TRANSCRIPT
Boards and Black Hats
Director and Officer Liability for
Cybersecurity Breaches
Ryder Gilliland
Ryder practices complex litigation and dispute resolution.
He regularly advises clients on matters relating to fraud,
extortion and security breaches requiring internal and/or
external investigation and corporate reputation
management. In the cybersecurity space, Ryder has
assisted clients with a variety of issues ranging from lost or
stolen data, cyber-extortion threats, malware and phishing
attacks and vendor service provider breaches. He is the
breach coach for a leading cyber-insurance provider and
regularly advises clients on cyber-breach
preparedness issues. He is a seasoned litigator with broad
experience that includes appearances at the Supreme
Court of Canada in several of the leading access to
information and privacy cases.
Joseph Coltson
Joseph is Managing Director at Duff & Phelps, responsible for Global eDiscovery, Forensic
Services and Information Security.
Prior to Duff & Phelps, Joseph was President and co-founder of Harvester Forensics Ltd. Prior to
starting Harvester, Joseph was a Vice President at KPMG, and is a 16-year veteran police officer
with extensive investigative experience, both traditional and technical.
Joseph has testified at all levels of court proceedings and has been qualified as an expert witness
on a number of occasions in both criminal and civil matters. Joseph is also a seasoned and
successful Investigative Interviewer.
Joseph has extensive experience supporting litigation mandates and project management. He
has worked on several engagements involving active litigation, internal and external
investigations, fraud, arbitrations, tobacco litigation, securities litigation, class actions, Health Care
litigation, IP theft, Cartel investigations and other complex matters.
Joseph has authored many articles on topics related to his practice. His articles have appeared in
a number of different publications.
Outside Duff & Phelps, Joseph has taught and developed Investigative Interviewing, Data
Forensic, eDiscovery, Investigative and Information Security courses and lectures at the
University, College and professional levels. Joseph has instructed Federal Attorneys and civil
litigators on technological evidence on a number of occasions, and has presented to various
Attorney’s Associations on computer forensics.
Joseph holds an ICD.D designation from the Institute of Corporate Directors and a Master's degree.
He holds a number of professional certifications including Certified Forensic Computer Examiner
and Certified Electronic Evidence Collection Specialist and is a past President of the High Tech
Crimes Investigators Association.
Managing Director and Global Lead, eDiscovery, Forensic Services and Information Security
U.S. Office
Duff & Phelps, LLC
55 East 52nd Street
Floor 31
New York, NY 10055
T +1 212 871 6284
M +1 647 298 1869
Canada Office
Duff & Phelps Canada Limited
Bay Adelaide Centre
333 Bay Street
14th Floor
Toronto, ON M5H 2R2
T +1 416 361 6740
F +1 647 497 9494
• 1. Cybersecurity Risk Background
• 2. Sources of D&O Liability
• 3. U.S. Example Cases
• 4. CSA Guidance
Outline
A Growing Risk
CYBERSECURITY BREACHES
• Numerous high-profile cybersecurity breaches in recent years
– e.g. Ashley Madison:
• Infamous infidelity website, based in Toronto
• Details of 30+ million customer accounts compromised
• Included names, addresses, phone numbers, credit card info, hashed passwords
Context
• Class action lawsuits, mitigation efforts (such as credit monitoring), regulator fines, loss of confidential business information, reputational harm
• Difficult to assess – can vary significantly depending on circumstances
Costs of Breaches
Canadian Directors and Officers
DUTIES AND SOURCES OF LIABILITIES
• Personal liability of directors and officers generally limited
• Common law and statutory exceptions
– Breach of duty of care / fiduciary obligations
– Secondary market disclosure liability
D&O Obligations
• Fiduciary obligation to act honestly and in good faith in the best interest of the corporation
• Exercise reasonable care and diligence
– “Reasonably prudent person” standard
• Under common law and statute
D&O Duty of Care
• Courts reluctant to interfere in business decision-making:
– “Provided the decision taken is within a range of reasonableness, the court ought not to substitute its opinion for that of the board even though subsequent events may have cast doubt on the board’s determination. As long as the directors have selected one of several reasonable alternatives, deference is accorded to the board’s decision”
• Maple Leaf Foods Inc v Schneider Corp (1998) 42 OR (3d) 177 (Ont CA), cited in Peoples Department Stores Inc. (Trustee of) v Wise, 2004 SCC 68 at para 65.
