
HPW Blog

​The Georgia Business Judgment Rule Will Protect Officers and Directors in the Wake of a CyberSecurity Breach

     Serving as a director of a corporation is no easy task, and multiple aspects of the business demand a director’s attention. In this day and age, one of those areas is cybersecurity – a complex topic that many directors frankly do not know much about. A recent study found that twenty percent of directors lack confidence in their board’s understanding of the cybersecurity risk. See the NYSE and Spencer Stuart study, What Directors Think.

     In Georgia, if directors take adequate steps to inform themselves of cybersecurity risks and make cybersecurity decisions in good faith, the business judgment rule should protect them in suits filed against them for decisions made pertaining to cybersecurity. In FDIC v. Loudermilk, 761 S.E.2d 332 (2014), the Georgia Supreme Court addressed Georgia’s business judgment rule. The Court held that “the mere exercise by directors of poor judgment” is not sufficient to form a basis of liability. Officers and directors were held to owe only a “limited standard of care,” and under this limited standard, they could be sued for ordinary negligence based only on want of care “in the process by which they made a business decision … but not as to the wisdom of the judgment itself.” The business judgment rule provides a presumption that officers and directors engaged in the decision-making process in good faith and with due care. Thus, the business judgment rule in Georgia provides extensive protection for officers and directors. The officers and directors can be sued only for want of care in the process by which the challenged decision was made, and there is a presumption in their favor that they engaged in the process in good faith.

     See our post of January 26, 2015 referencing advice from the American Bar Association’s Business Law Section regarding steps officers and directors should take to inform themselves of cybersecurity risks.
