Focus on Directors and Officers as a Practicality and a Deterrent
The legal compliance audit process places an incentivizing focus on directors and officers. An audit focus on the actions of the directors and officers is warranted because they set the direction of the entire firm they govern and manage, and they are also the ones who are named as defendants in lawsuits after a major problem.
This audit focus is also warranted because they are the subject of a good deal of recent legislation and regulation. The number and scope of externally dictated requirements for information security and privacy are being markedly increased, for example by the U.S. Securities and Exchange Commission (“SEC”), which has proposed new rules for disclosures in this area about the level of board expertise, the type of board risk management oversight, and recent material incidents.
Public statements made by both federal and state regulators have also recently included the intention to hold corporate directors and officers personally liable for serious lapses in this same area. For example, former SEC Commissioner Luis A. Aguilar indicated that personal liability was one potential result of “failing to implement adequate steps to protect a company from cyber-threats.” Echoing the same perspective, recently retired SEC Chairman Jay Clayton, at his confirmation hearing, stated that “individual liability is the greatest deterrent.” Similarly, former U.S. Department of Justice Deputy Attorney General Sally Yates issued an influential memo indicating that (a) individual executives were to be henceforth individually targeted at the onset of prosecution of corporate wrongdoing, (b) involved corporate entities would be deemed cooperative only if they designated the individuals involved, (c) there would be no entity fine settlements creating a “clear plan” preventing executive prosecution, and (d) Department of Justice staff should pursue civil charges against individuals regardless of their ability to pay.
Financial Incentives
Of course, there are also increasingly significant financial reasons to do a better job in the information security and privacy area. One reason why information security and privacy risks are of such great concern is the very large dollar amounts associated with shareholder suit settlements, regulatory fines, and court judgments. Furthermore, violations of the General Data Protection Regulation (“GDPR”), if they involve the rights and freedoms of data subjects, can involve fines of up to four percent of worldwide annual turnover (sales).
Given that 55 percent of large companies worldwide are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of these breaches, it makes very good sense to have an annual independent audit process that identifies those businesses that are particularly risky, as evidenced by their failure to meet the minimum required by law. This can help other businesses avoid investing in, or becoming business partners with, firms such as FTX. Prevention and avoidance are far less expensive than recovery, repair, reputation rehabilitation, and dealing with the legal aftermath of these incidents. For example, the cost of remediation for a ransomware attack can be thirty times the cost of prevention, according to a survey by Accenture.
Below are notable examples of recent legal activity, which highlight the potentially enormous financial benefits of the legal compliance audit process.
Facebook. Facebook agreed to the largest FTC civil penalty ever imposed on a company for violating consumers’ privacy, in response to the Cambridge Analytica scandal. That 2019 case was resolved with a fine of $5 billion (not a typo). This penalty was not the end of the matter for Facebook: the company recently settled a user class action civil suit related to the same incident for $725 million.
Part of the FTC settlement involved use of a third-party privacy program assessor, similar to—but even more intense scrutiny than—the legal compliance audit process described here. Per the settlement agreement, Mark Zuckerberg, the chief executive officer (“CEO”) of Facebook (now Meta), must certify every quarter that Facebook is compliant with the new privacy program. If he falsely certifies this status, Zuckerberg will be subject to both civil and criminal penalties. This FTC strategy makes the CEO markedly more personally accountable for information security and privacy than in the past.
Yahoo! In 2016, Yahoo! announced several data breaches that had taken place in 2013 and 2014, which had impacted three billion users. As a result of these disclosures, the purchase price in the then-underway acquisition of Yahoo! by Verizon was reduced by $350 million. Following these events, the Yahoo! shareholders filed a securities class action suit against the company and certain directors and officers. This lawsuit was settled for $80 million.
There was also a derivative complaint brought against Yahoo!’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. Also alleged in the complaint was that Yahoo! officials knew about the data breaches before they were publicly disclosed and that these defendants sold their stock holdings before the breaches were made public. This suit was settled for $29 million. Later, Altaba, Yahoo!’s successor in interest, agreed to pay a further penalty of $35 million in resolution of the SEC’s first data breach enforcement action, again relating to the same data breach incidents. A separate consumer class action lawsuit, which was focused on the same breaches, was settled for $85 million. This last action is particularly noteworthy because it resulted in the plaintiffs’ lawyers receiving approximately $11 million in fees and expenses, and in that respect presented a potential multimillion-dollar payday. While derivative lawsuits filed against directors and officers, alleging that they breached their fiduciary duties, may be difficult to mount and win, they are not impossible in the information security and privacy domain—and a bunch of plaintiff attorneys are likely to now try their hand at this game.
