
4 Steps to Safeguard Against Individual Liability for Data Security Failures

By Justin R. Donoho
December 01, 2024

With cyberattacks on the rise and class actions arising from cyberattacks being filed at an increased rate, executives and board members increasingly face the risk of being individually targeted in lawsuits brought by class action plaintiffs and governmental bodies alleging individual liability for data security failures. Typically, such suits allege that the individuals made misrepresentations about their companies’ cybersecurity risks and practices and took or failed to take certain actions in connection with data security incidents.
This article identifies recently emerging trends in such varied but similar lawsuits, including two currently being prosecuted in U.S. district courts, draws common threads, and discusses four best practices that executives and board members should consider to mitigate the risk of individual liability for data security failures: don’t make any alleged misleading statements about cybersecurity risks and practices; don’t conceal cybercrimes or obstruct proceedings; disclose use of website advertising technology; and implement reasonable data security practices.

1. Don’t Make Any Alleged Misleading Statements About Cybersecurity Risks and Practices

Last year the Securities and Exchange Commission (SEC) began imposing new cybersecurity disclosure rules that require publicly traded companies to make annual disclosures specifically relating to their cybersecurity risks and practices. See, Regulation S-K, Item 106, codified at 17 C.F.R. Section 229.106. With these cybersecurity disclosure requirements just getting underway, there will be many more opportunities for alleged missteps by individual defendants. The cases examined next illustrate such missteps, and officers and directors may draw the following lessons from them in navigating this expanding legal landscape:

  • Statements about password policies and access controls. In In re SolarWinds Securities Litigation, 595 F. Supp. 3d 573 (W.D. Tex. 2022), the Russian Foreign Intelligence Service injected malicious code into an IT software company’s flagship product used by 300,000 customers including the U.S. Pentagon, State Department, Office of the President, FBI, Secret Service and National Security Administration. Securities plaintiffs alleged that the company’s VP of Security Architecture (VP) violated Rule 10b-5 by making various statements in the company’s online security statement that the company’s access controls and password policies were strong, when he allegedly knew they were weak. The district court denied the VP’s motion to dismiss, finding that the complaint was sufficient to allege that he had acted with “at least, severe recklessness.” The district court also denied the company’s motion to dismiss. Unlike the claims against the VP and the company, however, the court dismissed the claims against the CEO, finding that even though the CEO had reviewed and approved the online security statement, the plaintiffs failed to sufficiently plead: “his knowledge or intent while the security statement was published; and that the timing of his stock sales supports a finding of scienter.” This case settled. However, the SEC is currently pursuing its own claims against the company and the VP, in what has been described as “the first case in which the SEC has brought an accounting control claim based on an issuer’s cybersecurity failings.” See, SEC v. SolarWinds, 2024 WL 3461952, at *2 (S.D.N.Y. July 18, 2024) (denying motion to dismiss). The SEC is seeking monetary penalties against the VP and a prohibition on him acting as an officer or director of any publicly traded company.
  • Statements about cybersecurity practices and compliance. In In re Equifax Securities Litigation, 357 F. Supp. 3d 1189 (N.D. Ga. 2019), criminal hackers breached the network of a credit reporting agency and allegedly obtained a vast amount of personally identifiable information in the company’s custody. Securities plaintiffs alleged that the company’s CEO violated Rule 10b-5 by allegedly making or controlling statements in the company’s financial disclosures that the company’s cybersecurity practices were strong and that they complied with data protection laws, regulations and industry best practices, when he knew they were weak and noncompliant, in part, because he was allegedly given specific information about cybersecurity deficiencies in connection with overseeing a consultant’s cybersecurity audit. The district court denied the CEO’s and the company’s motion to dismiss, concluding that plaintiffs had sufficiently alleged scienter. The case settled without any factual findings and without any admission of liability.
  • Omissions, inactionable puffery, and post-incident statements. In In re First American Financial, 2021 WL 4807648 (C.D. Cal. Sept. 22, 2021), on a financial service company’s public-facing website, automated bots or scraper programs accessed more than 350,000 records containing highly sensitive information about the company’s customers. An investment fund alleged that the company’s CEO, CFO, and CISO committed fraud in the company’s financial disclosures, on its website, and through other media channels, by knowingly making or controlling the contents of various omissions concealing that the company had declined to protect customer data from being accessed “by anyone with a web browser via the company’s public-facing website;” misstatements about the company’s security practices and controls; and misstatements about the information security incident. The court dismissed the lawsuit.
      • Omissions. The court dismissed the omissions claim because “plaintiff did not adequately plead that Defendants had actual knowledge of the breach at the time of the company’s risk factor disclosures.” Further, the plaintiff did not adequately tie any alleged knowledge of the vulnerability giving rise to the breach “to any representation that the state of affairs materially differed from the one defendants’ represented.”
      • Inactionable puffery. The court ruled that statements like, “we have established a formal information security program,” “we are ‘serious’ about ‘the protection of customer information,’” and “we will not release your information to nonaffiliated parties,” were “either true or inactionable puffery.”
      • Post-incident statements. The court found neither false nor misleading the post-incident alleged misrepresentations that the company had “implement[ed] basic security standards,” was “working diligently” to remediate the issue, and had “fixed the issue in the database, not that they had recovered all customer data.”

