
EP 19: Business Judgment Rule
Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.
Sign Up Now!
About this episode
March 5, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, discuss how cyber risk management is actually a fiduciary duty of corporate directors and officers.
Episode Transcript
Kip Boyle: Welcome to the Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, cyber security counsel at the law firm of Newman Du Wors.
Kip Boyle: And this is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities-
Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, that's just sales accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.
So, Jake, what are we going to talk about today?
Jake Bernstein: Today, Kip, we're going to talk about the fiduciary duties of corporate officers and directors, and specifically how the business judgment rule relates to cyber risk management.
Kip Boyle: Okay. You're being a lawyer now, for sure. I think everybody can hear that.
Jake Bernstein: Why are you laughing?
Kip Boyle: Because I often think of myself as being in the audience of our podcast, and so I can just imagine like some of the initial reactions that we may be getting, I don't know, from our audience, but obviously this is really important otherwise we wouldn't be talking about it.
Okay. So let's start breaking down what you said so that folks can understand why this is so important.
Jake Bernstein: Yeah, definitely. First of all, we are talking about corporate law and specifically a subset of corporate law that has to do with the two main duties that directors and officers owe to the corporations, either on whose board they sit or who they are working for.
Kip Boyle: Okay, so if we have members of our audience are officers of a corporation, or if they're sitting on boards, then this is a topic that's particularly aimed at them. So tell us what's the intersection with cyber risk management though.
Jake Bernstein: Yeah, exactly. So it turns out that cyber risk management is actually a part of the fiduciary duties owed to corporations by the directors and officers. The way I think about it is, it's another reason that's completely separate from regulations and contract law and other, whether it's GDPR or HIPAA or other things that we've talked about, it's a separate inaudible a reason for executives and boards to take cyber risk management very seriously.
Kip Boyle: So this is great because when we talk about all the business reasons for practicing reasonable cyber security, what you're saying is hey, here's another that people aren't really talking about, but that our listeners need to know about. When we were doing a little bit of show prep, you actually brought up another angle that I want to make sure people are aware of, which is that the business judgment rule is actually something that's very much in the favor of a corporate officer or a director and can actually protect them. Is that right?
Jake Bernstein: Yeah. So actually the business judgment rule is specifically meant to protect the business judgment of directors and officers. That's what we're going to be talking about today in terms of how cyber risk management plays into that.
Kip Boyle: So, the scenario might be you're a corporate officer, you're a corporate director, and there's a massive data breach or some kind of a super cyber failure. So now you're going to come under some kind of scrutiny. Certainly customers are going to be unhappy, maybe regulators, perhaps a lawsuit. What we want our audience to realize is that you've got this business judgment rule that can really work in your favor. But I think what you're going to point out Jake is that, there's some things you need to do.
Jake Bernstein: There are. I think that the best way to kind of talk about this and talk through it is, to start towards the beginning of this. So I mentioned the term fiduciary and fiduciary duty. Do you know what that means exactly?
Kip Boyle: You know, I know that as somebody who's investing money in mutual funds or whatever, I love the idea of fiduciary because I know that means that the people I hire to look after my money have to put my interests ahead of theirs. But what does it mean in this context?
Jake Bernstein: Much the same thing. So a fiduciary is a person who has a legal or ethical relationship of trust with another party. So common examples are the attorney/client relationship, accountants, public accountants, and then obviously trustee and beneficiary, and that shows up all over the place between financial planners and trust funds and mutual funds. Basically a fiduciary duty is one where the person who owes the duty must act in the best interest of the person to whom the duty is owed. In other words, they have to put aside their own interests and work for the benefit of someone else.
Kip Boyle: Okay, that's good.
Jake Bernstein: So in the context of corporate law, the way we talk about these fiduciary duties is that directors and to some degree officers, if there are other lawyers listening, I'm not going into the painful details of the differences between directors and officers so there's my disclaimer. And I'm just going to say directors because it's easier for this purpose, but there's two primary duties that they owe to the corporation and the shareholders of the corporation. Those are called the duty of care and the duty of loyalty. Basically under American corporate law, the directors and officers must act in the best interest of the corporation in order to maximize shareholder value. So-
Kip Boyle: Okay, so now do these have to be publicly traded companies?
Jake Bernstein: Nope, they do not. In any situation where you have a corporation that is incorporated under a certain set of statutory rules, then these rules apply. Whether it's a publicly traded or a privately owned corporation, it doesn't matter. It gets a little fuzzier with smaller LLCs and things like that, but with corporations, it's pretty clear.
Kip Boyle: Okay. All right. So this is helpful, kind of building the context here. Now, what's the connection with cyber risk management?
