Can boards ever be held liable for security breaches?

Chief Information Officer in Healthcare and Biotech, 4 years ago

This is a great question! In my experience, there is nothing to stop shareholders from pursuing derivative or private lawsuits around data breaches. From what I have seen in the media, there have been no individual directors and officers held personally liable for the costs of a data breach to date. But I suspect that will change very soon. However, the risk of individual liability can be mitigated by taking appropriate proactive security measures.

If I remember correctly, in the Caremark decision a Delaware court indicated that directors CAN be held personally liable for failing to monitor and supervise the enterprise. It is a general understanding that a company's board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so could be considered a failure of the board to act in preventing a loss resulting from a breach.

I fully expect the Federal Trade Commission to step up the enforcement of corporate data security standards via regulatory actions in the near future.

Director of Information Security in Energy and Utilities, 4 years ago

Yes. If they fail to complete at least a certain level of due diligence and invest adequate resources into cybersecurity (publicly traded companies at least).

Executive Coach / Global Chief Information Officer & CISO in Education, 4 years ago

Due diligence, due care and the interpretation of that—plus the ability to prove that from a directors and officers liability insurance (D&O insurance) standpoint—should scare every director into making sure that they have a specific security, cybersecurity, and IT focus in one of the committees, or as a fully subset committee. You can ask quite a few technology companies who will tell you that if they keep their security under one of the other groups, it's a massive liability. Depending on the incorporation documentation, I believe that every director at the board level would be held liable.

VP, Director of Cyber Incident Response in Finance (non-banking), 4 years ago

When I got my administration promotion, I had to sign the paperwork that said I could be held personally liable—all of a sudden, I wasn't sure I wanted to be promoted.
