SlideShare a Scribd company logo

KrasnowCyberDirector 16PVLR60

M
Melissa Krasnow
1 of 4
Download to read offline
Reproduced with permission from Privacy & Security Law Report, 16 PVLR 60, 1/9/17. Copyright ஽ 2017 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com C y b e r s e c u r i t y f o r D i r e c t o r s As the world of cybersecurity risk evolves, companies and their directors and officers should continue to engage in and enhance cyber risk oversight practices and to monitor and consider developments in shareholder derivative lawsuits regarding cyberattacks, regula- tory enforcement actions and legal, regulatory and industry developments and cyber events, the author writes. Developments in Director Oversight of Cybersecurity Risk BY MELISSA KRASNOW T his article provides an update on developments in director oversight of cybersecurity risk in 2016. The first part of this article notes a data security regulatory enforcement action and covers the dismiss- als of shareholder derivative lawsuits regarding the Wyndham Worldwide Corp., Home Depot Inc. and Tar- get Corp. cyberattacks and the shareholder derivative lawsuit filed regarding the Wendy’s Co. cyberattack (Wyndham, Home Depot, Target and Wendy’s are pub- lic companies). The second part of this article addresses steps that public companies and their directors are tak- ing regarding cybersecurity as reported by the 2016- 2017 NACD Public Company Governance Survey. Data Security Regulatory Enforcement Action and Shareholder Derivative Lawsuits Dwolla Data Security Regulatory Enforcement Action Director cybersecurity responsibility has garnered regulator attention. In February 2016, the Consumer Fi- nancial Protection Bureau (CFPB) issued its first data security enforcement action against online payment platform Dwolla Inc., a Delaware corporation. The con- sent order describes requirements for Dwolla’s board of directors in addition to data security measures that Dwolla must take. According to the CFPB, ‘‘. . .[Dwolla’s] Board will have the ultimate responsibil- ity for proper and sound management of [Dwolla] and for ensuring that it complies with Federal consumer fi- nancial law and this consent order.’’ See In the Matter of Dwolla, Inc., File No. 2016-CFPB-0007 (CFPB Feb. 27, 2016). See also Melissa Krasnow, ‘‘CFPB Issues First Data Security Action,’’ International Risk Manage- ment Institute (March 2016). Shareholder Derivative Lawsuits Following dismissals of the shareholder derivative lawsuits regarding the Wyndham, Home Depot and Target cyberattacks, a shareholder derivative lawsuit regarding the Wendy’s cyberattack was filed. Wynd- Melissa J. Krasnow is a partner with VLP Law Group LLP, in Minneapolis, Minn., and prac- tices in the areas of domestic and cross- border privacy and data security, technology transactions, and mergers and acquisitions. Krasnow is a Certified Information Privacy Professional/U.S. and a National Association of Corporate Directors Board Leadership Fel- low. COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1538-3423 Privacy and Security Law Report®
ham, Home Depot and Wendy’s are Delaware corpora- tions, whereas Target is a Minnesota corporation. Wyndham Shareholder Derivative Lawsuit Dismissal (Delaware Law) Directors owe fiduciary duties to the corporation— the duty of care and the duty of loyalty. Delaware case law describes the director duty to monitor and oversee risks as derived from the duty of care and the duty of loyalty. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). In 2014, the U.S. District Court for the District of New Jersey dismissed the Wyndham shareholder derivative lawsuit in Palkon v. Holmes with prejudice and de- scribed the failure to act in good faith (as part of the duty of loyalty) that is required to show director over- sight liability in a footnote: Caremark requires that a corporation’s ‘directors utterly failed to implement any reporting or information system . . . [or] consciously failed to monitor or oversee its operations thus disabling themselves from being informed.’ Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). Yet Plaintiff concedes that security measures existed when the first breach oc- curred, and admits the Board addressed such concerns nu- merous times. (Compl. ¶¶ 46, 62, 63). The Board was free to consider such potential weaknesses when assessing the lawsuit. Palkon v. Holmes, No. 2:14-CV-01234 (D.N.J. Oct. 20, 2014). According to the Delaware Supreme Court in Stone v. Ritter, ‘‘The failure to act in good faith may result in liability because the requirement to act in good faith ‘is a subsidiary element[,]’ i.e., a condition, ‘of the funda- mental duty of loyalty.’ It follows that because a show- ing of bad faith conduct, in the sense described in Dis- ney Co. and Caremark, is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.’’ Stone v. Ritter, 911 A.2d 362, 369-370 (Del. 2006). Home Depot Shareholder Derivative Lawsuit Dismissal (Delaware Law) In In re The Home Depot, Inc. Shareholder Derivative Litigation, the plaintiffs’ primary claim for liability was that the directors breached their duty of loyalty to Home Depot regarding the breach of Home Depot’s payment data systems as confirmed by Home Depot in 2014. According to the U.S. District Court for the Northern District of Georgia, Atlanta Division: . . .the [p]laintiffs essentially need[ed] to show with particu- larized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act. This is an incredibly high hurdle for the [p]laintiffs to overcome, and it is not surprising that they fail[ed] to do so. In re The Home Depot, Inc. Shareholder Derivative Litig., No. 1:15-CV-2999 (N.D. Ga. Nov. 30, 2016). The court noted that the complaint ‘‘. . .details nu- merous instances where the Audit Committee received regular reports from management on the state of Home Depot’s data security, and the Board in turn received briefings from both management and the Audit Com- mittee. Based on those facts alone, there can be no question that the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting ex- isted.’’ Id. The court further stated, ‘‘. . .Delaware courts have held that ‘[b]ad faith cannot be shown by merely show- ing that the directors failed to do all they should have done under the circumstances.’ Wayne Cty. Employees’ Ret. Sys. v. Corti, No. CIV.A. 3534-CC (Del. Ch. July 24, 2009), aff’d, 996 A.2d 795 (Del. 2010). Rather, they use language like ‘utterly’ and ‘completely’ to describe the failure necessary to violate the duty of loyalty by inac- tion.’’ See Lyondell, 970 A.2d at 243-44 (‘‘knowingly and completely failed to undertake their responsibili- ties,’’ and ‘‘the inquiry should have been whether those directors utterly failed to attempt to obtain the best sale price.’’). Id. According to the court: ‘‘...‘Directors’ decisions must be reasonable, not perfect.’ Lyondell, 970 A.2d at 243. While the Board probably should have done more, ‘[s]imply alleging that a board incorrectly exercised its business judgment and made a ‘wrong’ decision in re- sponse to red flags. . . .is not enough to plead bad faith.’ ’’ Melbourne Mun. Firefighters’ Pension Trust Fund on Behalf of Qualcomm, Inc. v. Jacobs, C.A. No. 10872-VCMR (Del. Ch. Aug. 1, 2016). Id. On Nov. 30, 2016, the court granted plaintiffs’ motion to dismiss because plaintiffs failed to show that demand was futile on any of the claims alleged, including the duty of loyalty claims. Id. Wendy’s Shareholder Derivative Lawsuit (Delaware Law) In the Wendy’s shareholder derivative lawsuit in Gra- ham v. Peltz, the plaintiff alleged that the defendants breached their fiduciary duties of loyalty, care and good faith, among other things, relating to a point-of-sale sys- tems breach that was acknowledged by Wendy’s in January 2016. Graham v. Peltz, No. 1:16-CV-1153 (S.D. Ohio Dec. 16, 2016). Target Shareholder Derivative Lawsuit Dismissal (Minnesota Law) In In re Target Corp. Shareholder Derivative Litig., the plaintiffs alleged that the defendants breached their fiduciary duties to Target regarding an intrusion by hackers into Target’s point-of-sale systems that was an- nounced by Target in 2013. Target’s board of directors established a Special Litigation Committee pursuant to Minnesota law to investigate the claims, allegations and requests for relief made in the derivative action, to ana- lyze the rights and remedies of Target and to determine whether and to what extent Target should pursue any such claims. In March 2016, the Special Litigation Com- mittee issued a report to Target’s board that concluded it would not be in the best interests of Target to pursue any of the alleged derivative claims and that the deriva- tive action and the alleged derivative claims should be dismissed. The business judgment rule accords defer- ence to the determination of the Special Litigation Com- mittee regarding a derivative action. In July 2016, the U.S. District Court for the District of Minnesota granted the motions to dismiss the derivative action of the Spe- cial Litigation Committee, Target and the defendants and ordered that the derivative action be dismissed with prejudice. In re Target Corp. Shareholder Derivative Litig., No. 0:14-CV-00203 (D. Minn. July 7, 2016). The Minnesota corporate statute describes the stan- dard of conduct for a director. According to the Minne- sota corporate statute: ‘‘A director shall discharge the 2 1-9-17 COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423
duties of the position of director in good faith, in a man- ner the director reasonably believes to be in the best in- terests of the corporation, and with the care an ordinar- ily prudent person in a like position would exercise un- der similar circumstances. A person who so performs those duties is not liable by reason of being or having been a director of the corporation.’’ Minn. Stat. § 302A.251, Subd. 1. The Minnesota corporate statute further states: (a) A director is entitled to rely on information, opinions, re- ports, or statements, including financial statements and other financial data, in each case prepared or presented by: (1) one or more officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the matters presented; (2) counsel, public ac- countants, or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or (3) a committee of the board upon which the director does not serve, duly established in accor- dance with section 302A.241, as to matters within its desig- nated authority, if the director reasonably believes the com- mittee to merit confidence. (b) Paragraph (a) does not apply to a director who has knowledge concerning the matter in question that makes the reliance otherwise permitted by paragraph (a) unwar- ranted.’’ Minn. Stat. § 302A.251, Subd. 2. Good faith is de- fined in the Minnesota corporate statute as ‘‘honesty in fact in the conduct of the act or transaction concerned. Minn. Stat. § 302A.011, Subd. 13. Eighty-nine percent of respondents indicated that cybersecurity is discussed regularly during board meetings, according to 2016-2017 the National Association of Corporate Directors Public Company Governance Survey. While the Delaware and Minnesota corporate stat- utes, respectively, provide for a provision in a corpora- tion’s articles of incorporation eliminating or limiting the personal liability of a director to a corporation or its shareholders for monetary damages for breach of fidu- ciary duty as a director, neither statute permits elimi- nating or limiting the personal liability of a director to a corporation or its shareholders for monetary damages for breach of fiduciary duty for any breach of the direc- tor’s duty of loyalty to the corporation or its sharehold- ers or for acts or omissions not in good faith or that in- volve intentional misconduct or a knowing violation of law, among other things. See Del. Gen. Corp. Law § 102(b)(7); Minn. Stat. § 302A.251, Subd. 4. See also, Melissa Krasnow, ‘‘Director Cyber Risk: Insights from Shareholder Derivative Lawsuits,’’ The Corporate Gov- ernance Advisor (July/August 2016). Companies should review their organizational documents and applicable law and their indemnification agreements or policies and directors and officers liability insurance and cyber- security liability insurance coverage. Steps Public Companies and Their Directors are Taking Regarding Cybersecurity In December 