Infotech and the Law: Homeland security policy expands corporate liability
In the post-Sept. 11 world, corporations must confront numerous liability issuesrelated to terrorism. One is the liability of the corporation, its directors and officersfor business decisions related to a company's preparedness for terrorist attacks.
In the post-Sept. 11 world, corporations must confront numerous liability issuesrelated to terrorism. One is the liability of the corporation, its directors and officersfor business decisions related to a company's preparedness for terrorist attacks.SIZE="2">In the National Strategy for Homeland Security, released in July, the Bushadministration placed responsibility for certain terrorism-related planning squarely onthe shoulders of American business, recommending that businesses "conduct riskassessments on their holdings and invest in systems to protect key assets." The WhiteHouse stated such action is not simply sound corporate governance and good corporatecitizenship, but "an essential safeguard of economic assets for shareholders,employees and the nation."SIZE="2">Thus, the White House has characterized terrorism-related planning as a corporategovernance issue. This is important, because it suggests that corporate decision-makers --whether directors or officers of large, publicly held corporations or of small privatecompanies -- may face increased liability for decisions relating to counterterrorism andsecurity.SIZE="2">We advise corporate clients to take steps in four areas: protecting employees,visitors and facilities; protecting shareholders; complying with security-related laws;and protecting directors and officers. In addition, companies must assessindustry-specific risks and obligations.
Similarly, in the recent draft of
the National Strategy to Secure Cyberspace, the administration described cybersecurity as
a "management challenge" requiring senior leadership within an organization,
including the close attention of the corporate board of directors.
The
strategy stated: "Considering security only after an incident has occurred places the
business, the customers and even the country at risk. In contrast, effective governance of
cybersecurity promotes growth, productivity and shareholder confidence."
Generally, the directors and officers of a corporation
owe fiduciary duties to both the corporation and its shareholders. One of these duties,
the duty of care, requires that directors and officers act in good faith, with the care
that an ordinarily prudent person would exercise under similar circumstances, and in a
manner that the officer or director believes to be in the best interest of the
corporation.
More specifically, the duty of care has two
components: decision-making and oversight. In making business decisions, directors and
officers have a duty to protect corporate assets and minimize exposure to third-party
liability. In the exercise of oversight obligations, directors and officers are
responsible for monitoring the corporation's business, policies and procedures with regard
to compliance with applicable law.
Corporate directors typically
are protected against liability for their business decisions by the so-called business
judgment rule. As stated by the Delaware courts, this rule is based upon "a
presumption that in making a business decision, the directors of a corporation acted on an
informed basis, in good faith and in the honest belief that the action taken was in the
best interest of the company."
The business judgment rule may
not, however, protect directors from liability if they have made ill-advised or negligent
decisions, or if a director has abdicated his or her role through inattention and lack of
involvement. A director may face personal liability for corporate inaction if he or she
was fully informed and attentive with regard to a particular risk, but failed to take
appropriate action.
Thus, given the continuing threat of
terrorism, a corporation's effort, or lack of effort, in assessing vulnerabilities and in
implementing security measures may have significant legal consequences.
The bottom line, as the
Bush administration has suggested, is that no corporation can afford the status quo on
security issues. A thorough liability assessment should be performed to ensure informed
and considered decision-making.
Richard Rector is a partner in the
Government Contracts Group of Piper Marbury Rudnick & Wolfe LLP in Washington. His
e-mail is richard.rector@
piperrudnick.com.
Richard Rector
Similarly, in the recent draft of
the National Strategy to Secure Cyberspace, the administration described cybersecurity as
a "management challenge" requiring senior leadership within an organization,
including the close attention of the corporate board of directors.
The
strategy stated: "Considering security only after an incident has occurred places the
business, the customers and even the country at risk. In contrast, effective governance of
cybersecurity promotes growth, productivity and shareholder confidence."
Generally, the directors and officers of a corporation
owe fiduciary duties to both the corporation and its shareholders. One of these duties,
the duty of care, requires that directors and officers act in good faith, with the care
that an ordinarily prudent person would exercise under similar circumstances, and in a
manner that the officer or director believes to be in the best interest of the
corporation.
More specifically, the duty of care has two
components: decision-making and oversight. In making business decisions, directors and
officers have a duty to protect corporate assets and minimize exposure to third-party
liability. In the exercise of oversight obligations, directors and officers are
responsible for monitoring the corporation's business, policies and procedures with regard
to compliance with applicable law.
Corporate directors typically
are protected against liability for their business decisions by the so-called business
judgment rule. As stated by the Delaware courts, this rule is based upon "a
presumption that in making a business decision, the directors of a corporation acted on an
informed basis, in good faith and in the honest belief that the action taken was in the
best interest of the company."
The business judgment rule may
not, however, protect directors from liability if they have made ill-advised or negligent
decisions, or if a director has abdicated his or her role through inattention and lack of
involvement. A director may face personal liability for corporate inaction if he or she
was fully informed and attentive with regard to a particular risk, but failed to take
appropriate action.
Thus, given the continuing threat of
terrorism, a corporation's effort, or lack of effort, in assessing vulnerabilities and in
implementing security measures may have significant legal consequences.
The bottom line, as the
Bush administration has suggested, is that no corporation can afford the status quo on
security issues. A thorough liability assessment should be performed to ensure informed
and considered decision-making.
Richard Rector is a partner in the
Government Contracts Group of Piper Marbury Rudnick & Wolfe LLP in Washington. His
e-mail is richard.rector@
piperrudnick.com.