As regular readers of this blog know, one of the many consequences that may follow for a company that experiences a cybersecurity incident is that it could get hit with a D&O claim. In the following guest post, Paul Ferrillo examines whether the increasing move toward cybersecurity-related D&O claims could in turn lead to an increase in prior Delaware Section 220 books and records inspection demands. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. I would like to thank Paul for allowing me to publish his guest post as an article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
The most recent spate of high-profile cybersecurity breaches generally has an element that most directors do not like: litigation against the board. Whether it be securities litigation precipitated by a stock drop (e.g., FedEx or Capital One) or breach of fiduciary duty litigation, boards continue to find themselves on the wrong side of the playing field when it comes to cybersecurity cases, especially those arising from a bad breach. As a result, lots of questions will be asked about the board’s conduct. What did they know about the cybersecurity posture of the company? When did they know it? And in Delaware, more generally, did they fulfill their fiduciary duty with respect to the oversight of the cybersecurity of the company?
These are all good questions. Testimony might be needed, but at least in Delaware, plaintiffs can file, even before the litigation, a critical request called a “Section 220 corporate books and records demand” (hereinafter, a “Section 220 demand”). If improperly handled, it might mean that plaintiffs will be able to sufficiently supplement a motion to dismiss made by the directors with factual allegations that the board did not generally “pay any attention to cybersecurity.” If the derivative action survives, then directors will need to buckle up their seatbelts for a potentially bumpy ride on the litigation train. We have seen successful 220 demands in many cases this year (not cyber, but in other areas). Several of the higher-profile cases survived, meaning directors’ and officers’ liability insurance limits will continue to get depleted by litigation expenses. That’s bad news for the directors. The news becomes worse if, from a cyber perspective, a company does not survive the consequences of the breach, leaving insurance as the only method to protect the directors’ personal assets. How do you get through the potential meltdown of a Section 220 demand in cyber-related litigation? Here are some ideas.
“The paramount factor in determining whether a stockholder is entitled to inspection of corporate books and records is the propriety of the stockholder’s purpose in seeking such inspection.” A purpose is “proper” where it reasonably relates to the stockholder’s interest as a stockholder. “In a section 220 action, a stockholder has the burden of proof to demonstrate a proper purpose by a preponderance of the evidence.” See Kosinski v. GGP, Inc. (Del. Ch. Aug. 28, 2019), available here (hereinafter “the GGP case”). What is a proper purpose? The GGP case tells us:
To inspect books and records for the purpose of investigating waste, mismanagement, or wrongdoing, a stockholder must “present some evidence that establishe[s] a credible basis from which the Court of Chancery could infer there were legitimate issues of possible waste, mismanagement or wrongdoing that warrant[s] further investigation.” The “credible basis” standard is “the lowest possible burden of proof.” It requires that the plaintiff demonstrate only “some evidence” of possible mismanagement or wrongdoing to warrant further investigation. See Id.
On a books and records motion, plaintiff does not actually have to plead a breach of fiduciary duty claim. The standard is low: A plaintiff’s showing must only be “sufficient to meet the exceptionally low standard to support a credible basis for investigating wrongdoing.” Id. So in a theoretical cyber case, what if the plaintiff claimed in his Section 220 demand that:
- The company involved got hacked and lost 50 million pieces of personally identifiable information, including name, address, phone number, email address, credit card number and social security number (a “bad breach”);
- A forensic cyber investigation noted that the breach occurred in March 2018 when the attacker exploited a known vulnerability that was first discovered in 2017, with the patch then being announced 2 months later. But the company did not apply the patch until February 2019;
- The breach was first discovered in February 2019, but was not announced to the public and regulators until November, 2019 (7 months later, well past any regulatory guidance, and three fiscal 10Q quarterly reports later);
- The prior CISO of the company left in March 2019 but was not replaced by November 2019;
- The CISO left a badly under-staffed IT group that was running Windows 7 (circa 2009) on its mainframe server;
- The company had no patch management policy. Critical vulnerabilities took 2 months to patch. Lesser vulnerabilities were never patched; and
- The company did not think multi-factor authentication was “worth the effort” based upon complaints from senior management that it was “too hard” to sign on.
Under this fact pattern, all of which was announced publicly, would the plaintiff’s books and records demand be granted? We are not Chancery Court judges, but on this fact pattern we think the demand would be granted, like in the GGP case. So, ok, motion granted for books and records during the class period. We would imagine the board meeting minutes and documents would not portray a pretty picture (if they portrayed a picture at all). This would not bode well for anybody involved going forward, especially the directors.
If we are to use this train of thought, what would a good “record” of cybersecurity oversight look like if the company were forced to hand it over in Section 220 discovery? That is a good question. So here is what a forward-thinking company, knowing that plaintiffs have been encouraged by the Court to follow the books and records path, should make sure is contained in a corporation’s board minutes and attachments:
- A documented record that the board met every quarter with the CISO for 30 minutes to discuss the cybersecurity posture of the company and what questions the board members had;
- A PowerPoint deck prepared for the board showing the following quarter-over-quarter statistics: events, incidents, breaches, description of what happened, dwell time (how long the malware was on the network before it was discovered), and how long remedial efforts took (in days);
- IT head count/quarter over quarter for the past 12 months;
- Results of employee spear-phishing and phishing training, quarter over quarter for the preceding 12 months;
- Quarterly or semi-annual cyber risk and vulnerability assessments showing potential problem areas and remedial efforts; and
- Quarterly and YTD expenses for cybersecurity, broken out by equipment, software and incident response charges.
This is not a perfect list, nor a totally exhaustive one. There could be other documents prepared for the board that we have not mentioned. But if a judge saw these elements submitted into evidence, they would make it appear that the board was reasonably informed of the company’s cybersecurity posture. They might not have asked the right questions, and they might not have received the most relevant information from the CISO. They also might not have made the right decision about what next steps should be taken to improve the company’s cybersecurity posture, but the evidence would probably be determined to be “good enough” under the Caremark oversight standard of liability. So what about the motion to dismiss under Caremark? Granted. So says VC Ferrillo. See “Recent Delaware Caremark Duty Decision Underscores Board Cyber and Privacy Liability Risks,” available here.
The purpose of this article is two-fold: (1) first, to show that cybersecurity litigation risk today is more prevalent than ever given the nature of the breaches and the applicable laws and regulations in effect in most of the major jurisdictions, and (2) second, the more the company and board are proactive about cybersecurity, the less potential litigation harm can come to them if the basics of cybersecurity are followed (e.g., prompt patching of known vulnerabilities). Remember: cybersecurity is not about perfection. That does not exist, except maybe for the top 10 companies in the world who have hundreds of millions of dollars to spend on cybersecurity.
So don’t let perfection get in the way of “good” or “reasonable security.” Establish a record of good or reasonable “on the record.” If you follow the NIST framework, or indeed an applicable state law, like the NY Shield Act, you would be well on your way to reasonable security notwithstanding Delaware law. Companies and boards just need to document their efforts. And even if the Section 220 motion is granted, the records, as we outlined them above, probably would not support a Caremark-type breach of fiduciary duty claim. So your motion to dismiss would likely be granted. You just have to do the work beforehand. Remember, cybersecurity is the greatest “team sport” ever. But in today’s environment all the team members (the Board, the C-suite and IT executives) need to be ready to play ball.