[BreachExchange] Canada: Cybersecurity Risks for Directors and Officers

[Audrey McNeil]

https://www.lexology.com/library/detail.aspx?g=68af73f9-81fe-437d-a3d0-
858e5461ccc3

Directors and officers in Canada face increased risk of personal liability
and threats to job security in relation to cybersecurity. Data breaches and
other cybersecurity events often cause companies to suffer staggering costs
and losses, severe adverse reputational impacts and third party litigation
and liability, among other consequences.

In a growing number of cases, affected stakeholders are seeking to hold
directors and officers personally liable and a number of officers have been
ousted in the wake of data breaches.[i] In this short bulletin, we
highlight a number of key developments and considerations for directors and
officers in relation to these matters.

Claims against directors and officers

Directors and officers in Canada generally face limited risk of personal
liability. However, they may be liable in scenarios where, for example,
they breach their fiduciary duties or their duty to exercise the care,
diligence, and skill of a reasonably prudent person in comparable
circumstances. Given the complexity that can be associated with the
oversight of cybersecurity risks in particular, the lack of clear legal
standards in the area, and significant consequences of breaches, the field
is ripe for affected stakeholders to test claims that directors and
officers have failed to discharge their duties.

In recent years, a number of derivative and securities claims against
directors and officers have been brought in the United States in relation
to cybersecurity incidents. Plaintiffs typically allege that directors and
officers failed to adequately oversee the organization’s cybersecurity
before a breach and/or failed to appropriately oversee the organization’s
disclosure, investigation, and remediation efforts after the breach.[ii]
While these lawsuits have not advanced for a variety of technical and
procedural reasons, such claims are expected to continue, particularly as
plaintiffs’ counsel learn from their mistakes and find creative new ways to
frame their claims.

Canada has not yet witnessed the advent of high-profile lawsuits against
directors and officers in relation to cybersecurity, although anecdotally
demands have been made in some cases. However, directors and officers
should not take comfort that such claims will not be made in Canada and nor
should they take comfort that they will be able to invoke the technical and
procedural defences that have been successful in the United States in a
number of cases to date. Many would consider that it is more likely that
similar claims could be more readily advanced in Canada, as compared to the
United States. In addition, strict liability may be imposed for breach of a
fiduciary duty, which may lead to a successful claim even if a plaintiff is
unable to demonstrate compensable damages.

Directors and officers of public companies may also face claims in relation
to securities disclosure obligations. Such claims have been advanced in the
United States to date. In Canada, the Canadian Securities Administrators
(“CSA”) expects to see material risk disclosed in a detailed and
entity-specific manner.[iii] Directors and officers may be liable for
misrepresenting their cybersecurity measures, failing to disclose a
material cybersecurity risk, or failing to disclose a material cyber breach
in a timely manner. Materiality will depend on the circumstances of the
issuer as well as the type of attack and the extent of its consequences.
Even relatively minor cyber attacks may be viewed as being material if they
are frequent or numerous.

Impact of evolving standards and risks

The discharge of directors’ and officers’ duties in respect of
cybersecurity must be continually reassessed and is evolving along with the
changing landscape of standards and risks.

While in the past there has been a relative paucity of concrete guidance in
respect of cybersecurity risk oversight, in recent years we have witnessed
the emergence of specific guidance for directors and officers[iv],
sector-specific directives and initiatives[v], regulatory guidance of
general application[vi] and landmark changes in the legal landscape.[vii]
Each of these developments would be expected to inform the steps that a
reasonably prudent person would take in addressing cybersecurity risk.
Directors and officers must ensure that they have regularly updated
knowledge not only of the risks faced by their organizations but also of
the evolving context in which their actions may be scrutinized.

New privacy regulations in Canada require organizations to: (a) notify
individuals about privacy breaches, (b) report privacy breaches to the
Office of the Privacy Commissioner of Canada (and others in certain
circumstances), and (c) keep certain records of privacy breaches.[viii]
These requirements create the potential for increased risk of cybersecurity
regulatory investigations and litigation, and in turn increased scrutiny of
director and officer actions and potential liability.

With respect to how the evolving threat landscape may influence director
and officer risk, it is notable that in at least one action in the U.S., it
was alleged that similar attacks on major retailers should have caused the
directors and officers to identify an increased risk that the company would
be attacked. In the current environment, it could be asserted that with the
prevalence of phishing and ransomware attacks (to name two extremely common
risks) on organizations of all types and sizes, directors and officers must
be particularly alive to controls and reporting for those well-known risks,
in addition to considering any risks unique to their industry.

Key steps to consider

In seeking to discharge their duties and to mitigate the risk of personal
liability arising from cybersecurity, directors and officers should
consider the full range of questions for management, and steps appropriate
to their organization and industry. Some of the key steps that typically
should be considered include:

- Ensuring that cybersecurity and privacy, and the resources allocated to
those areas, are regularly discussed at board meetings;
- Ensuring that officers with expertise of cybersecurity and privacy in the
organization give regular presentations to the board and that knowledge is
enhanced in other ways;
- Designating a committee of the board, or the audit committee, to have
primary oversight of cybersecurity and regular discussion of the topic;
- Baselining current risks using independent frameworks and analysis to
identify priorities for management;
- Utilizing third party experts to help assess cybersecurity program
effectiveness and improvements (and documenting remediation steps);
- Ensuring that an enterprise-wide cybersecurity framework is implemented,
including training programs and vendor management;
- Understanding how the organization is measuring the effectiveness of its
cybersecurity program;
- Regularly reassessing risks to track progress in mitigating risks;
- Ensuring that an incident response team, plan and resources are
implemented and updated to effectively respond to incidents (in conjunction
with a disaster recovery/continuity plan); and
- Identifying risk transfer considerations, including through cyber
insurance.

Conclusions

Canadian courts have yet to provide specific direction about director and
officer duties in relation to cybersecurity. Certainly the bulk of
responsibility for a cybersecurity program will be the task of management
and, in its oversight role, the board plainly will not be expected or
required to serve as the company’s cybersecurity experts. However, there is
no question that in recent years the risk for directors and officers in
relation to cybersecurity has emerged as a crucial concern. There also
seems no question that this key concern will continue and evolve, which
will require a concerted ongoing focus.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180423/1d6b32dd/attachment.html>