Representatives of some cybersecurity-focused organizations here say that cyberattacks are becoming more complex and sophisticated, and the impact of those cyberattacks can put executives and board members of victim organizations at risk of legal liability.
Washington state businesses and agencies sent 6.3 million data-breach notices to residents last year, breaking a previous record of 3.5 million notices in 2018, according to a report from the Washington state Office of the Attorney General.
Heather Stratford, CEO of Spokane-based cybersecurity training platform Drip7 Inc., says it’s up to senior leaders to ask cybersecurity experts about potential risks, as not everyone has the knowledge to take appropriate precautions.
If those risks are ignored, she says, leaders should be prepared for increased liability as time goes on, especially as notable lawsuits that have named individual board members make their way through the courts.
Underscoring that concern, a new trend has emerged in cybersecurity-related lawsuits, where attorneys for shareholders are filing claims against directors, officers, and senior leaders for insufficient oversight against cyberattacks, according to a recent article by New York-based Redpoint Cybersecurity LLC.
Stratford says that the legal world is still catching up to the changes that are impacting businesses, but there have been several recent breaches after which the members of boards of directors have been sued personally.
“Some of the big ones out there include SolarWinds, which had a large breach last year, Equifax, Target, Labcorp, and the most recent one from January 2019 where the board of directors for Yahoo was held liable.”
The D&O Diary, an online periodic journal covering issues of business and organization director and officer liability, also reports that T-Mobile USA’s board of directors was named in a shareholder lawsuit in November for allegedly failing to monitor and act upon red flags.
Locally, Whitworth University is still investigating a reported ransomware attack on its information systems that happened in July, according to a statement from media relations manager Trisha Coder, who declines to comment further for this story.
Stratford says losses from cyberattacks can range between $20,000 and $20 million and notes that one-third of victims end up paying a ransom, which perpetuates the problem.
Senior leaders can mitigate their risk of personal liability in these situations in a variety of ways, although attorney Tom Ahearne says even with cyber insurance and implementing preventative measures, directors or officers could still be challenged to prove they’ve done everything they could to prevent a cyberattack.
Ahearne, principal at Seattle-based law firm Foster Garvey PC, which has a Spokane office, says directors have a fiduciary duty to protect the corporation and its assets.
“For example,” Ahearne says, “the shareholders of a private corporation can sue the board of directors for not being good captains of the ship because the board and the officers have the highest honor and obligations of responsibilities that are owed.”
Ahearne says some of his clients have had their information stolen for profit, while others have been extorted to pay to restore information that’s been taken or encrypted from their organization through a ransomware attack. Additionally, some clients have been tricked into providing either payments or sensitive information through an email phishing scam.
Ahearne says he’s worked with clients, including municipal entities, nonprofits, and businesses that have been damaged by cyberattacks, to negotiate with insurance companies to honor claims.
Cyber insurance may only help a company recover damages in some specific scenarios, Ahearne claims.
“I’m seeing a lot of corporations these days have a policy that covers both the company and the directors and officers for liability arising out of a cyberattack,” he says.
However, he adds that if any information reveals losses were due to someone failing to perform their duties, which has been the trend in recent shareholder lawsuits, then the insurance company likely will cover only a fraction of the loss, and officials may be held responsible for remaining damages.
Ahearne adds that insurance won’t cover damages to a company’s reputation either.
“If, for example, the cyber hacker gets confidential business plans or strategies, you’re not going to get that back, and that could tube the company,” he explains.
Kris Bliesner, CEO of Liberty Lake-based Vega Cloud Inc., says any business operating a computer or that has a digital presence online can become a target of a cyberattack.
Bliesner says hackers’ jobs are made easier as companies fail to update outdated security infrastructure, and “bad actors have better tools and capabilities than the folks trying to defend their own digital infrastructure.”
Small businesses face the same level of risk of cybercrime as larger businesses and can no longer rely on “security by obscurity,” which used to be the norm 20 years ago, he says.
Back then, “if you were small enough and stayed out of the limelight, then it wasn’t an issue and you probably wouldn’t be attacked,” he says. “Well, it turns out those days are pretty much over.”
Small companies are frequent ransomware targets, according to a report from technology publication Cloudwards.net, which states that in 2020, 55% of all ransomware attacks targeted businesses with fewer than 100 employees and 75% of attacks were against companies earning less than $50 million in revenue.
Stratford advises senior leadership officials to protect anything whose loss would shut down operations, which can be accomplished through employee training, backup data systems, and multifactor authentication to help reduce the risk of a breach.
The Redpoint Cybersecurity report states that directors serving as fiduciaries are mandated to address cybersecurity threats and remediation, including monitoring cybersecurity practices regularly and correctly relaying relevant information to all stakeholders.
Ahearne agrees and says he advises his clients to have the board of directors create and test detailed emergency response plans that are easy to access as a way to lessen personal liability.
He says it’s common knowledge that cyberattacks happen often, so companies need to have repeated stress tests to understand vulnerabilities.
“You need that emergency response plan in place so that when this happens, you immediately know what to do,” he says. “Having a policy buried somewhere is not helpful. It’s the same reason why we practice fire drills, so we all know what to do.”
The policy also should be made known to everyone in the organization, Ahearne adds.
“You have to have a clear chain of command, and you have to have a forensic expert lined up and an IT specialist to lock down the system,” he says. “(The plan) should say, ‘Here’s the person you contact immediately.’”