Potential Liability of Corporate Boards for Data Breaches
Shareholders of companies affected by major data breaches are increasingly seeking to hold company directors and officers liable for damages and other costs. Legal analysts say the settlement of a Yahoo shareholder lawsuit may establish an important precedent for such cases.
This article examines whether securities class action lawsuits will bring data breach liability to directors and officers.
The Dramatic State of Data Breaches
Massive data breaches affecting major corporations occur all too frequently. High-profile cases over the past few years include:
Marriott International—500 million customer records exposed
Equifax—143 million records
Target—110 million records
Home Depot—56 million records
Wyndham Worldwide—600,000 records
A Wendy’s breach in 2016 affected more than 1,000 locations, but the company never disclosed how many customer accounts were exposed.
According to the Breach Level Index tracker, nearly 15 billion records have been compromised since 2013, at a rate of about 75 records per second. The 2018 Cost of a Data Breach Study from the Ponemon Institute and IBM Security estimates that the global average cost of a data breach is now $3.86 million, with an average cost per compromised record of $148.
Direct costs include business disruption and downtime, incident investigation, restoring IT systems, identifying and notifying victims, legal services, public relations, and more. Long term, organizations that suffer a data breach can experience losses due to customer churn, litigation, fines and other penalties, and higher insurance premiums.
A data breach can also affect shareholder value. Comparitech recently analyzed the stock prices of 24 publicly traded companies over a three-year period starting the day before they disclosed their data breach to the public.
Comparitech found that the stock prices of breached companies fell 2.89% on average approximately 14 market days after the disclosure. While the stocks gained ground over time, they underperformed NASDAQ -3.70% after the first year, -11.35% after the second year, and -15.58% after the third year.
The Caremark Challenge
Traditionally, shareholder lawsuits stemming from high-profile data breaches have come in the form of derivative claims, in which shareholders sue a third party (often a director or officer) on behalf of the company. Specifically, data breach lawsuits are so-called “Caremark claims,” in which shareholders seek to hold directors responsible for “corporate trauma.” The case In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), has become shorthand for this type of lawsuit.
In Caremark, the shareholders alleged that the company’s directors breached their fiduciary duty of care by failing to implement adequate controls to prevent employees’ criminal offenses. The Delaware Chancery Court found that simply failing to detect criminal activity was not evidence of bad faith—plaintiffs would have to establish “sustained or systematic failure of the board to exercise oversight.”
In South ex rel. Hecla Mining Co. v. Baker, 62 A.3d 1, 15 (Del. Ch. 2012), the court further noted that plaintiffs must show that the board “consciously failed to act after learning about evidence of illegality.”
Caremark claims are largely unsuccessful due to this high bar. Derivative actions in the wake of the Wyndham, Target, and Home Depot breaches were all dismissed. A derivative claim against Wendy’s was settled last year, but only for modest attorneys’ fees and an agreement to take preventive cybersecurity measures.
Yahoo’s shareholders sidestepped the Caremark challenge by bringing a securities class action lawsuit in January 2017. Rather than suing on behalf of the company as in a derivative claim, the shareholders sued on their own behalf, alleging that they suffered significant damages due to a “precipitous decline in the market value” of Yahoo’s common shares. The suit sought to impose direct liability on two of the company’s officers for failing to disclose the data breach that resulted from cyberattacks in 2013 and 2014 and the extent of the damage.
At the time the suit was filed, Yahoo had revealed that the 2014 attack exposed the information of about 500 million users. Later it was determined that the two attacks had compromised all 3 billion Yahoo user accounts, making it the largest breach in history.
Ongoing Litigation Related to Data Breaches
The Yahoo breaches first came to light in 2016, when Verizon was in negotiations to buy Yahoo’s core internet business. The securities lawsuit alleged that Yahoo’s stock declined substantially after disclosure of the breach and that Verizon began “considering ways to amend the terms of its deal with Yahoo to reflect the impact of the data breach.” Ultimately, Yahoo was forced to knock $350 million off its sale price to Verizon.
Yahoo moved to dismiss the securities lawsuit amid ongoing settlement negotiations between the parties. After the full extent of the breach came to light, the judge granted the plaintiffs leave to file an amended complaint. On March 2, 2018, Yahoo announced that it would settle the lawsuit for $80 million. The settlement represents the first significant recovery in a breach-related lawsuit.
This case is of particular note for those involved in ongoing litigation related to the 2017 Equifax breach. In January, the judge denied a motion to dismiss Equifax and former CEO Rick Smith from a securities class action suit—the first breach-related claim against a corporate officer to survive a motion to dismiss.
The Yahoo settlement has also prompted other securities class action lawsuits.
On Sept. 27, 2018, shareholders filed suit against educational services company Clegg, Inc. and its CEO for failure to disclose a lack of adequate security measures and internal controls that exposed the company to losses.
On Dec. 1, 2018, Marriott’s shareholders filed a similar suit against the company and several of its officers, just one day after Marriott publicly disclosed its data breach.
Yahoo Case: Important Precedent or Unique Circumstances?
The success of these lawsuits is not a foregone conclusion. The Yahoo case was unique in terms of the scope of the breach and its financial impact. Nevertheless, it has opened the door to a potentially successful avenue for holding directors and officers accountable for breach-related losses.
As data breaches continue to grow in size, cost, and frequency, opportunities in the cybersecurity legal field will continue to increase as well. To learn more about legal opportunities in cybersecurity, read this Law.com article, “Legal Tech's Predictions for 2019 in Cybersecurity and Privacy.” If you’re interested in obtaining a legal education that specializes in cybersecurity, read more about Purdue Global Law School’s EJD program.