Director Liability in a Data Breach Era


On September 7, 2017, Equifax announced a massive breach compromising the personal data of 143 million U.S. consumers.[1] The compromised data included consumer names, Social Security numbers, birth dates, addresses, and driver’s license numbers.[2] That is the exact data that Equifax, one of three major credit reporting and monitoring agencies, was meant to protect.[3]

As Equifax later confirmed, hackers gained access by exploiting a vulnerability on its webserver software, Apache Struts.[4] However, the Department of Homeland Security notified Equifax about this vulnerability in March[5] and requested it install the updated Apache Struts software.[6] Equifax responded by following security protocol for patching bugs, which failed to identify and patch the bug resulting in the breach.[7]

The breach remained open from mid-May to July 29, when Equifax first detected it.[8] Even so, Equifax waited six weeks to publicly disclose the breach.[9] During that period, three Equifax executives sold shares valued at $1.8 million, prompting an investigation into insider trading.[10] Appropriately, the question is now focused on punishment. Equifax faces an FTC investigation, congressional hearings, class actions and derivative suits. However, its executives will likely escape liability.

Equifax executives failed to ensure the safety of its main product, personal data, and left half the American public susceptible to identity theft.[11] The company had the resources to easily patch the website vulnerability and prevent the breach. At worst, its behavior is, as described by Senator Chuck Schumer, “malfeasance,” or at best, negligence.[12]

It is well established that directors owe the corporation and its shareholders a duty of care, which includes a duty of oversight.[13] Directors must provide adequate reporting systems that will provide the board with information necessary to make informed decisions.[14] Even with such a system, directors breach their duty when they “consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”[15] Additionally, publicly traded corporations owe a duty to disclose. A failure to disclose a data breach can result in liability under regulatory and common law.[16] However, this standard does not apply to data breach cases. Equifax did not actively mislead anyone; thus, its level of intent is an unlikely basis for criminal prosecution.[17] Negligence is only a basis for corporate criminal prosecution in food, drug, and environmental cases.[18]

Further, even civil liability claims may not succeed. Currently, circuits are split on the issue of standing to sue for data breaches.[19] The Third, Sixth, Seventh, and District of Columbia Circuits have held that consumers have a threshold right to bring a class action based on the increased risk of identity theft or credit card fraud.[20] Contrarily, the Second, Fourth, and Eighth Circuits held that mere risk is insufficient for standing and required allegations of actual misuse of personal information.[21]

The degree of punishment facing Equifax executives remains unclear. However, the need for greater government regulation of data breaches is clear. Following Equifax, an increasing number of corporations are developing cybersecurity compliance programs. Corporations are engaging in these changes because the potential reputational harm, regulatory scrutiny, and civil litigation resulting from a data breach are significant. Still, Congress and the courts need to develop stricter guidelines to determine the exact level of risk associated with cyber breaches on an industry-wide basis. Otherwise, the true victims of the breach, the American public, will be the ones left without a remedy, while companies like Equifax will escape liability for their careless conduct.


[1] See Press Release, Equifax Inc., Equifax Announces Cybersecurity Incident Involving Customer Info. (Sept. 07, 2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628.

[2] Id.

[3] Equifax is one of three major credit monitoring and reporting agencies. See Tara S. Bernard et al., Equifax Says Cyberattack May Have Affected 143 Million in the U.S., N.Y. Times (Sept. 7, 2017), https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?_r=0.

[4] See Press Release, Equifax Inc., Equifax Releases Details on Cybersecurity Incident, Announces Pers. Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832; see also Thomas Fox-Brewster, How Hackers Broke Equifax: Exploiting a Patchable Vulnerability, Forbes (Sept. 14, 2017), https://www.forbes.com/sites/thomasbrewster/2017/09/14/equifax-hack-the-result-of-patched-vulnerability/#4e98a59c5cda.

[5] See Tara S. Bernard & Stacy Cowley, Equifax Breach Caused by Lone Employees Error Former CEO Says, N.Y. Times (Oct. 23, 2017), https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html; see also Jackie Wattles & Selena Larson, How the Equifax Breach Happened and What We Know Now, CNN (Sept. 16, 2017), http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html.

[6] René Gielen, Apache Statement on Equifax Security Breach, The Apache Software Found, (Sept. 09, 2017), https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax.

See Nicole Perlroth & Cade Metz, Equifax Breach: Two Executives Step Down as Investigation Continues, N.Y. Times (Sept. 14, 2017), https://www.nytimes.com/2017/09/14/business/equifax-hack-what-we-know.html?_r=0.

[7] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce and Consumer Practice of the H. Comm. on Energy and Commerce, 115th Cong. 2–3 (2017) (statement of former Chairman and CEO of Equifax Inc., Richard F. Smith).

[8] Id.

[9] Id.

[10] Anders Melin, Three Equifax Managers Sold Stock Before CyberHack Revealed, Bloomberg (Sept. 7, 2017), https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack.

[11] Peter J. Henning, Hack Will Lead to Little, if Any, Punishment for Equifax, N.Y. Times (Sept. 20, 2017), https://www.nytimes.com/2017/09/20/business/equifax-hack-penalties.html?_r=0.

[12] Id.

[13] See In re Caremark Int’l, Inc., 698 A.2d 959 (Del. Ch. 1996).

[14] Id. at 968.

[15] Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).

[16] Lawrence J. Trautman & Peter C. Ormerod, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach, 66 Am. U. L. Rev. 1231, 1284-86 (2017).

[17] Henning, supra, note 11.

[18] Id.

[19] Alison Frankel, Equifax Data Breach Liability Could Hinge on Where Case is Tried, Reuters (Sept. 8, 2017), https://www.reuters.com/article/us-otc-equifax/equifax-data-breach-liability-could-hinge-on-where-case-is-tried-idUSKCN1BJ2BO.

[20] Id.

[21] Id.


Fordham Journal of Corporate & Financial Law