By Tsutomu Johnson
Each year brings a data breach that affects more and more people. Each breach also brings larger fines for companies that failed to protect information. In an effort to evade regulatory fines and consumer wrath, companies have tried to address cybersecurity risks with varying results. Meanwhile, the $120 billion cybersecurity industry — eager to sow fear, uncertainty, and doubt — pushes an array of products to address cybersecurity risks, both real and imagined. Instead of purchasing gizmos, executive leadership should rely on legal counsel to help define their legal risks and draft policies and procedures that minimize the identified risks.
At first glance, it may seem odd to solve cybersecurity problems with lawyers, but regulators don’t care if a company spends thousands of dollars on cutting-edge cybersecurity technology. Regulators analyze whether the circumstances leading to a data breach violate state and national law. Accordingly, companies should understand their legal obligations to minimize their cybersecurity risks.
Cybersecurity legal obligations flow from corporate leadership’s fiduciary duty of care and loyalty; state, national and international law; and contractual obligations.
Executives and board members have a fiduciary duty of care and loyalty to the companies they serve. Failing to carry out those duties can expose executives and board members to personal — and potentially uninsurable — lawsuits. Under the duty of care, executives and board members must act on an informed basis, in good faith, and in the honest belief that their actions are in their company’s best interests. This means executives and board members must act reasonably when they assess information so they can protect the interests of shareholders. The duty of loyalty requires executives and board members to address reasonable risks to a company. In other words, executives and board members cannot reduce their cybersecurity liability by ignoring the problem.
State and national laws increasingly regulate how companies process information. On the state level, 48 states have data breach notification laws. Most of those laws simply explain how to notify individuals affected by a data breach. Some states go further. Utah, for example, requires “any person who conducts business in the state ... [to] implement and maintain reasonable procedures to: prevent unlawful use or disclosure of personal information. ...” In other words, operating without appropriate policies and procedures runs the risk of violating the law.
In the federal regulatory environment, organizations that work in industries such as healthcare, banking, insurance, finance and telecommunications face a plethora of cybersecurity obligations. For example, in the healthcare environment, federal law requires healthcare entities to implement specific privacy and security policies. Failing to do so can incur millions in fines, consumer anger and months of audits with disruptive regulators.
Another source of legal risk comes from contractual obligations. It’s a common business practice to draft service agreements insisting business partners comply with specific privacy and security laws. In the healthcare industry, health entities commonly require business partners to sign a business associate agreement, which creates an obligation to comply with federal privacy and security laws.
Once executives and board members understand their privacy and security obligations, their legal counsel should draft appropriate policies and procedures. At minimum, the policies should explain how the company governs privacy and security matters, the physical and technological security measures to prevent data breaches, and the incident response process.
With regard to governance, a designated executive should provide regular reports to the board about security assessment results, progress on addressing security matters, audits of the security system, privacy and security awareness campaigns and data breach incidents. Executives and board members should have an opportunity to review these items, recommend solutions and communicate regular privacy directives to employees. In line with the duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their duty of loyalty to the company.
Policies must set the company’s security framework for physical and technological security. There are numerous security frameworks to choose from, but the most common are ISO’s 27001 standard, the NIST Cybersecurity Framework, and the Center for Internet Security’s 20 Critical Controls. Of these standards, the Center for Internet Security’s 20 Critical Controls are the most approachable. They’re free, available online, and provide a reasonable level of protection without breaking the budget.
Finally, policies should flesh out an incident response process. Without it, companies can waste thousands of dollars without properly addressing incidents. The incident response process should designate an incident response coordinator who fills out an incident report, reports the incident to executives and works with various departments to resolve the incident. Critically, the process should incorporate legal counsel so counsel can protect matters discussed during the incident with the attorney-client privilege.
No company wants to lose its customers’ information. No company wants to pay a fine or lose business because of a data breach. Instead of buying gadgets to solve obscure cybersecurity problems, companies should engage legal counsel who can define the legal problem and draft policies and procedures to minimize risks.
Tsutomu Johnson is an attorney at Parsons Behle & Latimer who specializes in cybersecurity and privacy law. He has helped multinational organizations draft privacy and security policies, negotiated numerous privacy and security contracts, and helped hundreds of incident response teams respond to cybersecurity events.