Target. The cost to a business from a single information security and/or privacy problem can be horrendous, even in those cases where the involved legal actions are dismissed or abandoned by the plaintiffs. Consider what happened at Target. In 2013, the payment card data and personal details of approximately 70 million Target retail store customers were stolen by hackers. On the day the breach was announced, the stock price dropped almost 2.2 percent, representing a reduction of $890 million in the market value of the firm. Target’s EBIT (reported earnings before interest and taxes) decreased by 28.6 percent in the four quarters after the breach, compared to the four quarters before the breach.
As a result of the breach, the firm became embroiled in investigations and lawsuits with forty-seven states and the District of Columbia. The resulting settlement, announced in 2023, involved $18.5 million paid to the states and the District of Columbia. Interestingly, part of the settlement involves the retention of an independent third party to do a comprehensive security assessment, again not too far away from what this article is proposing. Of further concern to the directors and officers is a multidistrict consumer class action suit, which was pending at the time that this article was prepared.
In its 2016 10-K report, Target reported a total of $292 million of breach-related expenses. Target also suffered a severe blow to its brand, it paid a great deal for legal defense costs, and its president was forced to resign.
In addition, Target’s board was distracted by a shareholder derivative lawsuit that dragged on for years, involving exchanges of thousands of documents, interviews with sixty-eight witnesses, and consultations with a variety of potential expert witnesses. Although that Target case was eventually dismissed, shareholder cybersecurity-related derivative lawsuits are an increasing threat. Beyond paying fines and damages, directors and officers also need to worry about losing their seats on the board of directors, their executive employment positions, significant value in the shares they own, and stock options and performance bonuses. They additionally need to worry about the erosion of their personal reputations, paying legal fees that D&O liability insurance does not cover, plus paying regulatory fines as well as civil suit damages. Although rare, they may also go to prison if a criminal law has been violated, but in all cases they suffer health-taxing stress as a defendant in a high-profile lawsuit or criminal prosecution.
Legal Defenses Created When Legal Compliance Audits Are Used
As a side benefit of the proposed compliance audit approach, an admissible evidentiary paper trail is created by a third-party lawyer auditor. This evidence can later be used not only to defend the auditee corporation, showing that the directors and officers were in fact diligent in their efforts to be compliant with all relevant legal obligations, but also to personally defend the involved directors and officers. Hopefully, disclosure of the fact that these compliance audits were annually performed, and then used to make internal decisions related to information security and privacy, would be enough to cause those who are considering legal actions to seriously reconsider the advisability of proceeding. The circumstances supporting the use of the following three notable legal defenses—which are suitable for a defense against both civil claims and criminal charges—are created when this compliance audit process is performed.
Business Judgment Rule
The first of these three possible affirmative legal defenses involves the business judgment rule. In its general formulation, the factors for this defense require that the directors and officers acted in good faith, with the care that an ordinary prudent person in a like position would exercise under similar circumstances, and also acted in a manner that they reasonably believed to be in the best interests of the corporation.
A legal compliance audit provides support for the business judgment rule because it involves the provision of an independent expert’s advice—in a form designed to be admissible in court—about the reasonable and appropriate course of action that is in the best interests of the corporation. The performance of a legal compliance audit also supports the use of the business judgment rule because it shows good faith in that it creates evidence that the directors and officers acted reasonably and intended to faithfully perform their legal duties.
Acting on the Advice of Counsel
The second possible legal defense involves acting on the advice of counsel. In its general formulation, the factors for this defense require that, “before taking action,” the directors and officers “in good faith sought the advice of an attorney whom [they] considered to be competent, . . . for the purpose of determining the lawfulness of [their] possible future conduct”; and to enable that attorney to do a proper job, they “made a full and accurate report” to this attorney about all material facts relevant to the matter and then acted in strict accordance “with the advice of [their] attorney who had been given a full report.”
This type of legal audit process involves the retention of a competent attorney who follows a scripted process in accordance with professional ethics, much the way that independent financial auditors follow a scripted process in accordance with professional ethics. While the burden is on the directors and officers to show that they followed the recommendations found in the management letter detailing needed changes, they are likely to be highly motivated to follow such advice because if they follow the lawyer auditor’s recommendations, they avoid significant legal problems, not to mention attendant business problems such as adverse publicity, damage to the company’s brand, and time lost to handling problems that need not have taken place.
