This article first appeared in the December 2016 issue of PLC Magazine.
Cyber risk, which is a broad concept that encompasses all risks that arise from the use of technology and data, has recently undergone a surge in prominence. This is in part because of a number of high-profile adverse cyber incidents that have brought the issue of cyber risk to the forefront of public attention around the world. Recent statements by governments, such as the UK government's announcement on 1 November 2016 of its long-term investment in a new national cyber security strategy, also highlight the importance of the issue (www.gov.uk/government/news/britains-cyber-security-bolstered-by-world-class-strategy).
At a corporate level, most people are now aware that an adverse cyber incident can have significant consequences for an affected organisation (see feature articles "Cyber security: top ten tips for businesses" and "Cyber security: litigation risk and liability"). National and international news outlets are frequently reporting that companies have incurred regulatory fines and penalties for failing to manage cyber risk adequately, class action lawsuits are increasingly being filed for losses of customer data and significant reputational harm has been incurred as a result of hackings and data breaches (see News brief "Panama papers: time to firm up on cyber security?").
What is less well known is the liability risk that individual directors may face in relation to cyber risk. This article outlines some of the potential liabilities that company directors might incur in a range of jurisdictions around the world. These issues are also prevalent in a broad range of jurisdictions across Europe, the Americas, Africa and Asia-Pacific. Directors of international organisations should familiarise themselves with the risks they face in a global environment is increasingly affected by cyber risk.
Cyber risk and boards
It is clear that although cyber risk is growing in prominence, not all company directors are well informed about the issue. In January 2015, the UK government's FTSE 350 Cyber Governance Health Check Tracker Report found that only 5% of main boards indicated that they regularly and thoroughly review their key information and data assets. Only 1% of boards were described as fully informed and skilled in respect of cyber security. Similarly, a UK government survey conducted by PwC in 2015 showed that just 42% of 9,700 executives in over 150 countries said that their boards are involved in security strategy, and only 25% said that their boards are involved in reviewing security and privacy threats.
Despite this apparent lack of board-level input, it is undeniable that cyber risk affects practically every business. According to a survey commissioned by the government, nearly nine out of ten large organisations have suffered some form of cyber security breach. The cost of a major cyber incident is likely to be significant. For example, studies have shown that the estimated average cost of a data breach in the UK financial services sector is in excess of $4 million. In addition, the global shift towards a digital economy means that cyber security and the protection of personal data are subject to increased legal and regulatory scrutiny.
New legislation in a range of jurisdictions, most notably in the EU under the new General Data Protection Regulation (679/2016/EU) (GDPR), will see organisations being held to higher standards than ever in terms of their use of personal data, with severe penalties for non-compliance (see feature article "General Data Protection Regulation: a game-changer"). Legal developments and shifts towards a more litigious culture relating to cyber risk and, in particular, the use of personal data in various jurisdictions also mean that more litigation is being brought against organisations for matters that relate to cyber risk.
These increased risks can translate into personal liability for board members in a variety of ways (see box "How personal liability may arise"). While the scale and severity of personal liability risks can vary across different jurisdictions, personal liability is possible in all jurisdictions (see box "Protecting directors against personal liability"). It is therefore imperative that directors of organisations that operate internationally familiarise themselves with the potential liability landscape in all jurisdictions in which they are active.
In the UK, directors' fiduciary duties to the company are largely codified under the Companies Act 2006 (2006 Act) (for background, see feature article "Directors' duties: current interpretation and future reforms"). Among other things, directors of UK companies are under a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the conduct of their role (sections 172 and 174, 2006 Act). A board's failure to understand and mitigate cyber risk, for example by failing to implement appropriate cyber security measures, could equate to a breach of these duties. The duty to exercise reasonable care, skill and diligence requires the standard of a reasonably diligent person with the knowledge and skill of the director in question. Directors who fail to manage cyber risk adequately may not reach this standard. Breach of directors' duties can lead to a claim being brought against the directors by the company or by shareholders through a derivative action.
