Why CISOs need enhanced legal protections in the age of breach lawsuits

Today’s columnist, Brian Levine of EY, writes that CISOs today may find themselves charged with violating securities laws and therefore need the same type of legal protections given to top C-suite officials.

When I began my legal career, I spent countless hours defending corporate officers and directors accused of securities fraud — making false or misleading statements or omissions to deceive investors for financial gain.

Today, CISOs face a range of legal issues around the financial impact of high-profile data breaches. Many of these cases have the same feel. Back in the day, and even now, the dance with a plaintiff’s attorney works almost the same way every time:

The games begin when X Corp issues a formal “restatement,” after determining that its previously filed financial statements contained inaccuracies and that, as a result, X Corp was not as profitable as had been previously reported. Almost immediately after filing a restatement, plaintiffs’ law firms, purporting to represent shareholders of X Corp, swoop down, filing shareholder class actions against the company, its officers and directors, alleging that they knew all along that X Corp’s profits were inflated and that they knowingly concealed this fact from shareholders, often while selling their own shares of X Corp. Different plaintiffs’ law firms would bring separate “shareholder derivative actions” — lawsuits alleging that the corporation’s officers and directors breached their fiduciary duties by not adequately investigating and responding to this alleged fraud on their own. Around the same time, X Corp would typically receive a letter from the Securities and Exchange Commission (SEC) opening an investigation into the matter and requesting a large volume of documents from the company. That investigation might eventually lead to a civil enforcement action. The company might receive a similar letter from the Financial Industry Regulatory Authority (FINRA), a self-regulatory body for the U.S. securities industry. The company’s officers and directors might also receive inquiries from the U.S. Department of Justice (DOJ) — which could lead to a criminal indictment - and potentially other state and federal regulators. While some of these claims certainly had merit, many of these regulatory investigations ended without any charges of wrongdoing and most of the litigation was dismissed or settled.

Only a tiny fraction of these claims went to trial and ended in a finding of wrongdoing. Nonetheless, these claims were extremely expensive to defend — even those with little merit. It was not uncommon to run up millions of dollars in legal fees defending a single corporate officer. That’s not including the settlement, which even if settled for “nuisance value” — typically an amount less than or equal to the amount it would cost to litigate the case — might run into the tens, or in rare instances, even hundreds of millions. Corporate officers and directors were aware that if they served in these roles for long enough, they would eventually find themselves as defendants in similar litigation and/or investigations. Thus, over time, it became standard for corporate officers and directors to receive certain contractual protections to reduce this risk:

Right of Defense: This provision would require the company to provide a corporate officer or director with a broad right of defense, meaning that if he or she became involved in any legal proceeding, investigation, or claim arising out of his or her duties, the company would have to promptly provide legal representation and cover all reasonable legal expenses, including attorney fees, court costs, and related expenses. An acquaintance of mine recently became the subject of an aggressive regulatory investigation, which lasted multiple years, but ultimately ended in his exoneration. His legal bills, however, exceeded $10 million, so if they were not covered by his employer, there would have been no way he could have afforded to be vindicated.

Indemnification: This provision requires the company to indemnify and hold the officer or director harmless to the fullest extent permitted by applicable law. This includes indemnification for any sentences, settlements, damages, liabilities, expenses, or other losses reasonably incurred by the officer or director in connection with his or her role, as long as he or she acted in good faith and in a manner reasonably believed to be in the best interests of the company. The vast majority of these class actions and enforcement actions end in settlement, but those settlements can cost tens or hundreds of millions of dollars, so there are few (if any) CISOs who could meaningfully contribute to such a settlement.

D&O Coverage: This provision requires the officer or director’s employer to maintain a directors and officers liability insurance policy (D&O policy), which includes coverage for him or her. The D&O policy would offer coverage for defense costs, settlements, judgments, and other liabilities incurred by the officer or director in connection with claims arising out of his or her role, subject to the terms and conditions of the policy. It’s important to have D&O coverage because without adequate insurance coverage, an officer or director’s company might not have sufficient funds to appropriately defend and indemnify him or her.