Today, any company that accepts credit cards is likely at some risk of a cyberattack or data breach. Threats to information security are like natural disasters in the sense that one can take every precaution and still not be 100 percent safe. And with each publicized data breach comes litigation, irrespective of whether any cardholder was actually harmed by the breach. Although data security litigation is a relatively new frontier, two new developments to date highlight potential ways to manage the risks of liability that may result from data breaches.
The Securities and Exchange Commission has warned companies that threats to data security are among the most significant risks that corporate directors and officers must manage carefully. Some companies, among them the entities behind Wyndham Hotels and Target, suffered attacks on their computer systems that accessed customers’ personally identifiable information (PII). Not surprisingly, derivative suits against these companies followed, generating uncertainty in the boardroom about the liability risks from cyberattacks. But recent developments have helped to reduce that uncertainty.
While companies can take heart that the opinion signals derivative suits may not be easy at the pleading stage, they should not relent in their efforts to protect the company and its shareholders from the risk of cyberattacks. Doing so not only protects the goodwill of individuals whose PII is in the possession of the company, it also deters shareholder allegations that company officers and directors have failed to protect the company from data security threats.