In numerous prior posts I have examined efforts by plaintiffs’ attorneys to try to impose civil liability on corporate executives in D&O claims following cyber security incidents. Two recent cases show that, in addition to potential civil litigation liability exposure, corporate executives may also face potential regulatory liability and even criminal liability exposure for cyber security incidents at their company. The two recent cases are discussed in an October 27, 2022 memo from the White and Case law firm, here.
One of the two examples discussed in the law firm memo is a recent case in which a corporate executive was criminally convicted in connection with a cybersecurity incident. The criminal case involved Joseph Sullivan, the former chief security officer at Uber. As discussed here, on October 5, 2022, a jury found Sullivan guilty of obstructing an FTC investigation and of misprision of felony (concealment of a felony). Prosecutors had alleged that Sullivan failed to alert the Federal Trade Commission (FTC) to a 2016 data breach at Uber. The incident involved a hacker’s unauthorized access to Uber customer records. The hacker demanded a $100,000 payment, which Sullivan’s team ultimately paid. The law firm memo comments that Sullivan’s prosecution “is believed to be the first time a U.S. company executive has been criminally prosecuted over a cyber breach.”
The second case is a recent regulatory action involving a corporate executive and relates to the October 24, 2022 FTC order concerning a cybersecurity incident at the drinks delivery company Drizly. The FTC’s press release about the order can be found here. The FTC’s order relates both to the company itself as well as to the company’s CEO Cory Rellas. The order was filed in connection with an FTC complaint in which the agency alleged that the company failed to enact reasonable safeguards for consumer data after a 2018 incident in which a Drizly employee posted company cloud computing account login information online. The FTC’s order requires the company and the CEO to put in place an information security program to protect customer data.
With respect to the inclusion of the CEO in the order, the FTC’s press release states that “this ensures the CEO faces consequences for the company’s carelessness.” In a joint statement, FTC Chair Lina Khan and Commissioner Alvaro Bedoya stated that “Holding individual executives accountable … can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations.”
While the implications for corporate executives from these developments may be alarming, the law firm memo emphasizes that both of these cases involved “aggravating factors that may place them outside of a ‘typical’ scenario” and that prompted the authorities to target the individuals.
The 2016 cyber security incident that the Uber executive was alleged to have failed to disclose to the FTC arose when the company was already under investigation for a 2014 cyber incident. Sullivan was alleged to have failed to alert the FTC to the 2016 incident notwithstanding the ongoing investigation of the 2014 incident. Sullivan was also alleged to have taken steps to conceal the incident internally within Uber. Uber later fired Sullivan in connection with his actions.
The FTC directed its order against Drizly’s CEO because, according to the agency’s complaint, the company failed to implement basic cybersecurity safeguards even as it made public statements claiming to have appropriate cybersecurity protections in place.
But while there may well have been special circumstances that explain in part the regulators’ and prosecutors’ efforts to target the corporate executives in these two cases, the fact is that both cases raise the prospect of potential personal liability for corporate executives arising from cybersecurity incidents, including even potential criminal liability.
The law firm memo notes that regulators “have long made clear their view that cybersecurity is a board level issue that requires serious and meaningful senior engagement.” Corporate directors and officers should therefore assume that regulators “will be looking very closely at the conduct of individual directors in relation to any cyber breach suffered by their company.”
The law firm memo concludes by noting that “cyber security is now firmly established as a key business risk” which, among other things means that directors and officers “can increasingly expect a cyber breach suffered by their company to result in more pressure to demonstrate that they have taken reasonable steps both to prevent a breach and to prepare to handle any breach that occurred.”
In any event, these developments provide even further justification for cybersecurity to be a top board-level issue as well as a key issue for senior corporate officers. The cases show that it is important for companies to be forthright about their cybersecurity efforts and to be forthright when they experience cybersecurity incidents. As the law firm memo notes, companies will want to take steps to ensure that they can show that they took reasonable steps to protect customer data and that they were forthright in their disclosures about cybersecurity and cybersecurity incidents.