Bloomberg Law
Nov. 28, 2022, 9:00 AM

Mitigating the Risks in Era of Heightened Liability for CISOs

Kim Peretti
Alston & Bird
Cara Peterman
Alston & Bird
Sierra Shear
Alston & Bird

Chief information security officers have recently been the target of several lawsuits and government actions arising out of data security incidents, including shareholder class actions, shareholder derivative suits, and even a criminal case. With increasing focus on data security and privacy as an enterprise-wide risk, the trend is likely to continue.

There are several measures that public companies and their counsel can consider to protect against potential CISO liability and best position the company and its officers and directors in case of a significant security incident.

Shareholder Class Actions

In recent years, CISOs and other top security officials have been named as defendants in several securities fraud class actions following the announcement of a security incident.

Shareholder plaintiffs typically allege that the company and its officers made false and/or misleading statements about the company’s cybersecurity practices or failed to timely disclose a security incident. Then when the alleged “fraud” was revealed—i.e., a cyber incident was disclosed—the stock dropped.

For instance, shareholder plaintiffs sued SolarWinds and certain of its officers, including its vice president for security architecture, Tim Brown, in the wake of revelations that the company suffered a significant security incident. The complaint alleged that Brown had posted articles on the company’s website emphasizing the strength of the company’s security program and in an interview touted SolarWinds’ focus on “heavy-duty hygiene.”

According to the complaint, those statements were made despite SolarWinds’ lack of basic cybersecurity controls, including weak password requirements, no multi-factor authentication, and no dedicated security team. SolarWinds on Nov. 3 agreed to pay $26 million to settle the case.

Breach of Fiduciary Duty, Derivative Actions

CISOs and other top security officials have also been named as defendants in several shareholder derivative actions arising out of cybersecurity and privacy incidents.

In these cases, shareholder plaintiffs typically allege that the CISO and other directors and officers breached their fiduciary duties by failing to properly oversee the company’s cybersecurity program, or by failing to ensure that the company implemented internal controls to maintain the security of the company’s or its customers’ data, ultimately to the detriment of the company and its shareholders.

Thus far, shareholder derivative suits arising out of cyber incidents have typically been dismissed or settled early in the litigation. Those early dismissals, however, came about partly because the plaintiffs failed to plead that the named directors and officers allowed the company to violate “positive law,” such as an existing statute or regulation.

As additional cyber-related laws and regulations are put into effect—including those that require board-level involvement in cyber-risk oversight—plaintiffs may have more success surviving early dismissal.

Criminal Actions

The conviction of Uber’s former chief security officer, Joe Sullivan, represents the first time an executive has faced federal criminal prosecution over his response to a data security incident.

Prosecutors charged Sullivan with violations related to concealing a data security incident that affected more than 57 million users and accused him of taking steps to prevent the Federal Trade Commission and Uber’s counsel from learning of the breach while Uber was under active investigation for an earlier incident.

A federal jury recently found Sullivan guilty on charges of obstruction of justice and misprision of a felony (i.e., concealment). He now faces up to eight years in prison and potentially hundreds of thousands of dollars in fines.

Managing Litigation Risks

Although CISOs have become a new target in civil and criminal litigation, companies and their counsel can take proactive steps to protect against future CISO liability.

The first is to support CISOs on disclosure considerations. Counsel should be in frequent communication with CISOs about cyber-related disclosure concerns, including the importance of consulting with legal before making public representations about the company’s security practices.

CISOs should be aware that even general “puffery” remarks about the state of a company’s security program have been used against them in certain circumstances.

The next is to involve CISOs in preparing for changing disclosure obligations. Public companies should remain aware of rapidly changing disclosure obligations as the SEC finalizes its cyber-related disclosure rules and should involve their CISOs in preparing for the disclosures those forthcoming rules are likely to require.

Including disclosure considerations and board-level communications in the incident response plan is also important. This step should contemplate both SEC reporting concerns and communications to the board, as appropriate.

In addition, companies that have experienced a significant incident should involve their CISOs in continually assessing the incident’s materiality under the federal securities laws as their investigation unfolds. This includes documenting disclosure considerations and determinations.

Companies with elevated cyber risks should consider whether routine board updates from the CISO may be appropriate. If so, document those updates in the formal board record to demonstrate that the company maintains sufficient controls and that the board and CISO are both actively engaged in cyber-risk oversight.

It’s also important for companies to review their current directors and officers (D&O) insurance policies and cyber insurance policies in tandem, with an eye toward potential gaps in coverage for CISO liability.

Finally, companies should review their governing documents to ensure they provide for exculpation to the extent permitted under applicable law and indemnification and advancement of costs to CISOs should there be litigation.

Companies that follow these practical recommendations will be better positioned to limit and mitigate the risks associated with CISO liability should there be a cybersecurity incident.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.


Author Information

Kimberly Peretti is a partner and co-chair of Alston & Bird’s Privacy, Cyber & Data Strategy and National Security & Digital Crimes teams. She is a former senior litigator with the Department of Justice’s Computer Crime and Intellectual Property Section.

Cara Peterman is a partner in Alston & Bird’s Securities Litigation group and works with public companies and their boards on public disclosure and corporate governance matters.

Sierra Shear is a senior associate in Alston & Bird’s Securities Litigation group and focuses her practice on securities litigation and enforcement matters.

Lance Taubin, a senior associate on Alston & Bird’s Privacy, Cyber & Data Strategy team, contributed to this article.