Homeland Security and the Private Sector

Section of Administrative Law and Regulatory Practice
Legal and Policy Issues
Homeland Security
Joe D. Whitley and Lynne K. Zusman, Editors



CHAPTER 8

Succession Planning and Business Continuity

by James P. Gerkis and Adam Klepack

Part I introduces the concepts of succession planning and business continuity planning and discusses the developments in these areas since the events of September 11, 2001. Part II discusses the federal and state legislative developments in succession planning and business continuity planning. Part III discusses the reactions from the private sector to business continuity planning. Finally, Part IV discusses potential corporate liability for failing to implement a business continuity plan or failing to monitor the effectiveness of an existing plan.

ADMINISTRATIVE AND REGULATORY DEVELOPMENTS IN BUSINESS CONTINUITY PLANNING

Introduction

The United States Constitution contains automatic succession provisions to ensure orderly lines of command and control in the event of a catastrophic disaster.1 The Presidential Succession Act of 1947 establishes the line of succession to the office of President of the United States if neither the president nor vice president is able to discharge the powers and duties of the office.2 The lack of a clear line of succession would have a devastating effect on the operations of the United States in times of emergency if high-level officers were incapable of discharging the powers and duties of office.

1. U.S. CONST. art. II, § 1, cl. 6.

2. U.S. CONST. art. II, § 1, cl. 6; U.S. CONST. amend. XXV; 3 U.S.C.A. § 19.

Similarly, the operations of a business would be adversely affected if its board of directors or executive officers were incapable of discharging their managerial duties. All businesses should have a clear line of succession before an emergency and an appropriate business continuity plan in case disaster strikes and the unimaginable becomes reality.

The goal of succession planning and business continuity planning is to ensure that business operations face minimal disruption and continue to run efficiently following an event on the scale of a significant terrorist attack or natural disaster. Succession planning and business continuity planning do not aim to prevent disasters, but rather help ensure that corporations are in a position to mitigate the effects on their operations. The Federal Emergency Management Agency (FEMA) lists 17 types of disasters, including earthquakes, floods, hurricanes, terrorism, and release of or exposure to hazardous materials.3 This list does not include other types of events that could significantly disrupt business operations, including data security breaches, identity theft, and loss of key personnel. Without proper planning, the occurrence of any one of these events could cause significant operational disruptions that may undermine a business’s relationships with customers, suppliers, stockholders, or other third parties.

The events of September 11, 2001, awakened the country to the vulnerabilities of our financial institutions and the need for planning that would enable such institutions to continue to provide service to their customers, notwithstanding the occurrence of a major national disaster. Although most major business firms had business continuity plans prior to September 11, the scope of those attacks exposed the weaknesses of such plans. For example, some firms transmitted records off-site only at occasional intervals or stored their off-site records at a nearby facility that was destroyed, along with their primary facility, by the September 11 attacks.4 Subsequent to September 11, large corporations that are heavily reliant on the transmission of data, such as banks and telecommunications companies, have increasingly devoted substantial resources to develop computer disaster recovery measures to guard against and minimize the effects of such an occurrence affecting their electronic data.5

3. JAMES W. SATTERFIELD & HARRY W. RHULEN, DISASTER READY PEOPLE FOR A DISASTER READY AMERICA 31 (Firestorm Solutions LLC, 2006).

4. U.S. SECURITIES & EXCHANGE COMMISSION, SUMMARY OF ‘LESSONS LEARNED’ FROM EVENTS OF SEPTEMBER 11 AND IMPLICATIONS FOR BUSINESS CONTINUITY, available at http://www.sec.gov/divisions/marketreg/lessonslearned.htm (Feb. 13, 2002).

The devastation of the Gulf Coast region’s economic infrastructure following Hurricane Katrina reinforced the need for comprehensive plans that will allow businesses and financial institutions to continue to function in the aftermath of widespread geographic destruction. In today’s world, business continuity plans that contemplate disruptions of varying severity are part of sound corporate governance practices.

Sarbanes-Oxley’s Effect on Business Continuity Planning

The Sarbanes-Oxley Act of 2002 (SOX), the goal of which is to “protect investors by improving the accuracy and reliability of corporate disclosures,” does not specifically require companies to implement business continuity plans.6 Its effect on business continuity planning is indirect at best. In the event of a significant business disruption, a corporation subject to SOX without a continuity plan may be unable to comply with SOX’s filing requirements. Because SOX requires corporate CEOs and CFOs to certify their filings on a quarterly basis, the inability to make proper filings could create problems for those corporate officers.7 Recognizing the potential complications posed by this issue, external auditors have pushed executives to implement business continuity plans for purposes of their financial reporting functions.

Additionally, federal securities laws require that corporations identify risks, as well as internal controls to deal with those risks, in their periodic filings with the Securities and Exchange Commission (SEC).8

Risks include natural events, such as hurricanes or earthquakes.9 Depending on the location of a corporation’s operations, the risk of a highly destructive natural disaster could be a relevant consideration. Under SOX, the corporation must accurately identify such a risk and the controls implemented to ameliorate the risk, and the officer signing the report must take responsibility for the internal controls.10 A control to ameliorate the risk of detrimental effects to a corporation following a natural disaster would, of course, include a sound business continuity plan.

5. Monique C.M. Leahy, American Jurisprudence Proof of Facts 3d Database, 29 AM. JUR. 3d 53.

6. Sarbanes-Oxley Act (2002).

7. Id. § 302 (2002).

8. See Tim J. Leech, Sarbanes-Oxley Sections 302 & 404: A White Paper Proposing Practical, Cost-Effective Compliance Strategies, April 2003, available at http://www.sec.gov/rules/proposed/s74002/card941503.pdf.

9. Id.

New York Stock Exchange and Financial Industry Regulatory Authority, Inc.: Business Continuity Rules

In April 2004, the SEC approved rules requiring members of the New York Stock Exchange (NYSE) and the members of the Financial Industry Regulatory Authority, Inc. (FINRA) to implement business continuity plans and designate emergency points of contact.11 NASD Rule 3520 became effective for all members as of June 14, 2004, and Rule 3510 became effective for clearing firms on August 11, 2004, and for introducing firms on September 10, 2004. NYSE Rule 446 became effective as of August 5, 2004.12 Under these rules, business continuity plans must address 10 areas of operations: data backup and recovery (both electronic and hard copy); mission-critical systems;13 financial and risk assessments; alternate communications between customers and the member; alternate communications between the member and its employees; alternate physical location of employees; critical constituent, bank, and counter-party impact; regulatory reporting; communications with regulators; and how the member will ensure customers’ prompt access to their funds and securities if the member is unable to continue its business.14 If one or more of the 10 categories is inapplicable to a member’s business, it need not include the category in its plan but must explain the reason for its omission.15 Both the NYSE and FINRA require members to provide contact information concerning a person (FINRA requires two such persons) whom the NYSE or FINRA may contact in case of an emergency.16 The emergency contact(s) must be a senior officer, in the case of NYSE members, or a senior manager, in the case of FINRA members.17

10. Sarbanes-Oxley Act § 302(a)(4)(A) (2004).

11. NYSE Rule 446 (2004); NASD Rules 3510, 3520 (2004).

12. See Richard Ketchum, Rule 446—Business Continuity and Contingency Plans, Letter to Members and Member Organizations, available at http://www.disasterrecovery.com/NYSE_Rule446.pdf (last visited Oct. 26, 2005).

13. For purposes of the rules, “mission-critical system” means a system that is necessary to process transactions, deliver funds and securities, and maintain and permit access to customer accounts. NYSE Rule 446(e) (2004); NASD Rule 3510(f)(1) (2004).

14. NYSE Rule 446 (2004).

15. NYSE Rule 446(c)(10) (2004); NASD Rule 3510(c)(10) (2004).

16. NASD Rule 3520(a)–(b).

NYSE and FINRA rules also strive to protect customers and ensure that the plans are kept up to date. FINRA requires each member to designate a member of senior management to conduct an annual review of its business continuity plan.18 The NYSE requires members to designate a senior officer to conduct a yearly review.19 Both the NYSE and FINRA rules state that members must update their plans in the event of a material change to the entity.20 Each member also, at a minimum, must furnish its plan to its customers in writing when they open their accounts, post its plan on the company Web site, and mail the plan to customers upon request.21 Members must state whether they plan to continue to do business in the event of a disruption (whether isolated, as in the case of a fire in the building, or widespread).22 If they plan to continue operations, they must state their planned recovery time. The NYSE has stated that its purpose in requiring disclosure is twofold: first, disclosure allows investors to take business continuity plans into consideration when deciding whether to invest their funds with a particular institution; and second, it deters companies from enacting inadequate plans.23

The SEC interprets its Rule 206(4)-7 to require investment advisers to prepare business continuity plans. In a release dated February 5, 2004, the SEC stated that investment advisers have a fiduciary obligation to protect their clients’ interests where they are unable to provide services following a natural disaster (or other significant disruption).24 Following Hurricane Katrina, the SEC established a Web site directory listing the alternate contact information for registered investment advisers located in cities throughout the affected areas.25

17. NYSE Rule 446(g); NASD Rule 3520(b).

18. NASD Rule 3510(b).

19. NYSE Rule 446(g).

20. NYSE Rule 446(b); NASD Rule 3510(b).

21. NYSE Rule 446(d); NASD Rule 3510(e).

22. NYSE Rule 446(d) (2004); NASD Rule 3510(e) (2004).

23. U.S. Securities & Exchange Comm’n, Release No. 34-48502, NYSE Rulemaking re: Business Continuity and Contingency Planning, Sept. 17, 2003, available at http://www.sec.gov/rules/sro/34-48502.htm.

24. U.S. Securities & Exchange Comm’n, Release No. IA-2204, Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Feb. 5, 2004, available at http://www.sec.gov/rules/final/ia-2204.htm.

25. U.S. Securities & Exchange Comm’n, SEC Provides Alternate Contact Information for Registered Investment Advisers Displaced by Hurricane Katrina, Sept. 9, 2005, available at http://www.sec.gov/news/press/2005-128.htm.

