What Should Boards Think About After a Breach?

29 Jan 2020

This article in our “Beyond the Breach” series was co-authored by Morrison & Foerster partners Jackie Liu and Miriam H. Wugmeister.

Thanks, in no small part, to cybersecurity’s potential impact on organizations’ bottom lines, cybersecurity has become a top-of-mind concern for boards of directors. Equifax’s September 2017 data breach is a stark example of how a breach can negatively—and significantly—impact an organization’s bottom line. To date, the company has reportedly spent over $1.4 billion investigating the breach and overhauling its information security systems because of it. The company is still on the hook for as much as another $700 million as a result of its settlement of the litigation and government actions filed against it in the wake of the breach.

We’ve previously covered what boards can do before a data breach to prepare themselves and their organizations for such an event. However, what about when the inevitable happens and an organization—your organization—suffers a data breach? What’s a board—your board—to do then, and how?

It’s all about systems and processes

In the wake of a data breach, your board of directors should focus on the same things it would normally focus on following any crisis affecting your organization.

As the people responsible for the oversight of your organization’s strategic direction and overall performance, your board’s primary concern should be making sure that whatever problems were exposed by the breach are (i) recognized, (ii) understood, and (iii) addressed by a plan to fix them.

This requires your board to receive regular updates about the systems and processes designed to safeguard your organization’s information and networks, both to fulfill its oversight responsibilities and to understand whether those systems and processes helped the organization respond to the breach and limit its impact, or whether they played a role in causing it.

In addition, your board will have to consider the people-side of the equation. Do you have the right people and processes in place to respond to a cyber event? Even if mistakes were made, was there a process in place to identify the risk, escalate concerns, and make decisions in a timely way?

For example, let’s say that one of your organization's older databases was compromised. Your internal investigation determines that the database was not patched with security updates as often as it should have been because it was a legacy system that was scheduled to be decommissioned. Patching this particular system was not a priority because the IT team had to focus its time and resources on the systems the company actually uses.

After promptly being presented with the findings of this investigation, your board should focus on your organization's systems and processes for patching databases. Your board should not conduct its review with the goal of placing blame. Its focus should stay on: (i) understanding what happened, (ii) getting regular reports on whether the people or processes should have behaved differently, (iii) determining whether the proper processes were used to identify and remediate the issue, and (iv) receiving updates about how the lessons learned from the incident are built into new, or newly revised, systems and processes within the organization.

In light of Marchand v. Barnhill (June 18, 2019), directors have risk oversight responsibilities and could be subjected to liability for failing to “make a good faith effort to implement an oversight system and then monitor it.” Furthermore, the board’s consideration and deliberation about the organization’s new systems and processes should be documented through written records.

Continuing oversight may be needed

The severity of a particular data security incident will dictate the role your board plays in overseeing changes to your organization’s systems and processes.

Some data breaches are the result of a one-time mistake or a particularly sophisticated bad actor. When a breach of this type occurs, your management and board may determine, after due deliberation that is well documented, that your organization’s systems or processes did not significantly contribute to the breach. In that event, no additional oversight may be required—aside from your board’s typical oversight responsibilities—to ensure that the lessons learned from this kind of breach are implemented by your organization.

If a particular data breach exposes shortcomings in your organization's systems and processes, your board should consider delegating the task of overseeing the changes required to fix these shortcomings to one of its committees.

There is a trend to delegate cyber issues to a committee, such as the risk or the technology committee, as they may have more experience in cyber issues and might be able to provide focused guidance and oversight.

A serious data breach, however, may require the creation of a separate cybersecurity risk committee to oversee the bevy of new systems and processes—and possibly employment changes—that your management and board agree need to be implemented to reduce the future risk of similar breaches.

On a related note, there is a brewing debate over whether boards should have at least one director on them who has significant professional cybersecurity experience. As more organizations add board members with this experience, standing cybersecurity risk committees may become commonplace.

Not letting a good crisis go to waste

If—or, more realistically, when—your organization suffers a significant data breach or other cyber incident, your organization’s board of directors will have a role to play.

Its focus should be on understanding:

  • what happened,
  • the risks that a cybersecurity event can create,
  • the plan to mitigate the risk,
  • the cadence of regular updates that the board should receive to be well informed, and
  • management’s plan to fix any deficiencies.
