
EP 60: LabCorp shareholder sues senior decision makers over cybersecurity failures
About this episode
August 18, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, explain how 3rd-party cybersecurity failures have resulted in a shareholder derivative lawsuit that names senior decision makers as defendants.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Hey Jake. We're going to look today at a new lawsuit and we're going to see what we can learn about it. It was filed by a shareholder of a publicly traded company and it's filed against the leaders of that same company, and it has to do with the cybersecurity failures, the recent ones, of that company. It's the craziest thing as a non-lawyer that I've seen in a long time, but I think our audience is going to find it fascinating.
Jake Bernstein: Yes. And this would be the 104-page complaint you sent to me five minutes before recording time, right?
Kip Boyle: Oh, okay. Way to out me. Yeah. Okay. So as part of my show prep, I figured you'd want to see the complaint, and yeah, I know it was kind of short notice. But here's the thing. You're a law school graduate. You're an accomplished litigator. I just figured you would absorb 104 pages like it was nothing. I didn't figure it would be a challenge at all.
Jake Bernstein: Well, we'll see how this goes. I've absorbed a good portion of it, but there's going to be... What's great about this complaint, actually, is that it is worth, I would say, detailed study for our audience and both of us, because in this 104-page complaint, though there is a lot of what I would consider standard legalese for a complaint, it is chock-full of very specific and, I would say, juicy factual allegations. A lot of it, actually, is redacted, now that I continue to scroll through it.
Kip Boyle: Yeah. We can talk about why that is, because I was kind of surprised by that. Okay. So for the audience, though, what we're talking about is a complaint that was filed on April 28, 2020. We are recording this show not too long from that. So this is all very fresh and it's Laboratory Corporation of America. When I first saw this, one of the things that caught my eye is I thought of LabMD, which has a long history with the FTC over data security problems. It all started back in 2005 for LabMD with, as anybody who was around might remember, LimeWire, which was a peer-to-peer file sharing app that actually distributed sensitive data throughout the peer-to-peer network because somebody installed it on their computer at LabMD.
Kip Boyle: LimeWire had this very prodigious and promiscuous habit of sharing files all over the place. That was ostensibly for music sharing, but ended up being a whole lot of stuff. LabMD ultimately got into a lot of trouble and caused the FTC quite a bit more trouble than it bargained for. Right?
Jake Bernstein: Yes. LabMD certainly did get into a fight with the FTC. I don't think that the FTC expected it. Oftentimes, well, I'd say almost all the time, the FTC will just get a settlement out and the company will take it, but LabMD chose to fight. Now, one of the things that happened with LabMD is it went all the way up to the 11th Circuit, which again, for the non-lawyers among us, is one court below the US Supreme Court. The circuit courts of appeals are just one below. And the commentary at first, when the 11th Circuit came out with its decision, which was back in 2018, was, a lot of it, that the FTC lost and the FTC's ability to regulate data security is in danger and all this stuff. You can probably tell from the tone of my voice that I don't agree with that assessment.
Kip Boyle: Oh, but that's a great headline though, man. That's a sensible topic.
Jake Bernstein: Well, it is a good headline, but it is, again, typical of reporters, and in this case tech reporters, which is even worse, trying to pass judgment on a legal case. What they didn't really understand about it is that the 11th Circuit basically said, "Look, FTC, one, we're not even going to talk about whether you can do cybersecurity and privacy regulation," which means that they did not create any kind of circuit split with the Third Circuit, which held in the FTC versus... Why am I blanking on the name? It's in here. Wyndham. The Wyndham Worldwide Corporation case.
Kip Boyle: Yeah, because they challenged FTC also. They went down swinging.
Jake Bernstein: Yeah. They lost, but they just lost completely.
Kip Boyle: Yeah, they did.
Jake Bernstein: The Third Circuit in the FTC vs. Wyndham basically said, "The FTC, you can do this." And the 11th Circuit in LabMD did not even address it. What the 11th Circuit did say is, "Okay, FTC, you have to be a little bit more specific. Basically, these injunctions are too vague." A lot of people at the time were worried that this meant that the reasonableness standard itself was under assault and that the FTC might not be able to continue to use the reasonableness standard.
Jake Bernstein: There are two major caveats to this concern. One is that when the FTC settles, you can't challenge the complaint or you can't challenge the settlement, the consent decree, for vagueness, because you've agreed to it. So, presumably you're not going to agree to something if it's too vague for you to comply with. Secondly, the 11th Circuit had this kind of unfortunate double purpose. On the one hand, it wanted to prevent the FTC from micromanaging companies and micromanaging their cybersecurity programs. But on the other hand, and this is a directly opposed, paradoxical requirement, it said, "This is too vague to be enforceable. You're not telling these companies what to do enough." Right?
