Data governance and Canada’s c-suite: are directors and officers liable for cybersecurity failures?
The world has gone digital, with the global pandemic accelerating the pace of transition.
As online business and the data companies collect or generate become more central to organizational value, cybersecurity is, now more than ever, a critical enterprise issue. For senior management, cybersecurity planning, governance and resourcing now require dedicated attention; boards, for their part, must provide appropriate oversight of, and input into, cyber risk assessment and mitigation.
The crucial role of cybersecurity to an organization’s investors, customers and regulators—as well as to the organization’s profitability—is well demonstrated in both public company disclosure of data security risks and class action litigation following breaches. While officers and directors need to play a role in cybersecurity risk management to fulfill their obligations to the company, their potential personal liability for security failures is a developing area in Canadian law. A recent trend of investor class actions in the United States gives us insight into the question of liability that Canadian officers and directors may face when a company experiences a cybersecurity incident.
Current landscape in Canada
Directors and officers can be liable for regulatory penalties under Canadian federal and provincial privacy legislation. In Québec, directors and officers who authorize a corporate act or omission which violates privacy law may be named as parties and liable to penalties.
The scope of civil liability for directors and officers in the context of cybersecurity class actions, however, is untested in Canada.
So far, Canadian class actions have focused on effects experienced by consumers after an organization suffers a data breach. Examples include Home Depot customers whose financial information was stolen when cybercriminals hacked into that company’s payment systems, and individuals whose personal information was stolen when hackers broke into Yahoo’s databases.[1]
Directors and officers owe statutory and common law obligations to exercise reasonable care and diligence in running the company. In Québec, directors and officers also remain subject to the general rules of civil liability under article 1457 of the Civil Code of Québec (C.C.Q.). Claims could be advanced by customers against directors and officers for failing to protect against known cybersecurity vulnerabilities, or for approving a product that does not comply with privacy law requirements. To succeed on claims like these, however, plaintiffs who are customers would need to overcome the fundamental corporate law principle of separate legal personality. Absent intentional misconduct by an insider, few cases alleging cybersecurity or privacy failures are likely to present the facts required to pierce the corporate veil.
Probably for this reason, cybersecurity class actions in Canada have focused on the liability of organizations for failing to prevent data breaches.
Looking ahead: Investor class actions in the U.S.
In the U.S., however, a new trend of class actions has emerged: investor lawsuits against officers and directors when cybersecurity incidents cause a public company’s share price to drop. Unlike a company’s customers, investors may have special statutory remedies against directors and officers. Two recent cases illustrate the point.
In Drieu v Zoom, shareholders of the video platform sued the company and two of its officers after encryption flaws in the company’s flagship product were revealed earlier this year. The claim alleges the officers breached U.S. securities laws by knowingly withholding information about cybersecurity vulnerabilities from the public market.
In Laboratory Corporation of America Holdings v Berberian, shareholders of a clinical laboratory company brought a derivative class action on behalf of the company against its officers and directors. The claim alleges the officers and directors neglected their fiduciary duties by failing to prevent data breaches, including a breach at a third-party service provider to the company.
Drieu is a good example of the types of cybersecurity claims directors and officers may face for alleged misrepresentations in securities law filings. However, as the Berberian case illustrates, directors’ and officers’ liability to investors is not confined to disclosure issues and may encompass allegations related to oversight of cybersecurity in the company’s day-to-day operations.
Similar statutory remedies are available to shareholders in Canada. In Québec, recent case law in the securities context suggests an expansion of directors’ civil liability to shareholders under the C.C.Q.[2] Moreover, proposed amendments to Québec’s private sector privacy legislation would expand the scope of corporate liability for privacy violations. Those amendments include a new cause of action with no-fault liability where prejudice results from a violation of the legislation or of articles 35 to 40 of the C.C.Q., which explicitly protect persons’ reputations and privacy. Finally, the new penalties and the private right of action (available following a finding of non-compliance) proposed under federal privacy law may increase director and officer exposure where they do not fulfill their obligations to manage cybersecurity risk.
Conclusion
It is likely only a matter of time before class actions similar to those we have seen in the U.S. against directors and officers begin to emerge on this side of the border. To mitigate the risk of these claims, directors and officers should consider the level of oversight that cybersecurity issues require, and how that due diligence is documented so that it is available for a litigation defence should one be needed.
_________________________
[1] Lozanski v. The Home Depot, Inc., 2016 ONSC 5447; Bourbonnière c. Yahoo! Inc., 2019 QCCS 2624.
[2] See Catucci v. Valeant Pharmaceuticals International Inc., 2020 QCCS 1413, where the Superior Court rejected an application to dismiss a shareholder class action invoking directors’ liability for misrepresentations. The directors argued that there was no cause of action under civil law (as opposed to securities legislation) because directors only have obligations towards the company. The Court found that directors can have extracontractual obligations toward shareholders under article 1457 C.C.Q., and that shareholders did not have to demonstrate a prejudice distinct from that suffered by the company.