As a policy matter, the SEC expects that trading markets and electronic communications networks (ECNs) will establish their own business continuity plans.26 ECNs are computer systems that automatically match buy and sell orders at specified prices.27 In a 2003 statement, the SEC wrote that each market or ECN should have a plan in place no later than the end of 2004 that contemplates resumption of trading on the day following a significant disruption.28

National Futures Association: Business Continuity Rules

On April 28, 2003, the National Futures Association (NFA) issued Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan, and an Interpretive Notice to NFA Compliance Rule 2-38 that requires all NFA members to establish a written business continuity and disaster recovery plan that outlines the procedures to be followed during an emergency or significant business disruption.29 In addition, each NFA member must provide the NFA with the contact information for an individual whom the NFA can contact in the event of an emergency, and the NFA member must update that information upon request.30 Each NFA member may adopt a business continuity plan tailored to its individual needs based on the size and complexity of the member’s operations.31 However, to comply with NFA Compliance Rule 2-38, the plan must, at a minimum, be designed to allow the NFA member to continue or transfer its operations in the event of an emergency and to minimize disruption to other NFA members and the futures market generally.32

The Interpretive Notice to NFA Compliance Rule 2-38 states that an NFA member’s plan should address the following, as applicable:

• establishing backup facilities, systems, and personnel that are located in one or more reasonably separate geographic areas from the NFA member’s primary facilities, systems, and personnel (e.g., primary and backup facilities should be located in different power grids and different telecommunication vendors should be used), which may include arrangements for the temporary use of facilities, systems, and personnel provided by third parties;

• backing up or copying essential documents and data (e.g., general ledger) on a periodic basis and storing the information off-site in either hard-copy or electronic format;

• considering the impact of business interruptions encountered by third parties and identifying ways to minimize that impact; and

• developing a communication plan to contact essential parties, such as employees, customers, carrying brokers, vendors, and disaster recovery specialists.33

An NFA member must periodically review and update its business continuity plan.34 Although NFA Compliance Rule 2-38 and the Interpretive Notice to Rule 2-38 do not expressly require an annual review, NFA members should be encouraged to review the effectiveness of their business continuity plans on an annual basis. Each NFA member should distribute its business continuity plan to key employees and effectively communicate the proper procedures in the event of a disaster or significant business disruption. Copies of the business continuity plan should be kept at one or more off-site locations and should be accessible to key employees.35

26. U.S. Securities & Exchange Comm’n, Release No. 34-48545, Policy Statement: Business Continuity Planning for Trading Markets, Oct. 1, 2003, available at http://www.sec.gov/rules/policy/34-48545.htm.

27. See http://www.sec.gov/answers/ecn.htm.

28. Id.

29. NFA Compliance Rule 2-38(a).

30. NFA Compliance Rule 2-38(b).

31. Interpretive Notice to Rule 2-38.

32. NFA Compliance Rule 2-38(a).

LEGISLATIVE DEVELOPMENTS IN SUCCESSION PLANNING AND BUSINESS CONTINUITY PLANNING

Disaster Planning and Corporation Law: Emergency Bylaws

The General Corporation Law of the State of Delaware (DGCL) expressly provides emergency bylaws that permit corporations to have proper succession planning. Section 110 of the DGCL provides that boards of directors may adopt emergency bylaws, which shall be operative if a quorum of the board cannot be convened during an “emergency,” which includes:

• any emergency resulting from an attack on the United States or on a locality in which the corporation conducts its business or customarily holds meetings of its board of directors or its stockholders;

• during any nuclear or atomic disaster; or

• during the existence of any catastrophe or other similar emergency condition.36

33. Interpretive Notice to Rule 2-38.

34. Id.

35. Id.

Emergency bylaws may become operative regardless of anything to the contrary in the corporation’s bylaws or certificate of incorporation.37

Section 110 of the DGCL also expressly addresses the issue of director succession. Section 110 provides that “officers or other persons designated on a list approved by the board of directors before the emergency, all in such order of priority and subject to such conditions . . . as may be provided in the emergency bylaws . . . shall, to the extent required to provide a quorum at any meeting of the board of directors, be deemed directors for such meeting.”38 If a corporation does not have such a list prepared, Section 110 provides for default succession. Unless otherwise stated in the emergency bylaws, Section 110 states that “the officers of the corporation who are present shall . . . be deemed, in order of rank and within rank in order of seniority, directors.”39 The board of directors may, either before or during an emergency, provide lines of succession in times of emergency that render directors or officers incapable of discharging their duties to the corporation.40

Additionally, Section 110 provides for the possibility of emergency bylaws addressing methods for calling board meetings, reduced quorums, and relaxed notice requirements.41 If officers, directors, or employees act in accordance with the corporation’s emergency bylaws, they can only be held liable for willful misconduct.42 In addition to Delaware, other states have adopted laws that provide for the operation of emergency bylaws and provide for lines of succession in the event of an emergency.43

36. 8 DEL. CODE REGS. § 110(a).

37. Id.

38. 8 DEL. CODE REGS. § 110(a)(3).

39. 8 DEL. CODE REGS. § 110(g).

40. J. ROBERT BROWN JR. & HERBERT B. MAX, RAISING CAPITAL: PRIVATE PLACEMENT FORMS AND TECHNIQUES, Form 1-38 (Aspen Publishers Online, 2002).

41. 8 DEL. CODE REGS. § 110(a)(1); 8 DEL. CODE REGS. § 110(f).

42. 8 DEL. CODE REGS. § 110(d).

Because of the importance of succession and disaster planning, several large corporations have provisions for emergency bylaws within their incorporation documents. For example, Bank of America Corporation has an entire section in its bylaws dedicated to emergency bylaws that provide for, among other things, special meeting and quorum rules in the event of an emergency.44 In addition, the emergency bylaws give the board of directors the authority to modify, amend, or add to the emergency bylaws to make any provision that may be practical or necessary under the circumstances of the emergency. Halliburton Company’s bylaws contain a similar section.45 Another example of succession and disaster planning is contained in the amended and restated bylaws of Kraft Foods, Inc., which provide, among other things, that if an officer is unavailable to perform his or her duties for any reason, the board of directors is authorized to elect any director or officer of the company to fill such position on a temporary basis.46

The Emergency Securities Response Act of 2004

In December 2004, Congress passed the Emergency Securities Response Act (ESRA) as part of the Intelligence Reform and Terrorism Prevention Act.47 ESRA extends the SEC’s authority to act in case of an emergency under the Securities Exchange Act of 1934, as amended.48 If an emergency arises (defined to include “a major disturbance that substantially disrupts or threatens to disrupt” the functioning of the securities markets), the SEC may suspend or impose requirements under securities laws (its own or those of a self-regulatory organization, such as the NYSE or FINRA) for up to 10 days.49 The SEC may extend the order if the emergency lasts beyond 10 days, but it may not extend the order for more than a total of 30 days.50 ESRA also requires the SEC, the Board of Governors of the Federal Reserve, and the Comptroller General of the Currency to report on the efforts of the private sector to implement business continuity practices suggested in their Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (the Interagency Paper).51 The Interagency Paper sets forth business continuity practices with which securities market participants should comply. Recognizing the interdependent nature of the U.S. financial system, the goal of the Interagency Paper was to encourage institutions to develop plans that would help the system stabilize if some significant securities dealers were unable to function.52 The practices identified included intraday resumption or recovery goals to be set by each participant, maintenance of resources to meet those goals, and routine testing of business continuity plans.53 The agencies suggested that market participants should have backup facilities at least 200 to 300 miles away from their primary facilities.54 Their suggestion contemplates an event causing widespread destruction (like the events of September 11) rather than a destructive incident confined to a single facility.

43. FLA. STAT. tit. VI, ch. 607, §§ 0207, 0303; KAN. STAT. ch. 17, art. 60, pt. 10; VA. CODE tit. 13.1, ch. 9, pts. 824 & 827; Model Bus. Corp. Act §§ 2.07 & 3.03; N.Y. BUS. CORP. LAW ch. 4, art. 2, § 202(11).

44. http://sec.gov/Archives/edgar/data/70858/000119312507011657/dex31.htm.

45. http://sec.gov/Archives/edgar/data/45012/000004501206000343/amendedbylaws.htm.

46. http://sec.gov/Archives/edgar/data/1103982/000119312508196014/dex31.htm.

47. Pub. L. No. 108-458, § 7803.

48. Pub. L. No. 108-458, § 7803(b)(1).

49. Pub. L. No. 108-458, § 7803(b)–(c).

In response to ESRA, in April 2006, the SEC, the Board of Governors of the Federal Reserve, and the Comptroller General of the Currency rendered a joint report. The report concluded that the financial industry’s core clearing and settlement organizations had substantially implemented the sound practices from the Interagency Paper. According to the report, significant firms had achieved or should have completed substantial implementation by the end of 2006. The agencies believed that there was no need to expand the Interagency Paper to cover additional private-sector financial services firms or to adopt other legislative or regulatory requirements for supervised financial institutions. Overall, significant progress had been made within the financial sector.55

50. Pub. L. No. 108-458, § 7803(b)(2)(C).

51. Pub. L. No. 108-458, § 7830(e)(1).

52. See Mary Ann Gadziala, Speech by SEC Staff: Disaster Recovery and Business Continuity Planning, given to the Financial Markets Association 2003 Compliance Seminar, May 1, 2003, available at http://www.sec.gov/news/speech/spch050103mag.htm.

53. Id.

54. See Anue Systems, Solutions, available at http://www.anuesystems.com/regulatory_requirements.htm.

PRIVATE-SECTOR DEVELOPMENTS IN BUSINESS CONTINUITY PLANNING

How the Private Sector Has Reacted

Although there have been great strides within the private sector on this issue, many companies have not taken the necessary steps in disaster preparedness and business continuity planning. In June 2008, AT&T reported in its annual AT&T Business Continuity Survey that on average, nearly 30 percent of U.S. businesses do not consider business continuity planning a priority. Companies recently have become more likely to make business continuity planning a priority—43 percent compared to 34 percent in 2005. Accordingly, more companies have been adopting business continuity plans, with 80 percent indicating that they have a business continuity plan compared to 67 percent in 2005. Among the companies that do have a plan, 60 percent have made some type of business change in the past year that would warrant updating their business continuity plans, but only 28 percent updated their plans due to such changes. The AT&T Business Continuity Survey also found that companies are more likely to update their plans than to test their effectiveness: 59 percent have had their plans updated in the last year, but only 46 percent have had their plans tested during the same period.