Insufficient Time to Discover the Incident and Take Action
The third of these legal defenses involves a defendant’s claim that the incident could not have reasonably been discovered in sufficient time for the directors and officers to have taken action. In its general formulation, the factors for this affirmative defense require that evidence of the need for the directors and officers to take remedial action could not have been discovered within the time frame involved even though the directors and officers had exercised reasonable due diligence.
The legal compliance audit establishes proof that the directors and officers exercised reasonable due diligence. As mentioned, the legal compliance audit process results in a one-page professional opinion indicating whether the directors and officers are fully compliant with all their material duties in the domain of information security and privacy. If they are deemed presently not compliant, the lawyer auditor provides the directors and officers with a management letter detailing needed remedial actions. These recommendations are responsive to the unique legal requirements that the directors and officers at that auditee firm face (which, in turn, are based on a review of industry-specific laws and regulations, in-force consent decrees, contractual agreements, and related firm-specific legal obligations). So, the performance of this legal audit involves the retention of an independent attorney not just to identify whether the directors and officers are compliant with all of their material legal obligations but also to double-check internal efforts to identify all relevant legal requirements. This management letter and the annual preparation of a list of all relevant legal requirements (which is accomplished as part one of the compliance audit), as well as an internal risk-management system that regularly reviews progress on identified and needed improvements, help to establish that the directors and officers did all that they could reasonably do, from a legal standpoint.
Beyond taking all reasonable actions to protect the organization and its constituencies (customers, employees, business partners, shareholders, etc.), and performing the legal compliance audit described here (and responding to the deficiencies noted, if any), there is not much that the directors and officers can do to prevent or avoid the breach itself given that information system attacks are now often automated and happen extremely fast. Thus, a very good defensive claim can be made that such incidents, if and when they do occur, could not reasonably have been discovered or responded to in sufficient time to have reduced the losses that were sustained. Instead, the efforts of the directors and officers should be focused on doing everything they can to exclude the attackers from their systems, restore the integrity of their systems after a breach, restore reliable versions of files from backups, switch over to alternative facilities, control the damage done by adverse publicity, notify third parties, and the like.
Legal Compliance Audits and the Sarbanes-Oxley Act: Parallel Strategies
The scandals occurring during the dot-com bubble (for example Enron, WorldCom, and Tyco International), and the subsequent crash of the stock market, prompted Congress to focus on the actions taken by company leaders when it passed the Sarbanes-Oxley Act of 2002 (“SOX”). Section 404 of that law requires publicly listed companies to establish internal controls over financial reporting processes and to document those controls, test them, and maintain them in an effective state.
Based on the hearings surrounding the dot-com bubble scandals, it is clear that the “tone from the top” (messaging provided to employees from the top management and the board) is absolutely critical. If the tone from the top is to cut corners, bend the rules, and do whatever you need to do in order to make lots of money—as it was at Enron—then multiple employees engaged in fraud and misrepresentation will be the predictable result. However, if the tone from the top is honesty, ethics, integrity-mindedness, legal compliance, and a focus on community, then the result will be a successful and sustainable company. In the words of the former chair of the SEC: “If you’re a new leader in an organization, my advice is to let people get to know you—and your values. Let them know how serious you are about doing the right thing [about being fully compliant with the law].”
SOX provides a barometer indicating the tone from the top. That law is noteworthy because it puts two members of the top management team (the chief executive officer and the chief financial officer) at these companies on the spot, increasing their personal accountability and personal liability. They must sign quarterly forms stating that they have reviewed the internal disclosure controls over financial reporting (in a 10-Q or 10-K statement). Because their names appear on these forms and they are therefore legally on the line, the process surrounding the generation of financial statements, and the internal controls that go along with that process, have improved notably since SOX went into effect.
Like SOX, the legal compliance audit process that this article proposes can have a markedly reorienting effect on both the board and top management, such that information security and privacy are both markedly improved. The process of annually reviewing whether the directors and officers are in compliance with all of their legally required duties in the domain of information security and privacy creates a new incentive system and a new point of reference that guides decisions throughout the year. Thus, this annual compliance audit process not only reduces the long-term costs of information security and privacy but also improves the tone-at-the-top messaging from the leaders—thereby, and most importantly, improving the trustworthiness of the firms using this approach. Trust in today’s high-tech world critically depends on security, privacy, transparency, and compliance, and the legal compliance audit process can help markedly improve the level of trust that a firm receives.