04 Dec Internet law: 12 questions for board oversight of data privacy and security
A forthcoming WISCONSIN LAWYER article, titled “Board Oversight of Information Technology, Data Privacy and Data Security: The New Imperative,” will discuss why boards of directors must provide greater oversight of information technology projects, data privacy, and data security practices than in the past.
That article also provides practical suggestions for how boards should organize and prepare for that enhanced role, and proposes a dozen questions to ask senior management in order to identify data privacy and security needs and what to do about them. This column explores those questions in greater detail.
1. To what extent is senior management involved in data protection issues?
Companies get more of what they emphasize and measure. If senior management does not show personal concern for data privacy and security, they are unlikely to be, or remain, a priority for other managers and staff. Moreover, data privacy and security cannot exist in an organization where varying policies and procedures are applied to the same data in different areas. Data adequately secured by one department, but compromised by another, is compromised, not secure. Someone at the top must enforce consistency. And information technology projects are notoriously prone to breaking budgets, arriving late, and falling short of expectations. Hands-on management by senior personnel of any major initiative is essential.
2. Is management confident that it is aware of the latest data security threats and is implementing the best available technical and procedural solutions?
“Security” is not a destination or a state of being, but a journey. As technology changes and threats morph, the enterprise must update its response. Many Federal Trade Commission complaints allege that a company failed to use long-available, well-recognized, and easily implemented security procedures, or failed to respond to well-known threats. Companies must keep up-to-date today, tomorrow, and thereafter.
3. Has responsibility for data security been clearly assigned?
Having one person responsible overall for data privacy and security, and including that responsibility in a written job description, focuses the effort. If responsibility is dispersed among a CIO, CTO, CFO, database administrator, HR manager, trainers, etc., the likelihood of having a well-conceived and effective system diminishes greatly. Requiring that responsible person to report directly to the Board or its Technology Oversight Committee on a regular basis is a best practice that enables the Board to measure effort against outcomes and judge the quality of the company’s personnel.
4. Have the company’s data assets been successfully attacked?
The board should understand what threats the company has faced and how well it dealt with them. If the company has failed in the past, great effort is required. If the company has successfully thwarted past attacks, it must remain vigilant. The number, nature, and scope of past attacks will help identify where risks are greatest and where scarce resources should go.
5. Are data privacy and security considered an integral part of all new business processes?
Many failures occur because existing data are made available in new ways. Sometimes successful existing policies or practices are not implemented in new circumstances, such as the creation of new databases, network restructuring or expansion, or enterprise resource planning system implementation. Problems often arise where new business is acquired or merged, or a new distribution channel (e.g., e-commerce) opens. Data privacy and security need to be considered in each of these circumstances. Moreover, if privacy and security are not fully integrated into the everyday business processes, then they will be forgotten, ignored, or defeated.
6. Has the company identified and complied with all applicable regulatory and contractual obligations for data privacy and security?
There are hundreds of state and federal laws pertaining to some aspect of data privacy or security. These laws typically apply to specific kinds of data (e.g., health care), particular industries (e.g., financial services), or activities (e.g., website data collection). However, broad general rules apply too, such as the FTC’s prohibition of unfair and deceptive practices. Many companies also have employees or customers in other countries, and must comply with the broad data privacy and security rules in effect there.
Companies receiving data from others likely have contractual privacy and security obligations. Do company managers actually know what these contracts require? Has the company made good decisions about how to implement the potentially varying requirements of myriad contracts in a single, integrated, effective, and affordable manner? These issues must be addressed on a comprehensive and continuous basis.
7. Has the company assessed its data breach risks and established effective procedures for its operations and contractual requirements for business partners?
What will the company do if it discovers a data security breach? Suppose software placed on company servers by a hacker is transferring confidential personal information, money, or intellectual property outside the company? What if the laptop of a public company’s CFO is stolen two weeks before SEC filings are due, with complete sets of non-public, unencrypted financial data? Does the company have a response plan? Will law enforcement be called in? Will systems be shut down or allowed to operate? Who will take charge? Whom will you notify? What will the company say to regulators, data subjects, customers, suppliers, and the public? What is the timetable? Does the company have continuity plans if data are rendered unavailable? What technical and legal advisers will you need? “Who ya gonna call? Ghostbusters?”
8. What are the greatest data security risks faced by the company?
Since security is a process that never ends, there is always more that can be done, but too few resources and too little time to do everything possible. The company must prioritize its efforts based upon the greatest risks of breach and the greatest risks of loss. The board should make sure that the right strategic resource allocation decisions are made.
9. Does the company have adequate insurance for data security risks?
A data privacy or security breach may cause many kinds of losses, such as: loss of access to, corruption of, or destruction of data; publication of trade secrets or other loss of intellectual property; regulatory fines; litigation expenses; breach notification and reporting expenses; business interruption and lost profits; contract breach damages; consulting or internal technology resource expenditures to correct data security practices or to restore or repair systems and data collections; etc.
Few of these losses, if any, would be covered by a standard property-casualty insurance policy. Even the computer-related policies written since the mid-1990s would not cover many of these potential losses. New policy forms do exist to insure these kinds of risks, but many companies do not have them. Companies must identify their potential data risks and make sure that they have the appropriate kinds and amounts of coverage.
10. Are all employees trained to recognize data use limits, security threats, and how to respond to them?
Having a privacy and security policy without adequate training is potentially worse than having no policy at all. If employees are not trained to recognize appropriate limits to the use of data, they will abuse it or permit others to access and use it beyond appropriate limits. Most data security breaches involve careless practices by ordinary employees, inconsistent data privacy and security practices, or some form of “human engineering” whereby an unauthorized person persuades a gatekeeper to reveal information or permit unauthorized access. Training, assessment, and updating are crucial to avoiding these problems and ensuring that unauthorized activity is identified and reported promptly. Yet many organizations train only occasionally, if at all, and do not audit compliance with privacy and security policies. Boards should insist that appropriate training and assessment practices are designed and implemented, and that all employees are trained, and retrained, on an ongoing basis.
11. Has the company minimized the collection, use, and dissemination of potentially sensitive data?
If I do not collect or cannot access sensitive data, I cannot misuse it, lose it, or corrupt it. Requiring that all collection, use, and dissemination of potentially sensitive data be limited to those who truly need it will eliminate many risks at little cost.
12. Has the company understood its contractual obligations and aligned its data handling and security practices with those obligations?
Many contracts will require that your company employ specified data privacy and security practices or meet certain standards. European law requires such provisions where personally identifiable information will be processed by someone other than the entity that initially collects the data. Do line managers, technology managers, and others know what the company’s contracts require it to do? Does the company have policies and procedures in place that are aligned with these requirements? If a contract requires the company to maintain specific privacy and security standards for data accessible to vendors, does the company have appropriate contractual provisions in its contracts with those third parties? Does the company have the right to audit compliance by its vendors and business partners? Does it have the ability to exercise that right? Does it ever do so? Does it know how to do an effective internal or external data privacy and security audit?
Data security is a journey, not a destination. But, as the Chinese proverb says, “the journey of a thousand miles begins with a single step.” Asking these twelve questions is the all-important first step for a Board of Directors seeking to provide greater oversight of data privacy and security practices. They are but a starting point. The answers, or in some cases, the lack of answers, will provide fertile ground for deeper questions and investigations.
This article previously was published in Internet Business Law Services.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC.
WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.