In response to a January 23, 2004, letter from the 9/11 Commission, the American National Standards Institute (ANSI) convened safety, security, and business continuity experts from a wide range of industries and associations, as well as from federal, state, and local government stakeholders, to consider the need for standards for private-sector emergency preparedness and business continuity. ANSI recommended that the Department of Homeland Security (DHS) recognize as the national standard the National Fire Protection Association Standard 1600 (NFPA 1600). This is a voluntary code that sets forth a process for creating and implementing a crisis management plan.

55. See Joint Report on Efforts of the Private Sector to Implement the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System—April 2006, available at http://www.sec.gov/news/press/studies/2006/soundpractices.pdf.

For a number of reasons, some believe that NFPA 1600 in time may become mandatory and lead possibly to legal exposure for employers. In the Intelligence Reform and Terrorism Prevention Act, Congress urged the DHS to promote the adoption of voluntary national preparedness standards for the private sector. The 9/11 Commission report also encouraged the credit-rating and insurance industry to rate companies based on NFPA 1600 compliance. The 9/11 Commission strongly suggested that companies failing to comply with NFPA 1600 are operating their businesses in a negligent manner. Even if Congress does not implement NFPA 1600 as the statutory duty of care for companies, some courts could adopt this standard in negligence suits as the measure of reasonable expectation.56

An example of the positive strides that have been made within the private sector was the Financial Services Industry Business Continuity Test. The Securities Industry Association, the Bond Market Association, the Futures Industry Association, and the Financial Information Forum successfully completed an industry-wide business continuity planning test on October 14, 2006. More than 250 securities firms, exchanges, markets, service bureaus, and industry utilities participated. These parties collectively handled more than 80 percent of normal market trading volume. During the test, firms and service bureaus were able to connect by utilizing backup data centers and communications links, alternative trading sites, and alternative operations facilities to place test orders, receive simulated executions, and conduct payment and settlement interactions. The test achieved a 95 percent overall success rate and did not encounter any significant problems.57

Business Continuity Planning for Pandemics

Even after multiple wakeup calls from the events of September 11 and Hurricane Katrina, many American companies have not even attempted to address business continuity and disaster preparedness planning. But even within the ones that have, there remains a gap between what has been done and what needs to be done regarding appropriate business continuity planning. Unfortunately, many of these businesses do not give enough thought to what many experts believe could be the next U.S. disaster, the worldwide outbreak of a pandemic such as avian (bird) flu. Every state and many localities have devised plans to respond to an outbreak.58 However, a Deloitte & Touche survey of more than 100 executives in January 2006 found that two-thirds have done virtually nothing to prepare for a pandemic. Traditional business continuity plans tend to address technology breakdowns or the collapse of physical structures. But a pandemic is a personnel crisis with no geographic boundaries, and waves of the infections could come in year-long periods of time.59

56. See Kevin Lindsey, Crisis alert! Plan for emergencies to avoid losses of life, property and profits—and liability under a heightened duty of care; Legal Trends, HRMAGAZINE, Aug. 1, 2006, at 121(4).

57. See Melissa Buden, Financial Services Industry Conducts Successful Business Continuity Test, Oct. 20, 2006, available at http://www.bondmarkets.com/story.asp?id=2660.

The Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security has stated that many financial institutions are concerned that their current planning for business continuity may not address the unusual circumstances that could arise during an outbreak of flu or other highly infectious disease. The council cautioned that financial service organizations ought to reexamine their current business continuity plans with a view to surviving a long-running outbreak of a highly infectious disease. The following were some of the recommendations suggested by the council:

• Identify which operations could be suspended and which are critical;

• Segregate critical staff into separate office locations;

• Plan for possible governmental actions that would cause large numbers of employees to remain home;

• Expand telecommuting and videoconferencing capabilities to avoid travel and face-to-face contact;

• Increase security due to police and security services’ potential compromise by the illness; and

• Implement emergency plans that can be phased to deal with different degrees of an outbreak.60

58. See Allan H. Weitzman & Kimmone M. Ottley, Asian Flu Pandemic: A Legal Framework for the Wary Employer, HR ADVISOR LEGAL & PRACTICE GUIDE, Vol. 13, No. 5, September/October 2007.

59. See Janet H. Cho, When bird flu hits, PLAIN DEALER (Cleveland), June 26, 2006, at B1.

60. See FSSCC Says, ‘Avian Flu’ Outbreak Poses Unique Threat; Council Issues Paper Outlining Guidelines to Prepare Financial Industry, BUS. WIRE, Jan. 24, 2006.

Additionally, in a May 5, 2006 Information Memo, the NYSE addressed the issue of “Guidance pertaining to Business Continuity and Contingency Plans relating to a Potential Pandemic” with its members.61 The memo encouraged all members to assess whether their business continuity plans would be suitable for a prolonged, widespread public health emergency. The memo stated five specific risks regarding a pandemic and the disruption it could cause: (1) pandemics can have multiple strains that arrive in multiple waves; (2) the government has indicated that it may resort to quarantines; (3) pandemics can have a multinational or global scale; (4) pandemics can impact large percentages of the company’s workforce; and (5) a pandemic could result in the loss of multiple personnel within the same business unit (succession planning). The NYSE’s goal was to initiate change within those companies that have not considered this rather new and alarming possibility when attempting to abide by NYSE Rule 446.62

61. See NYSE Info. Memo, No. 06-30, Guidance Pertaining to Business Continuity and Contingency Plans Relating to a Potential Pandemic (May 5, 2006); and Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, Statement of Preparations for “Avian Flu” and related paper, Issues for Consideration Regarding Preparations for “Avian Flu” (Jan. 23, 2006).

62. NYSE Reg. Info. Memo, No. 06-30, May 5, 2006.

63. PROSSER & KEETON ON TORTS § 43 (5th ed. 1984).

CORPORATE LIABILITY

Introduction

Since the events of September 11, business continuity planning has become imperative for some corporations to protect themselves from unknown and unforeseeable risks. Given that business continuity planning has become prevalent among certain types of corporations based on size, complexity, and geographic location, it raises the issue of whether the failure to implement a business continuity plan could expose directors and officers to liability. Traditional notions of tort liability suggest that corporations and their directors and officers may have a defense to tort claims based on foreseeability requirements,63 although personal liability for directors and officers is not beyond the realm of possibility.64 Even though corporations and their directors and officers may not be liable to third parties on tort theories, state corporation law imposes fiduciary duties of loyalty and care65 on directors that could form the basis of liability.

Under Delaware corporation law, the business judgment rule protects directors from liability for bad business decisions made in good faith, upon reasonable information, and with a rational basis.66 The policy of the business judgment rule prevents courts from review of the merits of a business decision made in good faith and with due care.67 However, the business judgment rule applies only to decisions made by the board of directors; inaction or failure to make any decision generally is outside the scope of the protection afforded to directors.68 It follows that the business judgment rule conceivably would not be available to protect directors from allegations that the board failed to implement a business continuity or disaster recovery plan to protect the corporation from preventable harm.69

Oversight Liability: Board of Directors and Officers

In In re Caremark,70 the Delaware Supreme Court applied the traditional notions of fiduciary duties and crafted a general rule for oversight liability. In Caremark, the court held that the fiduciary duty of care owed by directors includes an obligation to implement adequate information and reporting systems to ensure compliance with the key regulatory regimes

64. Monique C.M. Leahy, American Jurisprudence Proof of Facts 3d Database, 29 AM. JUR. 3D 53, § 35 (explaining that personal liability for corporate officers for failure to provide computer disaster recovery measures is unlikely but possible under traditional theories of negligence).

65. In re Walt Disney Derivative Litig., 906 A.2d 27 (Del. 2006).

66. Smith v. Van Gorkom, 488 A.2d 858, 872 (Del. 1986).

67. EDWARD P. WELCH, ANDREW J. TUREZYN & ROBERT S. SAUNDERS, FOLK ON THE DELAWARE GENERAL CORPORATION LAW, FIFTH ED., § 141.2.2.2 (2006, supplemented 6/08).

68. Rales v. Blasband, 634 A.2d 927 (Del. 1993); EDWARD P. WELCH, ANDREW J. TUREZYN & ROBERT S. SAUNDERS, FOLK ON THE DELAWARE GENERAL CORPORATION LAW, FIFTH ED., § 141.2.2.10. Note that a conscious decision to refrain from acting may be a valid exercise of business judgment and would be protected under the business judgment rule.

69. Kevin P. Cronin, As Courts Increasingly Hold Firms Liable for Losses Caused by Computer Failures, Recovery Capabilities Are Fast Becoming a Legal Necessity, DISASTER RECOVERY JOURNAL, Vol. 6 #2 (1997).

70. In re Caremark Int’l Deriv. Litig., 698 A.2d 959 (Del. 1996).


under which it operates.71 Specifically, the board “has a responsibility to assure that appropriate information and reporting systems are established by management” to ensure compliance with applicable law.72 Under Caremark, directors have an affirmative duty to the corporation to set up a monitoring system to ensure that the corporation does not violate law; passivity is not permitted.

Ten years after Caremark, the Delaware Supreme Court in Stone v. Ritter reaffirmed and recast the Caremark standard for liability in corporate oversight matters.73 Stone involved a derivative action against the corporation’s present and former directors relating to $50 million in fines and penalties paid by the corporation for violations of the Federal Bank Secrecy Act. Despite the existence of an information and reporting system that was designed to monitor legal compliance (although inadequate in this instance), the plaintiffs alleged that the directors failed to implement adequate controls that would have enabled them to learn of violations of the law.

