Boards and Black Hats: Director and Officer Liability for Cybersecurity Breaches

Post on 24-Jun-2020

Page 1: Boards and Black Hats - LSUC...Cybercrime Organizations and Drivers • Largest group of cyber criminals are organized crime –Financially motivated –Low risk due to lack of extraterritorial

Boards and Black Hats

Director and Officer Liability for Cybersecurity Breaches


Ryder Gilliland

Ryder practices complex litigation and dispute resolution. He regularly advises clients on matters relating to fraud, extortion and security breaches requiring internal and/or external investigation and corporate reputation management. In the cybersecurity space, Ryder has assisted clients with a variety of issues ranging from lost or stolen data, cyber-extortion threats, malware and phishing attacks and vendor service provider breaches. He is the breach coach for a leading cyber-insurance provider and regularly advises clients respecting cyber-breach preparedness issues. He is a seasoned litigator with broad experience that includes appearances at the Supreme Court of Canada in several of the leading access to information and privacy cases.


Joseph Coltson

Joseph is Managing Director at Duff & Phelps, responsible for Global eDiscovery, Forensic Services and Information Security.

Prior to Duff & Phelps, Joseph was President and co-founder of Harvester Forensics Ltd. Prior to starting Harvester, Joseph was a Vice President at KPMG, and is a 16-year veteran police officer with extensive investigative experience, both traditional and technical.

Joseph has testified at all levels of court proceedings and has been qualified as an expert witness on a number of occasions in both criminal and civil matters. Joseph is also a seasoned and successful Investigative Interviewer.

Joseph has extensive experience supporting litigation mandates and project management. He has worked on several engagements involving active litigation, internal and external investigations, fraud, arbitrations, tobacco litigation, securities litigation, class actions, Health Care litigation, IP theft, Cartel investigations and other complex matters.

Joseph has authored many articles on topics related to his practice. His articles have appeared in a number of different publications.

Outside Duff & Phelps, Joseph has taught and developed Investigative Interviewing, Data Forensic, eDiscovery, Investigative and Information Security courses and lectures at the University, College and professional levels. Joseph has instructed Federal Attorneys and civil litigators on technological evidence on a number of occasions, and has presented to various Attorneys’ Associations on computer forensics.

Joseph holds an ICD.D designation from the Institute of Corporate Directors and a Master’s degree. He holds a number of professional certifications including Certified Forensic Computer Examiner and Certified Electronic Evidence Collection Specialist and is a past President of the High Tech Crimes Investigators Association.

Duff & Phelps

Managing Director and Global Lead, eDiscovery, Forensic Services and Information Security

U.S. Office: Duff & Phelps, LLC, 55 East 52nd Street, Floor 31, New York, NY 10055. T +1 212 871 6284, M +1 647 298 1869

Canada Office: Duff & Phelps Canada Limited, Bay Adelaide Centre, 333 Bay Street, 14th Floor, Toronto, ON M5H 2R2. T +1 416 361 6740, F +1 647 497 9494


Outline

1. Cybersecurity Risk Background
2. Sources of D&O Liability
3. U.S. Example Cases
4. CSA Guidance


A Growing Risk

CYBERSECURITY BREACHES


Context

• Numerous high-profile cybersecurity breaches in recent years
  – e.g. Ashley Madison:
    • Infamous infidelity website, based in Toronto
    • Details of 30+ million customer accounts compromised
    • Included names, addresses, phone numbers, credit card info, hashed passwords


Costs of Breaches

• Class action lawsuits, mitigation efforts (such as credit monitoring), regulator fines, loss of confidential business information, reputational harm
• Difficult to assess – can vary significantly depending on circumstances


Canadian Directors and Officers

DUTIES AND SOURCES OF LIABILITIES


D&O Obligations

• Personal liability of directors and officers generally limited
• Common law and statutory exceptions
  – Breach of duty of care / fiduciary obligations
  – Secondary market disclosure liability


D&O Duty of Care

• Fiduciary obligation to act honestly and in good faith in the best interest of the corporation
• Exercise reasonable care and diligence
  – “Reasonably prudent person” standard
• Under common law and statute


Business Judgment Rule

• Courts reluctant to interfere in business decision-making:
  – “Provided the decision taken is within a range of reasonableness, the court ought not to substitute its opinion for that of the board even though subsequent events may have cast doubt on the board’s determination. As long as the directors have selected one of several reasonable alternatives, deference is accorded to the board’s decision”
• Maple Leaf Foods Inc v Schneider Corp (1998) 42 OR (3d) 177 (Ont CA), cited in Peoples Department Stores Inc. (Trustee of) v Wise, 2004 SCC 68 at para 65.


Derivative Actions

• Shareholders can seek to bring action against directors in the name of the corporation
• Requires leave of the court
  – Must be “in the interests of the corporation or its subsidiary”
• High threshold, comparatively rare


Secondary Market Liability

• Public corporations (issuers) liable under securities laws for:
  – Misleading statements or omissions
  – Failure to disclose material changes
• Directors and officers who authorized, permitted, or acquiesced in the violation also personally liable


United States Examples

DERIVATIVE ACTIONS


U.S. Examples: Derivative Actions

• TJX (2006)
  – In-store networks poorly secured, below Payment Card Industry data security standards
  – 94 million customer credit and debit cards compromised plus personal info of customers making returns


U.S. Examples: Derivative Actions

• TJX (2006)
  – Louisiana Municipal Police Employees’ Retirement System v Alvarez
  – DE Chancery Ct
  – Settled for $595,000
  – Compare to total estimated cost: $256 million (including settlements with consumers, states, banks and credit card companies)


