Can you be held personally responsible for your company's Data Breach

As a Director or Officer of your company you are open to litigation risks due to the decisions you make to influence the company.  How you choose to respond after a Data Breach and how you have influenced Cyber Security measures within your company could lead you to be held personally responsible for damages following a breach.  The acts you commit as a board member, including plans and decisions need to be protected.

The precedent has been set by past legal cases following data breaches in which the directors and officers have been accused of failing to take reasonable steps to protect customer data, failing to implement controls to detect and prevent a data breach and failing to report a breach in a timely manner.  In these situations, the companies’ Cyber Liability policy did not offer legal protection.  However, a D&O policy can.

What is a D&O policy?

A D&O policy provides protection for Directors and Officers for “wrongful acts.” This can include actual, or alleged errors, misleading statements, omissions of information, neglect and breach of duty.  Without a D&O policy, as a Director or Officer your personal assets could be forfeited to cover legal costs.  With cybercrime on the rise it is important that your company have strong cyber security and a data breach plan.  Failing to develop either could be classified as negligence or breach of duty.  However, not all D&Os include data breach in their coverage.  It Is important you talk to your insurance agent to ensure your policy is tailored to include protection in such an event.

How can I increase Cyber Security?

Cybercrime is a tricky and quickly evolving crime industry, making it hard to protect against.  However, it is important that every measure is taken to prevent an attack.  Here are a few techniques to improve cyber security:

• Security software. Installing, and updating, security software on every computer within your network is a strong defense against cyber-attacks.
• Install firewalls. Firewalls can protect your network from potential hackers.
• Train employees on common “phishing” techniques, such as suspicious links in emails masquerading as Google docs.
• Have a strict “plug-in” policy. Ensure your employees know not to plug in flash drives, tablets, etc. or insert CDs/DVDs/Disks into work computers, especially if the item is not familiar to them.
• Use a Virtual Private Network (VPN). VPN’s offer advanced encryption and authentication protocols and can be used to access your company’s network remotely rather than depending on a remote-access server.
• Have a plan ready for when a data breach occurs. Unfortunately, it is no longer a matter of if, but rather when a breach will occur.  Already having a protocol in place to ensure those effected by the breach in a timely manner could mean the difference between an embarrassing loss of data, and a legal case for negligence. 
• If you are a publicly traded company ensure you are incompliance with all Security and Exchange Commission (SEC) guidelines regarding cyber breach, data loss and shareholders.

Most importantly you should talk to your insurance agent regarding Cyber Liability and D&O policies to ensure your policy is tailored to cover any gaps in coverage.