In dismissing the plaintiffs’ claims, the court concluded that the board established reasonable reporting systems to supervise compliance with relevant law, even though those systems failed to prevent the violations at issue.74 Plaintiffs must show more than a substantial financial loss to establish oversight liability. The court concluded that oversight liability may be imposed only if “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.”75 That a monitoring system fails to detect serious misconduct does not necessarily demonstrate a conscious disregard of oversight duties to impose liability.

Although the Delaware Supreme Court reaffirmed the principles of oversight liability in Caremark, the court also recast the theory of liability in a way to prevent indemnification in certain cases.76 While the court in Caremark framed the oversight liability analysis in terms of a duty of

71. 698 A.2d 959, 970.

72. 698 A.2d 959, 969–70.

73. 911 A.2d 362 (Del. 2006).

74. 911 A.2d 362, 370–71.

75. 911 A.2d 362, 370.

76. See http://www.businessassociationsblog.com/lawandbusiness/comments/stone_v_ritter_directors_caremark_oversight_duties/ (last visited Sept. 23, 2008).


77. 911 A.2d 362, 370.

78. 8 DEL. CODE § 102(b)(7).

79. Miller v. McDonald, 385 B.R. 576 (Bankr., Del. Apr. 9, 2008). Although Florida law governed the breach of fiduciary duty claim, the court cited Caremark and Stone in its analysis and stated that Delaware law was relevant because the Florida courts have relied upon Delaware corporate law to establish their own body of corporation law.

80. Caremark, 698 A.2d 959, 968.

81. Judah Best & Bruce E. Yannett, Practicing Law Inst. Corp. Legal Dep’ts, Crisis Management, in PLIFEF-CORPLEG 13 Exh. 13A, § I.B.

care, the court in Stone framed the issue in terms of good faith and loyalty rather than the duty of care.77 This may have the practical effect of moving oversight liability claims outside the purview of Section 102(b)(7) of the DGCL, which allows corporations to adopt charter provisions that eliminate or limit the personal liability of directors for monetary damages for breach of the duty of care.78

It was assumed that the duties imposed by Caremark and its progeny applied to corporate officers as well as directors. Recently, a bankruptcy court in Delaware confirmed this assumption.79 At issue in Miller v. McDonald was whether the corporation’s general counsel and vice president could be held liable for failing to implement a system to detect and report wrongdoing by the president of the corporation. The court held that officers also have the duty to exercise reasonable care in oversight of corporate operations in their area of responsibility. Officers, like directors, owe an affirmative duty to implement a monitoring system by which management misconduct can be detected and reported. Accordingly, officers and directors should work together to devise a plan for ameliorating any potential risk of loss to the corporation.

Oversight Liability and Business Continuity Planning

Generally speaking, a director may be held liable to the corporation for a loss arising from an unconsidered failure by the board to act in circumstances in which due attention might have prevented the loss.80 The Delaware courts have not had the opportunity to decide whether a director or officer would be liable to the corporation for the failure to implement a business continuity plan or the failure to monitor the effectiveness of such a plan. Directors and officers are obligated to ensure that the corporation has adequate policies, procedures, and systems for managing the affairs of the corporation.81 Applying the reasoning of Caremark and its progeny, directors and officers could be held to an affirmative duty to


plan for disasters.82 Depending on the size, complexity of operations, and geographic area of the corporation, directors and officers (at a minimum) should have a business continuity plan and establish procedures to test its effectiveness on a regular basis.

Best Practices

To guard against potential liability, directors and executive officers of a company that does not already have a business continuity plan or succession plan should adopt such plans and give careful consideration to the type of plans that would be appropriate for their company. As part of sound corporate governance, all business entities, regardless of size and geographic location, should assess their risk of, and their vulnerability to, certain disasters that could adversely affect their business operations. Almost every type of organization is under some pressure (e.g., from the government or customers) to demonstrate that they have a viable plan to mitigate the risks of disastrous events.83 Companies that have a business continuity plan and succession plan should periodically review and test those plans. For companies without a business continuity plan, high-ranking officers should, at a minimum, coordinate with the IT department, familiarize themselves with the risks to the business, and design a plan to mitigate those risks. In addition, companies should review their insurance policies and determine whether they are covered for loss of earnings, off-premise power failures, electronic data failures, or valuable papers insurance for the cost of reconstructing destroyed documents.84

82. Id. § IV.

83. HOWARD MUSON, PREPARING FOR THE WORST: A GUIDE TO BUSINESS CONTINUITY PLANNING FOR MID-MARKETS, The Conference Board, Executive Action Series, No. 179, February 2006.

84. JEAN BARR, PUTTING TOGETHER A DISASTER RECOVERY PLAN, January/February 1993.


CHAPTER 5

Business Liability

By Leslie Alan Glick, Esq.

of Porter Wright Morris & Arthur*

Washington, D.C.

TASK ASSISTANT

Statutes:

Revised Model Business Corporation Act

Other Chapters:

Section 11.04

SYNOPSIS

§ 5.01 Introduction

§ 5.02 Scope and Use of This Chapter

§ 5.03 Potential Liability of Corporations

[1] Liability for Failure to Provide Adequate Security

[2] Lessons from September 11 Litigation

[3] Corporate Liability After September 11

§ 5.04 Potential Liability of Officers and Directors

[1] Duty of Care, Generally

[2] Statutory Duty of Care

[a] Duty to Implement and Monitor Policies and Procedures

[b] Case-by-Case Analysis

[3] Business Judgment Rule

* B.S., J.D., Cornell University. Mr. Glick is chairman of the International Trade and Customs Law Committee of the Administrative Law and Regulatory Practice Section of the American Bar Association. Mr. Glick is the author of the current version of this chapter. A previous version was authored by Paul T. Kaplun and Erin P. Cohen of Venable LLP. Mr. Glick acknowledges the assistance of summer intern Betty Lee of George Mason University School of Law in the revision of this chapter.

5-1 (Rel. 5-12/2009 Pub.1371)


§ 5.01 HOMELAND SECURITY DESKBOOK 5-2

§ 5.05 How to Minimize Liability for Negligent Failure to Plan

[1] Assessing Current Policies and Procedures

[a] For Immediate Risks

[b] For Restoring Operations

[2] Updating Policies and Procedures to Address Potential Risks

§ 5.06 Specific Liability of Landlords and Business Property Owners

§ 5.07 Exemptions from Liability in Declared National Emergencies

§ 5.08 Protection Through Insurance Coverage

§ 5.09 Conclusion

§ 5.01 Introduction

The events of September 11, 2001, that led to the creation of the Department of Homeland Security (DHS) have raised questions as to the financial responsibility for actions by companies, partnerships, and individuals needed to prevent or respond to terrorist acts and threats. The events of September 11 have led to concerns in such industries as airlines, aircraft manufacturing, security, and building ownership and operation about damage to their property and about liability to employees and workers who were injured directly or indirectly by the attack, as well as innocent third-party victims. Other industries not directly physically affected by the September 11 events suffered indirect damage through decreased productivity, lower employee morale, and a downturn in business caused by such events as an embargo on commercial air transportation and the temporary closing of the New York Stock Exchange, generally resulting in a temporary hiatus in business activity. According to one publication, the cost of litigation related to September 11 alone could exceed $30 billion.1

Today, companies face not only the usual challenges of competition, meeting investor and shareholder expectations, and litigation, but also the possibility of the threat of future terrorist attacks and the ensuing costs and liabilities. Businesses are now more aware that policies and procedures must be in place to minimize any risks and damage in the event of another terrorist attack. As one commentator noted, "September 11 was the ultimate wake-up call, stirring companies to look at their own security and risk management plans in an entirely new light."2

Among emerging categories of risk and liability from which companies need to protect themselves is the potential exposure to claims arising from the "negligent failure to plan."3 This evolving tort rests on the traditional tort concept of foreseeability of another terrorist attack, forcing businesses to take reasonable precautions to prevent or mitigate damage or be held accountable for failure to do so. One

1 Ed Bethune, Rob Housman & George Foote, What's Expected Now: The 'Reasonable Man' Standard for Liability is Much Higher Since September 11, Legal Times, Feb. 4, 2002, at 24.

2 Dean H. O'Hare, RMs Have What it Takes in War Against Terrorism, Nat'l Underwriter Prop. & Cas.-Risk & Benefits Mgmt., Apr. 1:i, 2002 (Vol. 106, No. 15), at 10; see also Terry Pristin, Commercial Real Estate; U.S. Landlords Face Post-9/11 Standards, N.Y. Times, Feb. 11, 2004, at C8.

3 Bruce T. Blythe & Terri Butler Stivarius, Negligent Failure to Plan: The Next Liability Frontier, Bank Acct. & Fin., June 1, 2003 (Vol. 16, Issue 4), at 31.


commentator noted, "Following September 11, 2001, the range of known hazards is widely perceived to have broadened . . . Corporations can now rightly be expected to prepare for these newly foreseeable risks."4 The duty to plan for disasters derives from the duty of care owed by a corporation to its employees, shareholders, vendors, and customers and by building owners to their tenants. This duty likewise extends to officers and directors of corporations who owe a duty of care to the corporation and its stockholders. In the event of a terrorist attack, the duty of care obligates the corporation to ensure that it has adequate internal controls to manage risk and minimize direct and indirect damage to the business.

In a claim that alleges a negligent failure to plan, a corporation and its officers and directors would not necessarily be held liable for failure to prevent the damage, unless negligent, but rather for failure to prepare the corporation to respond to the attack in the best way possible, including the adoption and implementation of policies and procedures designed to protect corporate assets and operations from damage resulting from such a terrorist attack. Essentially, under this emerging concept, corporations and their officers and directors could be sued for failing to identify, evaluate, and respond to the potential ramifications of a terrorist threat—or, for that matter, a nonterrorist event. But the lessons are the same.

§ 5.02 Scope and Use of This Chapter

This chapter examines the potential liability of corporations and their officers and directors for failure to plan to respond to a terrorist attack as well as the carrying out of activities in response to terrorist attacks that might lead to liability and discusses what corporations can do to minimize liability for such failure. Although this chapter reviews this potential liability in a corporate context, it would appear that the concepts and recommendations presented here are relevant to alternative business forms, such as limited liability companies and limited liability partnerships, and their respective owners and managers. Similarly, Hurricane Katrina showed many business people that they need to account for other threats just as well.

