If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook. As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, as data becomes more readily available, and as the volume of incidents increases exponentially, individual executives and board members are being named personally in lawsuits for breaches of their fiduciary duties.
Individual executives and board members, thus, should address and manage any personal risk by, for example, (1) ensuring adequate insurance coverage, (2) remaining up to date on standards and protocols for corporate data security, and (3) creating clear data-privacy and protection roles and responsibilities in corporate governance documents.
The Current State of Corporate Data Protection
With the enactment and enforcement of data-protection laws such as the General Data Protection Regulation (GDPR) in Europe and data-privacy laws such as the California Consumer Privacy Act (CCPA), as well as various cyberbreach-response statutes, the legal risks related to personal data have ballooned. Many data-related lawsuits are filed as putative class actions, further increasing the potential liability. A quick search on Westlaw reveals over 2000 cases related to data breaches, with the oldest dating only from 2004. And there is no sign that the number of incidents, or of laws enacted to help prevent them, will decrease in the future.
History of Corporate Liability for Data
Other than the common law tort for invasion of privacy, most liability related to the collection and other processing of personal data is created by statute. Typically, under those statutes, the company alone is directly liable if a mishandling of personal information results in damages. Recently, however, plaintiffs also have started naming individual company executives and board members in lawsuits for their role in any mishandling of personal data, in an attempt to impose direct personal liability.
Courts are willing to impose personal liability on executives and board members under certain circumstances.
Although the cases naming executives and board members personally for data incidents are somewhat new, courts have provided some guidance on how they might succeed. For example, the Court of Chancery of Delaware recently dismissed one of these lawsuits, and, in so doing, provided a roadmap for what a successful suit might look like. In that case, Construction Industry Laborers Pension Fund v. Bingle, the plaintiffs sued various executives and board members of a software technology provider. The plaintiffs sought to impose personal liability on those individuals for alleged breaches of fiduciary duties to the company. Specifically, the plaintiffs alleged that the defendants had failed to “adequately oversee the risk to cybersecurity of criminal attack.” The company’s governance documents had included express references to both cyber and data security, all the way up to the Board level.
Despite acknowledging that the executives and board members had duties to the company related to personal data, the Court refused to impose personal liability on those individuals. That is because, the Court explained, the plaintiffs also needed to establish that the individual defendants (1) intentionally acted with a purpose other than that of advancing the best interests of the company; (2) acted with intent to violate positive law; or (3) intentionally failed to act in the face of a known duty, demonstrating a conscious disregard for their duties.
Because the plaintiffs in that case failed to establish any of those three elements, the Court dismissed the case. Thus, if a plaintiff can prove that an executive acted in bad faith, by establishing one of these three factors, courts may be willing to impose individual liability on executives and board members for personal-data incidents and violations.
To avoid or reduce the risk that individual executives and board members will be personally named and held liable in a personal-data lawsuit, companies should adopt the following general steps:
- Review and monitor all applicable data and cybersecurity laws to help ensure that the company is not affirmatively violating them.
- Review and revise corporate governance documents to help ensure proper oversight and monitoring of personal-data risks.
- Ensure proper cyber-risk training for all management and board members; ideally, have at least one board member with cybersecurity expertise.
- Review D&O (Directors & Officers) and other insurance policies to ensure that, to the extent possible, all executives and directors are indemnified for actions applicable to personal-data and cybersecurity incidents.
Taking these steps will help ensure that the company and its executives and directors provide sufficient data protections under the law, while also helping to protect those officers and directors from being exposed to individual and personal liability.