Expert Commentary

Yawning in the Face of Privacy Risks

Are executives bored with warnings that their companies' personal data and other digital assets are at risk? Apparently so.1 At the very least, a large number of executives seem unwilling to heed calls for their active involvement and oversight of privacy and security programs.


Cyber and Privacy Risk and Insurance
May 2012

This can be seen in the advanced findings of the 2012 Carnegie Mellon CyLab Governance of Enterprise Security report. The report includes a survey of major public corporations from the Forbes Global 2000 List. The finding: boards and senior management of the world's largest public companies are not exercising appropriate governance over the privacy and security of their digital assets.

How bad is it? When asked whether they get involved in the approval of roles and responsibilities of their company's privacy and information technology (IT) security programs, more than 66 percent of executives answered "Rarely or Never." Almost half of executives say that they "Rarely or Never" get involved with the review and approval of privacy and security policies.

Figure 1: Executive Involvement in Privacy and Security

These low numbers are not the result of executives delegating these responsibilities. Less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards. Moreover, the common practice of assigning security personnel both privacy and security responsibilities creates segregation of duties issues at line responsibility levels.

Industry Unprepared

Not surprisingly, the lack of executive involvement is reflected in the poor preparation of U.S. industry to protect privacy and security. On March 30, 2012, the U.S. Department of Homeland Security released its National Preparedness Report (the "Report"), which Presidential Policy Directive 8: National Preparedness requires. The Report describes the nation's progress (or lack thereof) in preparing for the threats and hazards to 31 core capabilities. The survey describes U.S. preparedness, showing the U.S. core capabilities ranked by average state/territory levels. A score of 100 percent would mean that all U.S. states and territories attained their desired capability levels. Figure 2 provides an overview of the Report's findings.

Figure 2: Preparedness Report

The number of cyber-attacks, including attempts to gain unauthorized access to information and attempts to compromise the integrity, availability, or confidentiality of systems, has increased significantly in the past several years. Last year alone, there were more than 26 million new strains of malware released into circulation. That is nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cybersecurity incidents or information breaches. Moreover, this serious problem may be subject to underreporting: only 50 percent of owners and operators at high-priority facilities participating in the Enhanced Critical Infrastructure Protection security survey said that they report cyber incidents to any external parties. This raises the question of how bad the situation really is, given that these figures reflect only the incidents that are reported.

Cybersecurity was the single core capability where states have made the least amount of overall progress, with an average capability level of 45 percent. On the positive side, most infrastructure protection stakeholders now identify cybersecurity as a priority issue for their programs. Eighty-one percent of respondents have adopted cybersecurity control frameworks and/or methodologies. On the negative side, however, 45 percent stated that they had not taken the basic step of establishing a formal risk management program. Sixty-six percent had not updated information security or disaster recovery plans in at least 2 years.

Management's Responsibilities

Recent breaches, together with lawsuits and enforcement actions, are forcing boards and executives to change how they govern personal information and other digital assets. At a minimum, businesses must ensure that they have robust processes and systems in place to protect privacy and security.

The Securities and Exchange Commission recently issued its Disclosure Guidance on Cybersecurity, which requires that public companies disclose the risks of cyber incidents if they materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. While this has limited or no application to privately held firms, it nevertheless codifies the importance of transparency of a company's cyber privacy and security practices. Officers and directors will not be able to meet their fiduciary responsibilities and compliance obligations if they are not exercising adequate governance over the privacy and security of their networks, computer systems, and data.

Direct Oversight

The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the United States, recognizes the importance of information security. It recommends four essential practices for boards of directors:

  1. Place information security and privacy on the board's agenda.

  2. Identify information security and privacy leaders, hold them accountable, and ensure support for them.

  3. Ensure the effectiveness of the corporation's information security policy through review and approval.

  4. Assign information security to a key committee and ensure adequate support for that committee.

ISO 27001: Management Commitment

Much like the NACD recommended practices, ISO 27001 sets out the elements of the commitment that management must make to an information security program. To pass the ISO 27001 certification, a company must provide evidence of management's commitment to the following:

  • Establishing policy
  • Ensuring plans and objectives are established
  • Establishing roles and responsibilities
  • Communicating the importance of security
  • Providing sufficient resources
  • Training
  • Competencies

It is not enough for a company just to establish these elements of an information security program. Management must also review the company's security plans at regular intervals, at least annually. And, while ISO 27001 is not a legally binding standard, it is accepted by industry as an appropriate standard for security. Executives who fail to meet industry standards for security and privacy are creating a risk of litigation for their companies—and for themselves.