Section 5.03 examines the elements of a potential claim against a corporation for negligent failure to plan. Section 5.04 explains how the duty to plan extends to corporate officers and directors, who owe a duty of care to the corporation they serve. Section 5.05 recommends how corporations can prepare against future terrorist attacks to minimize liability and avoid successful claims for a negligent failure to plan.

The current revision of this chapter both expands the prior discussion and adds several new topics including the use of presidential power to declare a national emergency and the limitations of liability that arise from that, as well as the protections covered by federally mandated insurance. Specific discussion is added concerning the liability of property owners.

4 Id. September 11 itself expanded the scope of known hazards and therefore the types of events that might be considered "foreseeable" in the future. As a result of investigations after September 11, however, there is evidence that even some of the events of September 11 themselves were perhaps foreseeable. See Nat'l Comm'n on Terrorist Attacks upon the United States, The 9/11 Commission Report 341-43 (2004).


§ 5.03 Potential Liability of Corporations

Generally, a corporation will be liable for negligence if it does not take reasonable steps to eliminate or mitigate known or foreseeable risks that could cause harm to employees, shareholders, vendors, customers, and other potential plaintiffs. In order to establish an actionable claim for negligence against a corporation, a plaintiff must prove that:

(1) the corporation owed the plaintiff a duty of care,

(2) it breached that duty,

(3) its action or inaction in fact caused harm to the plaintiff,

(4) the corporation's action or inaction was not only the cause in fact of the plaintiff's harm but also the proximate cause (i.e., the corporation's action or inaction has a significant relationship to the harm suffered by the plaintiff), and

(5) damages resulted, in some amount.1

Generally, an intervening criminal act of a third party, such as an act of terrorism, will not break the causal connection between the breach of the duty of care and the resulting damage, unless such a criminal act is unforeseeable.2

Under the principles of negligence, a corporation will be liable for damage resulting from a terrorist attack only if it creates an unreasonable risk of harm to a plaintiff and the corporation recognized, or should have recognized, that risk. Whatever may be said about the foreseeability of the original September 11 attack, it is clear that the very existence of that attack made future attacks of the same or similar kind foreseeable. Since it is now foreseeable that another terrorist attack could occur, corporations and other entities can be liable for negligence if they do not exercise reasonable care to protect employees, vendors, shareholders, customers, tenants, and other potential plaintiffs against this risk of harm. The fact that an act of terrorism is criminal in and of itself will not insulate corporations from liability.

[1] Liability for Failure to Provide Adequate Security

Liability to provide security has been a legal concept since long before the risks of terrorist attacks. It goes back to the historical duty of the innkeeper (in modern times the hotel or restaurant owner) and the building owner to provide reasonable protection to business guests from foreseeable hazards.3

1 Dan B. Dobbs, The Law of Torts § 114 (2001).

2 "[I]t is the rule that where other causes combine to produce injury, the causal connection between the defective product and the injury will be broken only if the acts or omissions of others were improbable or unforeseeable." Williams v. RCA Corp., 376 N.E.2d 37, 38 (Ill. App. Ct. 1978) (citing Klages v. Gen. Ordnance Equip. Corp., 367 A.2d 304 (Pa. Super. Ct. 1976)); accord Restatement (Second) of Torts §§ 302B, 448, 449 (1965).

3 Numerous cases discuss the duty of the hotel owner, the modern successor to the innkeeper, to provide adequate security to protect its guests against foreseeable hazards including criminal acts. See, e.g., Shadday v. Omni Hotels Mgmt. Corp., 477 F.3d 511, 512 (7th Cir. 2007) (citing several Seventh


Over the years, corporations have been liable for the failure to provide adequate security to prevent or mitigate harm from a terrorist attack. Recently, most of the claims that have been brought against the airlines, airport security companies, owners and operators of damaged or destroyed buildings, and aircraft manufacturers by victims who were injured, by survivors of victims who were killed, and by parties who sustained property damage in the events of September 11 (September 11 litigation) have been based on theories of negligence.4 Plaintiffs have alleged that the airlines and airport security companies failed to carry out their duty to adequately secure passenger aircraft against the potential threats of terrorists and weapons being smuggled aboard, which enabled the terrorists to hijack and crash the airplanes.5 The plaintiffs have also argued that the airlines and the airport security companies employed their security measures specifically to guard against hijackings, and knew or should have known that the hijacking of a jumbo jet would create substantial risks of damage to passengers, crew, persons on the ground, and property.6 Plaintiffs have also claimed that the owners and operators of buildings should have designed, constructed, repaired, and maintained structures to withstand the spread of fire and to avoid collapses caused by fire, and that they should have designed and implemented fire-safety and evacuation procedures to provide for the safe escape of more people.7 With respect to foreseeability of the attacks, plaintiffs have asserted that terrorism was a substantial international concern and that suicidal acts by terrorists seeking to cause death and

Circuit and D.C. Circuit cases). The test was stated by the court that "The hotel has a duty to take precautions that are reasonable in relation to the likelihood that without them guests will be victims of criminal acts." Id. (citation omitted). The court noted that this duty to the guest, although arising out of tort law, is impliedly contractual as well. Id. The courts have found that the hotel's duty to protect arises in part because it has better access to information about danger than the guests do. Id. In many states the law is that the innkeeper has an elevated standard of care to the guest. Id. (citations omitted). California and the District of Columbia have not adopted this standard and in fact place the burden on plaintiffs to demonstrate a "heightened showing of foreseeability." Id. (citations omitted). Some states like Virginia have imposed a particularly high standard of care on the innkeeper/hotel operator analogous to the elevated standard applied to common carriers. For example, in Taboada v. Daly Seven, Inc., 271 Va. 313, 626 S.E.2d 428 (2006), the Supreme Court of Virginia held that the innkeeper has the "elevated duty of 'utmost care and diligence' to protect against the danger of injury caused by criminal conduct of a third person on the innkeeper's property." Id. at 434; see infra § 5.06.

4 See In re September 11 Litigation, 280 F. Supp. 2d 279 (S.D.N.Y. 2003). In this case, the court consolidated the claims of seventy people who were injured or represented people who died in the attacks and ten entities that sustained property damage against three groups of defendants: (1) United and American Airlines and other airlines and airport security companies, (2) the Port Authority of New York and New Jersey and the World Trade Center Properties LLC, and (3) Boeing Company. In denying the defendants' motions to dismiss the court focused on traditional tort concepts of defendants' duty to plaintiffs and the proximate cause of plaintiffs' injuries.

5 280 F. Supp. 2d at 290. Plaintiffs have also asserted that the airplane manufacturers manufactured inadequate and defective cockpit doors, and that this made it possible for the hijackers to invade the cockpits and take over the airplanes. See 280 F. Supp. 2d at 305.

6 280 F. Supp. 2d at 290.

7 280 F. Supp. 2d at 299; see also Terry Pristin, Commercial Real Estate; U.S. Landlords Face Post-9/11 Standards, N.Y. Times, Feb. 11, 2004, at C8.


injury to as many innocent people as possible had become frequent.8

[2] Lessons from September 11 Litigation

In the September 11 litigation, most of the defendants moved to dismiss negligence claims on the grounds that they owed no duty to the plaintiffs and that they could not reasonably have anticipated that terrorists would hijack several airplanes and crash them, killing passengers, crew, persons on the ground, and themselves.9 However, the Southern District of New York has held that the airlines, airport security companies, owners and operators of buildings, and airplane manufacturers owed a duty to the plaintiffs who sued them, and rejected the arguments for dismissal of the claims.10 The court also rejected the defendants' argument that the events of September 11 were too extraordinary and unforeseeable, so as to constitute intervening and superseding causes that would break the causal link needed to prove negligence and a duty to the defendants.11

[3] Corporate Liability After September 11

In today's post-9/11 environment, corporations are now on notice that they can be liable for not exercising due care by having adequate safeguards in place to mitigate direct damage suffered by potential plaintiffs caused by terrorist attacks. Given the heightened foreseeability of terrorist attacks after September 11, it is possible that courts will also hold businesses accountable for more indirect damage resulting from the negligent failure to plan. For example, courts may hold corporations accountable to shareholders for loss of stock value due to negligent management of foreseeable risks.12 Courts may also consider holding businesses accountable to customers for their loss of revenues due to their inability to continue operations and provide products or services to their customers.13 The range of potential claims will continue to grow as long as the likelihood of the occurrence of a terrorist attack exists and businesses fail to take reasonable steps to protect vendors, customers, tenants, shareholders, employees, and other potential plaintiffs.

§ 5.04 Potential Liability of Officers and Directors

The duty to plan how to respond to another terrorist attack also extends to the officers and directors of the corporation who are responsible for managing its business

8 280 F. Supp. 2d at 291.

9 280 F. Supp. 2d at 287.

10 280 F. Supp. 2d at 287.

11 280 F. Supp. 2d at 301.