Jake Bernstein: So you can't micromanage, but you didn't micromanage enough is essentially what the 11th Circuit said. I think that that is where we started to get the at a minimum standard language that we talked about in a recent episode.
Kip Boyle: Yeah, we did.
Jake Bernstein: Because what the FTC did is like, "Okay, fine. If you think it's too vague, then we're just going to change things around." Like I said in that episode, they didn't really change things, but they did add, I'd say, a fair amount of additional information and detail. I think it's helpful, honestly. I actually think that in the end, the LabMD case was not a bad thing. By the way, bad here depends upon your point of view. But I don't think that the FTC was ultimately that troubled by LabMD. You can look at that ruling very narrowly. It does not affect the reasonableness standard, and it basically says you guys have to be a little bit more descriptive in your injunction writing, and largely they have.
Jake Bernstein: I don't think it's a big deal, but this is not LabMD. LabMD is small potatoes. LabMD was not publicly traded. This is Laboratory Corporation of America, a.k.a. LabCorp, for which millions and millions of people, myself included, have received invoices. It's almost impossible to get any kind of medical test and not at some point meet up with LabCorp.
Kip Boyle: I just paid one the other day.
Jake Bernstein: Exactly. So, okay. Why don't you tell us why this jumped out at you?
Kip Boyle: Right. Okay. So again, just to recap, so when I saw this, the first thing was like, "Oh my gosh." LabMD is doing something which kind of surprised me because they're actually out of business, and as you said, were never publicly traded. So once I realized it was not LabMD, I was like, "Okay, well, okay, it's LabCorp." But I'm still interested, and the reason why is because 12 of LabCorp's executives and directors are named as defendants in this complaint, including the CEO, the CFO, and the CIO.
Kip Boyle: And guess what. In my work, as a chief information security officer, those are the people that I am regularly advising on cyber risk management. So I was like, "Holy moly, this is so relevant to my work." I figured that our audience is probably talking to the people in those positions on a regular basis as well. That's what really got me interested. And then the other thing that stuck out to me is this idea of a shareholder derivative complaint. As a non-lawyer, my first reaction is, "Huh, but wha'?" I didn't know what that was, but it was weird and that also caught my eye. But let's take a short detour and Jake, tell us what is a shareholder derivative complaint.
Jake Bernstein: Sure. I believe we may have mentioned this in another episode where we talked about the business judgment rule.
Kip Boyle: Yeah. I'd have to go into the vault to find that though.
Jake Bernstein: Totally. But essentially, a shareholder derivative lawsuit is a mechanism by which shareholders of a publicly traded company, although it doesn't need to be a publicly traded company. So shareholders of a corporation sue on behalf of that corporation and they're suing the... Usually, it's the board of directors and/or the officers as is the case here. That's who the target is. What the case is ultimately saying is, you, the directors and officers, breached your fiduciary duties to the corporation. And because a corporation is a legal fiction and cannot act on its own, it has to either act through and it always has to act through agents.
Jake Bernstein: Normally, those agents are the directors and officers, right? So the derivative lawsuit is one of the few ways in which a shareholder can take a direct action on behalf of the company that they hold shares in. It's interesting, you only have to own one share to be a valid shareholder derivative plaintiff.
Kip Boyle: Wow.
Jake Bernstein: What it is, is it's meant for trying to hold the leadership and the directors responsible for the usually mismanagement in some way of the company. That is exactly what this case is about.
Kip Boyle: So my non-lawyer brain says, again, I need to find some other way to think about this. One way that I've started thinking about it is this. So let's say I'm the guardian or the parent of a child, and I have to put my child into the care of a guardian for whatever reason, and the guardian, I think, screws up. And so in a way I sort of say, "Okay, guardian, I'm totally pissed at you. You're screwing up all over the place. I'm going to file a lawsuit on behalf of my child and deal with you." I mean, I know that would never happen because it doesn't work that way. But again, in my non-lawyer brain, I'm like, "Is it kind of sort of like that?"
Jake Bernstein: So here, let's twist your hypothetical around a little bit. A more likely circumstance would be the court appoints a guardian who sues the parent on behalf of the child, because the parent is being a bad parent.
Kip Boyle: There you go.
Jake Bernstein: That is what would more realistically happen. And yeah, it's similar. It's a situation where the entity, who needs to have rights exercised, can't do it on its own either because it is a minor or because it is a legal fiction, which is what a corporation is.