2016, the National Association of Cor- porate Directors (NACD) issued the 2016-2017 NACD Public Company Governance Survey which provides information about: (1) board and committee oversight of cyber risk, (2) frequency of director discussion of cy- bersecurity, (3) reporting to the board about cybersecu- rity, (4) satisfaction with information about cybersecu- rity and (5) 15 cyber risk oversight practices performed by the board in the last 12 months. Survey respondents were from the following types of companies: 18 percent were from companies with equal to or greater than $10 billion in market capitalization, 30 percent were from companies with $2 billion to less than $10 billion in market capitalization, 34 percent were from companies with $300 million to less than $2 billion in market capitalization and 18 were percent from companies with less than $300 million in market capitalization. Sixty-eight percent of respondents were independent directors, 17 percent were general counsels/corporate secretaries, 11 percent were CEOs/ other corporate executives and 3 percent were non- independent directors. Twelve percent of respondents serve as the chair or lead director of their board and 41 percent chair at least one board committee. Board and Committee Oversight Over Cyber Risk Fifty-one percent of respondents indicated that cyber risk is allocated to the audit committee, whereas 41 per- cent said that cyber risk is allocated to the full board. 11 percent said that cyber risk is allocated to a specialized risk committee and 4.5 percent said that cyber risk is al- located to a technology committee. Frequency of Director Discussion of Cybersecurity Eighty-nine percent of respondents indicated that cy- bersecurity is discussed regularly during board meet- ings. The frequency of these discussions varies, from once per year to once per month. Boards hold a median of three discussions per year about cybersecurity. According to Aggregate Survey results, 14 percent of respondents said that cybersecurity was discussed dur- ing board meetings after a breach in their company’s in- dustry, 13 percent said that cybersecurity was discussed during board meetings after an internal breach and 7 percent said that cybersecurity matters were not dis- cussed at the board level. Reporting to the Board About Cybersecurity The following percentages of respondents indicated that the following report to the board about cybersecu- rity: (1) the chief information officer (62 percent), (2) the head of internal audit (38 percent), (3) the CEO (37 percent), (4) the chief information security officer (CISO) (31 percent), (5) the general counsel (25 per- cent), (6) the head of risk (21 percent) and (7) compli- ance officer (11 percent). Satisfaction With Information About Cybersecurity Though 61 percent and 15 percent of respondents in- dicated that they were satisfied and very satisfied, re- 3 PRIVACY & SECURITY LAW REPORT ISSN 1538-3423 BNA 1-9-17
spectively, with the information about cybersecurity, 24 percent expressed dissatisfaction with the quality of cy- ber risk information provided to the board by manage- ment. The respondents who were dissatisfied cited the fol- lowing reasons for dissatisfaction, with percentages. The information the respondents receive: (1) does not allow for effective benchmarking (46 percent), (2) does not provide enough transparency concerning perfor- mance issues (33 percent), (3) is difficult to interpret (24 percent), (4) is filtered for the board (19 percent), (5) is not timely enough (18 percent), (6) is too retro- spective (5 percent) and (7) is too numbers-focused, making it difficult to glean real insight (5 percent). 15 Cyber Risk Oversight Practices Performed by the Board in the Last 12 Months The following percentages of respondents described 15 cyber risk oversight practices performed by the board in the last 12 months: (1) reviewed the company’s current approach to pro- tecting its most critical data assets (77 percent); (2) reviewed the technology infrastructure used to protect the company’s most critical data assets (74 per- cent); (3) communicated with management about the types of cyber risk information the board requires (64 per- cent); (4) reviewed the company’s response plan in the case of a breach (59 percent); (5) assessed risks associated with third-party ven- dors or suppliers (50 percent); (6) assessed risks associated with employee negli- gence or misconduct (45 percent); (7) assigned clearly defined roles to its standing committees regarding cyber risk oversight (44 percent); (8) discussed the legal implications of a breach (37 percent); (9) leveraged internal advisors, such as internal audi- tors or the general counsel, for in-depth briefings (37 percent); (10) reviewed the scope of cyber coverage in the case of an incident (33 percent); (11) assigned clearly defined roles to the full board regarding cyber risk oversight (32 percent); (12) attended continuing education events on cyber risk (31 percent); (13) leveraged external advisors, such as consultants or government agencies (e.g., FBI), to understand the risk environment (31 percent); (14) conducted a post-mortem review following an actual or potential incident (21 percent); and (15) participated in a test of the company’s response plan (12 percent). See also Melissa Krasnow, ‘‘Guidance for Guidance for Incident Response Plans,’’ International Risk Manage- ment Institute (May 2015); Federal Trade Commission, ‘‘Data Breach Response: A Guide for Business’’ (Sep- tember 2016); and National Institute of Standards and Technology Special Publication 800-184, ‘‘Guide for Cy- bersecurity Event Recovery’’ (December 2016).. Conclusion As the world of cybersecurity risk evolves, companies and their directors and officers should continue to en- gage in and enhance cyber risk oversight practices and to monitor and consider developments in the Wendy’s shareholder derivative lawsuit in Graham v. Peltz and other shareholder derivative lawsuits regarding cyber- attacks, regulatory enforcement actions and legal, regu- latory and industry developments and cyber events. 4 1-9-17 COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423