12 O'Hare, supra § 5.01 note 2, at 10.

13 Id. Continued operations after the September 11 attack were important for many companies. For example, Cantor Fitzgerald is a brokerage firm that was located on World Trade Center North Tower Floors 101-105. It lost 657 employees or 95% of its revenue-generating staff. Nevertheless, it was operational again by September 13, 2001, in a temporary space provided by UBS Warburg. See, e.g., Worst hit firm rebuilds after 9/11, CNN.com, http://archives.cnn.com/2002/Business/09/10/at-911.cantor.london/index.html.


affairs. As fiduciaries, officers and directors owe a duty of care to the corporations they serve.1 Essentially, the duty of care requires officers and directors to discharge their duties in good faith with the care that an ordinarily prudent person in a like position would exercise under similar circumstances and in a manner reasonably believed to be in the best interests of the corporation.2 If an officer or director does not exercise the requisite amount of care in carrying out his or her responsibilities and harm is caused to the corporation or to any of its employees, shareholders, customers, tenants, vendors, or other potential plaintiffs, the officer or director can be held personally liable.3

[1] Duty of Care, Generally

In order to minimize the threat of litigation against officers and directors for negligent failure to plan, corporations should educate themselves and their officers and directors about the duty of care and the exposure to liability if officers and/or directors fail to exercise the requisite care. The duty of care is rooted in many sources of law. Generally, the duties of officers and directors are controlled by the laws of the jurisdiction where the corporation is incorporated, regardless of where the breach occurred or where the plaintiff was injured.4 For example, if a corporation is

1 In addition to the duty of care, corporate officers and directors owe a duty of obedience and a duty of loyalty to the corporations they serve. See William E. Knepper & Dan A. Bailey, Liability of Corporate Officers and Directors § 1.05 (7th ed. 1998). The duty of obedience requires officers and directors to obey the law and take reasonable efforts to ensure that the corporation is obeying the law. See id. The duty of obedience also requires directors and officers to act in accordance with the corporation's charter, articles of incorporation, and bylaws. See id. The duty of loyalty requires a director to refrain from engaging in his personal activities in such a manner as to injure or take advantage of the corporation. See id.

2 Id. § 1.05.

3 Statutory and contractual indemnification provisions and insurance, however, can shift the financial risks associated with such liability from officers and directors to the corporation. Whether and how much indemnification directors will be entitled to for costs associated with a claim for negligent failure to plan will depend on the applicable indemnification statute and the corporation's indemnification policy. See Pat K. Chew, Directors' and Officers' Liability § 8:2.8 (2000). Typically, indemnification provisions allow officers and directors to be reimbursed for out-of-pocket costs, including (1) fines, judgments, or settlement payments, and (2) expenses of litigating and defending against claims, including attorneys' fees, that are associated with almost any type of litigation or proceeding so long as the officer or director is acting in his or her official corporate role. See id. § 8:2.2. Most corporate statutes distinguish among mandatory indemnification, permissive indemnification, and court-ordered indemnification. See id.

4 The "internal affairs doctrine" provides,

In disputes involving directors' liability, there is a presumption in favor of applying the law of thestate of incorporation. . .. The presumption is rebutted when another state has a more "significant"relationship with the parties and the dispute at issue, as determined by reference to three factors: (1)justified expectations; (2) certainty; and (3) ease in the determination and application of the law tobe applied.

Knepper, supra note 1, § 1.05. Some jurisdictions have exceptions to the internal-affairs rules. Forexample, in California, if a corporation is incorporated in another state, but has its principal businessactivities in California and more than half of its stock held by persons with California addresses, thecorporation must comply with certain provisions in the California statutes. See Chew, supra note 3,§ 1:3-1[13].

(Rd 5-12/2009 Pub.1371)

Page 27: Homeland Security and the Private Sector

§ 5.04[2] HOMELAND SECURITY DESKBOOK 5-8

incorporated in Delaware but has substantial assets in Florida, and a customer in New

Jersey sues the corporation and its officers and directors for damages arising from a

terrorist attack that occurred in New York, Delaware law will most likely be applied

to resolve the claim because the corporation is incorporated in Delaware, even though

the corporation and the customer have substantial ties to Florida, New Jersey, and New

York.5

[2] Statutory Duty of Care

Most jurisdictions have enacted statutory duty-of-care provisions that follow § 8.30(a) of the revised Model Business Corporation Act (the Model Act),6 which provides:

A director shall discharge his duties as a director, including his duties as a member of a committee:

(1) in good faith;

(2) with the care an ordinarily prudent person in a like position would exercise under similar circumstances; and

(3) in a manner he reasonably believes to be in the best interests of the corporation.7

As one commentator notes, "The statutory requirements concerning a director's duty of care reflect the 'good faith' concept embodied in the business judgment doctrine and a well-established definition of ordinary care taken from the common law."8

Section 8.30(b) of the Model Act also sets forth the standard of care for the board of directors when acting as a whole body in the context of decisionmaking and oversight functions. It provides:

The members of the board of directors or a committee of the board, when becoming informed in connection with their decision-making function or devoting attention to their oversight function, shall discharge their duties with the care that a person in a like position would reasonably believe appropriate under similar circumstances.9

As the Official Comments to § 8.30(b) of the Model Act suggest, the board's oversight function requires "gaining assurances that systems believed appropriate have been established coupled with ongoing monitoring of the systems in place . . . followed up with a proactive response when alerted to the need for inquiry."10 Generally, directors' oversight responsibilities include approving fundamental operating and other corporate plans, strategies, and objectives; adopting policies for corporate conduct, including compliance with applicable laws and regulations, and maintenance of controls; and reviewing the process of providing appropriate operational information to decisionmakers.11

5 See Chew, supra note 3, § 1:3-1[B].

6 The Model Business Corporation Act is a compilation of model corporate law provisions written by a committee of the Corporation, Banking and Business Law Section of the American Bar Association. Model Business Corporation Act, http://www.abanet.org/buslaw/committees/CL270000pub/nosearch/mbca/home.shtml.

7 Revised Model Business Corporation Act § 8.30(a).

8 Knepper, supra note 1, § 3.02.

9 Revised Model Business Corporation Act § 8.30(b).

5-9 BUSINESS LIABILITY § 5.04[2][b]

[a] Duty to Implement and Monitor Policies and Procedures

If the duty of care requires the board of directors of a corporation to implement, or cause to be implemented, policies and procedures to prevent or mitigate damages in the event of a terrorist attack, the board's oversight responsibilities also require that officers and directors monitor such policies and procedures to ensure they are adequate. A claim for negligent failure to plan can be based on the breach of the duty of care due to improper actions of the board of directors or the failure to act. In a leading court decision on the duty of care, the Delaware Court of Chancery noted:

Director liability for a breach of duty to exercise appropriate attention may, in theory, arise in two distinct contexts. First, such liability may be said to follow from a board decision that results in a loss because that decision was ill advised or "negligent." Second, liability to the corporation for a loss may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.12

Thus, liability can result from inadequate or ill-advised planning against another terrorist attack, inattentiveness, or failure to oversee planning against a terrorist attack.

[b] Case-by-Case Analysis

The question of whether the officers and directors of a corporation have satisfied the duty of care with respect to preparing the corporation for a future terrorist attack is a question of fact that will be decided on a case-by-case basis. The statutory provisions set forth the applicable standard of care and the manner in which directors should perform their duties. The September 11 litigation addresses discrete events and whether a director's actions or inactions in a particular situation did or did not satisfy the duty of care. Thus, statutory provisions and court decisions provide some guidance, but do not state specifically what officers and directors must do in any given situation to satisfy the duty of care.

10 Revised Model Business Corporation Act, Official Comment § 2.4.1.

11 Chew, supra note 3, § 2:4.4. Additional oversight responsibilities include evaluating the performance of the corporation and its senior management and taking appropriate action, including removal, when warranted; selecting, regularly evaluating, and fixing the compensation of senior executives; requiring, approving, and implementing senior executive succession plans; and evaluating the overall effectiveness of the board. Id.

12 In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996) (company and some officers indicted for violation of the Anti-Referral Payments Law, which prohibits health-care providers from paying remuneration to induce the referral of Medicare and Medicaid patients).


[3] Business Judgment Rule

Courts in several jurisdictions, including Delaware, have modified the traditional duty of care by applying the business judgment rule, which is a presumption that, in making a business decision, the directors of a corporation acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation.13 Essentially, the business judgment rule provides that courts determining director liability should not examine the quality of, or the outcome that results from or is connected with, the directors' business decisions, but only the procedures followed in reaching those decisions.14 Courts are reluctant to evaluate after the fact whether a damaging decision resulted from a breach of the duty of care.15 The business judgment rule protects directors from liability for their decisions unless the decisionmaking process was grossly negligent or the directors acted fraudulently, illegally, oppressively, or in bad faith.16

If directors thoroughly evaluate potential risks and implement and regularly monitor, or cause to be implemented and regularly monitored, policies and procedures that are designed to evaluate and minimize risks and damage in the event of another terrorist attack, then the business judgment rule, if applicable, should reduce, or perhaps eliminate, the directors' (and the corporation's) exposure to liability for negligent failure to plan. In this case, if the business judgment rule is applicable, there will be a presumption that the directors satisfied their duty of care and acted properly to minimize foreseeable risks. The party asserting the claim will have the burden of establishing that the directors did not satisfy the five preconditions for applying the business judgment rule. Unless the directors were grossly negligent, or acted fraudulently, illegally, oppressively, or in bad faith, the business judgment rule should protect them.

13 Knepper, supra note 1, § 2.01. Five preconditions must generally be present to apply the business judgment rule: (1) a business decision, (2) disinterestedness (i.e., the absence of personal interest or self-dealing), (3) due care (i.e., an informed decision following a reasonable effort to become familiar with the relevant facts), (4) good faith, and (5) no abuse of discretion. Id. § 2.04.

14 Id. § 2.01.

15 Id.

16 See FDIC v. Stahl, 89 F.3d 1510 (11th Cir. 1996); Smith v. Van Gorkom, 488 A.2d 858 (Del. 1985); Aronson v. Lewis, 473 A.2d 805 (Del. 1984); Chew, supra note 3, § 2.5.4; Knepper, supra note 1, § 2.07.

§ 5.05 How to Minimize Liability for Negligent Failure to Plan

The best defense against a claim for negligent failure to plan is a set of corporate policies and practices that have been implemented after a thorough evaluation of potential risks and that are regularly monitored and tested to ensure continued effectiveness. As one commentary noted, "It is good to be lucky, but relying on luck is a negligent preparedness plan."1 Thus, companies in a post-9/11 environment may wish to adopt affirmative plans as to how to prepare for and respond to terrorist incidents.