Kip Boyle: Right. Okay.
Jake Bernstein: So that is what this is.
Kip Boyle: Okay. Members of the audience, if that helped you, I'm glad. If that just made everything worse, I'm sorry. Let's keep going. Let's talk about some of the details of the lawsuit. The lawsuit alleges that LabCorp's leadership, right? The 12 people, that they failed to address cybersecurity weaknesses, and that they failed to adequately notify data breach victims and shareholders about two specific incidents. As a result, the lawsuit wants the senior decision makers to be held accountable for damages. They also want to force the company to make changes to its governance to prevent future data breaches.
Kip Boyle: That's kind of like a thumbnail sketch of what's going on. I'm sure it's way more hairy and complicated than that. But again, I'm going to go back to my question. So when I'm working as a chief information security officer, should I worry about myself being named in a lawsuit like this? Or is there something I should be doing to help protect the executives that I'm advising, right? This is what I want to know.
Jake Bernstein: I mean, that's a really interesting question. We probably could spend multiple episodes talking about it. Maybe we will. I think there's a couple of ways to answer that. First, I think if you're part of the C-suite, you are potentially a valid target in a derivative lawsuit. Now, it depends on the structure, right? If your title is CISO, but you actually are one of the CISOs that reports to the CIO, maybe not, maybe you aren't a valid target. But let's say you're a powerful CISO who's a peer of the realm, direct-
Kip Boyle: Okay. So if I report directly to the CEO, that makes me a peer of the CFO and the CIO, and so that creates more exposure for me.
Jake Bernstein: Yeah, it does. I think, with great power comes great responsibility.
Kip Boyle: CISOs out there, they just realized that you may get what you wish for and more.
Jake Bernstein: Yeah. Just to be clear, reporting to the CIO or someone else before you get to the CEO is not a guarantee that you're not going to be named. It really is highly fact dependent. But the real question here that I think you asked, which is, what should we be doing to protect the rest of the C-suite from these types of lawsuits. I think that's one of the questions that CISOs have been asking for a long time. I think it's not so much that the CISOs haven't been doing their jobs, it's that the CISOs haven't been listened to.
Jake Bernstein: This actually is the type of complaint that is bound to change behavior, and actually is probably likely to result in CISOs being heard more, because I don't know about you, but I don't know many CISOs who... I don't know many true CISOs who are worthy of the title, who don't stay up at night worrying about cybersecurity and what's going on at their company. Generally speaking, the stories you hear, and this is a gross generalization, are about the CISO not getting the resources or the CISO not getting the exposure or getting listened to, or being allowed to speak to the board.
Jake Bernstein: Really what this lawsuit is, is a massive, I would say, shot across the bow of every director and officer and board that doesn't regularly get cybersecurity updates from the CISO and the CISO's team, because what this lawsuit does is say you all mismanaged because you didn't pay enough attention to cybersecurity. Again, that's a simplification, but it's an appropriate one.
Kip Boyle: Right. Okay. So that's why LabCorp leadership were named as defendants in this lawsuit. What we've talked about for a long time is that they have a duty to pay attention, right, to cyber risk management and data security and privacy. They can delegate that, which most all of them do, but they cannot... They can delegate responsibility, but they cannot delegate the bottom line accountability.
Jake Bernstein: Right. Just to be clear, you always name the... The whole point of a shareholder derivative lawsuit is to name the officers and directors in some fashion or another. That's definitional of a shareholder derivative suit.
Kip Boyle: Okay. Because of that, if I'm not mistaken, there's actually insurance that corporations routinely purchase to protect their directors and officers from these kinds of things. Right?
Jake Bernstein: There is. Yes. I'm sure that LabCorp has it. I think what's interesting though is this is... I don't want to say this is. It's not fundamentally different than a lot of situations. A lot of the times, what gets people in trouble is either self-dealing or enriching yourself over the company, or violations of the duty of loyalty. But in this situation, this really goes to the heart of being a board of directors and being officers, because it goes to the core question of ultimate accountability for cybersecurity. This is something that we have talked about a lot. In fact, we've mentioned the term shareholder derivative complaint for years. This is a current example of a very well thought out, very long complaint. That is exactly that.
Jake Bernstein: You've seen these after the other kind of major public breaches, Target, obviously Wyndham, Home Depot. I think those were older enough that the facts are going to be a little different. Again, we've talked about the business judgment rule, but at this point, the interesting thing about the business judgment rule and most of these types of cases is that the standard by which you shall be judged changes. The business judgment rule with respect to cybersecurity in 2015 is going to be meaningfully different than the same question in 2020.
