Who Is Legally Responsible for a Cyber Incident?


After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?


People can toss blame around, but when a cyber incident occurs, someone will be legally liable. But who is it – a single person, a department or the entire company as a single entity?


Business Judgement Rule and Cybersecurity


After the SolarWinds cyber attack, shareholders decided to sue, claiming the company and its executives hyped corporate cybersecurity efforts although there was evidence the company leadership lacked an effective cybersecurity program. Cost-cutting measures came first, the lawsuit stated, and cybersecurity took a backseat to profits. The lawsuit targeted executives and the board of directors. It named names, with the CISO front and center.


The Business Judgement Rule often protects high-level executives and boards of directors. The Business Judgement Rule, as defined by LawShelf, is “a standard of judicial review of corporate director and officer conduct.” However, because corporations fall under state jurisdiction rather than federal, the standards of how the Business Judgement Rule is enforced are not always the same.


“The rule protects officers and directors from liability where they have made decisi ..