Pub. 13 2022 Issue 3

• Ensure the company’s data breach response plan is strictly adhered to in the event of a breach. • Retain counsel experienced with handling data breaches and cybersecurity litigation to help guide the CISO through the breach response process. Implementing these policies and procedures, along with the CFPB’s recommendations, should help stave off enforcement actions by federal and state regulators in the event of a data breach or ransom attack, in addition to lessening the risk of civil litigation. Reducing Personal Risks for the C-suite & Boards of Directors Another concern is that officers and directors risk being personally named in lawsuits brought by customers whose personal data was exposed as a result of the breach and by shareholders against the financial firm. CISOs have immediate responsibility for a company’s cybersecurity, and they would likely be the first target for a plaintiff looking for officers to name personally in a lawsuit. But, in the past ten years, plaintiffs have tried to hold C-suite executives and company directors personally liable. These classes of plaintiffs likely will allege that the officers breached their fiduciary duty to protect the plaintiffs’ personal information or that they unnecessarily exposed the company to liability. If the lapse in cybersecurity can be shown to result from the director’s failure to properly prepare for cyberattacks, there is a narrow path for aggrieved parties to hold directors personally liable: a plaintiff must prove that (1) the board of directors made a decision that resulted in a loss because that decision was ill-advised or negligent, or (2) the board failed to act in circumstances in which due attention would, arguably, have prevented the loss. Attentiveness to known threats and taking reasonable actions to counter those threats will provide strong defenses against personal liability claims against officers and directors. There are many steps officers and directors can take to reduce the likelihood that they are held personally liable after a cyberattack or data breach. They include: • Ensuring the directors have sufficient cybersecurity training. • Conducting regular discussions about cybersecurity as part of board meetings. • Overseeing the implementation of cybersecurity protocols. o This can include the adoption of quantum computing and quantum-resistant encryption, zero trust security, and zero-knowledge proofs. Quantum computing and quantum encryption can generate truly random numbers for encryption keys, which prevents hackers Working as a team to secure customers’ data will reduce the liability of directors in the event of a data breach. Nicholas P. Mooney II and Alexander L. Turner are member attorneys at Spilman Thomas & Battle. They co-chair the firm’s Cybersecurity & Data Protection Practice Group. They both have extensive experience in consumer finance and banking litigation. Nick can be reached at 304.340.3860 or nmooney@spilmanlaw.com, and Alex can be reached at 336.955.8352 or aturner@spilmanlaw.com. from cracking the company’s encryption. Some privacy laws incentivize encryption, like the California Consumer Privacy Act, by stating that a company’s failure to encrypt personal information can result in a direct cause of action by customers in the event of a data breach. Zero trust security is used to mitigate the danger of an insider threat by requiring all users and devices attempting to access the network to verify their identity. Zero-knowledge proofs use a blockchain to protect data transmitted over the Internet. • Regularly review the status of the company’s cybersecurity protocols to ensure they are up to date. • Ensure the company’s IT department is vigilant and actively monitors the status of the company’s computer network. • Require regular reports from the company’s IT department and conduct regular communications with that department regarding potential threats to the network and steps to be taken to protect the data the company maintains. Working as a team to secure customers’ data will reduce the liability of directors in the event of a data breach. The PwC survey shows that cybersecurity issues are frontand-center in U.S. executives’ minds. The above-referenced recommendations may not stop all data breaches, but by enacting them, your financial institution will significantly lower the likelihood of litigation after a data breach. Putting these recommendations into service also will help keep the regulators at bay. If litigation or governmental action cannot be avoided after a cyberattack, implementing these recommendations increases the likelihood of a favorable outcome.  Pub. 13 2022 I Issue 3 Fall 17 West Virginia Banker

RkJQdWJsaXNoZXIy ODQxMjUw