Kip Boyle: Is that because due care changes? What's-
Jake Bernstein: It's because due care changes. It's because the duty of care changes as the situation, as technology and everything evolves. You just have to think about it in the same way that you'd think about the duty of care of a physician, right? 35, 40 years ago, the duty of care was you would... This is where I start to speak about things that I do not know.
Kip Boyle: Well, there are newer treatments now than in the last 50 years, though.
Jake Bernstein: Exactly. There's constantly new treatments. There's new things all the time. Here, I can do one better just because you've mentioned it before. Way long ago, not washing your hands was not considered a failure of the duty of care. Right?
Kip Boyle: Right.
Jake Bernstein: In fact, that is a very simple and straightforward violation of the duty of care these days for a medical professional. In this situation, in 2015, or certainly go back to 2010, just five years earlier, and I think that the courts are going to have a very, very different view of the duty of care related to cybersecurity and privacy programs. In 2020 though, and this lawsuit specifically calls it out, all of these people were aware of cybersecurity issues. In fact, LabCorp had been in the news, had gotten attention of the wrong variety, for its poor cybersecurity practices over time.
Jake Bernstein: So all of the board members and the officers knew; there's almost no way that they could argue they didn't know. There was failure of reporting, failure to disclose. The only place that it was disclosed at times was in the SEC filings. I think that the lawsuit ultimately is saying, your mismanagement is now exposing the company for which I am a shareholder to significant financial loss. If you unpack that, again this ties in very well to our business judgment rule episode, because if you recall from that discussion, corporate law basically requires that corporations seek to maximize shareholder value. When you are paying out millions of dollars in class action damages, you're not doing a good job of maximizing shareholder value.
Jake Bernstein: Essentially what this lawsuit comes down to is your mismanagement is why we're paying out millions of dollars in a class action lawsuit. On the one hand, yes, it's 104 pages, it's very complicated, but on the other hand, it's really not. It is something that we as security professionals have been banging the drums about for decades, which is take this stuff seriously. Effective cybersecurity starts at the top and oftentimes cannot be successful unless it comes from the top. This is not something that you can do as a ground up type of project.
Kip Boyle: Right. This continues the evolution of the chorus of voices that are saying to senior decision makers, "I don't care if you don't know how to turn on a computer, this is important and you've got to start paying attention to it." I think this is good. I think it's bad for you though, because I handed you a 104-page complaint five minutes before the show, and look what you've done with it. You've totally torn it apart, reduced it to its essence, and explained it very succinctly to the audience. Well done.
Jake Bernstein: Well, thank you. I think it is worthwhile to look at some details here. You prepared this script and we should use this part of it, and I just want to talk through real fast some of the allegations. Now, like I said, it is a long complaint, but some of the specific allegations are interesting and everyone will have heard them before and they can be tied right into the NIST cybersecurity framework. So for example, in the identify function, the lawsuit says that the leadership failed to implement and enforce a system of effective internal controls and procedures to protect patient information.
Kip Boyle: That's textbook out of the framework.
Jake Bernstein: Textbook. Under what would be the detect function, failing to exercise their oversight duties by not monitoring LabCorp's compliance with its own procedures and federal and state regulations. Protect was providing PII and PHI, that's private health information or personal health information of patients to a HIPAA business associate with deficient cybersecurity and breach detection. So just to be clear, that is... We didn't mention it yet, but the breach, there's two breaches involved in this case. One of them, for sure, the first breach, was a supply chain breach. The collection agency that LabCorp used was compromised, and made mis- Pardon me. Made mistakes. This is one of the-
Kip Boyle: Failure to protect.
Jake Bernstein: The failure to protect, failure to monitor your third party vendors, et cetera, et cetera. Now, this one's really basic. I'll let you guess which of the five functions this one falls under. Failing to have a sufficient incident response plan to immediately respond to data breaches.
Kip Boyle: There's that R word, respond.
Jake Bernstein: Yep. Twice. Yes. And then the last one of course is recover. Disregarding, delaying, and failing to ensure that the company notified all potentially affected individuals and entities in a timely manner upon discovering the data breaches. They just didn't do that. This is an amazing case study in how our legal system is going to hold, I would say, more and more corporate leadership groups accountable for cybersecurity failures.
Kip Boyle: Okay. All right. So this is just as interesting as it seemed to me when I first saw it. I hope that our audience is getting a lot of value out of this. There's another thing about this case that's a little different, which is that... You had mentioned before that there were derivative suits in the Target data breach, the Wyndham, and the Home Depot data breaches. What's different about this one I noticed is that this is based on a data breach that didn't actually happen inside of LabCorp's area of control but actually happened while data was in the hands of a third party service provider. That's pretty different. Wouldn't you agree?
