Christopher Ott Updates Article in ICLG Cybersecurity 2022 on Data Security and Privacy Lapses Leading to Personal Liability
Partner Christopher Ott updated the article he previously wrote titled “Phantom Responsibility: How Data Security and Privacy Lapses Lead to Personal Liability for Officers and Directors" for the International Comparative Legal Guide to: Cybersecurity 2022, published by Global Legal Group Ltd. This is the fifth edition of the guide offering practical cross-border insights into cybersecurity. You can view the original article here.
2021 has made it clear: boards of directors ignore data security and privacy risks to companies at the peril of their companies and – increasingly – their own personal liability. A business has its operations halted by ransomware approximately every 10 seconds. Just in this last year, a United States oil pipeline was shut down by these cybersecurity threats. The global costs of these breaches and online crime exceeds trillions of dollars every year. These potential costs have elevated data security and privacy issues from mere “IT issues” to the centrepiece of strategic risk management. As a result, boards face expanding personal legal liability for the company’s data security and privacy failures.
The upward liability trend is not new. As early as 2014, the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight provided core cybersecurity principles to members of public companies, private companies, and non-profit organisations of all sizes and in every industry sector. The NACD directed board members to understand and approach cybersecurity as an enterprise-wide risk management issue and not just an issue for the IT team. As an established enterprise-wide risk, cybersecurity therefore began triggering boards’ existing legal obligations. In the same year as the NACD handbook’s admonition, 2014, SEC (Securities and Exchange Commission) Commissioner Luis Aquilar stated that “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril”. The new regulators at the SEC, led by Director of Enforcement, Gurbir Grewal, have taken an even more aggressive stance in the last year.
In the chapter, Christopher explores the current trends and tackles a few harder-to-classify risks related to United States national security oversight of cyber readiness.
To read the article in its entirety, click on the related materials shown below, or access the article on the ICLG website here.