Jake Bernstein: Yeah, so there's a couple of ways that it ties into cyber risk management. The first thing I want to do is actually just set aside the duty of loyalty for this discussion. The duty of loyalty is focused on preventing conflicts of interest between a director and a corporation. It could come up in the cyber risk arena, but an example would be if I'm a director of a corporation and I have a financial interest in the success of a cybersecurity firm, and I don't necessarily care how good that security firm is, I just want them to make more money. So if I use my directorship to have the company that I'm directing buy services from that, that's a potential breach of the duty of loyalty.
Kip Boyle: I see.
Jake Bernstein: We work, you and I specifically work very hard to avoid conflict or the appearance of conflict, and that's why we don't directly sell products and services.
Kip Boyle: Right. Other people's.
Jake Bernstein: So it's the same idea here. Other people's, right. We don't sell other people's or other vendor specific products. So that's kind of the duty of loyalty that I do want to set aside. The business judgment rule, to get right to it, is a component of the duty of care. The duty of care is probably a nearly pure form of the reasonable person standard in law. The way you would formulate that is that, the duty of care requires a director to act with the care that a person in like position would reasonably believe appropriate under similar circumstances.
So, one, note that we've already used the word reasonable several times in this episode, so-
Kip Boyle: And in previous episodes, we've talked about reasonable cybersecurity.
Jake Bernstein: All the time, all the time. Reasonableness is so critical to how we make judgements and litigate cases in a lot of situations. One area of law where you generally don't find reasonableness used at all is criminal law. Criminal law is not really about reasonableness, it's about whether or not you've committed a crime with each little element in place. So I think that's just an interesting aside.
So, what is the business judgment rule exactly? It's a type of standard of review that arose because judges felt squirrely and uncomfortable about imposing liability on directors for decisions that those directors made after the fact, in other words, with the benefit of hindsight. If something bad happens, when we go to Monday morning quarterback those decisions, we have the benefit of hindsight. Right?
Kip Boyle: Right.
Jake Bernstein: And hindsight, as they say is always, 20/20. So it developed that it was unfair to directors to judge them based on hindsight.
Kip Boyle: Interesting.
Jake Bernstein: So what the business judgment rule does is, create a legal presumption that directors comply with the duty of care. You're like, okay, well, that doesn't sound that interesting or important, but in law, a presumption is a special word. What it refers to is a burden shifting mechanism that flips the burden of proof. You'll hear lawyers talk about rebuttable presumptions, meaning that I start off the case where the burden of proof is mine, and if I can rebut this presumption, then it shifts.
Kip Boyle: Okay. It's kind of saying like, who has to do the work here?
Jake Bernstein: That's exactly what it's saying. Who has to do the work here?
Kip Boyle: Okay. So, as a director, the law is presuming that I acted in due care, right? So the presumption is, that you have to find a way to prove that I wasn't. Is that about it?
Jake Bernstein: That's right. So the way that it works is that under Delaware law, if I sue a director or the board of directors, and I claim that they've violated the duty of care, then the business judgment rule operates to basically create an evidentiary presumption that the directors did comply. This is kind of like starting a football game where one side has two touchdowns, and rather than start zero, zero, the other team starts 14 points ahead. And you don't really even get to start the real fair game until you've caught up.
Kip Boyle: Yeah, and there's no Monday morning quarterbacking. So that's disallowed too.
Jake Bernstein: Well, exactly, because you have the game going in real time. So the way it works with the business judgment rule here is that the board is presumed to have acted on an informed basis, and with the honest belief that the action was taken in the best interest of the corporation. So to rebut this presumption, the plaintiff has to show that a majority of the board of directors did not meet at least one of three requirements.
Here are the three requirements. The directors must be informed, they must have acted in good faith, and they must act in the best interests of the corporation. So let's take a moment and step back, because this is a lot of really esoteric, legal jargon, and kind of get your take on this.
Kip Boyle: So, let's see. What I'm hearing is that directors are kind of innocent until proven guilty of violating their duty of care. That's one thing that I'm hearing. And then I'm also hearing that there's a framework that can be used in order to try to rebut the presumption. I'm not practicing as a lawyer when I say that, nobody get upset, but there's-
Jake Bernstein: Yeah, crosstalk.
Kip Boyle: ... a framework to try to figure out whether that was true or not. So I'm looking for evidence to show that a director didn't stay informed, didn't act in good faith and did things that were not in the best interest of the corporation. Is that a pretty much it?
