Inside: Communications with boards of directors regarding privacy and information security governance
General counsel have a unique role in crafting the organizational response to recent headlines and to the increasing privacy and information security risk facing organizations and their boards of directors.
February 10, 2014 at 03:00 AM
11 minute read
The original version of this story was published on Law.com
The previous articles in this series suggested ways in which a general counsel might develop a positive working relationship with the chief information officer (CIO) and offered guidance on establishing a data governance committee to ensure responsibility, accountability and sustainability of data practices.
This article focuses on how general counsel can communicate with the board of directors. Specifically, we will look at the key considerations for a board as the organization establishes data governance.
General counsel should be prepared to assist the board by evaluating the degree of risk and harm, recommending when to retain outside experts to educate the board, helping establish oversight of this risk at the appropriate committee or director level of the board, and reviewing the insurance coverage that could be required in the event of a critical or material loss of the organization's data.
Determining the degree of risk or harm
Only after a complete risk assessment and a comprehensive understanding of the data environment is the time right to speak with the board about the relative degree of risk or harm. Unfortunately, in the context of risk management, there is no "one size fits all" approach.
The primary reason for a preliminary determination of the risk is to weigh appropriately the degree of harm that might result from a failure to mitigate it. For example, if a compromise of the organization's security controls leads to a loss of critical data that has a material impact on the organization's profitability and forces a restatement of earnings, or worse, causes catastrophic financial loss leading to bankruptcy, the consequences for individual board members who failed to address the risk could be grave.
Conversely, an organization whose value does not depend directly on the maintenance of its data assets may warrant a treatment of the risk that is smaller in scope and more modest in oversight.
Recommendations for outside experts
General counsel should be prepared to identify the circumstances under which the board needs outside experts to assist in decision making related to privacy and information security risk. Although internal experts in these areas may exist within the organization, there should be independent technical advice for areas that present material risks to the organization.
For example, depending on how the internal reporting structure is organized, there may be difficulties in establishing unfiltered and direct communication to the board on these issues. If the individuals primarily responsible for information security report to the CIO, who in turn reports to the chief operating officer (COO), there is a risk that important information will not reach the board directly or independently.
Most importantly, outside experts can educate individual board members and assist them in carrying out their fiduciary obligations by helping them determine the appropriate level of inquiry on information security matters affecting the organization. General counsel may also recommend and help select additional board members with technical backgrounds, which may make outside advisors unnecessary.
Board oversight of the risk
General counsel should be prepared to offer guidance on board oversight and board ownership of privacy and information security governance. Specifically, the board should determine where responsibility for oversight of information security issues resides: with an independent director, a committee of the board, or a similarly empowered group with designated oversight responsibility.
Once this determination is made, the board should consider how it will review reporting on information security issues. Depending on the degree of risk of harm being reported, the board may need more frequent updates, closed sessions to evaluate sensitive findings, or the involvement of outside counsel. Careful thought and planning should be given to preserving the attorney-client privilege and to the application of the business judgment rule when evaluating the risk of harm.
Review of cyber insurance and D&O insurance
General counsel should be involved in the review of insurance coverage for cyber liability and of coverage for claims against directors and officers in the event of a material loss of data. The specific policies in place, their coverage limits and their exclusions should be carefully understood and evaluated frequently by the board.
Depending on the risk of harm evaluation, current coverage may need to be updated or changed to further protect the organization. Unless the organization is self-insured, the general counsel should consider attending meetings between the organization's risk management function and its insurance broker to make certain the risk is properly understood.
Given the changing nature of these risks, insurance coverage should be reviewed quarterly, and the market for new insurance products related to cyber security risk should be closely monitored.
Conclusion
General counsel have a unique role in crafting the organizational response to recent headlines and to the increasing privacy and information security risk facing organizations and their boards of directors. A small degree of preparation in advance of a massive data breach or loss can have a significant impact when managing a catastrophic risk to the organization. The earlier the organization confronts these issues, the greater the likelihood of having a strong, credible and defensible program in place to manage these risks when they arise. To the extent organizations fail to address these risks, they will have to answer to a very long list of affected individuals, regulators, plaintiffs' counsel and shareholders.