Cybersecurity Risks Reviewed: Directors And Officers Must Be Proactive And Prepared

As recent events have made abundantly clear, threats to corporate cybersecurity are an issue that companies, their boards and their managers cannot afford to ignore. Cyberattacks and other threats to data security are alarmingly common. In its "2014 Data Breach Investigations Report," Verizon confirmed there were more than 63,000 cybersecurity incidents in 2013, resulting in more than 1,300 confirmed data breaches.1 The Ponemon Institute, a data security research firm, estimates that cybercrime costs more than $113 billion a year worldwide and that the average cost to a company of a data breach is $3.5 million.2 More and more business systems are networked, and so long as the Internet continues to play an expanding role in commerce, both the motive and opportunities for cybercrime will expand alongside it.

The highly publicized data theft suffered by Target in November 2013 is just one example of the tremendous costs that a cyberattack can inflict on a company's bottom line, as well as its reputation. More than 110 million customer records were stolen in that attack, including the data from more than 40 million credit and debit cards.3 And although Target's data breach is remarkable for its size, it is otherwise typical of an increasingly common threat and serves as a useful illustration of the variety of costs that a data breach can inflict on a business and its leaders. Target has spent $87 million on data breach-related expenses through May 2014, and these costs are ongoing.4 They include internal investigation costs, additional call center staffing, legal and professional fees, and compensation to payment card networks for fraud losses. But these direct costs do not represent the totality of the risks that data breaches pose to companies. This article explores some of the many risks that directors and officers must consider in planning for and responding to a cyberattack.

Reputational Risk

Companies face serious reputational risk in the wake of a data breach, which could create significant economic loss. For example, after announcing its recent breach, Target experienced a 46 percent drop in net profit during the holiday shopping period. And although consumers have largely returned to Target's stores, some companies may not easily regain their customers' trust. During an SEC roundtable on cybersecurity in March, one panelist opined that a single incident of customer loss due to data intrusion would probably bring down an investment manager or securities broker-dealer because the loss of customer confidence in the financial services industry could be irreparable.5

Litigation Risk

Significant data breaches almost inevitably will be met with litigation, which often becomes a drawn-out and expensive distraction from a company's day-to-day operations. In its year-end report, Target disclosed that more than 80 actions have been filed in courts nationwide. Sony similarly faced almost 60 lawsuits after a 2011 cyberattack on its PlayStation network.6 Reviewing even a small number of these lawsuits demonstrates the multiplicity of legal claims that a company may face after a data breach. A sampling of the various types of litigation risks is described briefly below.

Direct Consumer Economic Loss

Companies may face litigation seeking to recoup direct economic losses sustained by the customers or individuals whose data is breached. In Target's case, the bulk of the losses from fraudulent use of the stolen payment card information have fallen on the issuers of those cards, and as losses have mounted, a number of banks and card issuers have sued to recoup their costs. One such complaint alleges that it has cost banks more than $172 million just to re-issue stolen payment cards and cites an analysis by the investment bank Jefferies estimating that the total losses from the data theft may total more than $1 billion.7

Violation of Data Privacy Laws

Even in data breaches that do not involve banking or credit card information, or where there are no fraud losses, there can still be substantial exposure to litigation by individuals whose personal information was compromised. In Target's case, dozens of lawsuits have been brought on behalf of consumers, seeking damages for negligence and for violations of state data privacy laws.8 Forty-six states, plus the District of Columbia, have passed data privacy laws requiring entities sustaining a data breach to promptly notify any individual whose personal information was, or was reasonably believed to have been, compromised.

Although the precise...
