One of the most closely watched issues in the world of D&O is the extent to which cybersecurity-related issues will lead to liability for corporate directors and officers. In the following guest post, Tarun Krishnakumar, a New Delhi attorney qualified in India and California specializing on issues relating to emerging technology , takes a look at the corporate liability framework under Indian laws with respect to emerging cybersecurity exposures. I would like to thank Tarun for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Tarun’s article.
This note seeks to provide an overview of the Indian legal regime applicable to director and officer liability in relation to emerging cybersecurity concerns. It is hoped that this note will provide a robust starting point for further discussions on the interplay between corporate governance and cyber risk under extant Indian law.
Indian company law underwent a drastic change with the enactment of the new Companies Act in 2013 (Act). Meant to overhaul an ageing companies’ framework (last codified in 1956), the Act was intended to improve the ease of doing business by reducing compliance and bringing Indian law on par with modern global standards. The new regime brought sweeping reforms including in relation to encouraging e-governance and electronic documentation, mandating corporate social responsibility, simplifying merger procedures, improving disclosure norms, and enhancing protections for investors and minority shareholders. While almost five years have passed since the Act came into force, a significant majority of the its provisions have yet to be meaningfully tested by Indian courts. Therefore, going forward, it is likely that the new framework will continue to raise as many questions as it had intended to answer.
Not least of these will be the potential for the framework to account for emerging corporate governance concerns such as cybersecurity. With large scale data breaches becoming commonplace, focus has increasingly turned on C-suite oversight – in many cases, the lack thereof – over cybersecurity in the corporate setting. Apart from liability at the entity level, courts (and research) in various jurisdictions have begun to explore if liability can be attracted by the failures of directors and key management personnel to sufficiently account for organizational cybersecurity.
In light of the above, a consideration of the effect of the new Companies Act on such questions in the Indian setting is timely. Neither Indian industry nor the legal community have explored these questions in any significant level of detail. Though Indian courts have yet to substantially engage with cybersecurity and data breach liability in general – much less, in a D&O liability setting – these questions are only likely to become increasingly common as affected parties look to localize liability for failure to implement adequate cybersecurity measures within corporations. This note aims to serve as a starting point for this discussion by outlining three key interfaces between cybersecurity concerns and D&O liability under Indian law.
Codification of Director Duties
Of the sweeping reforms brought by the 2013 Act, a key change has been the codification of director duties under Section 166. This provision attempts to provide much-needed clarity to an issue which was previously governed by a patchwork of inconclusive judicial decisions. Despite a general recognition of the fiduciary duties of directors under common law, decisional law providing clarity on the scope and extent of each duty has been elusive. Therefore, it is hoped that codification will provide a clean slate for judicial consideration of this critical topic.
Under the new Act, directors owe six broad duties to companies on whose boards they serve. These are duties (i) to act in accordance with the company’s articles, (ii) to act in good faith to promote the objects and best interests of the company, (iii) to exercise duties with due and reasonable care, skill, diligence, and independent judgment, (iv) to avoid conflicts of interest, (v) to not attempt to gain any unfair gain or advantage for him or his relatives, and (vi) to not assign one’s office. Of these, of particular relevance to cybersecurity concern is the duty of a director to exercise his duties with care, skill, and diligence.
While courts around the world have yet to arrive at a consensus on this issue, in today’s paradigm, it is hard to rebut the assertion that adequate cybersecurity measures should form part of the reasonable care that any director should exercise in managing corporate risk. However, legally, the issue may not be straightforward. In a post-breach scenario, a court will likely be required to analyze whether the specific security measures adopted by a board were sufficient to be considered good faith exercises of business judgment (see for e.g. D&O Diary post on Palkon v. Holmes, et al.). In making this determination, courts are likely to consider factors including:
- State of art of existing technical and policy measures adopted by a company;
- Industry-wide and sector-specific standards and best practices;
- Level of discussion of cyber issues at board or committee level;
- Implementation of recommendations at operational law.
- Third party auditing and certification of security measures; and
- History of response and remediation of incidents.
In the event of a finding against a director on this issue, penalties as well as damages may be available. The new Act goes as far as to prescribe specific penalties for breach of duties by a director. Under Section 166(7), breach of duties by a director shall be punishable with fine with shall not be less than one lakh (100,000) Rupees which and which may extend up to five lakh (500,000) Rupees.
