Bug Bounty Programs as a Corporate Governance “Best Practice” Mechanism
Originally posted on Berkeley Technology Law Journal Blog, on March 22, 2017
In an economy where data is an emerging global currency, software vulnerabilities and security breaches are naturally a major area of concern. As society produces more lines of code, and everything – from cars to sex toys is becoming connected: vulnerabilities are produced daily. Data breaches’ costs are estimated at an average of $4 million for an individual breach, and $3 trillion in total cost. While some reports suggest lower figures, there is no debate that such vulnerabilities could result in astronomically losses if left unattended. And as we recently learned from the Cloudflare breach, data breaches are becoming more prominent and less predictable, and even security companies get hacked.
In light of these developments, it is no surprise that cybersecurity has become one of the major subjects regularly discussed in board rooms. Recently, the U.S. National Association of Corporate Directors (NACD) reported that while the directors do believe cyberattacks will affect their companies, many of them “acknowledge that their boards do not possess sufficient knowledge of this growing risk.” These findings suggest that directors should rethink their direct legal reasonability for the losses incurred due to unattended vulnerabilities.
The legal and business risks associated with data breaches are complex, and range from the FTC and other regulators’ investigations to M&As complications and consumer class actions. But usually, if executives aren’t named personally in the complaint or prosecuted by regulators, such costs are endured by corporations or their cyber insurance, not the directors or managers themselves. However, shareholders’ derivative lawsuits for directors and managers’ liability are different. These suits target management personally.
Experience shows that stock prices, even if influenced by the data breach, will eventually recover. Yet, shareholder derivative lawsuits for directors’ liability are continuously filed in cases of data breaches. In such cases, the shareholders of the company that suffered from the data breach allege that by virtue of neglecting to enforce internal controls and monitor security vulnerabilities, the mangers breached their fiduciary duties towards the company.
Wyndham hotels, Home Depot and, of course, Target, are just a few companies in which data breaches were followed by such directors’ liability suits. More recently, Wendy’s, the popular fast food restaurant chain, was hit with such a suit and now Yahoo! management is being sued by a group of shareholders for breach of fiduciary duties following their highly public data breach. Until now, courts have dismissed these cases, following U.S. corporate law higher threshold concerning the Business Judgement Rule (BJR). According to the court, directors’ duty of care to monitor security vulnerabilities is satisfied by enacting a reasonable system of reporting existing vulnerabilities, and their fiduciary duty is further fulfilled by doing something, anything, with these reports. The view is that the board should put a “reasonable” security plan in place, not a perfect one. It’s still not clear how the BJR reasonableness threshold differs from the FTC’s requirement to enact reasonable security practices under Section 5(a) of the FTC Act, but at least from the Wyndham case, it seems that BJR’s reasonableness threshold, when it comes to cyber, is much lower.
The result is that corporate fiduciary duties are perhaps not the most effective mechanism to promote cybersecurity in the current legal environment. This is because, on the one hand the BJR is highly deferential to any reasonable action a board might take, and the other hand, especially in cyber security, reasonable actions are just not enough to provide adequate protection.
Yet, as Wong argued, even if shareholders’ derivative lawsuits often fail in the data breach context, directors should still be concerned with security vulnerabilities. Data breaches involve personal reputational and economical costs for management, could result in board reelection, and cause consumer dissatisfaction. We have recently learned the Yahoo! managers were not only sued for breach of fiduciary duties, but asked to answer to a Senate Committee. Moreover, Yahoo!’s General Counsel has resigned, there were “management changes,” and Marissa Mayer, Yahoo!’s CEO, didn’t receive her annual bonus for 2016. All of this in addition to the $350 million drop in the Verizon-Yahoo M&A consideration price. It follows that managers and directors alike should continue to consider cybersecurity from a corporate governance perspective, but instead of focusing on minimizing liability, they should inspire to enact cybersecurity “best practices,” as they do in other corporate related areas.
Introducing “Bug Bounty” Programs
As the economic, reputational and legal costs of data breaches grow rapidly, the practice of exposing cyber vulnerabilities and “bugs” has evolved from an internal quality assurance process to a booming industry: a “bug bounty economy” emerged. Governments and companies enact vulnerability rewards programs in which they pay millions to individual security experts worldwide for preforming adversarial research and exposing critical vulnerabilities, previously uncovered by the organizations internal checks and quality assurance. From cutting-edge Silicon Valley companies to traditional governmental organizations such as the Pentagon and the FTC: all are beginning to understand why we need the help of friendly hackers, as we face the big battle over who controls the vulnerability market. For regulators, Bug Bounty Programs allow the advantage of employing talent which they might not be able to recruit in traditional employment tracks and facilitates, as explained here, an additional cost-effective objective monitoring system, free of hierarchies and political boundaries.
