Do CIOs and CISOs Get Covered in Cybersecurity Litigation?

Photo by Alexander Zemlianichenko Jr. (Bloomberg)

Editor’s Note: The authors of this post are practice leaders at Zeichner, Ellman & Krause.

By Daniel Garrie, Partner and Head of Cyber Practice at ZEK and Executive Managing Partner of Law & Forensics, and Yoav M. Griver, Partner at ZEK and a member of its Cyber Practice

In today’s rapidly changing legal landscape, global companies confront a litany of cyber security issues domestic and international.  One issue quickly rising to the top is Chief Information Officer (CIO) and Chief Information Security Office (CISO) cyber security liability. In the near future, CIOs and CISOs should expect to be sued in increasing numbers.  One need look no further than the large scale hacks at Target, Sony and Adobe, which have resulted in lawsuits against both company and directors.  Target offers a great example of the potential fall-out that companies face if the legal, technology, and business teams do not work cohesively together to ensure a 360 degree cyber security solution is deployed when managing a breach.  At one point, as a result of the breach, Target was facing more than 15+ law suits, a baker’s dozen of inquiries by State Attorneys General, and lawsuits from multiple banks.

More recently, the CIO of the U.S. Office of Personnel Management (OPM), Donna Seymour, was named in a lawsuit for failing to protect the personal data files of millions of government employees and federal contractors.  As part of a massive breach of governmental computer systems, the highly personal data of at least 21.5 million people – including addresses, legal, health, mental and financial history – was exposed and taken.  Essentially, every person given a government background check for the last 15 years, as well as their spouses and friends, are now at risk of having their private and personal information misused.  An earlier breach at the OPM had compromised the “sensitive” personnel data of another 4.2 million federal employees.  Ms. Seymour has already been subject to intense grilling by Congress, but it is her legal exposure that should concern her and every CIO and CISO.

Indeed, CIOs and CISOs are natural targets of post-breach lawsuits. 

The lawsuit against Ms. Seymour seeks to hold her personally liable for these OPM breaches, advancing claims for negligence, privacy violations, and other causes of action.  This lawsuit will likely set a variety of precedents for legal action against CIOs and CISOs in future data breaches.  More and more, CIOs and CISOs will be personally accused for their actions, and inactions, prior to, and during, cyber-events, and personally named as parties in lawsuits.  It will be argued that the CIO and/or CISO, by dint or their role and purported expertise, assume a fiduciary duty to the shareholders and to those whose information they are supposed to protect, requiring the installation, monitoring and modification/updating of appropriate cybersecurity measures.

Indeed, CIOs and CISOs are natural targets of post-breach lawsuits.  As part of their job, CIOs and CISOs create and circulate internal memos on a regular basis, informing the C-level executive team and board of directors of cybersecurity issues and concerns, along with requests for additional funds.  More often than not, it is the CIO or CISO that is pushing for new policies, practices, and guidelines relating to cybersecurity.  By extension, these memos and recommendations make the CIO/CISO (and other directors and officers) compelling targets when these identified cyber-related weaknesses are not addressed, or additional funds not requisitioned.  Consequently, it is only a matter of time before liability claims are routinely extended to senior in-house legal stakeholders, with the CIO and CISO in starring roles.

The CIO and its board members must take an active role in evaluating the company’s cybersecurity measures.

As you cannot avoid being sued, the question becomes what can be done to help you avoid being judged liable once you are sued?  We recommend some basic precautionary measures based upon what we have seen from prior cybersecurity incidents.

First, one takeaway from the cybersecurity incidents at Target, Sony, and others is that the CIO and its board members must take an active role in evaluating the company’s cybersecurity measures.  Internal policies and directives should be re-examined to ensure that proper policies are being implemented across the company.  Some questions to be answered include: (i) has cybersecurity been given the appropriate priority and amount of resources; (ii) has the company’s most valuable information been identified and protected; (iii) are the company’s third-party partners also securing the company’s most valuable information; (iv) is the effectiveness of the company’s security being regularly evaluated and probed for weakness; (v) does the company have a well-designed and exhaustive plan for what happens in the event the company is compromised; and (vi) is the company and its executives properly insured in the event of a breach?  If a company and its CIO/CISO can demonstrate that the company had adopted and implemented a careful, proactive approach to its cybersecurity measures, they will have gone a long way toward proving that they have met their fiduciary responsibilities to their shareholders, and to the persons who entrusted sensitive personal information to them.

Second, an interdisciplinary team should be created at the company that includes both in-house technical, business, and legal stakeholders, and knowledgeable outside counsel.  Companies should ensure that the lawyers they have engaged know both the law and the technology that is being proposed, adopted, and deployed to mitigate and manage cyber risks.  These lawyers should have a firm and definite grasp of the cyber security technologies, the company’s cybersecurity and incident response solutions, and the basics. The “basics” may include being able to differentiate between spyware, malware, logical v. disk level image, a megabyte and a terabyte, and platform as a service and software as a service.  The interdisciplinary team should be responsible for reviewing the company’s internal cyber-policies to ensure they are appropriate, and that they are being honored and implemented within the company.  This team should also be an integral part of any response the company formulates to a cyber-attack.

Third, the company’s General Counsel and CIO need to review the company’s patchwork of insurance policies, and determine if they are covered for lawsuits that may be filed directly against the CIO and other executives for alleged negligence that helped cause or worsen the data breach.  Whether coverage comes from the company’s cyber insurance policy, or from its D&O policy, a company must ensure that coverage does in fact exist. The company should also ensure it has obtained the right insurance policies for the industry it serves, and the specific operational exposures it faces. In reviewing the state of the insurance a company must be cognizant that the CIO and the CISO may not rise to the level of officers of the companies, meaning that the existing insurance policies for the executive team may not extend to them.

The opinions expressed in this article are entirely their own, and not those of their firm.