Recommended

Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Shawn Tuma
 
Top 10 Issues in De-SPAC Securities Litigation
Top 10 Issues in De-SPAC Securities LitigationTop 10 Issues in De-SPAC Securities Litigation
Top 10 Issues in De-SPAC Securities Litigation
Wendy Couture
 
Bad Faith Litigation in Canada: Much Ado About Nothing?
Bad Faith Litigation in Canada: Much Ado About Nothing?Bad Faith Litigation in Canada: Much Ado About Nothing?
Bad Faith Litigation in Canada: Much Ado About Nothing?
Samantha Ip
 
Tema 5. a atmosfera. tempo e clima
Tema 5. a atmosfera. tempo e climaTema 5. a atmosfera. tempo e clima
Tema 5. a atmosfera. tempo e clima
Mariquiña Terremoto
 
Evaluation question 1
Evaluation question 1Evaluation question 1
Evaluation question 1
Lorna Hacon
 
RICARDO FONSECA PORTFOLIO 2016
RICARDO FONSECA PORTFOLIO 2016RICARDO FONSECA PORTFOLIO 2016
RICARDO FONSECA PORTFOLIO 2016
Ricardo Fonseca
 
Tema 1 2ºbach
Tema 1 2ºbachTema 1 2ºbach
Tema 1 2ºbach
Eduardo Lopez Miñambres
 
Catálogo Alternative Beer 2017
Catálogo Alternative Beer 2017Catálogo Alternative Beer 2017
Catálogo Alternative Beer 2017
Alternative Beer
 

Recommended

Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Shawn Tuma
 
Top 10 Issues in De-SPAC Securities Litigation
Top 10 Issues in De-SPAC Securities LitigationTop 10 Issues in De-SPAC Securities Litigation
Top 10 Issues in De-SPAC Securities Litigation
Wendy Couture
 
Bad Faith Litigation in Canada: Much Ado About Nothing?
Bad Faith Litigation in Canada: Much Ado About Nothing?Bad Faith Litigation in Canada: Much Ado About Nothing?
Bad Faith Litigation in Canada: Much Ado About Nothing?
Samantha Ip
 
Tema 5. a atmosfera. tempo e clima
Tema 5. a atmosfera. tempo e climaTema 5. a atmosfera. tempo e clima
Tema 5. a atmosfera. tempo e clima
Mariquiña Terremoto
 
Evaluation question 1
Evaluation question 1Evaluation question 1
Evaluation question 1
Lorna Hacon
 
RICARDO FONSECA PORTFOLIO 2016
RICARDO FONSECA PORTFOLIO 2016RICARDO FONSECA PORTFOLIO 2016
RICARDO FONSECA PORTFOLIO 2016
Ricardo Fonseca
 
Tema 1 2ºbach
Tema 1 2ºbachTema 1 2ºbach
Tema 1 2ºbach
Eduardo Lopez Miñambres
 
Catálogo Alternative Beer 2017
Catálogo Alternative Beer 2017Catálogo Alternative Beer 2017
Catálogo Alternative Beer 2017
Alternative Beer
 
Seurity policy
Seurity policySeurity policy
Seurity policy
Hari Sarda
 
Open education @ sc4
Open education @ sc4Open education @ sc4
Open education @ sc4
Kendra Lake
 
Dear Sir
Dear SirDear Sir
Dear Sir
Hnin Yu
 
Célula
CélulaCélula
Célula
grabugnot
 
Tema 8. Funcións Vitais dos Animais
Tema 8. Funcións Vitais dos AnimaisTema 8. Funcións Vitais dos Animais
Tema 8. Funcións Vitais dos Animais
SALVADOR FOLGAR COUSELO
 
Demystifying the brand patanjali
Demystifying the brand patanjaliDemystifying the brand patanjali
Demystifying the brand patanjali
Xillion Telecom Private Limited
 