While these amounts may seem paltry, it may be noted that the liability under this provision is likely to be personal in nature. Moreover, it may be open for courts to apply the penalty separately to each of multiple failures uncovered in a post-breach scenario. The new Act’s recognition of class actions also empowers company members and depositors to claim damages or compensation from the company or its directors for ‘any fraudulent, unlawful, or wrongful act or omission or conduct’. This provision, though un-tested, may substantially increase D&O risk in relation to cybersecurity-related liability going forward. Lastly, it may be noted that liability under this regime would be over and above liability incurred under parallel frameworks such as Indian IT and data protection law.
Express Duties under Delegated Legislation
In addition to implied responsibility of directors to ensure cybersecurity as part of their fiduciary duties under Section 166, various pieces of delegated legislation issued under the Act create express data security obligations for management. For instance, Rule 28(1) of the Companies (Management and Administration) Rules, 2014 (‘Rules’) makes the managing director, company secretary, or other designated officer or director responsible ‘for the maintenance and security of electronic records’. Rule 28(2) of the same Rules goes as far as to outline thirteen specific obligations for management which include ensuring:
- adequate protection against unauthorized access, alteration or tampering of records;
- against loss of the records as a result of damage to, or failure of the media on which the records are maintained;
- that computer systems, software and hardware are adequately secured and validated to ensure their accuracy, reliability and consistent intended performance;
- that records are accurate, accessible, and capable of being reproduced for reference later;
- that at least one backup, taken at a periodicity of not exceeding one day, are kept of the updated records kept in electronic form;
- limitation of access to the records to the managing director, company secretary or any other director or officer or persons as may be authorized by the Board in this behalf; and
- that necessary steps are taken to ensure security, integrity and confidentiality of records.
For purposes of these Rules, ‘electronic record’ is defined broadly to include any “data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche” (Section 2(1)(t) of the Information Technology Act, 2000). The breadth of this definition means that these obligations will likely extend to any and all electronic records which may be maintained by a company in ordinary course.
Despite the express recognition of an obligation to ensure data security, penalties for non-compliance under this Rule are nominal. Any default in compliance may attract penalties which may extend up to five thousand (5,000) Rupees and where the contravention is of continuing nature, a further fine which may extend to five hundred (500) Rupees for every day after the first during which such contravention continues. As is the case above, it remains to be seen if class action suits may prove to be a viable mechanism for affected shareholders to seek compensation.
D&O risk under Other Frameworks
While not the focus of this note, it is also important to understand that management failures to implement adequate security may attract liability under other statutory and regulatory frameworks. For instance, under Section 43A of the omnibus Information Technology Act, 2000 (as amended), organizations failing to implement reasonable security practices in relation to the collection of sensitive personal data or information (which is then breached) may be liable for uncapped monetary damages. For the purposes of this requirement, implementation of ISO 27001:2013 or an equivalent framework is deemed fulfillment of this requirement.
Under Section 85 of the IT Act, where an offence or non-contravention is committed by a Company, “every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention”. However, an officer is entitled to raise the defence that that the contravention took place without his/her knowledge or that all due diligence was exercised to prevent such contravention.
Similarly, detailed guidance has been issued by various sectoral regulators in sectors including banking, insurance, and securities. While awareness of these issues is still crystallizing, enforcement levels by regulators are expected to pick up in the short and medium term. D&O risk under this head would depend on the specific framework at issue – and whether it contemplates extension of liability for non-compliances to directors or officers.
The Way Forward
While awareness relating to cybersecurity concerns within a corporate governance context is still emerging in India, the new company law regime provides a starting point for deeper consideration of these issues by courts.
In general, while D&O risk in relation to cybersecurity may be limited under extant Indian company law, it remains to be seen how Indian courts will address these questions under yet-untested mechanisms including class actions. However, given problems relating to pendency which are endemic to the Indian judiciary, we are probably still a few years away from judicial consideration of these issues. Till then, companies in India should ensure the implementation of industry-specific security best practices combined with a robust organizational, technical, and managerial security measures.
Author: Tarun Krishnakumar is an India and California qualified attorney with a leading Indian law firm in New Delhi. His practice focusses on cutting-edge legal, regulatory, and policy issues surrounding emerging technology, business models, and products. Areas of special focus include privacy and data protection, cybersecurity, cloud computing and outsourcing, intermediary liability, financial regulation, and FinTech. Tarun may be contacted through his LinkedIn profile. All views expressed are personal.