As an enterprise-wide concern that involves the responsibilities of senior officers, directors and any incident response or other related committees, cybersecurity risk has been raising the stakes for D&O liability in recent years. The rising expectations of shareholders, regulators and other stakeholders for how boards and management mitigate cybersecurity risk are similarly reflected in the case law governing D&O liability. In this article, we discuss case law developments and offer best practices on how directors and officers can ensure their organizations are meeting their compliance obligations.
In February, Google proposed to settle a U.S.-shareholder class action relating to a cyber vulnerability for US$350M—one of the larger cyber-related securities settlements in history.
The settlement is the result of a cyber vulnerability that spanned 2015 to 2018 and had allowed third-party developers “potential” access to Google+ social media profile information without users’ knowledge, including names, addresses, interests and other personal data. While Google had obtained internal legal advice that the issue was likely to attract regulatory attention, the vulnerability did not meet the company’s internal disclosure thresholds. As a result, management decided not to disclose the “privacy bug”, and subsequent continuous disclosure stated that there had been no material changes to its risk factors.
After the privacy bug became public, multiple lawsuits followed. Shareholders brought a claim for the loss in share value, naming Alphabet (Google’s parent company) and several officers and directors as the defendants. After nearly six years of litigation, the parties proposed a US$350M settlement on the stipulation that the company engaged in no wrongdoing.
The crux of the allegations was that, while no major cyber incident resulted from the vulnerability, Google+ user data was exposed for the entire three-year period, which the company was aware of and did not disclose. The shareholders argued that Google was required to set forth any material changes from risk factors as previously disclosed (through the SEC’s Form 10-Q). Accordingly, they claimed that the company’s Form 10-Qs for the first two quarters of 2018 were materially misleading because they did not disclose additional data security risks related to the privacy bug or the additional risks that would be incurred if Google’s concealment of the bug was exposed.
The Google case is the most recent wave in a rising tide of U.S. securities litigation targeting both companies and individuals following cybersecurity incidents. While cybersecurity cases against directors and officers have not yet proceeded to trial in Canada, the U.S. developments provide an indication of where Canadian litigation may follow in the coming years, and where securities and privacy regulators may focus enforcement actions.
Take, for example, the SEC charges against SolarWinds and its CISO. A malicious breach of SolarWinds’ software led to a major cybersecurity incident in 2020, affecting corporate and government clients. It was alleged that SolarWinds was aware of the vulnerabilities in its system that led to the 2020 cyber-attack as early as 2019, and its earlier disclosure was misleading. SolarWinds settled its securities class action in 2022 for US$26M.
In 2023, the SEC charged SolarWinds on allegations of fraud, insufficient controls and incomplete disclosure, and charged the CISO for alleged failure to escalate risks internally. Among other relief sought, the SEC is seeking to bar the CISO from acting as a director or officer of other companies.
These recent cases follow a line of U.S. decisions in the last five years that outline consistent themes in which directors and officers were held to account for their oversight of cybersecurity risk, setting the stage for similar Canadian class actions to follow. In these recent cases, lawsuits have been permitted to proceed against directors and officers on the following grounds:
Management and directors on both sides of the border can seize on these themes as focus areas for cybersecurity governance.
Canadian companies also face corporate governance, privacy and securities regulatory, and reputational risk imperatives to closely monitor cybersecurity risk. As privacy law reforms across the country provide more avenues for personal liability, directors and officers have increased reason to review internal incident response protocols, risk management frameworks and external communications protocols.
Below, we outline cyber risk mitigation tips to help companies exercise their oversight function.