եվա
եվաեվա
եվա
ashkhen1983
 
Tema 10. Reino Fungos, Protistas e Moneras
Tema 10. Reino Fungos, Protistas e MonerasTema 10. Reino Fungos, Protistas e Moneras
Tema 10. Reino Fungos, Protistas e Moneras
SALVADOR FOLGAR COUSELO
 
Cybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowCybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to Know
Shawn Tuma
 
Cybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to KnowCybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to Know
Shawn Tuma
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Shawn Tuma
 
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Shawn Tuma
 
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
Shawn Tuma
 
Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
MMMTechLaw
 
Legal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & UsersLegal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & Users
jyates
 
New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS
David Sweigert
 
ACEDS-Recommind 1-28-15 Webcast Slides
ACEDS-Recommind 1-28-15 Webcast SlidesACEDS-Recommind 1-28-15 Webcast Slides
ACEDS-Recommind 1-28-15 Webcast Slides
Logikcull.com
 
The Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityThe Changing Landscape of Cyber Liability
The Changing Landscape of Cyber Liability
Rachel Hamilton
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
Todd Ruback
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
spencerharry
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
Joe Nathans
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Shawn Tuma
 

More Related Content

Viewers also liked

Dear Sir
Dear SirDear Sir
Dear Sir
Hnin Yu
 

Viewers also liked (8)

Seurity policy
Seurity policySeurity policy
Seurity policy
 
Open education @ sc4
Open education @ sc4Open education @ sc4
Open education @ sc4
 
Dear Sir
Dear SirDear Sir
Dear Sir
 
Célula
CélulaCélula
Célula
 
Tema 8. Funcións Vitais dos Animais
Tema 8. Funcións Vitais dos AnimaisTema 8. Funcións Vitais dos Animais
Tema 8. Funcións Vitais dos Animais
 
Demystifying the brand patanjali
Demystifying the brand patanjaliDemystifying the brand patanjali
Demystifying the brand patanjali
 
եվա
եվաեվա
եվա
 
Tema 10. Reino Fungos, Protistas e Moneras
Tema 10. Reino Fungos, Protistas e MonerasTema 10. Reino Fungos, Protistas e Moneras
Tema 10. Reino Fungos, Protistas e Moneras
 

Similar to KrasnowCyberDirector 16PVLR60

Cybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowCybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to Know
Shawn Tuma
 
Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
MMMTechLaw
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
Joe Nathans
 
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
Kevin Miller
 
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
Kevin Miller
 

Similar to KrasnowCyberDirector 16PVLR60 (20)

Cybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowCybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to Know
 
Cybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to KnowCybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to Know
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
 
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
 
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
 
Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
 
Legal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & UsersLegal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & Users
 
New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS
 
ACEDS-Recommind 1-28-15 Webcast Slides
ACEDS-Recommind 1-28-15 Webcast SlidesACEDS-Recommind 1-28-15 Webcast Slides
ACEDS-Recommind 1-28-15 Webcast Slides
 
The Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityThe Changing Landscape of Cyber Liability
The Changing Landscape of Cyber Liability
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
 
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
Financial Advisors in MA Transactions (PLI Trends) - 1-11-16
 
ACC 2013 - Spoliation Claims & Maximizing Attorneys' Fees
ACC 2013 - Spoliation Claims & Maximizing Attorneys' FeesACC 2013 - Spoliation Claims & Maximizing Attorneys' Fees
ACC 2013 - Spoliation Claims & Maximizing Attorneys' Fees
 
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
 
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad-...
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad-...Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad-...
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad-...
 
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad ...
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad ...Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad ...
Clarifying Bad Faith Jurisprudence in Virginia, Federal Court Recognizes Bad ...
 
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
PLI M&A 2017 - Advanced Trends Opening Remarks 1-12-17 (Display)
 