Directors are likely to come under increased scrutiny in future in relation to cyber risk given new developments in English law. Recent case law has established that claims may be brought in tort for misuse of private information and that claims may be brought by third parties in relation to contraventions of the Data Protection Act 1998, even in circumstances where the claimant has not suffered pecuniary loss (Google Inc v Vidal-Hall and other  EWCA Civ 311; see News brief "Claims for misuse of information: the DPA comes of age"). While these claims are usually brought against the company rather than the individual directors, they are likely to bring into the spotlight the question of whether directors have complied with their duties to manage cyber risk.
Legislative change will also have an impact on the potential liability risk in the UK. The GDPR will apply in all EU member states from 25 May 2018 and the UK government confirmed on 24 October 2016 that the UK will implement it in May 2018, irrespective of the UK's future relationship with the EU. The GDPR will impose onerous standards on organisations that control or process personal data. Certain incidents relating to personal data will need to be notified to the data privacy regulator within 72 hours and notification to affected data subjects will need to be made without undue delay.
Penalties for non-compliance will be severe, being up to the higher of €20 million or 4% of the organisation's worldwide turnover. The responsibility for compliance with the GDPR will, in practice, fall on the organisation's directors, which will add to the burden that directors already face in discharging their duties to the company. In addition, the Information Commissioner's Office, the UK's data privacy regulator, is already empowered to request personal undertakings as to future conduct from senior board members to ensure that the company complies with its data protection obligations going forward.
The Network and Information Security Directive (2016/1148/EU) (NIS Directive) is another piece of EU legislation that will require organisations in certain industry sectors to implement minimum cyber security standards (see box "NIS Directive"). While it is as yet unclear how the NIS Directive will be implemented in the UK, this is something that directors in the relevant industry sectors will need to consider in detail.
Further legislative change may also be on the horizon in the UK. In a meeting to discuss the UK's draft Digital Economy Bill in October 2016, the Information Commissioner recommended imposing personal liability and accountability on directors of companies that violate data protection laws. Directors should monitor this possible development closely.
Directors of regulated entities also need to be aware that a failure to manage cyber risk adequately could equate to a breach of their personal regulatory obligations. In the financial services sector, the Financial Conduct Authority will closely scrutinise the acts of directors who fall within the definition of a senior manager for the purposes of the UK financial services regulatory regime, and will take action if a director fails to discharge his regulatory duties as a result of not properly managing the cyber risk that the organisation faces (see Briefing "Senior managers and certification regime: food for thought for in-house lawyers").
Directors of listed entities are also responsible for the company making appropriate disclosures under the Listing Rules. Disclosures may be required in the event of an adverse cyber incident and directors may ultimately be held responsible for any non-compliance.
Under German law, directors can be held liable for breach of their duties, which include a duty to ensure that the IT infrastructure of a company is sufficiently protected in order to ensure the security of data and the avoidance of cyber risks. Directors are therefore obliged to ensure that they incorporate the necessary technical and organisational measures that are set out in the German Data Protection Act (Bundesdatenschutzgesetz) and the German IT Safety Act (Bundessicherheits- und Informationstechnikgesetz).
German law requires companies that have a high level of dependence on their IT systems to take a more cautious approach towards cyber risk. A higher level of monitoring will also be expected in order to guarantee adequate IT security, and any failure to protect the company's systems adequately due to organisational fault or personal failure may lead to directors incurring liability to their company.
While directors of German companies may face liability to the company for breach of their duties, third parties can, generally speaking, only bring claims against the company rather than against individual directors. However, claims may in some circumstances be brought against a director directly, if that director has committed deliberate wrongdoing or acted with gross negligence in relation to a cyber incident which has led to a third party incurring loss. In practice, there have not been many cases where a director or an executive of a company has faced personal liability for matters relating to cyber risk, however, the liability risk does exist.
The GDPR and the NIS Directive will also affect the potential liabilities of directors and executives for matters relating to cyber risk (see The UK above).
United Arab Emirates
Under United Arab Emirates (UAE) law, directors and executives of a company can face personal liability for matters relating to cyber risk.
