Are executives bored with warnings that their companies' personal data and other digital assets are at risk? Apparently so.[1] At the very least, a large number of executives seem unwilling to heed calls for their active involvement and oversight of privacy and security programs.
This can be seen in the advanced findings of the 2012 Carnegie Mellon CyLab Governance of Enterprise Security report. The report includes a survey of major public corporations from the Forbes Global 2000 List. The finding: boards and senior management of the world's largest public companies are not exercising appropriate governance over the privacy and security of their digital assets.
How bad is it? When asked whether they get involved in the approval of roles and responsibilities of their company's privacy and information technology (IT) security programs, more than 66 percent of executives answered "Rarely or Never." Almost half of executives say that they "Rarely or Never" get involved with the review and approval of privacy and security policies.
Table: Executive Involvement in Privacy and Security (share of executives answering "Rarely or Never" for each best management practice)
Board reviews and approves top-level policies on privacy and IT security risks
Board reviews and approves roles and responsibilities of lead personnel responsible for privacy and IT security
Board reviews and approves annual budgets for privacy and IT security programs
Board regularly receives reports from senior management regarding privacy and IT security risks
These low numbers are not the result of executives delegating these responsibilities. Less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards. Moreover, the common practice of assigning security personnel both privacy and security responsibilities creates segregation of duties issues at line responsibility levels.
Not surprisingly, the lack of executive involvement is reflected in the poor preparation of U.S. industry to protect privacy and security. On March 30, 2012, the U.S. Department of Homeland Security released its National Preparedness Report (the "Report"), which Presidential Policy Directive 8: National Preparedness requires. The Report describes the nation's progress (or lack thereof) in preparing for the threats and hazards to 31 core capabilities. It ranks the U.S. core capabilities by the average capability level attained across states and territories; a score of 100 percent would mean that all U.S. states and territories attained their desired capability levels. Figure 2 provides an overview of the Report's findings.
Figure 2: Preparedness Report (core capabilities shown include Public Health and Medicine; Threats and Hazard Identification; Screening, Search, and Detection; and Physical Protective Measures)
The number of cyber-attacks, including attempts to gain unauthorized access to information and attempts to compromise the integrity, availability, or confidentiality of systems, has increased significantly in the past several years. Last year alone, there were more than 26 million new strains of malware released into circulation. That is nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cybersecurity incidents or information breaches. Moreover, this serious problem may be subject to underreporting: only 50 percent of owners and operators at high-priority facilities participating in the Enhanced Critical Infrastructure Protection security survey said that they report cyber incidents to any external parties. This raises the question: if only half of these operators report their incidents at all, just how bad is the real picture?
Cybersecurity was the single core capability in which states had made the least overall progress, with an average capability level of 45 percent. On the positive side, most infrastructure protection stakeholders now identify cybersecurity as a priority issue for their programs. Eighty-one percent of respondents have adopted cybersecurity control frameworks and/or methodologies. On the negative side, however, 45 percent stated that they had not taken the basic step of establishing a formal risk management program. Sixty-six percent had not updated their information security or disaster recovery plans in at least 2 years.
Recent breaches, together with lawsuits and enforcement actions, are forcing boards and executives to change how they govern personal information and other digital assets. At a minimum, businesses must ensure that they have robust processes and systems in place to protect privacy and security.
The Securities and Exchange Commission recently issued its Disclosure Guidance on Cybersecurity, which requires that public companies disclose the risks of cyber incidents if they materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. While this has limited or no application to privately held firms, it nevertheless codifies the importance of transparency of a company's cyber privacy and security practices. Officers and directors will not be able to meet their fiduciary responsibilities and compliance obligations if they are not exercising adequate governance over the privacy and security of their networks, computer systems, and data.
The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the United States, recognizes the importance of information security. It recommends four essential practices for boards of directors:
Place information security and privacy on the board's agenda.
Identify information security and privacy leaders, hold them accountable, and ensure support for them.
Ensure the effectiveness of the corporation's information security policy through review and approval.
Assign information security to a key committee and ensure adequate support for that committee.
ISO 27001: Management Commitment
Much like the NACD recommended practices, ISO 27001 sets out the elements of the commitment that management must make to an information security program. To achieve ISO 27001 certification, a company must provide evidence of management's commitment to the following:
Ensuring plans and objectives are established
Establishing roles and responsibilities
Communicating the importance of security
Providing sufficient resources
It is not enough for a company just to establish these elements of an information security program. Management must also review the company's security plans at regular intervals, at least annually. And, while ISO 27001 is not a legally binding standard, it is accepted by industry as an appropriate standard for security. Executives who fail to meet industry standards for security and privacy are creating a risk for litigation for their companies—and for themselves.
Data breaches can expose companies to a wide variety of lawsuits, including class actions[2] and shareholder derivative action[3] lawsuits. Indeed, there has been a surge in liability lawsuits filed by parties against companies and boards for inadequate security/privacy safeguards. To date, however, private lawsuits attempting to hold businesses liable for injuries to consumers resulting from security breaches have been generally unsuccessful. Although there have been calls to apply common law theories of liability for security breaches,[4] to date courts have generally been reluctant to impose such liability. The Federal Trade Commission (FTC), however, has grown increasingly active in pursuing claims and penalties against companies that it believes are responsible for not implementing reasonable measures to protect personal data from security breaches. The FTC has used its "Section 5"[5] authority to file complaints against businesses that have experienced security breaches.
In April 2011, Sony suffered one of the largest ever Internet security break-ins when hackers stole millions of customers' personal information, including birth dates, email addresses, user names, passwords, log-ins, and security questions. These break-ins occurred just 2 weeks after Sony laid off a substantial number of security personnel responsible for protecting customer personal data. According to claims in one of the lawsuits it is facing, Sony made this reduction despite its awareness that the affected network faced serious security challenges.[6] According to litigation filed in California, Sony spent "lavishly" to protect the security of its own data while failing to do so for customer data.[7]
The data breaches exposed Sony to a variety of lawsuits, including class actions. In addition, the security breach exposed Sony to incredible expense. It is projected that Sony's security breach could ultimately cost the company more than $1 billion.[8] The breach also knocked more than 6 percent off the company's shares.[9] Industry experts in Japan project that the breach will ultimately cost Sony 100 billion Japanese yen, or $1.25 billion, from lost business, various compensation, and brand damage.[10]
The Sony breach illustrates why board members and senior executives can no longer afford to simply assign these issues to IT for handling. Privacy and data security are serious issues requiring active board and executive involvement and guidance. They are no longer issues that boards and senior executives can ignore. Those companies and executives failing to take privacy and security seriously expose their companies—and themselves—to a variety of lawsuits and enforcement actions.
Perhaps expensive litigation and billions in damages will finally pique the interest of boards and senior executives. It may even wake them up.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
[1] A 2009 study by the Ponemon Institute suggests that senior executives may be blissfully ignorant of privacy and cyber risks because they are not informed of the full extent of the data risks. See Andy Greenberg, "What CEOs Don't Know About Cyber Security," Forbes.com, July 13, 2009.
[2] A "class action" is a lawsuit that allows a large number of people with a common interest in a matter to sue or be sued as a group.
[3] A "derivative action" is a lawsuit brought by a shareholder of a corporation against the directors, management, and other shareholders of the corporation for a failure of management.
[5] Section 5 of the Federal Trade Commission Act (Act of Sept. 26, 1914, ch. 311, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. §§ 41–58 (1994))) prohibits "unfair methods of competition" and "unfair or deceptive acts or practices."