By Daniel J. Solove
Privacy and cybersecurity have become issues that should be addressed at the board level. No longer minor risks, privacy and cybersecurity have become existential issues. The costs and reputational harm of privacy and security incidents can be devastating.
Yet not enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cybersecurity. But only 14% of them stated that they were actively involved.
According to another survey last year, “32.5% of boards do not receive any information about their organization’s cybersecurity posture and activities whatsoever, and of the 55% that do receive regular reports, 19% receive reports only annually.”
Mounting Pressures on Boards to Become More Involved
Boards are increasingly facing shareholder lawsuits. In 2014, Target directors and officers were sued in 4 shareholder derivative lawsuits. There was a lawsuit against Wyndham for its breach, as well as a suit against TJX Companies, Inc.
Other companies such as Heartland Payment Systems and ChoicePoint have faced lawsuits for securities fraud in connection with data breaches. According to a very informative piece by Jon Talotta, Michelle Kisloff and Christopher Pickens (all at Hogan Lovells):
The shareholders challenge not only the directors’ and officers’ conduct before the data breach, alleging their misconduct allowed the data breach to happen, but also challenge their conduct following discovery of the data breach, asserting the directors and officers acted improperly in the way they disclosed, investigated, and remediated the data breach.
Consider Palkon v. Holmes et al., No. 2:2014cv01234 (D.N.J. 2014), where Wyndham shareholders sued the board of directors for refusing to respond to a letter they sent to the board to investigate data breaches and remedy the harm. The court dismissed the case because the plaintiffs could not demonstrate gross negligence — that “the Board acted with so little information that their decision was unintelligent and unadvised.” The court noted that “Board members had already discussed the cyber-attacks at fourteen meetings from October 2008 to August 2012” and the board’s “Audit Committee discussed these same issues in at least sixteen committee meetings during this same time period.”
As the risk of privacy and security incidents grows more severe and more salient in the news, the standards for appropriate action by boards of directors will likely evolve, and the actions boards need to take will increase. Boards can no longer sit idle in the face of these risks and do nothing.
Last summer, SEC Commissioner Luis Aguilar said in a speech about cybersecurity:
Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.
What Should Boards Do?
A recent report by the Institute of Internal Auditors Research Foundation, Cybersecurity: What The Board of Directors Needs To Ask, provides 6 great questions that Board members should address:
- Does our organization use a security framework?
- What are our top 5 risks (ranging from the proliferation of BYOD and smart devices to the outsourcing of critical business processes to third parties)?
- How are we educating our employees about their roles related to cybersecurity?
- Are both external and internal threats considered when planning/monitoring our cybersecurity program?
- How is security governance managed within our organization?
- In the event of a serious breach, has management developed a robust response protocol?
The American Hospital Association has a report, Cybersecurity and Hospitals: What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response, that also contains a useful set of questions:
- Does the hospital have a cybersecurity plan in place that covers all aspects of cybersecurity, not just those associated with personal health information? If so, generally, what is that plan?
- Who in the executive leadership has responsibility for cybersecurity? Is the same person in charge of responding to cyber incidents?
- When will the board be notified about cybersecurity intrusions or breaches, consistent with the escalation policy? Who will be notified?
- Is there a particular board committee that is responsible for cybersecurity? How often will it be briefed on cybersecurity matters? How often will the full board be briefed?
- Does the hospital’s current insurance cover cybersecurity incidents? If so, is the coverage sufficient? If not, is cybersecurity insurance warranted?
- Has hospital leadership considered whether to implement the NIST Cybersecurity Framework and what the benchmarks would mean for the hospital and its approach to risk management?
The 4 A’s that Boards Should Strive For
The questions above are useful, but I think it is valuable to take a step back and look broadly at what a board should do. I’ve come up with a list of 4 things – and I managed to make each conveniently begin with the letter A:
Awareness and Assessment of the Risks. The board of directors should make itself aware of the risks and make sure that risks are being identified and assessed. The board must stay informed and up-to-date on these issues.
Accountability. The board of directors should ensure that there are officials who are responsible for dealing with these risks and that these officials have the power and support they need to effectively do their jobs. The board should make it known that it is committed to minimizing these risks and will provide the necessary support and leadership to do so. And the board should be informed and involved when there is an incident.
Adequate Resources. The board of directors should ensure that adequate resources are being devoted to addressing the risks. There must be sufficient staffing for privacy and security. There must be training of the workforce because every employee plays a role in preventing incidents. There must be appropriate administrative, physical, and technical safeguards. All of these things will not be possible or effective without adequate resources.
Advance Planning. The board of directors should ensure that there are adequate plans in place in the event of an incident. The board should look into cyber insurance. The board should have a PR plan and ensure the relevant officials are trained to handle the media and regulatory attention that an incident will likely bring.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.