Corporate investors, disgruntled staff and trade unions
could soon be able to hold IT directors on company boards
personally liable for their decisions. The decisions of IT leaders
who are not on the board could leave directors liable, legal
experts warned.
The government last week introduced the Company Law Reform Bill,
which for the first time gives individual shareholders and
investment institutions the right to sue directors for their
management decisions.
Kit Burden, partner at law firm DLA Piper, said IT directors
were already concerned about compliance with legislation such as
the Data Protection Act, Basel 2 and Sarbanes-Oxley, but these
risks were relatively easy to assess because they were enforced by
regulatory bodies.
Litigation from shareholders would be much less predictable,
said Burden. "Now, we open up the risk that an indeterminate number
of people [could sue]; you cannot account for all those
individuals' behaviours; they can be irrational and a lot have
their own agendas."
He warned that contentious decisions, such as outsourcing, could
be challenged by staff buying company shares in order to sue IT
decision makers personally. Even though many such claims would
fail, it could still be time-consuming, distracting and stressful
to defend them, he said.
Other legal experts agreed that shareholders might use the law
to sue directors, including those responsible for IT. "If damage to
the shares could be attributed directly to the IT director, lawyers
will see him or her as fair game," said Robert Bond, partner at law
firm Faegre & Benson. "It could be argued that an
ill-thought-out IT strategy was just as likely to be an act of
negligence."
National Computing Centre chief executive Michael Gough said if
IT directors were to face legal action it would be alongside others
on the board. "Most CIOs/IS directors will strive to make IT
decisions a shared responsibility, and seek to carry their board
with them," he said.
"Legislation of this type, despite its negative connotation,
could reinforce this behaviour and have the benefit of improving
the relationship between IT and the business. Boards will have to
be more diligent in the documentation of their rationale for their
decisions, citing clear business reasons for their actions."
The new legislation could also provoke greater interest in IT
strategy from auditors, said Bond. "Given that the auditor now has
the opportunity to limit their liability [to shareholders], they
might view IT risks in the same way as financial risks."
He said IT directors should also ensure there is an audit trail
for IT investment decisions.