KrasnowCyberDirector 16PVLR60

  • 1. Reproduced with permission from Privacy & Security Law Report, 16 PVLR 60, 1/9/17. Copyright ஽ 2017 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com C y b e r s e c u r i t y f o r D i r e c t o r s As the world of cybersecurity risk evolves, companies and their directors and officers should continue to engage in and enhance cyber risk oversight practices and to monitor and consider developments in shareholder derivative lawsuits regarding cyberattacks, regula- tory enforcement actions and legal, regulatory and industry developments and cyber events, the author writes. Developments in Director Oversight of Cybersecurity Risk BY MELISSA KRASNOW T his article provides an update on developments in director oversight of cybersecurity risk in 2016. The first part of this article notes a data security regulatory enforcement action and covers the dismiss- als of shareholder derivative lawsuits regarding the Wyndham Worldwide Corp., Home Depot Inc. and Tar- get Corp. cyberattacks and the shareholder derivative lawsuit filed regarding the Wendy’s Co. cyberattack (Wyndham, Home Depot, Target and Wendy’s are pub- lic companies). The second part of this article addresses steps that public companies and their directors are tak- ing regarding cybersecurity as reported by the 2016- 2017 NACD Public Company Governance Survey. Data Security Regulatory Enforcement Action and Shareholder Derivative Lawsuits Dwolla Data Security Regulatory Enforcement Action Director cybersecurity responsibility has garnered regulator attention. In February 2016, the Consumer Fi- nancial Protection Bureau (CFPB) issued its first data security enforcement action against online payment platform Dwolla Inc., a Delaware corporation. The con- sent order describes requirements for Dwolla’s board of directors in addition to data security measures that Dwolla must take. According to the CFPB, ‘‘. . .[Dwolla’s] Board will have the ultimate responsibil- ity for proper and sound management of [Dwolla] and for ensuring that it complies with Federal consumer fi- nancial law and this consent order.’’ See In the Matter of Dwolla, Inc., File No. 2016-CFPB-0007 (CFPB Feb. 27, 2016). See also Melissa Krasnow, ‘‘CFPB Issues First Data Security Action,’’ International Risk Manage- ment Institute (March 2016). Shareholder Derivative Lawsuits Following dismissals of the shareholder derivative lawsuits regarding the Wyndham, Home Depot and Target cyberattacks, a shareholder derivative lawsuit regarding the Wendy’s cyberattack was filed. Wynd- Melissa J. Krasnow is a partner with VLP Law Group LLP, in Minneapolis, Minn., and prac- tices in the areas of domestic and cross- border privacy and data security, technology transactions, and mergers and acquisitions. Krasnow is a Certified Information Privacy Professional/U.S. and a National Association of Corporate Directors Board Leadership Fel- low. COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1538-3423 Privacy and Security Law Report®
  • 2. ham, Home Depot and Wendy’s are Delaware corpora- tions, whereas Target is a Minnesota corporation. Wyndham Shareholder Derivative Lawsuit Dismissal (Delaware Law) Directors owe fiduciary duties to the corporation— the duty of care and the duty of loyalty. Delaware case law describes the director duty to monitor and oversee risks as derived from the duty of care and the duty of loyalty. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). In 2014, the U.S. District Court for the District of New Jersey dismissed the Wyndham shareholder derivative lawsuit in Palkon v. Holmes with prejudice and de- scribed the failure to act in good faith (as part of the duty of loyalty) that is required to show director over- sight liability in a footnote: Caremark requires that a corporation’s ‘directors utterly failed to implement any reporting or information system . . . [or] consciously failed to monitor or oversee its operations thus disabling themselves from being informed.’ Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). Yet Plaintiff concedes that security measures existed when the first breach oc- curred, and admits the Board addressed such concerns nu- merous times. (Compl. ¶¶ 46, 62, 63). The Board was free to consider such potential weaknesses when assessing the lawsuit. Palkon v. Holmes, No. 2:14-CV-01234 (D.N.J. Oct. 20, 2014). According to the Delaware Supreme Court in Stone v. Ritter, ‘‘The failure to act in good faith may result in liability because the requirement to act in good faith ‘is a subsidiary element[,]’ i.e., a condition, ‘of the funda- mental duty of loyalty.’ It follows that because a show- ing of bad faith conduct, in the sense described in Dis- ney Co. and Caremark, is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.’’ Stone v. Ritter, 911 A.2d 362, 369-370 (Del. 2006). Home Depot Shareholder Derivative Lawsuit Dismissal (Delaware Law) In In re The Home Depot, Inc. Shareholder Derivative Litigation, the plaintiffs’ primary claim for liability was that the directors breached their duty of loyalty to Home Depot regarding the breach of Home Depot’s payment data systems as confirmed by Home Depot in 2014. According to the U.S. District Court for the Northern District of Georgia, Atlanta Division: . . .the [p]laintiffs essentially need[ed] to show with particu- larized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act. This is an incredibly high hurdle for the [p]laintiffs to overcome, and it is not surprising that they fail[ed] to do so. In re The Home Depot, Inc. Shareholder Derivative Litig., No. 1:15-CV-2999 (N.D. Ga. Nov. 30, 2016). The court noted that the complaint ‘‘. . .details nu- merous instances where the Audit Committee received regular reports from management on the state of Home Depot’s data security, and the Board in turn received briefings from both management and the Audit Com- mittee. Based on those facts alone, there can be no question that the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting ex- isted.’’ Id. The court further stated, ‘‘. . .Delaware courts have held that ‘[b]ad faith cannot be shown by merely show- ing that the directors failed to do all they should have done under the circumstances.’ Wayne Cty. Employees’ Ret. Sys. v. Corti, No. CIV.A. 3534-CC (Del. Ch. July 24, 2009), aff’d, 996 A.2d 795 (Del. 2010). Rather, they use language like ‘utterly’ and ‘completely’ to describe the failure necessary to violate the duty of loyalty by inac- tion.’’ See Lyondell, 970 A.2d at 243-44 (‘‘knowingly and completely failed to undertake their responsibili- ties,’’ and ‘‘the inquiry should have been whether those directors utterly failed to attempt to obtain the best sale price.’’). Id. According to the court: ‘‘...‘Directors’ decisions must be reasonable, not perfect.’ Lyondell, 970 A.2d at 243. While the Board probably should have done more, ‘[s]imply alleging that a board incorrectly exercised its business judgment and made a ‘wrong’ decision in re- sponse to red flags. . . .is not enough to plead bad faith.’ ’’ Melbourne Mun. Firefighters’ Pension Trust Fund on Behalf of Qualcomm, Inc. v. Jacobs, C.A. No. 10872-VCMR (Del. Ch. Aug. 1, 2016). Id. On Nov. 30, 2016, the court granted plaintiffs’ motion to dismiss because plaintiffs failed to show that demand was futile on any of the claims alleged, including the duty of loyalty claims. Id. Wendy’s Shareholder Derivative Lawsuit (Delaware Law) In the Wendy’s shareholder derivative lawsuit in Gra- ham v. Peltz, the plaintiff alleged that the defendants breached their fiduciary duties of loyalty, care and good faith, among other things, relating to a point-of-sale sys- tems breach that was acknowledged by Wendy’s in January 2016. Graham v. Peltz, No. 1:16-CV-1153 (S.D. Ohio Dec. 16, 2016). Target Shareholder Derivative Lawsuit Dismissal (Minnesota Law) In In re Target Corp. Shareholder Derivative Litig., the plaintiffs alleged that the defendants breached their fiduciary duties to Target regarding an intrusion by hackers into Target’s point-of-sale systems that was an- nounced by Target in 2013. Target’s board of directors established a Special Litigation Committee pursuant to Minnesota law to investigate the claims, allegations and requests for relief made in the derivative action, to ana- lyze the rights and remedies of Target and to determine whether and to what extent Target should pursue any such claims. In March 2016, the Special Litigation Com- mittee issued a report to Target’s board that concluded it would not be in the best interests of Target to pursue any of the alleged derivative claims and that the deriva- tive action and the alleged derivative claims should be dismissed. The business judgment rule accords defer- ence to the determination of the Special Litigation Com- mittee regarding a derivative action. In July 2016, the U.S. District Court for the District of Minnesota granted the motions to dismiss the derivative action of the Spe- cial Litigation Committee, Target and the defendants and ordered that the derivative action be dismissed with prejudice. In re Target Corp. Shareholder Derivative Litig., No. 0:14-CV-00203 (D. Minn. July 7, 2016). The Minnesota corporate statute describes the stan- dard of conduct for a director. According to the Minne- sota corporate statute: ‘‘A director shall discharge the 2 1-9-17 COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423
  • 3. duties of the position of director in good faith, in a man- ner the director reasonably believes to be in the best in- terests of the corporation, and with the care an ordinar- ily prudent person in a like position would exercise un- der similar circumstances. A person who so performs those duties is not liable by reason of being or having been a director of the corporation.’’ Minn. Stat. § 302A.251, Subd. 1. The Minnesota corporate statute further states: (a) A director is entitled to rely on information, opinions, re- ports, or statements, including financial statements and other financial data, in each case prepared or presented by: (1) one or more officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the matters presented; (2) counsel, public ac- countants, or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or (3) a committee of the board upon which the director does not serve, duly established in accor- dance with section 302A.241, as to matters within its desig- nated authority, if the director reasonably believes the com- mittee to merit confidence. (b) Paragraph (a) does not apply to a director who has knowledge concerning the matter in question that makes the reliance otherwise permitted by paragraph (a) unwar- ranted.’’ Minn. Stat. § 302A.251, Subd. 2. Good faith is de- fined in the Minnesota corporate statute as ‘‘honesty in fact in the conduct of the act or transaction concerned. Minn. Stat. § 302A.011, Subd. 13. Eighty-nine percent of respondents indicated that cybersecurity is discussed regularly during board meetings, according to 2016-2017 the National Association of Corporate Directors Public Company Governance Survey. While the Delaware and Minnesota corporate stat- utes, respectively, provide for a provision in a corpora- tion’s articles of incorporation eliminating or limiting the personal liability of a director to a corporation or its shareholders for monetary damages for breach of fidu- ciary duty as a director, neither statute permits elimi- nating or limiting the personal liability of a director to a corporation or its shareholders for monetary damages for breach of fiduciary duty for any breach of the direc- tor’s duty of loyalty to the corporation or its sharehold- ers or for acts or omissions not in good faith or that in- volve intentional misconduct or a knowing violation of law, among other things. See Del. Gen. Corp. Law § 102(b)(7); Minn. Stat. § 302A.251, Subd. 4. See also, Melissa Krasnow, ‘‘Director Cyber Risk: Insights from Shareholder Derivative Lawsuits,’’ The Corporate Gov- ernance Advisor (July/August 2016). Companies should review their organizational documents and applicable law and their indemnification agreements or policies and directors and officers liability insurance and cyber- security liability insurance coverage. Steps Public Companies and Their Directors are Taking Regarding Cybersecurity In December 2016, the National Association