
Company officials have come to accept that they are accountable for maintaining and enforcing appropriate cybersecurity protocols for their own company or else face the risk of shareholder derivative lawsuits or securities actions. The list of concerns for public companies grows, however, as officers and directors are now facing shareholder derivative suits for data security incidents incurred by the company’s third-party vendors, rather than by the company itself. As a result, public companies should be extra vigilant in reviewing their third-party service contracts. These vendor agreements are vital mechanisms for allocating risk amongst the parties and ensuring vendors implement proper cybersecurity safeguards while handling company data.

Cyber Risk: An Evolving Threat for Company Boards

A recently filed complaint against directors and officers of Laboratory Corporation of America (LabCorp) demonstrates the continued risk cyber-related derivative lawsuits pose to company boards. The complaint asserts LabCorp’s directors and officers breached their fiduciary duty due to two data breaches suffered by vendors that the company used to handle and store sensitive data. The first incident involved the breach of vendor American Medical Collective Agency’s (AMCA) website payment portal. It resulted in the disclosure of LabCorp patients’ credit card information, personally identifiable information (PII) and personal health information (PHI). AMCA informed LabCorp of the breach, which affected more than 10.2 million LabCorp patients, and LabCorp advised investors of the breach in an SEC filing. The derivative lawsuit attempts to hold board members accountable for the AMCA breach, alleging that LabCorp’s “insufficient cybersecurity procedures and oversight of AMCA … permitted unauthorized access to LabCorp’s patients’ confidential, personal information,” which has resulted in a consumer class action against LabCorp. The second breach involved an unprotected web address that granted access to LabCorp’s documents containing PII. The complaint alleges LabCorp failed to disclose this breach in any public release or SEC filing. The complaint alleges the defendants breached their duties of loyalty, care and good faith by, among other things, “providing PII and PHI of patients to [AMCA] with deficient cybersecurity and breach protection” and “failing to ensure that the Company, as well as its business associates, utilized proper cybersecurity safeguards to adequately secure the PII and PHI.”

Mitigation is Key.

To reduce the risk of such litigation, companies must assess, scrutinize, and monitor their third-party service providers’ cybersecurity, as well as their own. Adams and Reese’s Privacy, Cybersecurity and Data Management team has previously reported on the importance of vendor management in the cybersecurity space, and will continue to monitor developments in this arena.