Cyber Security, Data Breaches and the Board of Directors

Practical Law Canada Legal Update 9-605-7585 (Approx. 9 pages)

by Practical Law Canada Corporate & Securities
This article examines why board oversight of a corporation's cyber security systems and management of data breaches are necessary. This article also provides boards with practical tips they can employ to prevent and limit data breaches, manage data breaches, and avoid personal liability in relation to such breaches.
The creation and maintenance of effective cyber security systems and programs is becoming increasingly important to Canadian corporations. The rising frequency of, and costs associated with, data breaches, new and creative causes of action relating to data breaches, and greater government monitoring and regulation of corporate cyber security matters generally have made cyber security a matter of company-wide concern and one to be addressed at the board level.
This article will examine why board oversight of these programs has become necessary by reviewing:
  • The responsibilities of a board of directors (see Responsibility of the Board of Directors).
  • Recent data breaches and their consequences (see Recent Data Breaches).
  • The tort of intrusion upon seclusion (see Tort of Intrusion upon Seclusion).
  • Derivative actions against directors in the USA (see Derivative Actions (USA)).
  • Regulatory oversight of cyber security and data breaches (see Regulatory Oversight).
This article will end by summarizing some best practices (see Best Practices) a corporation’s board can employ to:
  • Prevent and limit data breaches.
  • Manage data breaches.
  • Protect directors from personal liability in relation to a breach.

Responsibility of the Board of Directors

A corporation’s shareholders elect a board of directors to oversee and manage the business and affairs of the corporation. As part of this task, the board appoints officers to run day-to-day operations, proposes strategies and objectives, and implements corporate plans. If the corporation is a public company, the board also oversees corporate compliance with provincial and territorial securities laws, including corporate governance standards and continuous disclosure regulatory requirements.
Federal as well as provincial and territorial corporate laws enshrine the core fiduciary duty and duties of care, diligence and skill of each member of a board of directors. In accordance with their fiduciary duties, each member of a board of directors must demonstrate loyalty towards the corporation and act honestly, in good faith and in the best interests of the corporation (not in their personal interest). In accordance with their other statutory duties, each member of a board must exercise the care, diligence and skill a reasonably prudent person would exercise in comparable circumstances. To learn more about the duties of a board of directors, please see the following Practice Notes (subscription required):
Ultimately, a corporation’s financial, reputational and operational success rests on the board. Those appointed to the board must ensure they have the wherewithal to fulfil their duties as well as have the requisite knowledge and skills to manage the business. As business is constantly changing, board members must regularly educate themselves and upgrade their skill base to perform their jobs accordingly. If not, the corporation may be in jeopardy.

Recent Data Breaches

In the past few years there have been multiple reports of cyber security attacks resulting in significant data breaches at large, international corporations. The pattern of each attack is similar: hackers or fraudsters gain access to a company’s systems (using employee or vendor credentials or by other means) and install malware, giving them access to confidential email as well as to customer and payment system information. The hackers or fraudsters then use the information obtained for their own benefit, victimizing the company’s employees, its customers or both.
Many of those affected by a data breach hold the corporation’s management and board of directors responsible; they feel that the corporation failed to address weaknesses in its cyber security systems and programs. Those affected also criticize the corporation’s handling of the breach, including the lack of timely disclosure to those affected and insufficient remediation efforts.
The consequences of data breaches are severe. Consumers or employees victimized by fraudsters experience unauthorized charges on their credit and debit cards and must spend a large amount of time with credit, bank and other professionals to mitigate their losses. The companies suffer significant monetary costs and financial hardship, including litigation costs and damages awards.
Some of the specific facts and consequences relating to a few recent breaches are set out below.

Sony Pictures Entertainment

In the late fall of 2014, hackers infiltrated Sony Pictures’ operational and email systems. The hackers leaked five unreleased films and publicly disseminated sensitive employee data, including salary information of some of the company’s key executives, employee performance reviews and health care information. The breach also wiped out a portion of Sony’s computer data.