Jake Bernstein: Yeah, that's a really good way of thinking about it. And I think that the most important one where I'm going in this episode is to look at the informed requirement. To kind of unpack that a bit, it turns out that directors must keep themselves informed about the corporation and its decisions. They have to participate in board actions. That means attending meetings, carefully reading reports, or other materials and asking questions. Now, it's true that directors can safely rely on information and opinions from consultants, or management and employees, but they still have to make an independent, good faith determination that those persons can competently produce reports and the analysis. So basically what I'm looking for here, what I'm talking about is that you can't, as a director, rubber stamp something you don't understand. If you do, then guess what you lose the protection of the business judgment rule.
What's interesting, and so it's very common, particularly for non-lawyers to invoke the innocent until proven guilty and beyond a reasonable doubt, a lot of images from Law and Order and Criminal Law. But it's important for our listeners in this context to appreciate just how different civil lawsuits are from criminal law. Here's what happens, if I can show that a director wasn't informed or that for any reason, the business judgment rule doesn't apply, what happens is that now it actually, the burden of proof flips over to the directors. They now have to prove that whatever action or transaction they did was completely and entirely fair to the corporation.
And as a practical matter, once a director or board of directors loses the protection of the business judgment rule, it's very hard to prove that an action or transaction was entirely fair. So it is really important for directors and officers too, to maintain their protection under the business judgment rule.
Kip Boyle: Okay. This might be the most legal jargon-filled episode we've done yet.
Jake Bernstein: It totally is, and I appreciate the confusion, but it's one of those things that like really only corporate lawyers think about, and no one else thinks about it until they find themselves in a lawsuit. Then suddenly, their entire existence focuses on these concepts. So, what I'm hoping our listeners are getting out of is, no one's going to take the bar exam based off this podcast, and obviously we're not giving legal advice because we're talking in generalities, but the idea is to gain just an awareness of these issues.
Kip Boyle: And since we're trying to help executives become better cyber risk managers, we want them to thrive as cyber risk managers-
Jake Bernstein: We do.
Kip Boyle: ... even though this is maybe somewhat obscure, I can absolutely see that if I'm a director and I find out about the business judgment rule before I end up in a bad situation where there's a lawsuit coming at us, then I can do a better job of managing my personal risk, my personal cyber risk as a fiduciary. Am I picking this up?
Jake Bernstein: Yep. You are, you are. I think that where we're going with this is that everyone knows or should know by now that cyber risks can seriously threaten the health of corporations and entities. Whenever a data breach hits, there's almost always a rash of firings, the stock price will dip for a while. We talked about how the directors and officers have to maximize shareholder value, causing a dip in stock price is literally the opposite of maximizing shareholder value. So-
Kip Boyle: Or losing customers, or revenue decrease.
Jake Bernstein: Yeah, and that all is reflected to some degree in these concepts. So I have a question for you, Kip, which is this, how can any director or officer claim the protection of the business judgment rule for cyber risk management if their corporation doesn't have a formal or even informal cyber risk management program in place to keep the director's informed?
Kip Boyle: Right. Now, let's see for my time watching Law and Order, I believe this could be considered a leading question.
Jake Bernstein: It was, but crosstalk-
Kip Boyle: I mean, clearly you've got to have some kind of ongoing program, you've got to have some kind of ongoing reporting about whether cyber risks are being well managed on a regular basis. You need to have artifacts of that reporting and that ongoing work. Is that pretty much it?
Jake Bernstein: I think it is. I worded it very intentionally to ... There's really no answer to that other than, well, yeah. How can you be informed if you don't have a program to make yourself informed? You can't.
Kip Boyle: Exactly.
Jake Bernstein: You can't.
Kip Boyle: And if you're treating cyber like a technology risk, if you've sort of confined it to that domain, then I would imagine most directors would never really hear about it. Because I mean, that's something that happens deep in the bowels of the engine room of the good ship corporation and why would a director ever wander down there?
Jake Bernstein: Exactly. Directors are, they're specifically not meant to manage day-to-day operations. Their goal, their duties, their job is to direct strategic level corporate decisions, make recommendations to the shareholders and hire and supervise the corporate officers. Up until the recent past, cyber risk was an IT problem that most directors would never hear about, and my, how that has changed.
Kip Boyle: I've seen it change over the course of my career. When I started doing this in 1992, it really was called computer security. It was a highly technical thing, and it was just assumed that only people who have the systems knowledge to work with computers could possibly be involved with computer security, and I have vivid memories of what that was like.
So, fast forward to today, and you've got the Equifax data breach, the Uber data breach, and it goes on and on and on, and it's clearly evolved to become a business issue, a top line businesses just as important as risks to your sales, risks to your order fulfillment and your ability to collect money that people owe you.
Jake Bernstein: Yeah, precisely. I think as we move forward, being secure is going to be a kind of base level requirement for making anyone want to do business with you. I mean, who in their right mind is going to want to do business with someone who they don't trust is managing their cyber risks?