U.S. Examples: Derivative Actions

• Wyndham Worldwide (2010)
  – Global hotel chain
  – Three separate attacks between April 2008 and January 2010
  – Personal information of 600,000+ customers breached


U.S. Examples: Derivative Actions

• Wyndham Worldwide (2010)
  – Palkom v Holmes et al
    • US Dist Ct NJ
  – Dismissed: business judgment rule applied


U.S. Examples: Derivative Actions

• Target (2013)
  – 40 million credit and debit card numbers
  – 70 million addresses, phone numbers, and other personal information of customers
  – Company had installed a malware detection tool that raised alarms – but the alarms were ignored by the security team


U.S. Examples: Derivative Actions

• Target (2013)
  – Kulla v Steinhafel; Collier v Steinhafel
    • US Dist Ct MN
  – Derivative actions against Target’s directors
  – Special Litigation Committee struck
  – 21-month investigation, concluding actions were not in company’s best interest
  – Action dismissed


U.S. Examples: Derivative Actions

• Home Depot (2014)
  – 56 million credit and debit cards
    • Canada and US
  – Most store networks below Payment Card Industry data security standards – company was slowly upgrading


U.S. Examples: Derivative Actions

• Home Depot (2014)
  – Bennek v Ackerman; Frohman v Ackerman
    • US Dist Ct GA
  – Dismissed: Business judgment rule applied
  – “…what the Plaintiffs are asking the Court to conclude from the presence of these “red flags” is that the Directors failed to see the extent of Home Depot’s security risk and therefore made a “wrong” business decision by allowing Home Depot to be exposed to the threat of a security breach. With hindsight, it is easy to see that the Board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one. But this decision falls squarely within the discretion of the Board and is under the protection of the business judgment rule.”


United States Examples

SECONDARY MARKET LIABILITY


U.S. Examples: Derivative Actions

• Heartland Payment Systems (2007)
  – Payment processor, 130 million credit and debit cards stolen


U.S. Examples: Derivative Actions

• Heartland Payment Systems (2007)
  – In Re Heartland Payment Systems Inc. Securities Litigation (US Dist Ct NJ)
  – Plaintiffs alleged CEO and CFO concealed existence of breach when they said “We’ve never had anything close” to the TJX hack and misrepresented overall state of security
  – Dismissed: Not misleading as breach did not result in major financial cost; never asked to specify about general cybersecurity


U.S. Examples: Derivative Actions

• Home Depot (2014) – Bennek v Ackerman
  – Plaintiffs alleged that 2012 proxy circular created false impression of care in statement that audit committee would now be overseeing infrastructure risks
  – Dismissed: plaintiffs unable to point to any specific statements in the proxy that were materially misleading or false


Legislative Liability?

• 2017 UK Digital Economy Bill
• Personal liability for directors and officers who fail to pay fines for breaches of Data Protection Act 1998
• Presently under debate


Avoiding Liability

CSA GUIDANCE


CSA Staff Notices

• 2013 Staff Notice 11-326
  – Brief, awareness-oriented
  – “Issuers, registrants and regulated entities who have not considered the risks of cyber crime to date should consider how they can best address the risks of cyber crime.”


CSA Staff Notices

• 2016 Staff Notice 11-322
  – Begins by noting “Since the 2013 Notice, the cyber security landscape has evolved considerably, as cyber attacks have become more frequent, complex and costly for organizations.”
  – Provides long list of recommendations and guidance material
  – Notes intention to continue monitoring the issue and promote coordination efforts


CSA Recommendations

• manage cyber security at an organizational level with responsibility for governance and accountability at executive and board levels;
• organize its cyber security activities at a high level: Identify, Protect, Detect, Respond, and Recover;
• establish and maintain a robust cyber security awareness program for staff;
• formulate a clear understanding of the business drivers and security considerations specific to its use of technology, systems and networks;
• understand the likelihood that an event will occur and the resulting impact in order to determine the acceptable level of risk appetite according to its risk tolerance, budget and legal requirements;
• manage cyber security risk exposures that arise from using third-party vendors for services;
• consider methodology to protect individual privacy as well as any obligations to report cyber security breaches to a regulatory authority;
• consider whether to share information about cyber incidents with Market Participants;
• communicate, collaborate and coordinate with other entities;
• establish plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion; and
• treat cyber security programs as living


Cybercrime Organizations and Drivers

• The largest group of cyber criminals is organized crime
  – Financially motivated
  – Low risk due to lack of extraterritorial jurisdiction
  – 2016 saw commoditization of cybercrime services, lowered barrier to entry
• What do they want? Data
  – Steal and sell identities
  – Encrypt and ransom critical data ($1 billion industry in 2016)
  – Extortion by threatening to release sensitive data
  – IP theft & corporate espionage (less organized crime, more nation state)
  – Steal banking passwords for wire fraud


Biggest Threats

• Social Engineering
  – Phishing & phone calls leverage employees over-sharing on social media
• Internet of Things
  – Does the cybersecurity program cover the office WiFi teapot?
  – New (and therefore unregulated) industry
• Compromise of a business partner or service provider
• Insider threats
  – Former/disgruntled employee, malicious insider, negligent employee


Not all breaches are created equal

Law Firm
• Significant impact to reputation as trust and matter confidentiality is foundational to client relationship
• Fewer clients (relatively speaking) to bring a class action or to cover for credit monitoring
• Smaller IT footprint to investigate and remediate

Retail Chain
• Minimal impact to reputation; trust is less critical to customer loyalty. Ex: Eventually you have to go back to Home Depot to buy that screwdriver
• Large volume of customers means increased cost for credit monitoring and larger class actions
• IT infrastructure present in many locations complicates investigation and slows remediation


Questions?