The board of directors of a public joint stock company is liable to the company, its shareholders and third parties for certain acts (Article 162, UAE Federal Law No 2 of 2015 on Commercial Companies). These include all acts of fraud, misuse of power, breach of the UAE Commercial Companies Law or the company's articles of association, or an error in management. These provisions also apply equally to limited liability companies.
There is little reported case law providing guidance on how the UAE courts interpret the potential application of certain provisions under UAE company law and, in particular, the scope of an error in management. However, it is a potentially wide-ranging offence that is not necessarily limited to acts of deliberate or serious wrongdoing. It may, therefore, be applied to a failure to manage cyber risk properly.
In addition to the general liability provisions under the UAE Commercial Companies Law, UAE law also sets out certain areas that may expose a director or executive to criminal sanctions, which include using or disclosing company secrets.
Directors and executives should be mindful that potential criminal liability exists, not only under the law as set out above, but also under the Penal Code and the Cybercrimes Law for the unauthorised disclosure of personal information. Reportedly, in March 2015, three executives at a customer service centre in the UAE were all temporarily imprisoned on the grounds of a breach of privacy in connection with the installation of CCTV.
Sector and zone regulation
In addition to federal laws, companies operating in certain sectors or free zones within the UAE may be subject to specific regulation. This includes telecoms operators, who have to comply with the Telecommunications Regulatory Authority's Consumer Protection Guidelines, including provisions on the protection of subscriber information, and businesses operating in the financial services free zones of Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). Both of these free zones have specific data protection legislation which applies to companies operating within those zones.
While there is currently no specific data protection law in the UAE, it has been reported that a draft federal privacy law is under consideration. This law, if enacted, may include more direct responsibilities and liabilities for company directors in relation to data breaches.
As mentioned above, the UK Information Commissioner has recommended imposing personal liability and accountability on directors of companies that violate data protection laws. While the UK legislation would not be directly enforceable in the UAE, both DIFC and ADGM openly take a lead from European and UK legal developments in this area and their respective data protection regimes are modelled on the current EU legislation. It is possible that a formal adoption of these measures in the UK may be reflected in future updates to the regulations in DIFC or ADGM, or both.
Under US law, directors and executives of a company face a range of personal liabilities for matters relating to cyber risk.
While the laws vary at the individual state level, director fiduciary duty law in the US is largely influenced by Delaware law because of the large number of companies established in Delaware. Because of Delaware's importance in corporate law generally, Delaware's laws on these issues often shape standards used in interpreting other states' laws.
Under Delaware law, directors owe fiduciary duties of care and loyalty to the company (section 141(a), Delaware General Corporation Law). Case law has established that the fiduciary duty of care requires directors to act with a degree of care that ordinary careful and prudent men would use in similar circumstances (Graham v Allis-Chalmers Mfg Co 188 A 2d 125, 130 (Del 1963)). Under this standard, directors must act on an informed basis, in good faith and in the honest belief that the action was in the best interests of the company (Smith v Van Gorkom 488 A 2d 858, 872 (Del 1985)). The duty of loyalty has been interpreted and applied in case law to incorporate a duty of oversight, a breach of which occurs if directors "utterly fail" to implement any reporting or information systems or controls or if, after implementing these systems, directors fail to monitor or oversee the operation of these plans (Stone v Ritter 911 A 2d 362, 370 (Del 2006)). This standard could be applied in the context of adverse cyber incidents.
Following a data breach, a company's board of directors may also be subject to litigation brought by shareholders claiming a breach of the directors' fiduciary duties. A number of these derivative actions have recently been filed following high-profile data breaches. These actions are typically based on claims that, by failing to implement adequate information security policies, the directors allowed a breach to occur which damaged shareholders through decreased stock prices.
While the claim in relation to one high-profile breach, in which three separate data breaches of payment card information affected more than 619,000 customers, has been dismissed, others are still pending. Although claimants in these cases face a high pleading standard, the cases can create significant legal expenses for the defence, and frequently lead to resignation by various board members or company executives.