Business Judgment Rule
• Shareholders can seek to bring action against directors in the name of the corporation
• Requires leave of the court
– Must be “in the interests of the corporation or its subsidiary”
• High threshold, comparatively rare
Derivative Actions
• Public corporations (issuers) liable under securities laws for:
– Misleading statements or omissions
– Failure to disclose material changes
• Directors and officers who authorized, permitted, or acquiesced in the violation also personally liable
Secondary Market Liability
United States Examples
DERIVATIVE ACTIONS
• TJX (2006)
– In-store networks poorly secured, below Payment Card Industry data security standards
– 94 million customer credit and debit cards compromised, plus personal information of customers making returns
– Louisiana Municipal Police Employees’ Retirement System v Alvarez
• DE Chancery Ct
– Settled for $595,000
– Compare to total estimated cost: $256 million (including settlements with consumers, states, banks and credit card companies)
U.S. Examples: Derivative Actions
• Wyndham Worldwide (2010)
– Global hotel chain
– Three separate attacks between April 2008 and January 2010
– Personal information of 600,000+ customers breached
– Palkon v Holmes et al
• US Dist Ct NJ
– Dismissed: business judgment rule applied
U.S. Examples: Derivative Actions
• Target (2013)
– 40 million credit and debit card numbers
– 70 million addresses, phone numbers, and other personal information of customers
– Company had installed a malware detection tool which had raised alarms, but these were ignored by the security team
– Kulla v Steinhafel; Collier v Steinhafel
• US Dist Ct MN
– Derivative actions against Target’s directors
– Special Litigation Committee struck
– 21-month investigation, concluding the actions were not in the company’s best interest
– Actions dismissed
U.S. Examples: Derivative Actions
• Home Depot (2014)
– 56 million credit and debit cards
• Canada and US
– Most store networks below Payment Card Industry data security standards; company was slowly upgrading
– Bennek v Ackerman; Frohman v Ackerman
• US Dist Ct GA
– Dismissed: business judgment rule applied
– “…what the Plaintiffs are asking the Court to conclude from the presence of these “red flags” is that the Directors failed to see the extent of Home Depot’s security risk and therefore made a “wrong” business decision by allowing Home Depot to be exposed to the threat of a security breach. With hindsight, it is easy to see that the Board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one. But this decision falls squarely within the discretion of the Board and is under the protection of the business judgment rule.”
U.S. Examples: Derivative Actions
United States Examples
SECONDARY MARKET LIABILITY
• Heartland Payment Systems (2007)
– Payment processor, 130 million credit and debit cards stolen
– In Re Heartland Payment Systems Inc. Securities Litigation (US Dist Ct NJ)
– Plaintiffs alleged CEO and CFO concealed the existence of the breach when they said “We’ve never had anything close” to the TJX hack and misrepresented the overall state of security
– Dismissed: not misleading, as the breach did not result in major financial cost; executives were never asked to specify about general cybersecurity
U.S. Examples: Secondary Market Liability
• Home Depot (2014)
– Bennek v Ackerman
– Plaintiffs alleged that the 2012 proxy circular created a false impression of care in its statement that the audit committee would now be overseeing infrastructure risks
– Dismissed: plaintiffs unable to point to any specific statements in the proxy that were materially misleading or false
U.S. Examples: Secondary Market Liability
• 2017 UK Digital Economy Bill
• Personal liability for directors and officers who fail to pay fines for breaches of Data Protection Act 1998
• Presently under debate
Legislative Liability?
Avoiding Liability
CSA GUIDANCE
• 2013 Staff Notice 11-326
– Brief, awareness-oriented
– “Issuers, registrants and regulated entities who have not considered the risks of cyber crime to date should consider how they can best address the risks of cyber crime.”
CSA Staff Notices
• 2016 Staff Notice 11-332
– Begins by noting “Since the 2013 Notice, the cyber security landscape has evolved considerably, as cyber attacks have become more frequent, complex and costly for organizations.”
– Provides a long list of recommendations and guidance material
– Notes intention to continue monitoring the issue and promote coordination efforts
CSA Staff Notices
• manage cyber security at an organizational level with responsibility for governance and accountability at executive and board levels;
• organize its cyber security activities at a high level: Identify, Protect, Detect, Respond, and Recover;
• establish and maintain a robust cyber security awareness program for staff;
• formulate a clear understanding of the business drivers and security considerations specific to its use of technology, systems and networks;
• understand the likelihood that an event will occur and the resulting impact in order to determine the acceptable level of risk appetite according to its risk tolerance, budget and legal requirements;
• manage cyber security risk exposures that arise from using third-party vendors for services;
• consider methodology to protect individual privacy as well as any obligations to report cyber security breaches to a regulatory authority;
• consider whether to share information about cyber incidents with Market Participants;
• communicate, collaborate and coordinate with other entities;
• establish plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion; and
• treat cyber security programs as living.
CSA Recommendations
Cybercrime Organizations and Drivers
• Largest group of cyber criminals is organized crime
– Financially motivated
– Low risk due to lack of extraterritorial jurisdiction
– 2016 saw commoditization of cybercrime services, lowering the barrier to entry
• What do they want? Data
– Steal and sell identities
– Encrypt and ransom critical data ($1 billion industry in 2016)
– Extortion by threatening to release sensitive data
– IP theft & corporate espionage (less organized crime, more nation state)
– Steal banking passwords for wire fraud
Biggest Threats
• Social Engineering
– Phishing & phone calls leverage employees over-sharing on social media
• Internet of Things
– Does the cybersecurity program cover the office WiFi tea pot?
– New (and therefore unregulated) industry
• Compromise of a business partner or service provider
• Insider threats
– Former/disgruntled employee, malicious insider, negligent employee
Not all breaches are created equal
Law Firm
• Significant impact to reputation as trust and matter confidentiality is foundational to client relationship
• Fewer clients (relatively speaking) to bring a class action or to cover for credit monitoring
• Smaller IT footprint to investigate and remediate
Retail Chain
• Minimal impact to reputation; trust is less critical to customer loyalty. Ex: Eventually you have to go back to Home Depot to buy that screwdriver
• Large volume of customers means increased cost for credit monitoring and larger class actions
• IT infrastructure present in many locations complicates investigation and slows remediation
Questions?