Proposed Senate Cybersecurity Bill and the Challenges Facing Corporate Boards


HHR Advisories & Publications

Recent high-profile data breaches have led to increased focus on corporate boards' responsibilities in managing cybersecurity. Although the breach at Target may have received the most attention, a recent director and officer suit against Home Depot demonstrates the expanding risks faced by corporate officers and directors. Following a September 2014 cyber-attack against Home Depot that compromised approximately 56 million credit cards, in September 2015, a shareholder sued twelve of Home Depot's directors and officers for failing to ensure that the company reasonably protected its customers' personal and financial information. See Complaint, Bennek v. Ackerman et al., No. 1:15-cv-2999 (N.D. Ga. Sept. 2, 2015). Suits like the one against Home Depot can be expected to become more common and are only the start of the pressure that will be exerted on directors and officers to address cybersecurity.

For example, in response to the recent high-profile data breaches, Senators Jack Reed and Susan Collins introduced a bipartisan bill in December 2015 that would substantially intensify the pressures and requirements facing boards of directors. The Cybersecurity Disclosure Act of 2015 would force publicly traded companies to have a cybersecurity expert on their board, or to explain in SEC filings why such an expert is not necessary and describe additional measures the company is taking to address cybersecurity.

Although the goal of increasing corporate cybersecurity is laudable, the Cybersecurity Disclosure Act misses the mark. The need for a specific director with cybersecurity experience is far less important than ensuring a company has generally taken steps and devoted the resources necessary to handle its cybersecurity. Moreover, although boards need to pay greater attention to cybersecurity, a company should not lose the ability to compose its board of individuals experienced or skilled in the areas most relevant to that company. Indeed, the best board candidates should not be displaced due to a rigid congressional mandate.

Attracting qualified and diligent board members is already challenging due to the inherent risks and disincentives in joining a board. The specter of a directors and officers suit has long been one such risk, and the recent Home Depot suit hammers home that directors and officers may also begin facing liability over the company's handling of cybersecurity. Although companies certainly need to increase their understanding of and energy devoted to cybersecurity, the Cybersecurity Disclosure Act unnecessarily restricts companies when flexibility will be key for addressing the threat of data breaches, while maintaining a board of directors that is best suited for the business it governs.

Even if the Cybersecurity Disclosure Act fails to become law, cybersecurity is undoubtedly an area of growing import and concern. Therefore, whether or not directors bring cybersecurity experience to the board, all directors should educate themselves on the cybersecurity issues facing modern companies. Furthermore, corporate boards should devote the resources necessary to prevent data breaches and the undesirable consequences that accompany such breaches: harm to the company's reputation, government fines and the potential for civil litigation.