Corporate investors, disgruntled staff and trade unions could soon be able to hold IT directors on company boards personally liable for their decisions. The decisions of IT leaders who are not on the board could leave directors liable, legal experts warned.
The government last week introduced the Company Law Reform Bill, which for the first time gives individual shareholders and investment institutions the right to sue directors for their management decisions.
Kit Burden, partner at law firm DLA Piper, said IT directors were already concerned about compliance with legislation such as the Data Protection Act, Basel 2 and Sarbanes-Oxley, but these risks were relatively easy to assess because they were enforced by regulatory bodies.
Litigation from shareholders would be much less predictable, said Burden. "Now, we open up the risk that an indeterminate number of people [could sue]; you cannot account for all those individuals' behaviours; they can be irrational and a lot have their own agendas."
He warned that contentious decisions, such as outsourcing, could be challenged by staff buying company shares in order to sue IT decision makers personally. Even though many such claims would fail, it could still be time-consuming, distracting and stressful to defend them, he said.
Other legal experts agreed that shareholders might use the law to sue directors, including those responsible for IT. "If damage to the shares could be attributed directly to the IT director, lawyers will see him or her as fair game," said Robert Bond, partner at law firm Faegre & Benson. "It could be argued that an ill-thought-out IT strategy was just as likely to be an act of negligence."
National Computing Centre chief executive Michael Gough said if IT directors were to face legal action it would be alongside others on the board. "Most CIOs/IS directors will strive to make IT decisions a shared responsibility, and seek to carry their board with them," he said.
"Legislation of this type, despite its negative connotation, could reinforce this behaviour and have the benefit of improving the relationship between IT and the business. Boards will have to be more diligent in the documentation of their rationale for their decisions, citing clear business reasons for their actions."
The new legislation could also provoke greater interest in IT strategy from auditors, said Bond. "Given that the auditor now has the opportunity to limit their liability [to shareholders], they might view IT risks in the same way as financial risks."
He said IT directors should also ensure there is an audit trail for IT investment decisions.