The outcome of pending cases involving large companies, or any other similar cases that may be filed, will have a significant role in how the law develops because, to date, very few cases relating to data breaches have been filed. As more cases are filed and resolved, the landscape identifying how courts will view fiduciary obligations in the context of data breaches will become clearer and better developed.
Directors and executives of a company can face personal liabilities for matters relating to cyber risk under Canadian law.
The Canada Business Corporation Act RSC 1985 (CBCA) requires every director to exercise their powers and duties with the care, diligence and skill that a reasonable prudent person would exercise in the same circumstances. Directors' duties of care include good faith efforts to ensure that controls for known risks are implemented, as well as ensuring that monitoring and reporting systems are in place in relation to those risk controls. The CBCA provides for shareholder derivative actions for breaches of duties owed by directors to the company and the recovery of monetary damages on behalf of the company (section 239(1)).
Public companies face particular exposures relating to cyber risk in Canada. Directors face liability for omissions or misrepresentations in public disclosures and a notice published by the Canadian Securities Administrators on 26 September 2013 stated that issuers should consider whether their cyber-crime risks, any cyber-crime incidents they may experience, and any controls they have in place to address these risks, should be disclosed in a prospectus or a continuous disclosure filing (CSA Staff Notice 11-326).
In addition to possible regulatory proceedings against directors for failures to disclose properly a material fact or a misrepresentation in a disclosure document concerning a material cyber risk or incident, directors also face potential liability to shareholders in securities class actions.
Statutory liabilities for directors under privacy statutes in Canada also exist, although they are limited to only some jurisdictions. For example, breaches of Quebec's privacy statute can lead to monetary fines against directors who ordered or authorised the collection or holding of personal information without taking reasonable security measures necessary to ensure the protection of that information (An Act respecting the protection of personal information in the private sector RSQ c P-39.1). Similarly, officers face monetary fines under Ontario's Personal Health Information Protection Act 2004 for the wilful collection of health information without reasonable steps in the circumstances to ensure protection of that information where the officer authorised the collection or had the authority to prevent it but knowingly refrained from doing so.
Directors and executives of a company may also face personal liabilities in relation to cyber risks under South African law.
A failure to implement appropriate cyber security or cyber risk management measures could constitute a breach of directors' fiduciary duties. These fiduciary duties were established by way of the common law, and have largely been codified by the Companies Act No 71 of 2008 (Companies Act). Directors could therefore conceivably face personal liability to the company and to third parties for a breach of these duties that relates to cyber risk.
A breach of directors' fiduciary duties could lead to claims being brought against directors and executives in contract or tort. This is partly due to the wide scope of the South African common law principles which stipulate that any person who contravenes the Companies Act is liable to any other person for any loss or damage suffered by that person as a result of that contravention.
Depending on the particular circumstances, a breach of fiduciary duty could lead to regulators taking action against directors or executives. This would depend on the particular regulatory framework and industry within which the company operates. Under South African law, there are mechanisms which allow complaints to be made to the Companies and Intellectual Property Commission (CIPC). CIPC can investigate these complaints and various mechanisms allow action to be taken against a company or its directors.
Right to privacy
Depending on the particular circumstances, directors and executives may face personal liability as a result of having breached privacy law in South Africa. The right to privacy is protected under the common law in South Africa. South Africa has also passed the Protection of Personal Information Act 3 of 2013 (POPI). While no commencement date has been set for the implementation of POPI in its totality, steps have been taken to, for instance, establish the office of the Information Regulator. Under POPI, regulatory action may be taken against an organisation or person for any contravention. Depending on the nature of the contravention, a director may face civil fines, administrative fines, penalties and even a period of imprisonment.
In Australia, the emerging view is that managing cyber risk falls under the risk management umbrella of boards of directors. All directors and officers have a key responsibility to ensure that companies adopt appropriate risk management strategies to protect the company and its shareholders. Although there is little authority at this stage for how regulators and courts will deal with the issue as it relates specifically to cyber risk, it is anticipated that, in the event of a cyber incident, the directors' and officers' conduct will be assessed in the context of their overall duties to the company and shareholders and their overall risk management function.
