Aug 31, 2005

Cybersecurity

Failure to safeguard customer and corporate data poses serious risks that warrant board attention.

Without doubt, the ability to digitize data allows companies to be more productive and facilitates information sharing among strategic partners. However, danger lurks as critical data and systems silently interact through internet connections. 

Data in cyberspace are continuously under siege. Hackers around the world mount daily attacks while skilled sentries defend company data banks against potential security breaches. Reports about these ongoing skirmishes hardly ever filter to the board, but when data are hacked, lost or accessed inappropriately, the reverberations resound at the board level and blast through media outlets. 

With disclosure now mandated for security breaches in nearly 20 US states, and overarching prospective federal legislation in hot debate, information security warrants intensified board scrutiny. A cybersecurity breach compromising customer records can damage a company’s reputation, thereby eroding customer trust and confidence. Should company earnings and stock price decline following a data breach, board members might find themselves dealing with serious fallout, including shareholder lawsuits. 

A growing problem

Since the CrossPoint incident in February 2005, data breaches appear to be rampant. We’ve heard about a lost backup tape at Bank of America and compromised passwords at LexisNexis. Hacking at CardSystems Solutions, the largest intrusion so far, reportedly exposed some 40 million records. 

But this rash of breaches may not signal a rising trend. ‘It doesn’t mean there’s been truly an extraordinary number of breaches recently, it just means we’re now getting notification of such breaches,’ comments Lisa Sotto, partner at Hunton & Williams LLC. Sotto references recent disclosure legislation. ‘In 2003, California enacted Senate Bill 1386. SB 1386 was the first law in this country requiring companies to notify consumers of security breaches when their personal data was accessed by an outside person,’ she states. 

According to Sotto, no copycat legislation came on the scene until 2005. ‘We know about these things now and therefore we’re seeing a much more significant effect, in stocks dropping, for example,’ Sotto says. ‘At CrossPoint, I think the number was something like 12 or 13 percent after their security breach, and other companies have experienced similar stock plunges.’ 

‘Some boards are now forming privacy committees to focus on this issue,’ continues Sotto, who believes it’s wise for directors to be proactive. ‘If there’s a significant security event, the legal liability alone will not cause as much financial damage as the loss of reputation because that will also affect whether customers and consumers are willing to do business with you in the future.’ 

Security intrusions raise questions about how companies safeguard third-party data. ‘Companies take great care protecting their trade secrets and their intellectual property,’ states Jennifer Granick, executive director of Stanford Law School’s Center for Internet and Society. ‘The problem we have today is that companies haven’t been taking great care of data belonging to third parties because it’s not their data. But they should be concerned because customers are going to know companies were negligent with this data.’ 

A legal minefield

According to Sotto, legal activity is already mounting. ‘We’re seeing class-action lawsuits. We’re seeing shareholder suits. We’re seeing action in at least one case by the SEC, action by the FTC and action by state attorneys general.’ 

‘Without strong and clear evidence that a firm is consciously trying to protect itself, it is setting itself up for future lawsuits and liabilities if it is found to be negligent in its information practices,’ comments Lee McKnight, associate professor of information studies at Syracuse University’s School of Information Studies. 

Cybersecurity poses big risks. Since data are not considered ‘tangible property,’ their loss or destruction no longer falls within the definition of property in property insurance policies. ‘There’s been a whole market that’s developed in the insurance industry to specifically address the first- and third-party losses associated with cyber-incidents,’ says Tracey Vispoli, vice president and global fidelity manager at Chubb & Sons. 

Cyber-insurance policies may provide coverage for third-party claims like invasion of privacy or negligent disclosure of consumer or confidential information. But what happens when a company’s reputation is tarnished, when it’s not seen as a secure place to do business? Some cyberpolicies provide for companies to hire a public relations firm for damage control following a cyber-incident. However, as Vispoli affirms, ‘You can’t buy insurance to restore your reputation.’ 

Avoiding risk

One way to minimize cybersecurity problems, along with potential reputation fallout and directors’ and officers’ lawsuits, is to have an ironclad, continuously monitored and updated data security program. Chris Voice, vice president of technology at Entrust, a security software company, says if he were a board member he would want the data-protection framework for his firm to include ‘clear responsibilities,’ ‘a comprehensive program’ and ‘a mechanism that allows for independent evaluation and reporting on how the organization is performing against the requirements of its information security program.’ 

‘A chain is only as strong as the weakest link,’ cautions Travis Witteveen, vice president of North American operations for F-Secure, a global security company. ‘So if I’m going to build a heavy security system, but my customers as well as suppliers have a much weaker system and can pass into my network and into my data, then all of a sudden my security investments don’t equal out to those two points.’ 

‘Board members must also consider the information supply chain and identify possible points of vulnerability, and proactively remediate,’ adds McKnight. ‘Just as one does a financial audit of prospective business partners, so too boards must also carefully consider the safe information handling practices of the [supplier] or their absence.’ 

McKnight recommends ‘empowering’ the chief information officer or chief technology officer to provide short but regular board briefings to ensure that directors understand how information security risks are being addressed and if any safeguards are lacking. Given the ‘very reasonable concerns of board officers for liability,’ McKnight believes that adoption of such practices ‘would demonstrate clearly that the board had acted with due care and deliberation.’

Carolyn Iglesias

Carolyn Iglesias is a freelance writer specializing in finance. She has worked at the American Stock Exchange, Citibank and United Water.