Timothy A. Miller
Marc S. Gerber
Richard S. Horvath, Jr.

Most public company directors are by now well aware that cybersecurity is a critical part of the business landscape. In the wake of attacks against virtually every type of government and business entity, from the White House to health insurers, the question that remains is whether public company directors will, in fact, face real legal exposure resulting from a malicious and criminal cyberattack.

The answer under Delaware law, at least according to the plaintiffs’ bar, depends on whether directors failed to satisfy the duty of oversight. Consistent with a board’s oversight duties, directors should give regular attention to whether the corporation has instituted adequate controls and procedures to mitigate the risk and harm of a data security breach. The failure to undertake such efforts could, in theory, expose directors to liability for the corporation’s costs arising from a data security breach, including the costs from investigating a possible cyberattack, potential legal penalties, and the reputational harm suffered by the corporation. This article will discuss the potential legal basis for such liability and suggest some practical steps a board of directors can take in the discharge of its oversight duties in the cybersecurity arena.

Directors bear the ultimate responsibility for managing and overseeing the business and affairs of a corporation. Day-to-day responsibility is typically delegated to officers and employees, requiring director oversight for strategic direction and risk management, and approval of significant transactions. In the seminal case In re Caremark Int’l, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), then-Chancellor William T. Allen held that, in discharging their duty of oversight, directors must assure themselves that a corporation’s reporting systems will enable the board to reach informed business judgments “concerning both the corporation’s compliance with law and its business performance.” See Caremark, 698 A.2d at 970.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.