Safe data starts at top

In 2012, then FBI Director Robert Mueller warned, “There are only two types of companies: those that have been hacked, and those that will be.” Earlier this year, a federal court judge offered a more grim proclamation that the only two types of companies are “those that have been hacked and those that don’t know that they have been hacked.”

Data security poses a paramount strategic concern, requiring proactive leadership at the highest organizational levels. It is no longer a responsibility or task that can simply be delegated to IT personnel. Breaches can arise from a variety of circumstances such as a lost laptop, a hacker or an employee releasing confidential information.

An organization’s board of directors must recognize both internal and external risks to data security. The board should play an interactive role with management and key personnel in setting preventive and remedial data-security measures.

In particular, the board must pay close attention to the organization’s “crown jewels” within its digital data, the assets whose compromise would have particularly crippling impacts. The board must lead when facing the potential consequences of a breach, including reputational harm, adverse public relations, governmental enforcement actions and civil litigation that may result in class actions.

Proactive and consistent board leadership is vital, especially with myriad legislative and regulatory data-security requirements. For example, 47 states, including Rhode Island, have enacted cybersecurity laws, which may subject an organization to differing applicable obligations.

Under the recently enacted amendments to Rhode Island’s identity-theft-protection law taking effect on June 26, 2016, businesses, state and municipal agencies must implement a “risk-based information-security program.”

The organization must determine reasonable security procedures and practices consistent with the size and scope of the organization, the nature of its information and the purposes for which it collects the information.

The board should ensure that management conducts performance reviews and invokes disciplinary procedures, if necessary, to hold personnel accountable for their compliance with data requirements. The board must promote organizational continuity such that there will be no disruptions to cybersecurity upon the departures of key managers or IT personnel.

Although board members are not expected to become technical experts, they must have sufficient acumen to fulfill their expanding fiduciary duties relating to cybersecurity. For example, cybersecurity costs will require careful estimation and scrutiny in the organization’s budgetary planning.

Regarding procurements, the board should ensure that third-party engagements contain appropriate contractual clauses committing the vendor’s adherence to the organization’s cybersecurity controls. Also, the board should evaluate the suitability of the organization’s insurance, including the necessity of cybersecurity and D&O policies beyond general-liability coverage.

As a practical step, the board should require cybersecurity updates.

More than ever, cybersecurity must be an enterprisewide concern. The challenges will be vexing, as organizations utilize ever-expanding technological resources, including the cloud, Internet-connected devices as part of the “Internet of Things,” and employee use of personal and wearable devices.

Data breaches will not wait for board members to get up to speed on the causes and impacts.

Steven Richard is a business litigator at Nixon Peabody and co-editor of the firm’s Privacy Blog.