of Cor- porate Directors (NACD) issued the 2016-2017 NACD Public Company Governance Survey which provides information about: (1) board and committee oversight of cyber risk, (2) frequency of director discussion of cy- bersecurity, (3) reporting to the board about cybersecu- rity, (4) satisfaction with information about cybersecu- rity and (5) 15 cyber risk oversight practices performed by the board in the last 12 months. Survey respondents were from the following types of companies: 18 percent were from companies with equal to or greater than $10 billion in market capitalization, 30 percent were from companies with $2 billion to less than $10 billion in market capitalization, 34 percent were from companies with $300 million to less than $2 billion in market capitalization and 18 were percent from companies with less than $300 million in market capitalization. Sixty-eight percent of respondents were independent directors, 17 percent were general counsels/corporate secretaries, 11 percent were CEOs/ other corporate executives and 3 percent were non- independent directors. Twelve percent of respondents serve as the chair or lead director of their board and 41 percent chair at least one board committee. Board and Committee Oversight Over Cyber Risk Fifty-one percent of respondents indicated that cyber risk is allocated to the audit committee, whereas 41 per- cent said that cyber risk is allocated to the full board. 11 percent said that cyber risk is allocated to a specialized risk committee and 4.5 percent said that cyber risk is al- located to a technology committee. Frequency of Director Discussion of Cybersecurity Eighty-nine percent of respondents indicated that cy- bersecurity is discussed regularly during board meet- ings. The frequency of these discussions varies, from once per year to once per month. Boards hold a median of three discussions per year about cybersecurity. According to Aggregate Survey results, 14 percent of respondents said that cybersecurity was discussed dur- ing board meetings after a breach in their company’s in- dustry, 13 percent said that cybersecurity was discussed during board meetings after an internal breach and 7 percent said that cybersecurity matters were not dis- cussed at the board level. Reporting to the Board About Cybersecurity The following percentages of respondents indicated that the following report to the board about cybersecu- rity: (1) the chief information officer (62 percent), (2) the head of internal audit (38 percent), (3) the CEO (37 percent), (4) the chief information security officer (CISO) (31 percent), (5) the general counsel (25 per- cent), (6) the head of risk (21 percent) and (7) compli- ance officer (11 percent). Satisfaction With Information About Cybersecurity Though 61 percent and 15 percent of respondents in- dicated that they were satisfied and very satisfied, re- 3 PRIVACY & SECURITY LAW REPORT ISSN 1538-3423 BNA 1-9-17
  • 4. spectively, with the information about cybersecurity, 24 percent expressed dissatisfaction with the quality of cy- ber risk information provided to the board by manage- ment. The respondents who were dissatisfied cited the fol- lowing reasons for dissatisfaction, with percentages. The information the respondents receive: (1) does not allow for effective benchmarking (46 percent), (2) does not provide enough transparency concerning perfor- mance issues (33 percent), (3) is difficult to interpret (24 percent), (4) is filtered for the board (19 percent), (5) is not timely enough (18 percent), (6) is too retro- spective (5 percent) and (7) is too numbers-focused, making it difficult to glean real insight (5 percent). 15 Cyber Risk Oversight Practices Performed by the Board in the Last 12 Months The following percentages of respondents described 15 cyber risk oversight practices performed by the board in the last 12 months: (1) reviewed the company’s current approach to pro- tecting its most critical data assets (77 percent); (2) reviewed the technology infrastructure used to protect the company’s most critical data assets (74 per- cent); (3) communicated with management about the types of cyber risk information the board requires (64 per- cent); (4) reviewed the company’s response plan in the case of a breach (59 percent); (5) assessed risks associated with third-party ven- dors or suppliers (50 percent); (6) assessed risks associated with employee negli- gence or misconduct (45 percent); (7) assigned clearly defined roles to its standing committees regarding cyber risk oversight (44 percent); (8) discussed the legal implications of a breach (37 percent); (9) leveraged internal advisors, such as internal audi- tors or the general counsel, for in-depth briefings (37 percent); (10) reviewed the scope of cyber coverage in the case of an incident (33 percent); (11) assigned clearly defined roles to the full board regarding cyber risk oversight (32 percent); (12) attended continuing education events on cyber risk (31 percent); (13) leveraged external advisors, such as consultants or government agencies (e.g., FBI), to understand the risk environment (31 percent); (14) conducted a post-mortem review following an actual or potential incident (21 percent); and (15) participated in a test of the company’s response plan (12 percent). See also Melissa Krasnow, ‘‘Guidance for Guidance for Incident Response Plans,’’ International Risk Manage- ment Institute (May 2015); Federal Trade Commission, ‘‘Data Breach Response: A Guide for Business’’ (Sep- tember 2016); and National Institute of Standards and Technology Special Publication 800-184, ‘‘Guide for Cy- bersecurity Event Recovery’’ (December 2016).. Conclusion As the world of cybersecurity risk evolves, companies and their directors and officers should continue to en- gage in and enhance cyber risk oversight practices and to monitor and consider developments in the Wendy’s shareholder derivative lawsuit in Graham v. Peltz and other shareholder derivative lawsuits regarding cyber- attacks, regulatory enforcement actions and legal, regu- latory and industry developments and cyber events. 4 1-9-17 COPYRIGHT ஽ 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423