Managing Cybersecurity Risk for Nonprofit Organizations: A Fiduciary Duty?
We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs. Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.
Data breaches and associated clean-ups are costly. In addition to bottom-line costs, nonprofits face “headline risk,” reputational damage, disruption in programming and operations and, increasingly, litigation risk in the event of a data breach—and litigants are getting creative. In 2014, a Wyndham Worldwide Corporation shareholder brought a derivative action against the corporation’s directors and officers—including its CEO and its General Counsel—in connection with data breaches at the corporation from 2008 to 2001. The complaint alleged, among other things, that directors and officers breached their fiduciary duties to the corporation by failing to implement internal controls to protect customers’ personal and financial information and failing to reasonably disclose the breaches to investors, resulting in financial and reputational damage to the corporation. Similar suits were filed by shareholders against directors and officers in response to the Target Corporation data breach in 2013 and the Home Depot data breach in 2014. In an earlier case, directors of the TJX Company Inc. were sued for breach of fiduciary duties in connection with a data breach at TJ Maxx stores from 2002 through 2006.
None of these fiduciary duty claims has yet been successful on its merits, and we have yet to see analogous claims in reported cases in the nonprofit context. Some commentators have posited that suits against directors and officers for breaches of fiduciary duty are likely to fail in the absence of utter disregard for duties or acts in bad faith, while others have argued that a transformed and perhaps heightened duty of care in managing data privacy and security is emerging. Either way, these cases illustrate the exposure directors and officers may face in the event of a data breach and the significant corporate resources involved in dealing with the fallout.
This litigation trend is also in line with increased regulatory efforts by Congress and Federal and State agencies such as the Securities and Exchange Commission (the “SEC”), the Federal Trade Commission (the “FTC”), and the Department of Financial Services of the State of New York (“NYDFS”), supplementing the already complex patchwork of statutes and regulations governing cybersecurity. While the typical nonprofit is generally not subject to regulatory oversight of the SEC, FTC or NYDFS, such efforts signal a trend that State Attorneys General or other nonprofit regulators may be inspired to join (and some industry-specific and other statutes and regulations already apply to some nonprofits, e.g., the Health Insurance Portability and Accountability Act or “HIPAA”).
So what does all this mean for nonprofit directors and officers?
While cybersecurity is relatively new and unfamiliar technical territory for most nonprofit (and for-profit) directors and officers, fiduciary duties are not – the challenge is how to appropriately fulfill those duties in this new context.
Generally speaking, the fiduciary duties owed to a corporation by its directors and officers include the duty of care and the duty of loyalty. The duty of care requires directors and officers to be diligent and informed in making business decisions on behalf of the corporation, exercising honest and unbiased business judgment in good faith. Directors and officers may, in certain circumstances, delegate responsibilities to or rely on guidance from external advisors or a Board committee. In general, the “business judgment rule” will protect a Board decision if the directors acted on an informed basis, in good faith and in the corporation’s best interests, and generally only behavior that is grossly negligent will breach the duty of care.
The duty of loyalty requires a director or officer to make decisions in the best interests of the corporation and without regard for his or her personal interest. This duty generally relates to the diversion of corporate business opportunities for personal gain and other conflicts of interest. Under Delaware law, the duty of loyalty also encompasses the duty of oversight, which requires a Board to implement monitoring and reporting systems to oversee corporate operations, but, like the duty of care, sets a high bar for liability, to be found only when “the directors utterly failed to implement any reporting or information system or controls; or having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”
New York also imposes a duty of obedience in the nonprofit corporation context, which requires directors and officers to act with fidelity to the corporation’s mission, its governing documents and policies, duly adopted acts of the board and applicable laws.
To fulfill these fiduciary duties in the context of cybersecurity, directors and officers of nonprofits should put systems and controls in place to effectively manage the risk of cyberattacks to the level and degree appropriate for their institutions, taking into consideration each institution’s own needs, resources, level of risk and risk tolerance. For most organizations, this will not require directors and officers to acquire in-depth technical expertise in information technology (“IT”) and data security, or to become intimately familiar with the organization’s day-to-day IT operations. It will mean undertaking reasonable efforts to inform themselves about the corporation’s data needs and vulnerability to breach, and taking reasonable steps to protect against such breaches.
