How to Avoid Data Breach Liability for Corporate Board Members
Board-level liability is the legal responsibility of the directors and officers of a company for any damages or losses caused by their actions or inaction, especially in the case of a data breach. A data breach is an unauthorized or unlawful access, disclosure, or acquisition of personal or sensitive data that compromises the security, confidentiality, or integrity of the data or the data subjects.
Some industries have specific board level liability based on regulations and laws:
- Healthcare: Healthcare providers, insurers, and related entities are subject to strict regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and, wherever the personal data of EU residents is processed, the General Data Protection Regulation (GDPR), which impose exacting standards of data protection and privacy and severe penalties for non-compliance. Board level liability in this industry can include civil lawsuits, class actions, regulatory fines, criminal charges, reputational damage, and loss of trust and business.
- Financial Services: Financial institutions process enormous amounts of financial and personal data, such as account numbers, transactions, credit scores, and identity information. They are subject to rigorous regulations, such as the Gramm-Leach-Bliley Act (GLBA), and to contractual industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which require them to safeguard the data and to notify the affected parties (regulators, card brands, and customers) in the event of a breach. Board level liability in this industry can include litigation, arbitration, regulatory sanctions, fraud losses, customer attrition, and market devaluation.
- Technology and Telecommunications: Technology and telecom companies are subject to various laws and regulations, such as Federal Communications Commission (FCC) rules in the United States and the EU Network and Information Systems (NIS) Directive, since superseded by NIS2, which oblige them to ensure the security and resilience of their services and to report incidents that affect them. NIS2 in particular makes the management body responsible for approving and overseeing cybersecurity risk-management measures and allows its members to be held liable for infringements. Breach consequences that drive board exposure in this industry include service disruption, network failure, data corruption, cyber espionage, intellectual property theft, and competitive disadvantage.
- Retail and E-commerce: Retailers are subject to consumer protection laws, such as the Fair Credit Reporting Act (FCRA) and the California Consumer Privacy Act (CCPA). The CCPA in particular grants consumers the right to access, delete, or opt out of the sale of their data, and a private right of action for breaches of certain personal information that result from a failure to maintain reasonable security. Board level liability in this industry can include consumer claims, breach of contract, breach of warranty, negligence, unfair trade practices, and lost sales and revenue.
Two examples of costly data breaches in the retail industry are:
- A national retail chain was sued on several fronts after a 2013 breach that exposed about 40 million payment cards and 70 million customer records: consumer and bank class actions, and a shareholder derivative suit alleging poor cybersecurity management and disclosure. The court allowed some of the consumer claims to proceed, and the company settled in 2015, paying $10 million to customers and $67 million to card-issuing banks, and committed to enhancing its governance and security. The derivative claims against the directors themselves were later dismissed.
- Following a 2014 breach at a home improvement retail chain, shareholders brought a derivative suit accusing the board of neglecting security and mishandling disclosure of the breach. The district court dismissed the suit in 2016, but with an appeal pending the parties settled in 2017, with the company agreeing to pay about $1.125 million in plaintiffs' attorneys' fees and to adopt governance and security improvements. In both cases the cost to the company was real even though the directors were not held personally liable, and that outcome depends on the board being able to show that it actually exercised oversight, which is what the steps below are meant to document.
One of the most important steps that a Board of Directors can take to prevent a data breach is to establish and enforce a comprehensive data protection and security policy that covers all aspects of the company’s data lifecycle, from collection to disposal.
The data protection and security policy defines at a minimum:
- The roles and responsibilities of the board, management, staff, and third parties.
- Standards and procedures for data classification, storage, encryption, access, backup, recovery, retention, and deletion.
- Regular audits, reviews, and updates to ensure the policy stays effective and compliant with the relevant laws and regulations.
Another crucial step the board can take, so that the company can restore operations quickly after a destructive incident such as ransomware, is to have a backup and deep archive solution in place before it is needed. Backups do not prevent a breach or undo the disclosure of data that has already been stolen; what they protect is availability and integrity, and they only do that if they are kept isolated from the primary environment (offline or immutable), encrypted, access-controlled, and restore-tested, since an attacker who can reach the backups can delete or exfiltrate them as well.
This solution usually consists of two components:
- A backup component that creates and maintains a secondary copy of the company’s data in a different location and format than the primary storage.
- A deep archive component that stores and preserves the company’s data for long-term retention and compliance purposes.
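As an added example (not tooling from the article), the following Python script sketches both components in the minimal form a practitioner would start from: it copies a primary directory into a compressed tar in a separate location (a different location and format), records a SHA-256 manifest for every file, only counts a copy as restorable once a test restore matches that manifest, and enforces retention by tier so ordinary backups are pruned after 30 days while deep-archive copies are kept for seven years. The directory layout, file names, tier names and retention periods are hypothetical choices made for the example, and the sample records it backs up are constructed.

```python
"""Backup + deep-archive demo: copy, integrity manifest, test restore, tiered retention.
Added example, not the article's own tooling; layout, names and retention periods
are hypothetical choices made for the example."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

BACKUP_RETENTION_DAYS = 30        # hypothetical policy values
ARCHIVE_RETENTION_DAYS = 7 * 365
DAY = 86400


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive):
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(primary, backup_dir, tier="backup", now=None):
    """Write <tier>-<timestamp>.tar.gz (a different format and location than the
    primary storage) plus a JSON manifest of file hashes; return the archive path."""
    primary, backup_dir = Path(primary), Path(backup_dir)
    now = time.time() if now is None else now
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(now))
    archive = backup_dir / f"{tier}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(primary), arcname="data")
    meta = {"tier": tier, "created": now, "files": hash_tree(primary)}
    manifest_path(archive).write_text(json.dumps(meta, indent=2))
    return archive


def safe_extract(tar, dest):
    """Refuse links and any member that would land outside dest (tar-slip), then
    extract; Pythons that ship tarfile.data_filter also get the stdlib filter."""
    dest = Path(dest).resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if member.issym() or member.islnk() or not (target == dest or dest in target.parents):
            raise ValueError(f"refusing unsafe archive member: {member.name}")
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_backup(archive):
    """Test-restore the archive into scratch space and compare it with its manifest.
    A copy that fails this check is not a backup, whatever the dashboard says."""
    archive = Path(archive)
    meta = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            safe_extract(tar, scratch)
        return hash_tree(Path(scratch) / "data") == meta["files"]


def prune(backup_dir, now=None):
    """Delete copies past their tier's retention period; return the removed archives."""
    now = time.time() if now is None else now
    removed = []
    for manifest in sorted(Path(backup_dir).glob("*.manifest.json")):
        meta = json.loads(manifest.read_text())
        limit = ARCHIVE_RETENTION_DAYS if meta["tier"] == "archive" else BACKUP_RETENTION_DAYS
        if now - meta["created"] > limit * DAY:
            archive = manifest.with_name(manifest.name[:-len(".manifest.json")])
            archive.unlink()
            manifest.unlink()
            removed.append(archive)
    return removed


def demo():
    """Run one full cycle on constructed sample data and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        primary = tmp / "primary"
        (primary / "records").mkdir(parents=True)
        (primary / "records" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")  # constructed
        (primary / "config.ini").write_text("[db]\nhost=localhost\n")                      # constructed
        t0 = 1_700_000_000                     # fixed clock so the run is deterministic
        backup = create_backup(primary, tmp / "backups", "backup", now=t0)
        archive = create_backup(primary, tmp / "backups", "archive", now=t0)
        verified = verify_backup(backup) and verify_backup(archive)
        # simulate tampering: rewrite one manifest hash so it no longer matches the archive
        meta = json.loads(manifest_path(backup).read_text())
        meta["files"]["config.ini"] = "0" * 64
        manifest_path(backup).write_text(json.dumps(meta))
        tamper_detected = not verify_backup(backup)
        removed = prune(tmp / "backups", now=t0 + 31 * DAY)   # 31 days later
        return {"verified": verified, "tamper_detected": tamper_detected,
                "pruned": [p.name for p in removed], "archive_kept": archive.exists()}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see one full cycle: both copies verify, the tampered manifest is caught, and after 31 days the ordinary backup is pruned while the deep-archive copy survives. For real use the copy would also be encrypted with keys held outside the primary environment and written to storage that the primary environment cannot delete or overwrite, which is what lets it survive an attacker who has already compromised production; the restore test is what tells you, before an incident, that the copy can actually be brought back.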