Corporate directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management's response.
The trend in many legal quarters toward imposing upon businesses affirmative duties to implement measures to help prevent data breaches and comply with ever-expanding data privacy regulation—and liability if they fail to do so—has brought increased scrutiny of the actions, or more likely inactions, of corporate directors in the cybersecurity arena. A series of cases applying Delaware law, culminating in the June 2019 opinion in Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019), indicate that directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management's response. These developments are of interest to New Jersey attorneys who advise companies on these matters, because many in-state corporations were incorporated in Delaware and because many states, including New Jersey, follow many aspects of Delaware corporate law. In re Merck & Co. Sec., Derivative & ERISA Litig., 493 F.3d 393, 399 (3d Cir. 2007).
Previously published in the New Jersey Law Journal - November 2019
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.