[1] Assessing Current Policies and Procedures

As a starting point, the business should conduct an intense review, perhaps done by an outside law firm or accounting firm, to examine its existing policies and procedures and assess how well such policies and procedures address the immediate requirements and post-incident requirements in the event of a terrorist attack. In order to assess the effectiveness and adequacy of existing policies and procedures, the business must assess the risks that are particular to its industry and operations. Thus, a company that manages a nuclear plant would face a higher set of potential risks than one making soap, and the scope and nature of any plan could be considerably different. This may, and in many cases should, require consulting with outside experts in the security field and related fields, such as health, technology, insurance, and management consulting. In any event, the determination of potential risks and the audit of current policies and procedures should be well documented so the business has a record of the time, effort, and expertise that was spent developing and implementing effective policies and practices.2 The federal government has recommended that companies "conduct risk assessments . . . and invest in systems to protect key assets."3

[a] For Immediate Risks

With respect to immediate requirements, the business should assess the adequacy of the following in light of the potential risks:

• Procedures for the safe and immediate evacuation of employees;

• Procedures for the protection of company assets, such as property and equipment, including cash, software, and documents;

• Procedures for providing immediate emergency medical assistance to employees;

• Procedures for providing immediate law enforcement personnel response; and

• Procedures for communicating information to personnel and their families.

1 Bruce T. Blythe & Terri Butler Stivarius, Negligent Failure to Plan: The Next Liability Frontier, Bank Acct. & Fin., June 1, 2003 (Vol. 16, Issue 4), at 31.

2 One source recommends that companies obtain outside counsel to oversee the audit process so they can claim attorney-client privilege for the information developed. See Ed Bethune, Rob Housman & George Foote, What's Expected Now: The 'Reasonable Man' Standard for Liability is Much Higher Since September 11, Legal Times, Feb. 4, 2002, at 24.

3 Office of Homeland Security, National Strategy for Homeland Security 12 (2002), available at http://www.dhs.gov/xlibrary/assets/nat_strat_hls.pdf (last visited Sept. 19, 2009).

[b] For Restoring Operations

In addition to pre-incident needs, the business must also assess the policies and procedures it has in place to restore operations as soon as possible after a terrorist attack. With respect to post-incident requirements, businesses should assess the adequacy of:

• Policies providing for succession in the event that senior management or members of the board are killed or incapacitated;

• Policies providing for a pre-determined location at which to continue business operations if the permanent location is destroyed or damaged in the attack;

• Policies providing for post-incident emotional and psychological assistance, including counseling, for employees; and

• Policies for obtaining back-up files, documents, inventory, and equipment.

In addition to policies and procedures that directly address pre-incident and post-incident concerns, businesses should also assess how potential risks are being addressed with respect to the following:

• Do standard due-diligence checklists address security issues and concerns in the event of a terrorist attack?

• Do contracts with customers and vendors contain provisions for acts of war and force majeure?

• Do contracts with property-management services, security services, and other service providers contain special standards of operation in the event of a terrorist attack and provisions that would indemnify and hold the business harmless for the action or inaction of such service providers?

• Do leases contain rent-abatement and termination provisions for loss of use of the premises, loss of utility services, and loss of access to premises due to governmental mandate?

• Does the business's insurance provide adequate coverage for indirect and direct damage from a terrorist attack, including coverage for damage caused by interruption of its business and operations?

• Does the business's overall crisis-management plan provide for response to terrorist attacks?

• Does the business's communications plan provide for proper communication of risks and damage to investors, vendors, customers, and the media?

[2] Updating Policies and Procedures to Address Potential Risks

If existing policies and procedures do not adequately address the potential risks to the business, then it must design and implement policies and procedures that do.4 Once adequate policies and practices are in place, businesses should regularly reassess potential risks and then review and, where appropriate, replace and adopt policies and test procedures through simulations and emergency exercises to ensure that they address such new risks. Depending on the severity of the risks and the size of the business, it may consider undergoing regular risk assessments by outside counsel to ensure that policies and practices are adequate. As part of this ongoing process, it is incumbent upon the business to properly document the steps undertaken in the design, implementation, and review of the policies and procedures. A business also needs a system to monitor new and different types of terrorist threats and attacks (e.g., biological) and technologies available to prevent, respond to, or ameliorate the effects of such threats and attacks.

4 Potential sources of information to use as starting points include the website of the Corporate Crisis Response Officers Association, www.ceroa.gov (last visited Sept. 16, 2009), Business Roundtable guides from 2005, available at www.businessroundtable.org/sites/default/files/20050503003CEORiskMgmtGuideFINAL.pdf and www.businessroundtable.org/sites/default/files/20050503002CrisisPrepare.pdf (last visited Sept. 16, 2009), and a Homeland Security InfoPAK℠ from the Association of Corporate Counsel, developed with DLA Piper, available from the DLA Piper website (2008 version as of Sept. 16, 2009).

§ 5.06 Specific Liability of Landlords and Business Property Owners

Throughout the chapter, landlords have been mentioned as among the class of persons that need to engage in risk management and who are potentially liable. Mention also must be made of the historically higher standard of care placed on innkeepers and their successors in the hotel and restaurant industries. Business property owners have an obligation to warn tenants of the risk of terrorist acts.1 Courts have applied different tests to determine when the "duty to protect" arises, including the imminent-harm test, the prior-instances test, the totality-of-the-circumstances test, and the balancing-of-interests test.2 There is evidence that these tests are being applied differently after September 11.3

1 See Elizabeth H. Belkin, Beyond 9/11—Homeland Security and the Owner/Operator of Real Estate, 20 Prob. & Prop. 28 (Mar./Apr. 2006).

2 Id.

3 Id. at 29 (citing In re September 11 Litigation, 280 F. Supp. 2d at 298-99, and a jury decision in the earlier Port Authority bombing case finding the Port Authority liable). For a more detailed discussion of these tests see Belkin, supra note 1. For other commentary on the changes taking place in the foreseeability test see Joe Wientge, Comment: Foreseeable Change: The Need for Modification of the Foreseeability Standard in Cases Resulting from Terrorist Acts after September 11, 74 UMKC L. Rev. 165 (2005).

§ 5.07 Exemptions from Liability in Declared National Emergencies

For many years, provisions have existed for exempting companies and individuals from liability when acting in a declared national emergency. Title 50 of the U.S. Code, dealing with War and National Defense, provides in Chapter 35 the International Emergency Economic Powers Act (the IEEPA). Part of the IEEPA, § 1701, provides that

Any authority granted to the President by [50 U.S.C. § 1702] may be exercised to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy or economy of the United States, if the President declares a national emergency with respect to such threat.1

The broad powers granted to the President are set out in section 1702 and include the right to regulate and prohibit foreign currency transactions; investigate, block, regulate, nullify, and void transfers of property subject to the jurisdiction of the United States;2 and

when the United States is engaged in armed hostilities or has been attacked by a foreign country or foreign nationals, confiscate any property, subject to the jurisdiction of the United States, of any foreign person, foreign organization or foreign country that he determines has planned, authorized, aided or engaged in such hostilities or attacks against the United States. . . .3

This language is broad enough to cover the events of September 11 and other terrorist attacks, since it includes acts involving foreign nationals and not necessarily those endorsed or supported by foreign countries. In the case of September 11, President Bush declared a national emergency, in Executive Order 13,224,4 based on his authority in the IEEPA and other laws.5

Obviously, in carrying out these powers, the President may order private companies to take action that otherwise might give rise to lawsuits, such as to close or turn over bank accounts of foreign nationals, to transfer the funds to the United States government, to block otherwise legal sales of property, and/or to transfer that property to the United States. This again can give rise to potential liabilities for private companies that are complying with presidential orders during a national emergency. To deal with this problem and to assure companies complying with presidential orders in national emergencies that they will not be flooded with lawsuits, the law provides what is essentially a blanket exemption from liability in § 1702(a)(3). This says that "No person shall be held liable in any court for or with respect to anything done or omitted in good faith in connection with the administration of, or pursuant to and in reliance on, this chapter or any regulation, instruction, or direction issued under this chapter."6 Thus, the only issue that might possibly be subject to litigation is whether a party acted in "good faith." Protection is, therefore, consistently greater for businesses when a national emergency is declared, and they should look carefully when terrorist events occur to see whether the President has in fact formally declared an emergency under the IEEPA or another law.

1 50 U.S.C. § 1701(a).

2 50 U.S.C. § 1702(a)(1).

3 50 U.S.C. § 1702(a)(1)(C).

4 66 Fed. Reg. 49,079 (Sept. 25, 2001).

5 Declaration of National Emergency by Reason of Certain Terrorist Attacks (Sept. 14, 2001), Proc. No. 7463, 66 Fed. Reg. 48,199 (Sept. 18, 2001); see, e.g., National Emergencies Act, 50 U.S.C. §§ 1601, 1621, 1622, 1631, 1641, 1651.

6 50 U.S.C. § 1702(a)(3).


§ 5.08 Protection Through Insurance Coverage

Insurance coverage against terrorism risks is available through several carriers. A policy offered by AIG is called "Property Terrorism Insurance" and covers multinational companies based in North America against losses to their property worldwide. Coverage includes losses from acts perpetrated by foreign or domestic terrorists, up to $250 million. Coverage encompasses attacks using biological or chemical agents and includes the costs of biohazard cleanup. A business-interruption coverage is also included (with a thirty-day waiting period). In addition, coverage with a product known as "LexCyber secure" may be available against catastrophic financial losses that could result from cyberterrorism and penetration of the company's computer network. This coverage includes information-asset protection, network business-interruption coverage, and cyberextortion coverage, including investigation and settlement of any threats.

AIG also offers threat and vulnerability assessments and online crisis-management services. Coverage for business interruption can be claimed based on any civil or military order even if there is only a threat of terrorism (e.g., an order by the President to close all oil refineries or airports). The business-interruption coverage would seem to cover secondary causes of loss such as the closing of highways that block access to a business, or the lack of access to supplies because of closure of a port.1 Another insurer, Hiscox, offers consultations with a "Control Risks Group" of leading risk-assessment and crisis-management consultants.2

Insurers are required to offer this type of coverage as a result of the Terrorism Risk Insurance Act of 2002 (TRIA).3 The purpose of this law, originally designed to be temporary, was to "address market disruption, ensure the continued widespread availability and affordability of commercial property and casualty insurance for terrorism risk, and allow for a transition period for the market to stabilize and build capacity while preserving State insurance regulation and consumer protections."4 The program provides shared public and private compensation and authorizes the Treasury Department to implement TRIA and promulgate rules. TRIA was extended by the Terrorism Risk Insurance Extension Act of 20055 and again with the Terrorism Risk Insurance Program Reauthorization Act of 2007.6 This extended the law until 2014.7

1 See AIG Property Terrorism Insurance-Terrorism-Specialty, http://www.aig.com/Property-Terrorism-Insurance_20_1736.html.