With that in mind, here are a few steps directors and officers of nonprofits can consider taking toward fulfilling their fiduciary duties relating to cybersecurity—with the understanding that there is no one-size-fits-all approach:
• Make cybersecurity a priority, setting a tone for the organization to take it seriously;
• Become familiar with applicable State or Federal laws, rules and regulations that may govern cybersecurity practices for the organization or its industry, as well as industry best practices;
• Provide cybersecurity education and training for directors, officers and employees;
• Develop clear data security policies (including with respect to document retention and computer usage);
• Task specific personnel (or a Board committee) with implementing internal controls and related responsibilities, with regular reporting to the Board;
• Develop and implement (or oversee the development and implementation of) mechanisms to assess risks of breach, with annual audits; an incident response and crisis management plan; and a review of contracts with third parties who host or have access to confidential information to ensure the organization is protected (for example, via representations and warranties and indemnification provisions);
• Retain outside experts as necessary and as resources permit; and
• Review professional and general liability insurance policies for coverage and exclusions relating to cybersecurity, and consider obtaining a separate cyber-insurance policy, which may cover costs relating to data breach events that may not be covered by other policies.
Whatever directors and officers do with respect to managing cybersecurity risk, they should do it regularly and consistently and maintain adequate documentation of their actions.
Ultimately, by following some or all of these steps (as appropriate), directors and officers of nonprofits should be able to show that they recognized cybersecurity as a priority, sufficiently understood the risks, and took reasonable measures to prevent data breaches and related security events in the event of a cyberattack or breach.
 A California consumer education organization reports that data breaches in the nonprofit, education and healthcare sectors have compromised over 60 million records of sensitive data since 2005. See Privacy Rights Clearinghouse, Chronology of Data Breaches, available at https://www.privacyrights.org/data-breach. In reality, the number is likely much higher as not all breaches are reported and the number of records affected is often unknown.
 According to a data security research institute report, the annual cost of responding to criminal cyberattacks among a representative sample of 58 surveyed U.S. organizations in both the public and private sectors averaged $15 million in 2015 (representing a net increase of 82% over the past six years). The average annual cost for surveyed organizations in the education and research sector alone was $11.4 million, and in the healthcare sector, $9.78 million. See Ponemon Institute, 2015 Cost of Cyber Crime Study: United States (October 2015), at 1-3. The average cost does not include catastrophic or “mega” security incidents.
 See Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 2, 2014).
 See Davis v. Steinhafel, Case No. 14-cv-00203 (shareholder’s complaint filed in the District of Minnesota on July 18, 2014 regarding Target breach); Bennek v. Ackerman, Case No. 1:15-xv-2999 (shareholder’s complaint filed in the Northern District of Georgia on September 2, 2015 regarding Home Depot breach) and Frohman v. Bousbib, Case No. 1:15-cv-3650 (same, filed on November 2, 2015, recently consolidated with the Bennek action).
 See La. Mun. Police Emples. Ret. Sys. v. Alvarez, 2004 Del. Ch. LEXIS 208 (Del. Ch. Jan. 2, 2004).
 The Wyndham case was dismissed on other grounds, the Target and Home Depot cases are still pending and the TJX case settled.
 There are cases in which the FTC has brought enforcement actions against nonprofit organizations. See, e.g., In re Advocate Health Care Network, Docket No. 9369 (FTC administrative complaint filed December 17, 2015); In re The Penn State Hershey Medical Center, Docket No. 9368 (FTC administrative complaint filed December 7, 2015).
 In New York, the duty of care is codified in Section 717 of the Not-for-Profit Corporation Law (the “NPCL”), which requires that directors and officers of nonprofit corporations perform their duties in good faith and with such care as an ordinarily prudent person would exercise in a similar position under similar circumstances (with specific standards of conduct for investment duties set forth in other sections of the statute).
 In New York, the duty of loyalty concept is represented in NPCL provisions relating to prohibitions on distributions (Section 508 and 515(a)), related party transactions (Section 715), and loans from the corporation to its directors or officers (Section 716).
 The duty of oversight was first articulated by the Delaware Chancery Court in In re Caremark Int’l, 698 A.2d 959 (Del. Ch. 1996) and later affirmed by the Delaware Supreme Court in Stone v. Ritter, 911 A.2d 362 (Del. 2006).
 Stone v. Ritter, 911 A.2d at 370 (emphasis added).
 Other corollary duties include the duty of good faith and the duty of disclosure (or candor), which are typically not viewed as independent fiduciary duties but are creatures of the duties of loyalty and care.