Yawning in the Face of Privacy Risks

Industry Unprepared

Not surprisingly, the lack of executive involvement is reflected in the poor preparation of U.S. industry to protect privacy and security. On March 30, 2012, the U.S. Department of Homeland Security released its National Preparedness Report (the "Report"), which Presidential Policy Directive 8: National Preparedness requires. The Report describes the nation's progress (or lack thereof) in preparing for the threats and hazards to 31 core capabilities. The survey describes U.S. preparedness, showing the U.S. core capabilities ranked by average state/territory levels. A score of 100 percent would mean that all U.S. states and territories attained their desired capability levels. Figure 2 provides an overview of the Report's findings.

The number of cyber-attacks, including attempts to gain unauthorized access to information and attempts to compromise the integrity, availability, or confidentiality of systems has increased significantly in the past several years. Last year alone, there were more than 26 million new strains of malware released into circulation. That is nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cybersecurity incidents or information breaches. Moreover, this serious problem may be subject to underreporting: only 50 percent of owners and operators at high-priority facilities participating in the Enhanced Critical Infrastructure Protection security survey said that they report cyber incidents to any external parties. This leads to the question, just how bad is it if this is all that are reporting these incidents?

Cybersecurity was the single core capability where states have made the least amount of overall progress, with an average capability level of 45 percent. On the positive side, most infrastructure protection stakeholders now identify cybersecurity as a priority issue for their programs. Eighty-one percent of respondents have adopted cybersecurity control frameworks and/or methodologies. On the negative side, however, 45 percent stated that they had not taken the basic step of establishing a formal risk management program. Sixty-six percent had not updated information security or disaster recovery plans in at least 2 years.

Management's Responsibilities

Recent breaches, together with lawsuits and enforcement actions, are forcing boards and executive to change how they govern personal information and other digital assets. At a minimum, businesses must ensure that they have robust processes and systems in place to protect privacy and security.

The Securities and Exchange Commission recently issued its Disclosure Guidance on Cybersecurity, which requires that public companies disclose the risks of cyber incidents if they materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. While this has limited or no application to privately held firms, it nevertheless codifies the importance of transparency of a company's cyber privacy and security practices. Officers and directors will not be able to meet their fiduciary responsibilities and compliance obligations if they are not exercising adequate governance over the privacy and security of their networks, computer systems, and data.

Direct Oversight

The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the United States, recognizes the importance of information security. It recommends four essential practices for boards of directors:

1. Place information security and privacy on the board's agenda.
2. Identify information security and privacy leaders, hold them accountable, and ensure support for them.
3. Ensure the effectiveness of the corporation's information security policy through review and approval.
4. Assign information security to a key committee and ensure adequate support for that committee.

ISO 27001: Management Commitment

Much like the NACD recommended practices, ISO 27001 sets out the elements of the commitment that management must make to an information security program. To pass the ISO 27001 certification, a company must provide evidence of management's commitment to the following:

• Establishing policy
• Ensuring plans and objectives are established
• Establishing roles and responsibilities
• Communicating the importance of security
• Providing sufficient resources
• Training
• Competencies

It is not enough for a company just to establish these elements of an information security program. Management must also review the company's security plans at regular intervals, at least annually. And, while ISO 27001 is not a legally binding standard, it is accepted by industry as an appropriate standard for security. Executives who fail to meet industry standards for security and privacy are creating a risk for litigation for their companies—and for themselves.

Litigation Risks

Data breaches can expose companies to a wide variety of lawsuits, including class actions ² and shareholder derivative action ³ lawsuits. Indeed, there has been a surge in liability lawsuits filed by parties against companies and boards for inadequate security/privacy safeguards. To date, however, private lawsuits attempting to hold businesses liable for injuries to consumers resulting from security breaches have been generally unsuccessful. Although there have been calls to apply common law theories of liability for security breaches, ⁴ to date courts have generally been reluctant to impose such liability. The Federal Trade Commission (FTC), however, has grown increasingly active in pursuing claims and penalties against companies that it believes are responsible for not implementing reasonable measures to protect personal data from security breaches. The FTC has used its "Section 5" ⁵ authority to file complaints against businesses that have experienced security breaches.

Conclusion

In April 2011, Sony suffered one of the largest ever Internet security break-ins when hackers stole millions of customers' personal information, including birth dates, email addresses, user names, passwords, log-ins, and security questions. These break-ins occurred just 2 weeks after Sony laid off a substantial number of security personnel responsible for protecting customer personal data. According to claims in one of the lawsuits it is facing, Sony made this reduction despite its awareness that the affected network faced serious security challenges. ⁶ According to litigation filed in California, Sony spent "lavishly" to protect the security of its own data while failing to do so for customer data. ⁷

The data breaches exposed Sony to a variety of lawsuits, including class actions. In addition, the security breach exposed Sony to incredible expense. It is projected that Sony's security breach could ultimately cost the company more than $1 billion. ⁸ The breach also knocked off more than 6 percent of the company's shares. ⁹ Industry experts in Japan project that the breach will ultimately cost Sony 100 billion Japanese yen, or $1.25 billion, from lost business, various compensation, and brand damage. ¹⁰

The Sony breach illustrates why board members and senior executives can no longer afford to simply assign these issues to IT for handling. Privacy and data security are serious issues requiring active board and executive involvement and guidance. They are no longer issues that boards and senior executives can ignore. Those companies and executives failing to take privacy and security seriously expose their companies—and themselves—to a variety of lawsuits and enforcement actions.

Perhaps expensive litigation and billions in damages will finally pique the interest of boards and senior executives. It may even wake them up.