The recent news about one of the biggest breaches in 2017, the Cloudflare breach (ironically termed “Cloudbleed”), discovered by Tavis Ormandy from Google’s Project Zero bug-hunting team, teaches us that even a small software bug, unattended, could result in great harm. The fact that this vulnerability was eventually exposed by a bug hunter, emphasizes that in cyber, as in all other source codes, “given enough eyeballs, all bugs are shallow.” This means that if we can invite every security researcher in the world, to join the “co-developer base,” bugs will be discovered and fixed faster. This is exactly what Bug Bounty Programs aim to do.
Bug Bounty Programs proactively invite security researchers from around the world to expose the company’s vulnerabilities in exchange for monetary and, sometimes more importantly, reputational rewards. If adequate report mechanisms are in place, Bug Bounty Programs could serve as an additional security layer, an external monitoring system, and provide management and directors with essential information concerning cyber vulnerabilities. Indeed, “[b]ug bounty programs are moving from the realm of novelty towards becoming best practice” – but they can also serve as a corporate governance best practice, by operating as an additional objective and independent report system for management. Naturally, this will require the company’s senior management and board to become more involved in the program, demand timely reports, and that direct communication channels will be established. This is an increased standard both in terms of resources as well as time, but in the context of million-dollar breach damages, these preventative actions are worth the price.
Recognizing the above advantages of Bug Bounty Programs by senior management and directors will further contribute to the “bug bounty ecosystem,” while strengthening companies’ corporate governance practices. Bug Bounty Programs provide the management with a relatively inexpensive yet effective independent monitoring system, that could potentially reduce D&O liability and corporate litigation risks, while boosting the overall cybersecurity safeguards of the corporation.
 See Why everything is hackable: Computer security is broken from top to bottom, The Economist (Apr. 7, 2017) http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security (explaining how technology, software development culture, economic incentives, governments divided interests and cyber-insurance, all fuel the vulnerabilities’ “circus”).
 For example, New York State Attorney General, Eric T. Schneiderman reported a 60% increase in data breaches affecting New York state residents in 2016. See Att’y Gen. Eric T. Schneiderman, A.G. Schneiderman Announces Record Number of Data Breach Notices for 2016, available at https://ag.ny.gov/press-release/ag-schneiderman-announces-record-number-data-breach-notices-2016.
 As of the end of 2016, the FTC brought over 60 cases related to information security against companies that were engaged in “unfair or deceptive” practices. See Fed. Trade Comm’n, Privacy & Data Sec. Update: 2016 (2016), available at https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2016/privacy_and_data_security_update_2016_web.pdf. For a recent, comprehensive analysis of the FTC efforts in this field (and others) see Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy ch. 8 (2016).
 As the Verizon-Yahoo! deal illustrates, data breaches could result in price reductions and renegotiations of M&As. Professor Steven Davidoff Solomon wan an early observer of this result of the Yahoo! breach, claiming on September 2016 that the data breach will give Verizon “significant leverage to renegotiate the price”. See Steven Davidoff Solomon, How Yahoo’s Data Breach Could Affect Its Deal With Verizon, N.Y. Times (Sep. 23, 2016), https://www.nytimes.com/2016/09/24/business/dealbook/how-yahoos-data-breach-could-affect-its-deal-with-verizon.html (discussing the relationship between data breaches and “material adverse change” (MAC) clauses).
 For example, yet another class action was filed against Yahoo! to the on February 7, 2017, following the major data breaches the company suffered from in 2016. See Steven Trader, Yahoo Hit With Another User Class Action Over Data Breach, Law360, (Feb. 8, 2017), https://www.law360.com/articles/889685/yahoo-hit-with-another-user-class-action-over-data-breach (Ridolfo v. Yahoo Inc., case number 3:17-cv-00619).
 A derivative lawsuit is brought by the shareholders on behalf of the company, seeking a remedy for injury that the company incurred. It allows shareholders to police directors and other mangers activities, but also requires that the shareholders will all exhaust available intracorporate remedies, such as demanding from the board to take action, as a procedural hurdle. The derivative lawsuit differs significantly from the direct shareholder suit, which seek remedy for injuries suffered by the shareholders themselves. See, e.g., Tooley v. Donaldson, Lufkin, & Jenrette, Inc., 845 A.2d 1031, 1033 (Del. 2004). Its noteworthy that in some cases, where fiduciary duties are breached not in “good faith,” D&O insurance will not cover such suits and directors couldn’t be indemnified for their legal costs.