Kip Boyle: Right. We're already seeing lots of supply chain pressure like that so that's already happening. My perception is that it could get more intense, probably is going to get more intense. So this stuff isn't going away, it's not plateauing. It just seems like it's continuing to get more and more intense.
Now, a lot of our audience is probably working for private companies and they may not even have a person who is currently responsible for providing leadership on cyber risk management. So that's kind of one of the presumptions of our cyber risk managed programs is, that you don't have to build your own capability in house to be able to do great cyber risk management, but that you can actually partner with an outside company to do that for you. So this is actually one of the things that I'm taking away from our podcast today is, that we're providing more value than we realized.
Jake Bernstein: You are. In fact, if you recall, just a few minutes ago when I was talking about the informed element of the business judgment rule, you may recall that I actually explicitly called out that information and opinions from consultants is allowed, can help create the protections for the business judgment rule, can make that applicable. That includes cybersecurity managed programs, whether they're from us or counsel or anyone else, or even if you're doing it internally.
The fundamental takeaway here is that assuming that a cyber risk management program was ever optional, and maybe it was 20 years ago, it's simply not optional now. That without one, you cannot credibly argue that the board is informed, which means they lose the protection of the business judgment rule, and all hell will break loose.
Kip Boyle: So, based on your background, I think you're particularly well suited to talk about this because before you joined private practice, were you not performing prosecutor duties?
Jake Bernstein: I was, and in the consumer protection realm, it turns out that I can skip ... I used to be able to skip over the corporate form or what we would say as lawyers is, pierce the corporate veil, because consumer protection laws really don't respect the corporation form if you can show that the leaders knew or should have known what was going on, that was illegal. So it's a little bit different when the business judgment rule, but it is certainly very related, and the same idea applies.
If a corporation gets hacked and it causes consumer harm, and the regulator finds out that you had no cyber risk management program in place, then you couldn't possibly have known what you should have known, meaning I can start to go through and hold you liable. So these issues are very broad, and the business judgment rule is something that is, it's honestly not hard to get the protection of. crosstalk-
Kip Boyle: Yeah, it's sort of like, it's your game to lose, right? Like you said, you start with 14 points on the board, if you don't come out to the field and play well, it's not going to matter.
Jake Bernstein: Yah. I mean, you really do have a huge advantage. It's simply a huge advantage, and it's one of the reasons that lawsuits that allege violations of the duty of care are so hard to bring. That's intentional, but they're not impossible. So in the cyber risk realm, there's not a lot of case law about it at this point, but what we can do is, we can look at compliance procedures and policies that have been litigated.
Audit committees have been around for a long time now, and we know that if the board doesn't keep itself informed of those types of issues, that you can go to jail. I mean, we're talking Enron. Enron level is about some of this stuff. So are you going to go to jail over a cyber breach? Probably not. That would require a specific law, but the corporate law concepts are very similar.
Kip Boyle: I mean, at the end of the day, who wants to get dragged through a lawsuit, no matter how it turns out. It's a very horrible experience. And I think our listeners should bear in mind that in this conversation, the point that I was most recently trying to make is that, Jake, you're thinking about this as a prosecutor. So even though in our work we're helping executives thrive as cyber risk managers, we're kind of flipping. We're looking through the other end of the telescope right now, and we're saying, but if I did want to prosecute you, how would that happen?
Jake Bernstein: Exactly. I've said it, I think many times that I like to advise working backwards from the lawsuit, because ultimately that is what we're trying to avoid. Even if you cannot guarantee, which you cannot by the way, guarantee avoiding a lawsuit, you do want to be sure that you're in the best position to defend yourself. Certainly I would suspect that most board members know that, yeah, they want the business judgment rule in place.
Kip Boyle: Absolutely. It's their game to lose. They need to hold onto the ball as tightly as possible. That means you've got to do stuff now to guard your position, to guard your advantage. So, well, that's fantastic. This has been really helpful for me. For crying out loud, I'm on the podcast and I already feel like I've learned a lot so I hope our audience has learned a lot.
Send us your questions if you're wondering about this, or if you think we've overlooked anything we'd love to hear from you, but that wraps up this episode of the Cyber Risk Management podcast. Today, we talked about how the business judgment rule interacts with corporate law to create a very strong incentive for boards of directors to implement formal cyber risk mitigation programs within their corporations. So thanks a lot, Jake.
Jake Bernstein: Thanks Kip, and we'll see everyone next time.
Kip Boyle: All right. Next time. Bye.
Thanks everybody for joining us today on the Cyber Risk Management podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.
Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.