2 See Hiscox, War, Terrorism and Political Violence Insurance, http://www.hiscox.com/ViewCMSPage.aspx?pageID=42df06f6-9323-4d83-8335-b9b5665bcb70.

3 Pub. L. No. 107-297, 116 Stat. 2322 (codified at 15 U.S.C. § 6701 note).

4 See Terrorism Risk Insurance Program: Terrorism Risk Insurance Program Reauthorization ActImplementation, 74 Fed. Reg. 18,135 (Apr. 21, 2009) (discusses the reauthorization of the program).

5 Pub. L. No. 109-144, 119 Stat. 2660.

6 Pub. L. No. 110-160, 121 Stat. 1839.

7 See Chapter 14 of this treatise for more information on the Terrorism Risk Insurance Act.


§ 5.09 Conclusion

The tragic events of September 11 continue to present significant financial and managerial challenges to businesses and may have redefined what is "foreseeable" in terms of terrorism. Today, the biggest challenge facing some businesses may be adequately preparing against another terrorist attack. Businesses must protect the interests of their employees, tenants, vendors, stockholders, and customers not only for continuity-of-business purposes but also for liability purposes. Corporations and their officers and directors must exercise due care to prepare against another terrorist attack and to avoid successful claims for a negligent failure to plan. Having policies and procedures in place to address potential risks, together with a plan for regular risk assessment, is essential not only for ensuring continuation of operations after another terrorist attack, but also for providing the best defense to potential claims by third parties such as for negligent failure to plan.


Permissions granted to revise and reprint by Fulton County Daily Report. Copyright 2015. ALM Media Properties, LLC. All rights reserved.

Lessons for General Counsel from Recent Cyberattack on the U.S. Office of Personnel Management (originally published August 4, 2015, republished August 2016 with update)

Joe D. Whitley

While most consumers seem to find the various media reports of public and private sector cyberattacks relatively unremarkable, an April cyberattack on the U.S. Office of Personnel Management (OPM) and other recent high-profile breaches should remind general counsel that "no sector, network or system is immune to infiltration by those seeking to steal commercial or government secrets and property to perpetrate malicious and disruptive activity." (See "The Budget Message of the President"). President Barack Obama's proposed budget for the 2016 fiscal year seeks $14 billion to bolster cybersecurity efforts across the U.S. government. This article will explore whether you, as general counsel (or those advising general counsel), are taking appropriate measures to protect your company or client from cybersecurity breaches, exposure, and liability.

OPM: The Successful Target of a Cyber-Attack

In April, just two months after the president requested $14 billion to make cybersecurity improvements, the OPM discovered a cybersecurity incident potentially affecting 21.5 million current, former and prospective government employees and independent contractors. Investigations confirmed that these individuals' most private information, including Social Security numbers and personal data collected through employment applications and background checks, had been compromised. While the OPM has involved the Department of Homeland Security and the FBI to address the security breach and any continuing threats, immeasurable and irreversible damage has already been done. The extent and severity of the damage? It is too soon to tell.

What Next?

Unofficial blame has been placed on Chinese hackers, and the speculation is that stolen information will likely be used for many purposes that will advance both state and private interests in China, to the detriment of U.S. interests. Admittedly, we are traveling into unknown territory with the OPM breach having such a major impact, so we will likely face an unfolding challenge to our national security and proprietary information for many years to come.

Unfortunately, the issue of cybersecurity breaches and resulting international violations and damages is not redressable by U.S. laws and regulations alone. Although five Chinese perpetrators have been indicted in relation to prior similar attacks, it is unknown whether such individual perpetrators will ever actually face punishment in the absence of an extradition treaty with China or other similarly positioned countries. Further, the reality is that the stolen information has already been disseminated. Much damage has already been done.

Some proponents of retribution cite the UN Charter as authority to take responsive action against China; however, there is no universally applicable international law governing responses to cybersecurity attacks. Most of the arguments in favor of retribution require very nuanced analysis of such international law concepts as "use of force," "unlawful intervention" into the domain of another state, breach of state sovereignty, or breach of an obligation owed to another state—concepts that have not traditionally been applied to the cyberindustry and do not generally afford private entities (as opposed to states) any authority to retaliate.

Further, the analysis generally oversimplifies the careful consideration that must be given to economic and foreign policy effects of such action against another nation. There have been talks of international treaties to address these concerns; however, such discussions remain conceptual and are largely irrelevant to today's cyberbreaches.

The Impact on General Counsel

In a rapidly evolving digital age with countless unknowns and limited remedies, general counsel in every sector of the economy should now be concerning themselves with the preemptive and responsive measures they should take when—not if—they fall victim to a cybersecurity event.

In a 2014 publication on data security breaches, the Washington Legal Foundation explained that every entity storing electronic information will be subject to a cybersecurity event at some point. See Jana Valdetero and David Zetoony, "Data Security Breaches: Incident Preparedness and Response 9" (Washington Legal Foundation 2014). What remains relatively unknown (and potentially treatable) is the extent of such a breach and the resultant damages.

One thing is certain: the right breach, in the absence of appropriate preventive and remedial measures, has the potential for grave consequences for a company's reputation, continuity, competitive advantages, liabilities and unbudgeted expenses (e.g., investigation, notification, regulation and prevention).

To combat the unknowns, general counsel should adopt comprehensive and quantifiable preventative measures to pre-empt cybersecurity breaches and enable swift response when breaches are detected. In the digital age, all companies should have in place written security programs, policies and procedures delineating important security protocols, contacts, escalation measures, incident response plans and employee training programs.

These and related legal documents should be kept on hand in both paper and electronic format by general counsel and other affected personnel, so that threats can be swiftly assessed and addressed. This is especially critical when dealing with the onslaught of legal, regulatory, and media attention that can be expected when a breach occurs.

Additionally, general counsel need to consider involving outside legal counsel at the earliest possible moment, both to ensure that attorney-client privilege protects documents and communications in the aftermath of an incident, and also to ensure that evidence is properly investigated and controlled to avoid chain of title issues. An outside legal team should also address various aspects of the breach, including: isolating the breach, leading a forensic investigation, managing media inquiries and other communications, addressing human resource issues, and advising as to ongoing business operations. Outside counsel will ensure that all responsive and remedial measures taken are appropriate and well-documented, which may provide an additional layer of insulation from civil exposure in the current uncertain regulatory climate.

Finally, general counsel should be diligent in selecting or upgrading cyberinsurance policies. With the evolving and escalating nature of cyberattacks, it is likely cyberinsurance providers will modify policies to exclude or limit the liability coverage for incidents or cap reimbursement for costs expended and remedial measures taken.

In light of the previously discussed costs associated with security breaches, both known and unknown, general counsel should routinely investigate the application and coverage of any cyberinsurance policy and be sure that coverage is appropriate in light of the individual entity's particular risk factors.

Navigating Conflicting State Disclosure Laws and Preparing for a Federal Regulatory Response

At least 47 states have laws addressing the type and content of security breach notifications required of entities affected by intrusions. The laws vary from permissible electronic notification to mandatory mailed notices. Further complicating the issue is that many entities do business in and have contact with affected parties from many states.

General counsel should understand and apply state law in the states where they operate or seek guidance from outside counsel as to which state laws govern notifications to affected parties and whether their presence in a state relegates them to mandatory compliance. Of course, these notice requirements must be carefully synthesized with privacy laws governing both intra- and international operations of U.S. businesses as well.


General counsel should also be aware that mere compliance with mandatory notice laws may not protect an entity from civil exposure and will likely not, in and of itself, re-establish the entity's course of business and reputation. Victims whose data has been leaked in the wake of cybersecurity breaches have sued for damages under various legal theories, including negligence, breach of contract and breach of fiduciary duty, among others. Unfortunately, most known cases have resulted in confidential settlements, leaving the case law on the subject relatively undeveloped.

In light of these issues and the increased scrutiny regarding recent cyberintrusions, efforts are being made to establish a federal regulatory scheme to provide more guidance to the private sector and bolster confidence in the public domain.

As a result of this highly dynamic environment, general counsel also need to keep themselves apprised of proposed changes to federal law governing notice requirements and other regulatory standards. For example, to bridge the apparent gaps and conflicts in state cyberbreach law, five proposals were submitted to the Senate in 2014, and in January 2015 the president announced the proposal of the "Personal Data Notification and Protection Act," which aims to set a federal standard for notifying victims of cybersecurity breaches. H.R. 1704, 114th Cong. (2015). General counsel should follow the progression of this proposed legislation and respond accordingly if one of these proposals or a similar bill is passed.

Madeleine G. Kvalheim and Brett A. Switzer, associates in Baker Donelson's Atlanta office, also contributed to this article.

August 17, 2016 Update

At the end of the 2015 legislative session, the United States Congress passed the Cybersecurity Act of 2015 [P.L. 114-113] as part of a last-minute omnibus appropriations bill, and President Obama signed the bill into law later the same day. The Cybersecurity Act of 2015 aims to promote a collaborative, crowdsourcing approach to cyber-defense efforts through the sharing of information related to cyber threats between the public and private sectors, while simultaneously protecting the privacy rights of individuals whose information may be implicated. The law incentivizes private sector participation by extending liability protections to private sector entities that share information and defensive measures with the government and other members of the private sector, which many companies consider a prerequisite to any sort of information sharing arrangement. The Act, which will remain in effect until September 30, 2025 unless repealed, does not provide the type of streamlined regulation that is desired by the private sector and identified as a priority in the President's Cybersecurity Executive Order issued in 2012. As a result, general counsel must continue to pay particularly close attention to industry sector-specific developments at both the state and federal level.