Consequences of the Breach

Sony Pictures expects to lose money on the movies leaked prior to their release date. In addition to loss of future revenues, Sony has had to incur costs to rectify the breach, bring its computer systems back online (some of Sony’s systems were down a week after the attack), conduct an investigation into the breach (with the cooperation of the police and third party advisors), and pay for identity protection services for its current and former employees. On February 2, 2015, Sony disclosed in its third quarter financial results that the cost of investigating and remediating the data breach in that quarter was USD$15 million. Employee morale has also suffered as a result of the breach.
A number of Sony Pictures’ current and former employees have commenced legal action, including a class action, against the company. The class action plaintiffs claim that Sony was aware that its systems were vulnerable but did not take sufficient steps to protect its data. They also claim that Sony Pictures did not take sufficient steps to notify its former employees of the breach and that the identity protection measures provided by the company are inadequate.

Home Depot

From April 2014 to September 2014 fraudsters infiltrated Home Depot’s payment systems, resulting in the payment information and email addresses of 43 to 56 million North American customers being compromised. Apparently the fraudsters gained initial access to Home Depot’s systems using one of its vendors’ credentials. From there, they expanded their access within Home Depot’s systems and installed malware on its payment systems to steal the customer information.

Consequences of the Breach

Home Depot’s share price fell 3.4% immediately after the breach became public. Home Depot disclosed in its SEC filings that it spent approximately USD$43 million in its last quarter to remedy the breach (these costs include identity theft protection services provided to customers, the cost of conducting an investigation into the breach, and third party advisor costs). A portion of these costs may be recoverable through insurance.
Currently, there are 44 actions, including at least one Canadian class action (yet to be certified), against Home Depot in relation to the data breach. In the first Canadian class action, Lozanski v. the Home Depot Inc. (filed on September 22, 2014), the plaintiffs are seeking CAD$500 million in damages. They claim that Home Depot failed to uncover and disclose the extent of the data breach and that it did not notify its customers about the breach in a timely manner. Plaintiffs’ counsel indicated in interviews with Canadian media that the class action was launched against the company to pressure retailers to come up with solutions to prevent further data breaches.

Target

Target suffered a three-week data breach affecting 42 million of its customers over the 2013 holiday shopping season. The cause of the breach was malware that had been installed on Target’s payment systems and that compromised customer debit and credit card information.

Consequences of the Breach

Target disclosed in its recent SEC filings that it has spent over USD$250 million to investigate and rectify its 2013 data breach, including offering identity protection services to affected customers. In addition, Target recently settled a customer class action for USD$10 million (affected customers can claim up to $10,000 for their losses). Also, as part of the settlement, Target will:
  • Hire a chief information security officer.
  • Create and maintain a written information security program documenting possible risks and develop measures by which to analyze its security systems.
  • Offer security training to educate employees about the importance of safeguarding consumer identifying information.
Four derivative lawsuits (see Derivative Actions (USA)) have also been launched against certain members of Target’s board of directors. In 2014, Institutional Shareholder Services recommended that Target’s shareholders not re-elect certain members of the corporation’s board. Shareholders did not follow this recommendation.
Target’s 2013 data breach also caused it significant reputational harm. At the time the breach was made public, Target was already facing criticism respecting its less than profitable expansion into the Canadian market. The company’s data breach increased public criticism of the company and decreased customer goodwill during its busiest season of the year. Due to these controversies, Target’s CEO resigned within months of the data breach.

Tort of Intrusion upon Seclusion

The significant costs associated with the data breaches discussed in Recent Data Breaches are enough to raise board concern, as such costs can depress corporate profitability for years to come. The province of Ontario’s recognition of a new tort, the tort of intrusion upon seclusion (also known as invasion of privacy), should increase this concern. Under this new tort a person can be found liable for up to a maximum of $20,000 for each invasion of privacy they committed. While this amount is modest in an individual sense, class actions based on this tort can bring the damages award into the millions of dollars. In addition, some are seeking to expand the scope of the tort to include vicarious liability of employers. If the tort is expanded, then a corporation could be found liable for its employees’ breaches of confidential information over which the corporation had no direct control. A brief summary of the tort as well as a summary of one attempt to enlarge its scope are set out under Jones v. Tsige and Possible Expansion of the Scope of the Tort.