 For a more academic survey, that reached similar conclusions, see Pierangelo Rosati et al., The effect of data breach announcements beyond the stock price: Empirical evidence on market activity, 49 Int’l Rev. Fin. Analysis 146 (2017), available at http://www.sciencedirect.com/science/article/pii/S1057521917300029 (surveying 74 data breaches of U.S. publicly traded firms, from 2005 to 2014, and reaching the conclusion that there is a positive short-term effect, but a quick return to normal market activity).
 Graham v. Peltz, 1:16-cv-1153 (S.D. Ohio Dec. 16, 2016).
 Its noteworthy that this Yahoo! claim focuses on “breach of fiduciary duty arising from the non-disclosure of data security breaches to Yahoo Inc.’s customers”, as opposed to failure to monitor security vulnerabilities. See Steven Trader, Yahoo Shareholders Sue Over Massive Data Breaches, Law360 (Feb. 21, 2017), https://www.law360.com/articles/893976?scroll=1 (Oklahoma Firefighters Pension and Retirement System v. Brandt, 2017-0133) (Del. Ch. Feb. 21, 2017).
 For a helpful review of the manner in which the directors’ “duty to monitor”, as articulated under Caremark, was applied in the Target and Wundham Shareholders’ derivative lawsuits, see Victoria C. Wong, Cybersecurity, Risk Management, and How Boards Can Effectively Fulfill Their Monitoring Role, 15 U.C. Davis Bus. L.J. 201 (2015).
 See In re Home Depot S’holder Derivative Litig., 2016 U.S. Dist. LEXIS 164841, at *16 (N.D. Ga. Nov. 30, 2016) (citing Lyondell Chem. Co. v. Ryan, 970 A.2d 235, 243-44 (Del. 2009) and noting that “[u]nder Delaware law, … directors violate their duty of loyalty only ‘if they knowingly and completely failed to undertake their responsibilities’” and that “in other words, as long as the Outside Directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty.”)
 Id. at *18.
 The boundaries of how the FTC reasonableness standard will be applied with respect to cyber security are still not clear, although the FTC releases statements regarding this standard. The newly initiated suit against D-link will probably shed some light in this respect. See Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (Jan. 5, 2017), https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate and Federal Trade Commission, Data Security, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security (last visited Mar. 3, 2017)
 Wong, supra note 10.
 Id. at 211–214.
 See Trader, supra note 9.
 See 1 Corporate Governance: Law & Practice § 1.03 (Amy L. Goodman & Steven M. Haas eds., 2016) (explaining that “many of the sources of guidance on corporate governance practices are not captured in rules and regulations but, rather, are set forth in statements, principles and white papers issued by bar associations, institutional investors, business groups and proxy voting advisory services, among others. These have come to be collectively referred to as recommended ‘best practices.’”).
 Cybersecurity Research: Addressing the Legal Barriers and Disincentives, https://www.ischool.berkeley.edu/sites/default/files/cybersec-research-nsf-workshop.pdf, at 5. See also Bugcrowd, The State of Bug Bounty – Bugcrowd’s second annual report on the current state of the bug bounty economy (June 2016), available at https://pages.bugcrowd.com/hubfs/PDFs/state-of-bug-bounty-2016.pdf, at 8. A comprehensive list of bug bounty programs, enacted by leading companies such as Google and Facebook, is available here: https://hackerone.com/bug-bounty-programs.
 Generally, Bug Bounty Programs generate value on multiple levels: They boost companies return on investment, when comparing the cost of employing highly qualified security researchers; they facilitate recruitment and talent acquisition; they produce a reputation value; and they create a positive impact on software development lifecycle. See, e.g., Keren Elazari, How hackers can be a force for corporate good, Financial Times (Apr. 10, 2017) https://www.ft.com/content/46b9e012-1de3-11e7-b7d3-163f5a7f229c.
 This is Eric Raymond’s famous “Linus Law,” one of open source culture corner stones, coined in Eric S. Raymond, The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary 19 (1999).
 Id. at 30.
 See also Jeff Stone, in an age of digital insecurity, paying bug bounties becomes the norm, The Christian Science Monitor (Aug. 12, 2016), http://www.csmonitor.com/World/Passcode/2016/0812/In-an-age-of-digital-insecurity-paying-bug-bounties-becomes-the-norm.