In a recently published article, Gary Clayton of Privacy Compliance Group, Inc., asks: “Are executives bored with warnings that their companies’ personal data and other digital assets are at risk?”
The answer, according to a 2009 study by the Ponemon Institute published on Forbes.com, is “Apparently so.”
A recent survey of corporations on the Forbes Global 2000 list finds that boards and senior management are not governing the privacy and security of their digital assets. More than 66% of executives “Rarely or Never” get involved in approving the roles and responsibilities of their company’s privacy and information technology security programs.
Executive Involvement in Privacy and Security
Less than two-thirds of the companies surveyed have full-time personnel in the key roles responsible for privacy and security, as accepted best-practice standards call for. Also raising a concern is the practice of assigning security personnel both privacy and security responsibilities, which creates segregation-of-duties issues at that level of responsibility.
Cyber-attacks have increased significantly in the past several years. Approximately two-thirds of U.S. firms report that they have been victims of cybersecurity incidents or information breaches, and studies suggest that incidents are under-reported. Adam Vincent, CTO for the public sector at Layer 7 Technologies (a security services provider to federal agencies, including Defense Department organizations), describes the problem:
“The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It’s no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly….”
Recent breaches and lawsuits, along with enforcement actions, are making boards and executives take note of how they need to govern personal information and other digital assets. Officers and directors who are not exercising governance over the privacy and security of their networks, computer systems, and data are not meeting the standard for fiduciary responsibility and compliance.
The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the United States, recognizes the importance of information security. It recommends four essential practices for boards of directors:
- Place information security and privacy on the board’s agenda.
- Identify information security and privacy leaders, hold them accountable, and ensure support for them.
- Ensure the effectiveness of the corporation’s information security policy through review and approval.
- Assign information security to a key committee and ensure adequate support for that committee.
ISO 27001: Management Commitment
Much like the NACD recommended practices, ISO 27001 sets out the elements of the commitment that management must make to an information security program. To pass the ISO 27001 certification, a company must provide evidence of management’s commitment to the following:
- Establishing policy
- Ensuring plans and objectives are established
- Establishing roles and responsibilities
- Communicating the importance of security
- Providing sufficient resources
It is not enough for a company just to establish these elements of an information security program. Management must also review the company’s security plans at regular intervals, at least annually. Executives who fail to meet industry standards for security and privacy are creating a risk for litigation for their companies—and for themselves.
Data breach litigation can come in the form of a wide variety of lawsuits, including class actions and shareholder derivative actions. There has been a surge in liability lawsuits filed against companies and boards for inadequate security and/or privacy safeguards. To date, private lawsuits attempting to hold businesses liable for injuries to consumers have been generally unsuccessful. However, the Federal Trade Commission (FTC) is growing increasingly active in pursuing claims and penalties against companies it believes are not implementing reasonable measures to protect personal data from security breaches.
In April 2011, Sony suffered one of the largest Internet security break-ins ever when hackers stole millions of customers’ personal information, including birth dates, e-mail addresses, user names, passwords, log-ins, and security questions. These break-ins occurred just 2 weeks after Sony laid off a substantial number of the security personnel responsible for protecting customer personal data. According to claims in one of the lawsuits it is facing, Sony made this reduction despite its awareness that the affected network faced serious security challenges. According to litigation filed in California, Sony spent “lavishly” to protect the security of its own data while failing to do so for customer data.
The data breaches exposed Sony to a variety of lawsuits, including class actions. In addition, the security breach exposed Sony to enormous expense. It is projected that Sony’s security breach could ultimately cost the company more than $1 billion. The breach also knocked more than 6 percent off the company’s share price. Industry experts in Japan project that the breach will ultimately cost Sony 100 billion Japanese yen, or $1.25 billion, in lost business, various compensation, and brand damage.
The Sony breach illustrates why board members and senior executives can no longer afford to simply hand these issues to IT for handling. Privacy and data security are serious issues requiring active board and executive involvement and guidance. They are no longer issues that boards and senior executives can ignore. Companies and executives that fail to take privacy and security seriously expose their companies—and themselves—to a variety of lawsuits and enforcement actions.
Perhaps expensive litigation and billions in damages will finally pique the interest of boards and senior executives. It may even wake them up.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author’s employer, IRMI or Roach Howard Smith & Barton. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.