While director and officer liability (D&O) claims arising out of cybersecurity events are not new, COVID-19 has increased those risks and created fertile ground for litigation and personal liability. Executive oversight of cybersecurity protocols and practices will no doubt be tested by the myriad new challenges related to post-COVID exit strategies, including heightened monitoring of individuals and disclosure requirements in the context of contact tracing.
These challenges are more pronounced following the directive by the US Securities and Exchange Commission that public companies provide investors with assessments and plans for addressing material risks to their businesses and operations created by COVID-19 “to the fullest extent possible.” Such disclosure obligations position companies for increased scrutiny by both regulators and shareholders. Companies reliant on third-party suppliers and service providers may be particularly susceptible, to the extent they are held responsible for those providers’ deficient cybersecurity measures.
Cybersecurity incidents in recent years have inspired class action and shareholder litigation against publicly traded companies and their directors and officers. Examples include high-profile cases against Target, Wyndham Worldwide, Home Depot, and Capital One, to name a few. More recently, in April 2020, a popular video conferencing provider was sued in federal court by a shareholder alleging that the company had “inadequate data privacy and security measures,” and falsely claimed that the service offered end-to-end encryption. But what happens when security flaws originate at a third-party service provider? Could directors and officers still face liability in those situations?
LabCorp. In a shareholder derivative lawsuit filed against LabCorp on April 28, 2020, plaintiffs charged LabCorp’s directors and officers with breach of fiduciary duties based, in part, upon a data breach taking place at one of the company’s third-party service providers. After a large number of compromised payment cards surfaced on the “dark web” containing personally identifiable information (PII) and personal health information (PHI) about LabCorp patients, it was determined that the information likely had been stolen from the third-party service provider that collected patient receivables for LabCorp. The service provider concluded that there had been a breach of its website payment portal. After being informed of the breach affecting more than 10.2 million patients on May 14, 2019, LabCorp informed investors in an SEC filing on June 4, 2019.
In addition to a consumer class action on behalf of patients whose personal information had been compromised, this prompted the filing of a shareholder lawsuit charging that LabCorp’s “insufficient cybersecurity procedures and oversight of [third-party service provider] … permitted unauthorized access to LabCorp’s patients’ confidential, personal information.” The complaint alleges that LabCorp’s directors and officers breached duties of loyalty, care, and good faith by, among other things: “providing PII and PHI of patients to a business associate with deficient cybersecurity and breach detection,” “failing to ensure that the Company, as well as its business associates, utilized proper cybersecurity safeguards,” “failing to have a sufficient incident response plan to immediately respond to Data Breaches,” and by “consciously disregarding, delaying, and failing to ensure that the Company notified all potentially affected individuals and entities in a timely manner upon discovering the Data Breaches.”
- While director liability for cybersecurity measures on the part of a third-party service provider has not yet been tested, LabCorp highlights an area of risk potentially heightened by the present pandemic. Data breaches that result in the compromise of confidential information will give rise to claims against the deepest pockets, including public companies operating in a post-COVID-19 environment.
- Companies can mitigate risks associated with third-party suppliers and service providers through careful vetting of privacy and data security measures, indemnification provisions, insurance, and other strategic measures.
- Data breaches on the part of third-party suppliers or service providers that potentially implicate the personal information about a company’s clients or customers must be disclosed in a timely manner once a breach is discovered.
- Laws like the California Consumer Privacy Act (Cal. Civ. Code §1798.150) increasingly empower litigants to bring claims against companies that suffer data security breaches for statutory damages ranging from $100 to $750 per California resident and per incident, or actual damages, whichever is greater, and any other relief a court deems proper.