Document Type
Note
Abstract
This Note seeks to explore the impact of cybersecurity in a particular context: corporate law. Specifically, this Note examines whether a Board of Directors (Board) should be liable for breach of fiduciary duty for failure to take reasonable and prophylactic measures to protect sensitive corporate data. As the magnitude and sophistication of cyberthreats advances, the resulting harm to corporations develops as well. Corporations are implementing enough cybersecurity measures to protect their data and sensitive information, and existing law does not create sufficient incentives for corporations and their Boards to take necessary precautions to protect sensitive information from cyberthreats. To complicate the matter, corporations are reluctant to disclose cyberbreaches because of the impact on their reputation, their profitability, and due to fear of increased liability.
This Note proposes a reasonable solution to the data breach problem through a combination of enforcement of existing corporate legal principles, and continued shareholder pressure to scrutinize cybersecurity measures taken by a Board. The structure of this Note will first illustrate the intersection between corporate and cyberlaw as it pertains to cybersecurity and director fiduciary duties through the use of a hypothetical corporate Board. The author will then highlight both the negligence of the hypothetical board’s response to a cyberattack, and the likely response of courts applying existing legal doctrines as they are currently and erroneously interpreted. The author will conclude with potential solutions through modification of existing law to appropriately address growing concerns, as well as review an appropriate Board response to a cyberbreach and explore lessons that can be learned for the future.
Recommended Citation
Harris Yegelwel,
Cybersecurity Oversight: A Cautionary Tale for Directors,
20 J. Tech. L. & Pol'y
(2015).
Available at: https://scholarship.law.ufl.edu/jtlp/vol20/iss2/5