September 5, 2014

Applying Fair Data Breach Standards to the Board

This recent Corporate Board Member article about ISS’s sought-after ouster of the majority of Target’s directors due to the company’s data breach made several points worth highlighting.

As background, the article notes Target’s praiseworthy corporate governance platform, and explains that while ISS recommended shareholders withhold votes from most of Target’s directors (those who served on the audit and corporate responsibility committees), Glass-Lewis took a different approach – indicating that there wasn’t sufficient evidence available to conclude that the data breach resulted from the board’s negligence. Along those lines, see Donna Dabney’s (The Conference Board) earlier blog, where she methodically set forth the then-publicly available information about the board’s cybersecurity oversight practices – concluding that ISS’s recommendation was unfounded. Ultimately, Target’s shareholders elected all of the director nominees.

Among the article’s key points are:

– Should directors, especially those who perform their fiduciary duties through adherence to good governance practices, be held responsible for all risks that might occur under their watch?

– What is the proper standard of fairness for holding directors responsible for cyber breaches?

– No organization can ensure absolute data/cyber-security – Target won’t be (now, more appropriately, hasn’t been) the only good company to suffer a large data breach.

– If directors will be automatically presumed negligent in the context of large data breaches – particularly in the context of otherwise good governance practices – what are the implications of that standard for director candidates’ willingness to serve on corporate boards?

– The article concludes that we must find a fairer way to review board performance. If we don’t, the negative consequences will be worse than the proposed remedy (i.e., ousting directors whose tenure includes a big breach).

The article indicates that “ISS is right to investigate what happened on Target’s board and to get a feel for how the board handles its fiduciary duties. If it comes out that a board was negligent and isn’t governance sensitive, then let the chips fall where they may.” The only thing I would add is that, except in circumstances where all of the pertinent facts about the board’s cybersecurity oversight are publicly available, I can’t see how ISS or any other outside third party would ever be positioned to “investigate” and fairly evaluate a board’s conduct to determine whether a data breach was due to board negligence. Fortunately, it appears that the majority of Target’s shareholders held a similar view.

Board Cybersecurity Oversight Duties Grounded in In Re Caremark

This recent Gibson Dunn article addresses the standards that govern the board’s fiduciary duties to monitor and minimize cybersecurity risk based on In re Caremark and its progeny, and identifies certain steps boards should take to ensure compliance with their risk management oversight responsibilities.

See our heaps of additional memos and other resources about this topic in our “Cybersecurity” Practice Area.

It’s Mailed: 2015 Edition of Romanek’s “Proxy Season Disclosure Treatise”

Broc Romanek has wrapped up the 2015 Edition of the definitive guidance on the proxy season – Romanek’s “Proxy Season Disclosure Treatise & Reporting Guide” – and it’s been mailed to those who pre-ordered. You will want to order now so that you can get your copy as soon as possible. With over 1450 pages – spanning 32 chapters – you will need this practical guidance for the challenges ahead.

– by Randi Val Morrison