Cybersecurity legislation stalks bank directors
In the wake of recent well-publicized cybersecurity breaches, regulations and new legislation have proliferated, putting bank directors in the cross-hairs of scrutiny for potential liability. A board of directors may find that defending its inaction on cybersecurity by claiming it delegated the matter to information technology and risk management teams no longer suffices. As SEC Commissioner Luis A. Aguilar noted in a June 2014 speech at the New York Stock Exchange: “Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Among the latest examples of practical guidance from the government is the Cyber Security Assessment Tool released by the Federal Financial Institutions Examination Council (FFIEC). The Assessment resembles a guide for a financial institution board of directors that sets expectations regarding management of the inherent risks of a data breach, notification policies and preventative measures.
Because the Federal Reserve has announced plans to utilize the Assessment in late 2015 or early 2016 as part of the examination process when evaluating financial institutions, bank leadership would be wise to follow the guidelines from the Assessment to better protect against the increasing cascade of legislation aimed at protecting customer data.
The effects of a data breach on a financial institution can be staggering. According to the “2015 Cost of Data Breach Study: Global Analysis,” conducted by IBM and the Ponemon Institute with 350 participating companies from 11 countries, the average total cost of a data breach for the participating companies increased 23 percent over the past two years, to $3.79 million. A separate study conducted by Verizon Enterprise Solutions, which calculated losses on a logarithmic scale, found that a data breach of 100,000,000 records may cost anywhere from $392,000 to $199,895,100. It also gives $8,852,540 as the expected cost of a breach of this size, at a 95% confidence level.
These costs stem from implementing compliance programs, litigation and federal penalties. While a compliance program is a necessary cost, ensuring that the program emphasizes current legislative direction and regulatory guidance from state and federal government may improve directors’ ability to mitigate the latter two costs.
In addition to the Gramm-Leach-Bliley Act’s Safeguards Rule, which assigns financial institutions an affirmative duty to protect a consumer’s personal information, 47 states have enacted breach notification statutes that can be pursued in tandem with federal enforcement. State notification costs alone may reach hundreds of thousands of dollars for an affected institution. Meanwhile, federal agencies and the executive branch are pushing Congress to pass federal legislation governing cybersecurity.
President Obama released a legislative plan to boost the nation’s cybersecurity following his Executive Order of 2012, which mandated the release of critical data breach information by federal agencies to the private sector. Pressure mounted on Congress to pass legislation regarding cybersecurity that would force the private sector to reciprocate and deliver data breach information to the government. The Senate seems poised to address cybersecurity this fall, including reviewing the Cybersecurity Information Sharing Act of 2015, which passed the Senate Intelligence Committee with only one vote against it.
Data breaches typically result in lawsuits for negligence, breach of contract and violation of state laws, usually deceptive trade practices acts or data breach notification laws. More importantly, violating federal legislation might expose directors to personal liability in a shareholder derivative class action lawsuit.
While many of these cases have been dismissed under Article III of the Constitution for a lack of standing, new legislation may change this landscape. Directors may be held liable by legal action, despite claims that they were acting in a “commercially reasonable” manner or exercising sound business judgment, if they fail to take appropriate action in line with regulatory guidance and updates, including:
- Taking proactive steps to implement the FFIEC’s Assessment through written information and security policy procedures;
- Providing for and regularly updating (at least quarterly) a corporate data breach response plan, with routine testing of the plan and training for employees, customers and vendors;
- Following state and regulatory notification standards if a breach were to occur;
- Monitoring third party vendor contracts and third party security measures for data breaches;
- Purchasing specific first party and third party cyber policy insurance;
- Adequately disclosing a cybersecurity breach to shareholders of a public institution.
Directors should also clarify contractual relationships with third-party vendors regarding information gathered, obtained, stored, disseminated or transacted between the parties. Vendor contracts should be reviewed to ensure they address potential cybersecurity data breaches, limit or restrict liability for any data breach by the vendor, separate a general limitation of liability from the specific liability for a data breach, and establish appropriate caps for any potential damages. As for insurance, because there is no standard cyber liability insurance policy for first-party or third-party coverage, specific attention must be given to the terms, conditions and exclusions of every cyber insurance policy to ensure it actually protects against a data breach.
Mr. King is an attorney in the Tampa, Fla., office of Burr & Forman LLP, practicing in the firm’s commercial litigation group within the creditor’s rights division. He can be reached at [email protected].