsuit that includes directors as named defendants, no matter how weak the claim might be. But even if it is shut down relatively early in the litigation process, there is a high degree of expense and stress that goes with any litigation, as well as reputational damage. Even if you have implemented good controls and due diligence practices, you have a risk of a personal lawsuit. That risk, and the chance of financial responsibility, goes up exponentially if directors have not implemented proper risk management processes for everything, including cybersecurity.

Plus, we have not even mentioned legislation that might arise to specifically impose director liability for cyber incidents. For example, House of Commons Bill C-26 has started Second Reading in the Senate and imposes many cybersecurity obligations on private sector businesses in critical federal infrastructure areas, such as transportation, telecommunications, nuclear, pipelines and banking. Directors of any company in these sectors face exposure from s. 72.138 of the Bill:

72.138 An officer, director or agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

In other words, personal liability is specifically built into the legislation. If the law is passed, directors will have even more responsibilities and risks to manage that dramatically increase the personal liability risk.

Other steps might be required depending on the organization, its environment and even the people involved. Boards should always be getting independent legal advice on these matters, and Procido is experienced in guiding boards and management on such risks. Feel free to reach out to our Governance Group for more information.


[1] U.S. District Court, Southern District of New York, No. 23-09518

[2] 698 A.2d 959 (Del. Ch. 1996)

[3] 2021 WL 4059934, (Del. Ch. Sept. 7, 2021)

[4] Firemen’s Retirement System of St. Louis v. Sorenson (Marriott) 2021 WL 4593777 (Del. Ch. Oct. 5, 2021)

[5] Case No. 16-MD-02752-LHK (N.D. Cal. Jul. 21, 2020)

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice. Contact Procido LLP (www.procido.com) if you require legal advice on the topics discussed in this article.
