Introduction
In the past decade, there have been several reports of cybersecurity attacks and data breaches to large corporations.1 In many cases, those affected by the breach want to hold the directors and officers accountable, as they feel the corporation failed to implement the proper security measures to prevent a breach from happening or did not effectively handle the aftermath of the breach. However, directors and officers generally enjoy limited personal liability subject to a few exceptions.2 Nevertheless, as more specific guidance emerges for directors and officers handling cybersecurity issues, the scope of this liability may widen.3 Thus, directors and officers should not take comfort in the substantial barriers that prevent them from being held liable for issues relating to the organization.4 In fact, despite these substantial barriers, shareholders continue to pursue derivative actions against directors and officers.
This article will discuss the scope of personal liability directors and officers face relating to cybersecurity breaches, and recent actions pursued against directors and officers in Canada and the US. Following the article, key takeaways will be provided.
Scope of liability
Cybersecurity poses a significant threat to directors and officers as cyber threats continue to emerge, and the rules and regulations that guide cybersecurity continue to evolve. Directors and officers may be held liable in the event of a cybersecurity attack if they are found to have breached their duty of care or have failed to comply with any disclosure requirements. Moreover, directors and officers can be personally liable where a company fails to comply with Canada’s Anti-Spam Legislation (CASL).5
Directors and officers have a duty to exercise reasonable care and diligence, both at common law6 and under corporate statutes.7 Failure to oversee the company’s cybersecurity measures adequately, before and after a breach occurs, could be considered a breach of this duty.8 Moreover, failure to comply with federal and provincial disclosure requirements after a breach could lead to liability for secondary market misrepresentation.9
Therefore, having an appropriate response or compliance plan, and effective security measures to protect the company against future cyber threats is essential. This will help support any claim by a director or officer that all requisite care and diligence was met, and all regulations were complied with.10
Lastly, directors and officers can be held personally liable and receive fines where the company has violated CASL. Penalties for non-compliance with CASL carries a maximum fine of CA$1 million for individuals and CA$10 million for organizations.11 Moreover, directors and officers can be vicariously liable for non-compliance of an organization even where the regulator, Canadian Radio-television and Telecommunications Commission (CRTC), does not pursue the organization. In fact, the CRTC has made a public statement that directors and officers cannot hide behind their company’s structure or online entities to avoid liability.
Derivative actions in Canada and the US
Currently, there have not been any attempts at a lawsuit against directors and officers in relation to cybersecurity in Canada.12 However, given the amount of derivatives actions commenced in the US, it is possible that it could give rise to such claims in Canada. The US has seen several derivative action suits against directors and officers relating to cybersecurity over the past few years.13 All but one have been unsuccessful, largely due to technical and procedural reasons. However, in January 2019, a derivative action lawsuit settled for US$29 million, compensating the plaintiffs significantly.14 This is the first time shareholders have been awarded monetary damages for a breach-related derivative lawsuit. This settlement could spark the beginning of successful derivative action lawsuits, and inspire others to pursue civil actions against directors and officers for cybersecurity breaches. Moreover, this settlement can be used as a benchmark for future civil actions to compare to when deciding on the amount to be awarded. Effectively, this settlement may not only effect civil actions in the US, but also allow derivative actions to gain traction in Canada.
Penalties for violation of Canada’s Anti-Spam Legislation
More recently, the CTRC has held directors and officers personally liable for a company’s violation of CASL. On April 23, 2019, the CTRC found that a coupon marketing company, nCrowd, had violated CASL, and found the former CEO of the company to be personally liable.15 As a result, he received a CA$100,000 fine. Further, a different company that was also part of this scheme with nCrowd, had also violated CASL, and CRTC held this company’s CEO vicariously liable for the violation. As a result, he received a fine of CA$10,000. Ultimately, liability under CASL can extend beyond the corporation if the person authorized, acquiesced or participated in the commission of the violation.
Key takeaways
- Directors and officers should familiarize themselves with all regulatory guidelines to protect the company from a data breach and to avoid being personally liable for the breach;
- D&O liability insurance does not always offer protection for cyber-related incidents or threats. It is important to confirm whether this is protected and the scope of protection provided. Not having proper protection could expose directors and officers to liability and significant payouts;
- There have been no derivative action attempts relating to cybersecurity breaches in Canada, but given the current climate in the US, it is possible this will encourage such claims to occur in Canada; and
- Directors and officers can be held either personally or vicariously liable for a company’s violation of CASL if that individual played some role in the commission of the violation.
