And Capital One Should be Scared
A closer review of the remaining class action suits against Equifax should give the parties of interest at Capital One (aka shareholders, plaintiff attorneys, officers and board members) a large dose of both fear and heartburn.
The latest class action lawsuit against Equifax claims that the company “employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” and that it admitted using unencrypted servers to store the sensitive personal information on a public-facing website.
Affected Shareholders Strike Back
This suit consolidated 373 previous lawsuits into one and is of the nature that should be the most worrisome for Capital One. Unlike prior lawsuits against Equifax, this lawsuit doesn’t come from affected consumers, but instead comes from affected shareholders who allege the company didn’t adequately disclose risks and that it failed to adequately assure proper security practices were in place.
The lawsuit claims damages arising from the fact that the investments lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.” A misconfigured server will fail both the vulnerability and the best practices test.
As regards the second claim related to encryption, the lawsuit states that when Equifax did actually encrypt data, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
Fiduciary Duty in Cyber Terms
These claims, if proven, will make it very difficult for Equifax to argue that as a company, it exercised a fiduciary duty of care appropriate to the risk. The uphill climb for the plaintiffs will be proving that the board and officers should have exercised a greater duty of care and the courts will look for evidence that they had properly discharged their governance responsibility over what is now identified by the SEC as a core area of enterprise risk.
Generally speaking, the fiduciary duties owed to a corporation by its directors and officers include the duty of care and the duty of loyalty. The duty of care requires directors and officers to be diligent and adequately informed in order to make business decisions on behalf of the corporation, exercising honest and unbiased business judgment in good faith. The duty of loyalty serves as a wall between the company’s interests and the personal interests of the officers and directors, requiring them to make decisions in the best interests of the corporation without regard for their personal interests or desires.
In the Equifax case, the defendants are arguing that the “Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”
This argument hinges on the duty of loyalty while completely ignoring the duty of care.
As the SEC has recently made clear in its 2018 Cybersecurity Guidance, it is now viewing cybersecurity risks through the same lens that it does all other economic and business risks, especially as risk relates to internal controls, financial reporting and requisite related public disclosures.
Corporate Boards and their Cyber Accountability
Given the current class action litigation landscape relating to cybersecurity issues, data security incidents not only create regulatory and other legal liability for corporations, but they are also creating personal liability for board members. Whether a board makes a decision regarding specific cybersecurity measures that resulted in a breach (like failing to adequately fund a cybersecurity budget that included technologies that would have prevented a security incident) or simply fails to act on specific recommendations regarding cybersecurity vulnerabilities, today’s boards face a ton of potential liability.
Over the next few years, directors and officers will continue to see shareholder derivative suits brought following major data breaches. In assessing whether directors have met their duty of due care and/or have violated the “business judgment rule”, the court will “look for evidence of whether a board has acted in a deliberate and knowledgeable way, identifying and exploring alternatives.”
The business judgment rule is intended to protect officers and directors from liability where they have made decisions in good faith using appropriate procedures, even if those decisions turn out to be poor or have resulted in negative outcomes. Corporate officials eligible for protection under the business judgment rule are not liable for breaching duties of care merely because they have made mistakes, but to be eligible for this protection, the corporate officials must have met certain standards of conduct. The rule states that
A director or officer who makes a business judgment in good faith fulfills their duty of care if the director or officer:
1. is not interested in the subject of his business judgment;
2. is informed with respect to the subject of the business judgment to the extent the director or officer reasonably believes to be appropriate under the circumstances; and
3. rationally believes that the business judgment is in the best interests of the corporation.
Importantly, the business judgment rule only operates in the context of director action: “Technically speaking, it has no role where directors have either abdicated their functions, or absent a conscious decision, failed to act,” according to a 1984 Delaware decision in Aronson v. Lewis. Those oversight actors who ignore their risk-management responsibilities for cybersecurity will likely find no protection under the business judgment rule.
In the case of Equifax, there is substantial evidence that corporate oversight failed to exercise a sufficient duty of care, yet to date, no officer or C-suite executive has been punished. (Jun Ying, CIO for Equifax’s U.S. Information Solutions business, was punished for dumping $1 million in Equifax stock after the breach but before the announcement, and not for the breach itself.)
In fact, Richard Smith, the CEO at the time of the breach, was allowed to resign, thus ensuring that all of his options will vest and his retirement benefits (including full medical for life) and bonuses ($20 million) will remain intact, a separation parachute worth just north of $90 million (Equifax’s clawback provision covered accounting fraud but not legal settlements). David Webb (CIO) and Susan Mauldin (CISO), who were the IT and cybersecurity custodians at the time of the breach, were also allowed to “retire”, thus retaining all benefits and bonuses and whatever options they held at the time.
While this may be incredibly unjust treatment for the actors most responsible for the largest breach in recorded history, it will definitely pave the way for all future breach participants and likely set a new tone for organizational cybersecurity strategies, programs and cyber-risk management going forward.
As part of that tone, the issues of abdication and failure to act will play large courtroom roles in both Equifax’s ongoing litigation and the legal proceedings poised on the horizon for Capital One.