Jones v. Tsige

In Jones v. Tsige, 2012 CarswellOnt 274 (Ont. C.A.) (Tsige), the Court of Appeal recognized the tort of intrusion upon seclusion in Ontario (not all provinces recognize this tort). In Tsige, a Bank of Montreal (BMO) employee (Ms. Tsige) accessed and reviewed the personal banking records of another BMO employee (Ms. Jones) without Ms. Jones' consent. BMO caught Ms. Tsige and disciplined her for her actions.
Ms. Jones sued Ms. Tsige for damages relating to Ms. Tsige’s invasion of her privacy (Ms. Jones did not sue BMO). In recognizing the new tort, the Court of Appeal found that the cause of action could only be relied upon when a deliberate and significant invasion of privacy occurred. Deliberate and significant invasions of privacy include unauthorized access of a person’s:
  • Financial records.
  • Health records.
  • Employment related information.
  • Diary.
  • Private correspondence.
The court also found that access to records relating to a person’s sexual orientation or practices may constitute a deliberate and significant invasion of privacy.
Generally, plaintiffs will only be able to prove non-pecuniary damages; the Court of Appeal fixed the maximum non-pecuniary damages award at $20,000. If a plaintiff can also prove pecuniary damages, then the aggregate damages awarded may exceed this amount. In Tsige, the court awarded Ms. Jones $10,000.

Possible Expansion of the Scope of the Tort

In Evans v. Bank of Nova Scotia, 2014 CarswellOnt 7666 (Ont. S.C.J.), the court certified a class action against the Bank of Nova Scotia and one of its employees, Mr. Wilson, relating to a privacy breach affecting 643 of the bank’s customers. The customers’ confidential information was breached when Mr. Wilson copied the customers’ files and delivered them to his girlfriend (who then turned them over to fraudsters). Approximately 150 bank customers experienced identity theft as a result of the breach.
During the certification proceeding, the bank argued that it was not directly responsible for the data breach so the class action should not be certified against it. The court disagreed. Considering that the bank may have created the opportunity for Mr. Wilson to access and distribute confidential customer records (Mr. Wilson’s access to the records was not supervised), it was not plain and obvious that the bank was not vicariously liable for its employees' actions. The fact that the bank did not participate in the identity theft or fraud was (at this point in the class action proceeding) irrelevant. If this action is not settled, a trial court will decide if the tort of intrusion upon seclusion includes vicarious liability of an employer.

Derivative Actions (USA)

It is possible that, in the near future, liability respecting corporate cyber security missteps and data breaches may not be the sole responsibility of a corporation. In the USA, shareholders have commenced derivative actions against directors personally concerning board mismanagement of a corporation’s cyber security systems and board mismanagement of a corporation’s data breach.
Generally, plaintiffs argue that the board failed to adequately oversee the corporation’s cyber security measures before the breach, and failed to appropriately oversee the corporation’s disclosure, investigation and remediation efforts after the data breach. To date, no derivative actions of this type have been successful; however, derivative actions against Target are still pending.
The most recent derivative action dismissed by the American courts was Palkon v. Holmes, Case No. 2:14-cv-01234 (D.N.J.). A shareholder of Wyndham Worldwide Corporation (Wyndham) commenced the action after Wyndham suffered a series of data breaches between 2008 and 2010. The plaintiff claimed breach of fiduciary duties, waste of corporate assets and unjust enrichment. The claim was brought against 10 of Wyndham’s directors and officers.
The court dismissed the plaintiff’s action finding that Wyndham’s board had acted reasonably and in accordance with their fiduciary duties. Below are examples of steps taken by Wyndham’s board of directors that supported the court’s conclusion:
  • During the relevant period (2008 to 2010), the board regularly discussed cyber security, and Wyndham’s data breaches, at board meetings.
  • The board received regular presentations at board meetings from Wyndham’s general counsel relating to the company’s cyber security efforts and Wyndham’s data breaches.
  • Wyndham’s audit committee regularly discussed matters relating to cyber security and data breaches at committee meetings.
  • Wyndham had hired a third party technology firm to investigate the data breaches and recommend security enhancements to its systems.
  • Wyndham’s data breaches were being investigated by the Federal Trade Commission; this investigation caused the board to educate itself about data breaches and cyber security measures.
Note that no shareholder derivative actions of this type have yet been commenced in Canada (where derivative actions require leave of the court and judicial approval of any settlement). However, if this cause of action starts to gain traction in the USA, shareholders may start to launch these proceedings in Canada. Accordingly, boards of directors should take protective actions, such as those noted above (and those discussed in Best Practices), to protect themselves from personal liability.