Jake Bernstein: Yes and no. I think that if you look at the... I mean, I'd say it's a little bit of perspective shifting. The Target data breach, yes, it did happen inside of Target, but it happened through a third party vendor. I don't know that the distinction here is worth drawing. I honestly think that the difference is the timing. 2020 is different than 2015 when it comes to these issues. I think that's what makes it interesting. I think, one thing that we haven't talked about that we should is what is... Okay. So what? Right? This happened. What does this mean?
Jake Bernstein: I just happened to scroll through here. And I ended up at paragraph 54 on page 19, talking about the compensation to David King, who was the CEO. Now he is a director of the company. According to the 2020 proxy statement, in 2019, so this is all publicly filed, this is what publicly traded companies have to do, Mr. King received total compensation of $12.933 million. What the lawsuit is going to seek is some of that money back, honestly. Basically, what happens is there are a couple of things that the plaintiffs want. One, ultimately, they want the company that they are a stockholder of to not lose money on pointless things like lawsuits and issues related to poor cybersecurity management caused by potentially negligent management.
Jake Bernstein: The money side is... I'm sorry, strike that. One of the things they obviously want is the company to be ordered to adjust its cybersecurity behavior, right? So, they're actually looking to be told to do more on cyber security, and that's obviously good for the company, and it's not really. I mean, you could call it a punishment of the defendants, the actual defendant, but it's kind of not. What is the punishment is that they're going to seek to be held financially responsible. In addition to potentially having to pay from their own pocket, the potential damages from the class actions, they'll also potentially have to pay the attorney's fees for the plaintiffs in this case.
Jake Bernstein: The reason that they target the officers and directors is, not so much the directors, but the officers are often paid substantial salaries and get stock awards. And should they profit... They should pay when they cause damage to the corporation is the theory. So, yeah, I mean, are these people going to go to jail? No, that's not how this works. Are they going to have to pay a bunch of money back to the company? They might. I think that's a big deal.
Kip Boyle: Okay. So there can be a clawback.
Jake Bernstein: I mean, it's damages. It's ultimately damages. It's not really a clawback. That has a specific legal meaning in many situations, but outside of the legal profession, yes, you could call it a clawback. They're paying back. They're giving money back to the company. They're basically having to pay the company's expenses that they caused.
Kip Boyle: Right. Out of the money that they earned from-
Jake Bernstein: The company.
Kip Boyle: ... serving the company.
Jake Bernstein: Exactly.
Kip Boyle: Okay. Okay. Yeah. I mean, when I look at my checking account, it looks like a clawback. Money came in, money went back out.
Jake Bernstein: Yeah.
Kip Boyle: Okay. Yeah, this is how I think about it, but I didn't know that that was actually a specific term legally. So that's helpful to know. All right. So-
Jake Bernstein: Yeah. It has a different context, but we'll ignore that for now.
Kip Boyle: Okay. So you think that's the worst case scenario for the defendants here is that they might actually have to pay some of the damages or some of the expenses of the corporation. Are their careers over if that happens?
Jake Bernstein: You know, I don't know. It would really depend on the shareholder's ability. I mean, possibly, but possibly not. I think that's a different question entirely.
Kip Boyle: I wish we had an insurance person on as a guest right now, because one angle that I'm thinking about is, if I'm an officer and I'm on the losing end of this kind of a lawsuit and I paid damages, then could I even be insured again if I became the officer of a new corporation and they wanted to get directors and officers liability insurance and name me as an insured? Would anybody actually allow me to be an insured? Would an insurance carrier look in my background and say, "Oh yeah, he's a good risk. Let's put him on the policy." I don't know.
Jake Bernstein: I don't know actually is the answer, but it does strike me that maybe, it could be. These people's careers could be over, but maybe not.
Kip Boyle: Okay, well, if anybody in the audience would like to weigh in on that, I'd love to hear your take on it particularly if you work in insurance or if you've got a specific experience with something like this. So shoot us a message if you have something that you can add.
Jake Bernstein: Agreed. Well, I think we probably should wrap up this episode, Kip.
Kip Boyle: Yep, yep. Actually, we are pretty much right on time. Today, on the episode, we saw how a third party cybersecurity failure resulted in a shareholder derivative lawsuit that named company senior decision makers as defendants. We're way early in this, so we don't know how it's going to turn out, but we'll keep an eye on it for you and let you know what happens. So until then, we'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport. So include your senior decision makers, legal department, HR, and IT for full effectiveness. If you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.