When managing and controlling a company, directors and officers have a fundamental non-delegable duty to exercise reasonable care and diligence under Australian law, both under section 180 of the Corporations Act 2001 (Cth) and the common law. Although currently untested in the context of cyber risk, in interpreting the scope of this duty the courts have increasingly imposed a high standard of care on directors and officers, requiring them to understand intimately and manage actively all risks associated with the company.
The primary corporate regulator, the Australian Securities and Investments Commission (ASIC), has the power to bring an action against directors and officers for a breach of their duties. The consequences are potentially serious, and include a declaration of contravention, pecuniary penalties, compensation orders and disqualification of the director or officer from managing a corporation.
In addition to direct regulatory action brought by ASIC, a failure by directors and officers to take reasonable steps to prevent, or respond appropriately to, a cyber incident may also give rise to civil proceedings, either by affected individuals or, if it is in the best interests of the company to do so, in the form of a derivative action brought by shareholders. Private litigation often follows regulatory investigations, as these investigations typically expose the inner failings of the company and provide the relevant evidence and roadmap necessary to formulate an action.
Australia has an active securities class action culture, fuelled by a well-developed plaintiffs bar and litigation funding industry. It is likely that the question of directors' liability arising out of a cyber incident's impact on a company's share price may be tested in the courts, although this has not yet occurred to date.
All Australian companies publicly listed on the Australian Securities Exchange (ASX) have an obligation to inform the ASX of any information that a reasonable person would expect to have a material effect on the price or value of the company's securities. Directors and officers of publicly listed companies should carefully consider whether they have an obligation to notify the ASX of a cyber incident and, if so, the timing and content of this notification.
There are various industry-specific disclosure obligations that exist should a cyber incident occur, and directors and officers should be aware of the obligation to notify regulators and affected individuals of cyber incidents. For example, financial services companies regulated by the Australian Prudential Regulation Authority must notify the regulator of major IT security incidents. A failure to notify is a strict liability offence and penalties of up to AU$36,000 may apply.
All organisations subject to the Privacy Act 1988 (1988 Act) have an obligation to maintain the security of personal information. In general, organisations that have a turnover of more than AU$3 million annually, as well as some small businesses such as private health service providers and businesses that buy and sell personal information, are subject to the 1988 Act.
The Australian government has recently introduced draft legislation which, if enacted, would require organisations and agencies subject to the 1988 Act to notify the Privacy Commissioner and affected or at risk individuals if an eligible data breach occurs (the Privacy Amendment ( Notifiable Data Breaches) Bill 2016). A failure to do so will be deemed to be an interference in the privacy of affected individuals, and penalties of up to AU$1,800,000 will apply.
Various legislative regimes that impose civil penalties on companies for contravening the relevant regulatory requirements also have in place ancillary liability provisions under which directors and officers could be held personally liable where it can be shown that they were involved in the contravention; that is, through aiding, abetting, counselling or procuring the relevant contravention. An example of this legislation is the Competition and Consumer Act 2010, which makes it an offence for a company to engage in misleading or deceptive conduct. A director or officer could be personally liable if it can be shown that he was involved in the misleading or deceptive conduct. While ancillary liability may be difficult to establish, the liability mechanism nevertheless exists and directors and officers should be wary of any representations they make about the company's state of cyber security.
Ffion Flockhart is a partner, and Steven Hadwin is an associate, in the London office; David Navetta is a partner, and Kris Kleiner is an associate, in the Denver office; Dino Wilkinson is a partner in the Abu Dhabi office; Steve Tenai is a partner in the Toronto office; Christoph Ritzer is of counsel in the Frankfurt office; Elsa Jordaan is a director in the Johannesburg office; and John Moran is a partner, and Reece Corbett-Wilkins is an associate, in the Sydney office, of Norton Rose Fulbright.