Litigation Risks

Data breaches can expose companies to a wide variety of lawsuits, including class actions2 and shareholder derivative action3 lawsuits. Indeed, there has been a surge in liability lawsuits filed by parties against companies and boards for inadequate security/privacy safeguards. To date, however, private lawsuits attempting to hold businesses liable for injuries to consumers resulting from security breaches have been generally unsuccessful. Although there have been calls to apply common law theories of liability for security breaches,4 to date courts have generally been reluctant to impose such liability. The Federal Trade Commission (FTC), however, has grown increasingly active in pursuing claims and penalties against companies that it believes are responsible for not implementing reasonable measures to protect personal data from security breaches. The FTC has used its "Section 5"5 authority to file complaints against businesses that have experienced security breaches.

Conclusion

In April 2011, Sony suffered one of the largest ever Internet security break-ins when hackers stole millions of customers' personal information, including birth dates, email addresses, user names, passwords, log-ins, and security questions. These break-ins occurred just 2 weeks after Sony laid off a substantial number of security personnel responsible for protecting customer personal data. According to claims in one of the lawsuits it is facing, Sony made this reduction despite its awareness that the affected network faced serious security challenges.6 According to litigation filed in California, Sony spent "lavishly" to protect the security of its own data while failing to do so for customer data.7

The data breaches exposed Sony to a variety of lawsuits, including class actions. In addition, the security breach exposed Sony to enormous expense. It is projected that Sony's security breach could ultimately cost the company more than $1 billion.8 The breach also knocked more than 6 percent off the company's share price.9 Industry experts in Japan project that the breach will ultimately cost Sony 100 billion Japanese yen, or $1.25 billion, from lost business, various compensation, and brand damage.10

The Sony breach illustrates why board members and senior executives can no longer afford to simply assign these issues to IT for handling. Privacy and data security are serious issues requiring active board and executive involvement and guidance. They are no longer issues that boards and senior executives can ignore. Those companies and executives failing to take privacy and security seriously expose their companies—and themselves—to a variety of lawsuits and enforcement actions.

Perhaps expensive litigation and billions in damages will finally pique the interest of boards and senior executives. It may even wake them up.


1A 2009 study by the Ponemon Institute suggests that senior executives may be blissfully ignorant of privacy and cyber risks because they are not informed of the full extent of the data risks. See Andy Greenberg, "What CEOs Don't Know About Cyber Security," Forbes.com, July 13, 2009.

2A "class action" is a lawsuit that allows a large number of people with a common interest in a matter to sue or be sued as a group.

3A "derivative action" is a lawsuit brought by a corporation shareholder against the directors, management, and other shareholders of the corporation for a failure of management.

4See, e.g., Joel B. Hanson, "Liability for Consumer Information Security Breaches: Deconstructing FTC Complaints and Settlements," Washington Journal of Law, Technology & Arts 4 (May 23, 2008):11, FN. 15.

5Section 5 of the Federal Trade Commission Act (Act of Sept. 26, 1914, ch. 311, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. §§ 41–58 (1994))) prohibits "unfair methods of competition" and "unfair or deceptive acts or practices."

6Jaikumar Vijayan, "Sony 'cut corners' in protecting user data, lawsuit alleges," Computerworld.com, June 27, 2011.

7Dan Levine, "Sony laid off employees before data-breach lawsuit," Reuters.com, June 23, 2011.

8See Mary Helen Miller, "Sony data breach could be most expensive ever," The Christian Science Monitor (May 3, 2011).

9Juro Osawa, "As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill," The Wall Street Journal, Asia Technology (May 9, 2011).

10Id.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
