Why Cyber-Security Professionals and Company Executives and Boards Face Personal Legal Liability, and What to Do About It

Why Cyber-Security Professionals and Company Executives and Boards Face Personal Legal Liability, and What to Do About It
Presented at the 3rd annual Rail Cybersecurity USA conference May 23/24th 2023 in Chicago.

Individuals with responsibilities over cybersecurity at all levels face an increasing risk of civil or even criminal liability based on their managerial decisions and oversight when a cybersecurity incident happens. Cyber vulnerability has already been shown to exist in mobile operating assets and communication systems and should be of particular concern to railroads, where monetary awards will be based on damage to human life and property, and likely far exceed damages from compromised data or privacy.

Lessons learned from recent case studies provide helpful guidance on what steps individuals within a company can take to limit their own exposure. Trends in litigation also suggest what evidence governmental agencies and plaintiffs’ firms will use to prove negligence or a breach of a fiduciary or other duty. Other relevant considerations will be discussed, including emerging standards of care (such as implementation guidance from U.S. and international agencies), and tangible steps companies can take to put into place a defensible plan of action and mitigate operating vulnerabilities before a complaint is filed, at which point there is little that can be done to shape the record that will be used to prove or disprove liability.

Craig Wenner represents individuals and corporations in complex commercial litigation, white collar defense, and internal investigations. He has seen cases through to trial involving allegations of financial and tax fraud, violations of constitutional rights, conspiracy, and breaches of contract.

In December 2022, he was chosen as a litigator of the week by The American Lawyer for obtaining a $100 million damage award on behalf of a client whose funds were stolen and laundered over the course of an 18-year global conspiracy. He has extensive experience in advising individual and corporate clients in a variety of industries, including infrastructure, and has managed internal investigations regarding accusations of fraud, theft of trade secrets and data breaches, regulatory violations, and investor misrepresentations.

Before joining the firm, Craig served as a law clerk to the Hon. Harold Baer, Jr., in the U.S. District Court for the Southern District of New York and was a post-graduate fellow in the Frank J. Guarini Center on Environmental and Land Use Law at N.Y.U. School of Law. Prior to law school, Craig worked in civil and environmental engineering, and in the construction trades and real estate. He holds unlimited plumbing, pipe-fitting, and HVAC licenses in Connecticut.