2. Don’t Conceal Cybercrimes or Obstruct Proceedings

In United States v. Sullivan, 2023 WL 163489 (N.D. Cal. Jan. 11, 2023), a transportation company suffered a data breach in which the personally identifiable information of the company’s ride-hailing users and drivers was accessed, including approximately 600,000 driver’s license numbers. The company’s CISO directed payment of $100,000 to the cyberthief in exchange for a nondisclosure agreement. A jury convicted him of misprision, for failing to notify federal authorities of what he knew was a federal crime while taking an affirmative step to conceal the crime; and obstructing an FTC proceeding regarding a prior data breach in which the CISO had been deposed, as the jury was presented with evidence that the CISO “believed that the circumstances of this data breach belied what he had previously told the FTC.” The court sentenced the CISO to three years of probation, 200 hours of community service, a $50,000 fine, and a ban on international travel until the fine was paid in full.

3. Disclose Use of Website Advertising Technology

In United States v. Cerebral, No. 24-cv-21376 (S.D. Fla. May 31, 2024) (filed on referral from the FTC), the United States is seeking a permanent injunction and monetary relief under the FTC Act and Opioid Act against a telehealth provider’s CEO and director of marketing for their failure to disclose the use of website advertising technology (adtech).
Adtech suits against individuals are rare but not unheard of. Moreover, adtech class actions against companies are exploding. In 2023, plaintiffs filed over 250 class actions alleging that pixel software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to big tech online advertising agencies. Executives and board members should consider whether to modify their organizations’ online terms of use and data privacy policies to describe the organization’s use of adtech in additional detail. Doing so could deter, or help defend against, a future adtech class action lawsuit similar to the many being filed today, which allege omission of such additional details, raise claims under various states’ wiretap acts and consumer fraud acts, and seek multimillion-dollar and billion-dollar statutory damages. See, Justin R. Donoho, “Three Best Practices to Mitigate High-Stakes AI Litigation Risk,” Journal of Robotics, Artificial Intelligence & Law, Volume 7, No. 6, at 410-13, 421-23 (Nov./Dec. 2024).

4. Implement Reasonable Data Security Practices

In In re Drizly, No. C-4780 (FTC Jan. 9, 2023), a malicious actor allegedly breached an e-commerce company’s computer systems and exfiltrated personal information of 2.5 million consumers. The FTC alleged under the FTC Act that the company’s CEO “is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices.” The FTC and the CEO entered a consent agreement in which the CEO did not admit liability. Under the consent agreement, for the next 10 years, for any business he owns, runs, or otherwise has any responsibility for information security, the CEO is required to ensure within 180 days that the business has established a comprehensive information security program compliant with the details set forth in the consent agreement. The CEO is also required during this 10-year period to keep the FTC informed of all of his business activities.
In a recent letter, U.S. Sen. Ron Wyden requested that the FTC and SEC investigate a health care company’s purported negligent cybersecurity practices and failure to disclose to investors the true state of the company’s cybersecurity practices, averring that the company’s senior executives and board of directors “must be held accountable.” See, 5/30/24 Wyden letter. Whether Wyden’s calls for action against executives and board members will result in lawsuits by the FTC and SEC against individuals for data security failures, like the ones currently being prosecuted in United States v. Cerebral (upon referral from the FTC) and SEC v. SolarWinds, remains to be seen.