Conclusion
Cybersecurity attacks and data breaches are inevitable and can happen to any organization, thus remaining a significant threat to corporate governance. While a cybersecurity attack is a crime, directors and officers may still be held liable for a breach if they failed to oversee the company’s security measures prior to the breach, or failed to take the necessary course of action after the breach occurred. Ultimately, boards of organizations must recognize the current cybersecurity environment that exists, and assemble a reasonable response plan to respond to these threats when and if they occur. Our final article will provide key takeaways and best practices for both insureds and insurers in relation to cybersecurity risks.
For more information about this case, please contact Deepshikha Dutt or another member of Dentons’ Insurance group.
A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.
1 For example, the breach of a consumer reporting agency company Inc. in 2017 which impacted 143 million US consumers. The company had a valuation drop because of their cybersecurity failures. See also the Canadian Centre for Cyber Security, which has emphasized the increasing number of attacks targeted at businesses and business executives, especially via social engineering techniques.
2 These include breaching their duty of care and fiduciary duty under business corporations acts in Canada and at common law, and liability for secondary market misrepresentations.
3 These include both CSA Staff Notices and the new disclosure and reporting requirements under the Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA]. Specifically, see CSA Staff Notice 33-321: under this national instrument, a registered firm is required to establish, maintain and apply policies and procedures that establish a system of controls and supervision to ensure compliance and manage risks associated with its business in accordance with prudent business practices. Specifically, these compliance systems should address cyber threats. See also CSA Staff Notice 11-332, which provides that registered firms remain vigilant in developing, implementing and updating appropriate measures to safeguard themselves and their clients from cyber threats. See also ss 10.1, 10.1(3) and 10.2(1) under PIPEDA.
4 This includes, the business judgment rule and the due diligence defense set out in business corporate statutes in Canada.
5 SC 2010, C 23 [CASL].
6 Peoples Department Stores Inc v. Wise, 2004 SCC.
7 See Canada Business Corporation Act, RSC 195, c C-44 s 122(1) [CBCA]; Ontario Business Corporations Act, RSO 1990 c B 16 s 134(1) [OBCA]. These corporate statutes require that directors and officers to perform their duties with the care, skill and diligence of a reasonably prudent person. This duty is owed to the corporation, shareholders and creditors.
8 The court will look to the directors’ and officers’ conduct throughout the breach. For example, in an American home improvement retailer lawsuit, the court did criticize the board’s conduct, but ultimately did not find them liable. The court held that their decisions only had to be reasonable; not perfect.
9 See provincial and territorial securities laws, and reporting and disclosure requirements under PIPEDA.
10 See OBCA, supra note 8 s 135(4); CBCA, supra note 8 s 123(4). These provisions include the defence of “reasonable diligence” which is available to a director or officer when they have exercised the care, diligence and skill that a reasonably prudent person would have exercised in comparable circumstances. Ultimately, if the director or officer has put their minds to the issue, weighed the costs and benefits of the implementation of certain cybersecurity measures, have incorporated reasonable policies or industry standard policies, and complied with the reporting and disclosure requirements, then they will unlikely be held to breach their duty of care.
11 CASL, supra note 6 s 31.
12 This is largely a result of the requirement to obtain leave from the court before commencing a derivative action in Canada. It can be very expensive and often deters individuals from moving forward, especially given the lack of success in the US. This may now change given the recent settlement of an American web services provider lawsuit in January 2019.
13 For example, the Target lawsuit (ultimately dropped), Palkon v. Holmes (unsuccessful), and an American home improvement retailer lawsuit (unsuccessful).
14 In a recent case with an American web services provider, there was a securities class action lawsuit commenced by shareholders and plaintiff shareholders commenced a number of derivative lawsuits against the board and senior managers, which were consolidated. Both lawsuits were settled, class action at US$80 million (in 2018) and derivative action at US$29 million (in 2019).
15 The CRTC found that Brian Conley had acquiesced in the commission of the violations by the company based on the evidence provided (sending emails without consent).