Regulatory Oversight

The proliferation of data breaches in North American consumer markets has caused government regulators to increase their monitoring of corporations' activities respecting data breaches and cyber security generally. Two Canadian initiatives are summarized below.

The Digital Privacy Act (Bill S-4)

In 2014, the federal government introduced Bill S-4, the Digital Privacy Act, which, if passed, would amend the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) to require corporations regulated under PIPEDA to notify individuals who may be at risk of significant harm from a data breach promptly after the breach. Corporations would also have to notify the Privacy Commissioner of any such data breaches. In addition to the notification requirements, if the Bill is passed, corporations would be required to maintain written records of every data breach. Corporations that do not comply could be subject to a fine of up to $100,000. A committee of the House of Commons is currently studying the Bill.

CSA Staff Notice 11-326

In September 2013, the Canadian Securities Administrators (CSA) issued CSA Staff Notice 11-326: Cyber Security (Notice). The Notice recommends that reporting issuers become knowledgeable about data breaches and cyber crime and that they take appropriate action to protect confidential information and promote reliable operations. In accordance with the Notice, reporting issuers should:
  • Educate employees about the importance of cyber security and their role in safeguarding client information and computer systems.
  • Follow industry best practices from industry associations and recognized information security organizations.
  • Conduct third-party vulnerability assessments and security tests of their systems on a regular basis.
The Notice also recommends that public corporations consider whether their cyber crime risks, incidents and security controls should be disclosed in their prospectuses or continuous disclosure filings.

Best Practices

Consider the role and responsibilities of a corporation’s board of directors, including their fiduciary and other statutory duties; the financial, reputational and litigation costs of a breach (including the cost of litigation brought against a director personally); and the increased government monitoring of cyber security measures and data breaches. Taken together, these make it evident why board oversight of a corporation’s cyber security systems and management of data breaches is critical.
Below is a list of some practices boards can use in their oversight of cyber security and data breach matters (including steps boards can take to protect directors from personal liability):
  • Ensure that cyber security and data privacy matters are regularly discussed at board meetings. Request management create presentations and provide briefings on these matters to educate the board (see Palkon v. Holmes).
  • Maintain written records of the board (for example, include discussions respecting cyber security measures and data breaches in minutes of meeting) and task management in each of the corporation’s departments to maintain written records respecting cyber security and data breaches.
  • Delegate oversight of cyber security measures and data protection programs to a board committee. The audit committee may take on this task as part of its oversight of the corporation’s financial controls and procedures, or the board may create a dedicated data protection committee.
  • Hire third party consultants to audit the corporation’s cyber security systems and ask them to recommend improvements (see Palkon v. Holmes).
  • Oversee management’s drafting of cyber security standards, programs and policies. Ensure they are compliant with law and are being benchmarked against industry best practices.
  • Oversee management’s creation of a business-wide crisis management team to manage data breaches when they occur, and of a written plan to guide that team in handling a breach. Ensure the team practices implementing the plan and updates it when necessary.
  • Hire a chief information security officer who has significant experience in information technology and cyber security.
  • Oversee management’s creation of a culture that views cyber security matters as everyone’s concerns; review employee training and awareness programs on the topic.
  • Ensure the corporation is adequately insured against data breaches, including checking that the corporation’s directors’ and officers’ liability insurance covers cyber security incidents and data breaches.
Resource ID 9-605-7585
Copyright © Thomson Reuters Canada Limited or its licensors. All rights reserved.
Published on 24-Mar-2015
Resource Type Legal update: archive
Jurisdiction
  • Canada (Common Law)