Transcription of DATA SECURITY AND DATA PRIVACY ISSUES FOR BUSINESS …
1 data SECURITY AND data PRIVACY ISSUES FOR BUSINESS CLIENTS. Lisa E. Underwood [B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.. SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber- Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014). data SECURITY and data PRIVACY have been the hot topic in the BUSINESS world for the last several years. With high profile data breaches impacting millions of customers across the globe, the BUSINESS that hasn't addressed the probability of not if but when the breach will occur has its head in the sand. There are multiple ISSUES this topic includes: the internet of things, storing data in the cloud, bring your own device (BYOD), PRIVACY notices on websites and data tracking. Should a company counterattack a hacker? Will there be a federal law on data breach notification?
2 All of those fascinating topics, and more, are beyond the scope of this paper. This paper will provide a primer on certain big picture ISSUES for boards of directors. data SECURITY and data PRIVACY ISSUES are not the responsibility of only the information technology department. Various BUSINESS functions, whether the BUSINESS is large or small, need to be involved. These typically include IT, the board of directors, legal, human resources, public relations, the CFO and the PRIVACY Officer. In addition, outside resources should be utilized when a BUSINESS is assessing its data SECURITY and data PRIVACY needs. For example, a cyber-insurance carrier should be consulted to determine what type of coverage is appropriate and to ensure the coverage is sufficient. Outside legal counsel may be necessary if in-house legal is not well versed in data PRIVACY matters. In addition, using outside counsel as soon as a breach occurs can assist in retaining the attorney-client privilege.
3 Prior to data breaches becoming a daily news event, some IT departments were having difficulty gaining buy-in from their board of directors regarding the importance of spending time and resources on data PRIVACY and SECURITY . As the horror stories of the Target, Sony, Anthem, and Home Depot breaches, to name a few, became daily topics of conversation, management came to appreciate that it is no longer an anomaly to have a breach but something to anticipate and even expect. If management needs additional encouragement to spend the time and resources on a good data PRIVACY and SECURITY analysis, IBM and Ponemon Institute conduct an annual study on the cost of data breach incidents in the United States, which is always eye opening. According to the May 2014 study, the average cost of each lost or stolen record containing sensitive information was $201 per compromised record. The average total cost paid by organizations with a data breach 2015 Wyatt, Tarrant & Combs, LLP.
4 The author would like to thank Martha Ziskind and Matt San Roman for their assistance with this Article. increased from $ million to $ million in Other interesting findings include the following: More customers terminated their relationship with a company that experienced a breach than in the prior year. Financial services industries are even more likely to have customers leave after a breach. The average abnormal churn rate between 2013 and 2014 increased fifteen percent.. Malicious or criminal attacks rather than negligence or system glitches were the main causes of data breaches. The cost of lost BUSINESS increased from $ million to $ million. Lost BUSINESS costs include a higher than average loss of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Malicious or criminal attacks cost more per record, at an average of $246 per record as opposed to an employee mistake, which costs an average of $161 per record.
5 BUSINESS continuity management in remediation reduces the cost of a breach. Having a strong SECURITY posture or incident response plan in place prior to the incident reduces the cost of a breach by $17 to $21 per record. Some factors increase the cost of a data breach. For example, notifying customers too quickly before forensics are complete increased the cost by an average $15 per record. 2. One of the high profile breaches of the last few years was Target, which provides data PRIVACY and SECURITY industry professionals with a number of valuable lessons. This paper will address a few of those lessons. The Chief Executive Officer of Target resigned in May 2014. During 2013 and 2014, Target spent a total of $252 million on the massive data breach it sustained in 2013. Even after receiving a total of $90 million in insurance proceeds, Target suffered a net total cost of approximately $162 million over those two years.
6 Practice Point #1 . buy adequate cyber insurance coverage relative to the size and scope of your BUSINESS (as discussed more below). On May 28, 2014, citing the data breach of November 2013, the proxy advisor Institutional Shareholder Services recommended Target replace seven of ten directors. ISS's recommendation and (unsuccessful) efforts demonstrate that shareholders are paying ever closer attention to this area. In addition, four derivative suits by shareholders have been filed, which assert that Target failed to take reasonable steps to maintain its customers' personal and financial information in a secure manner. The cases have been consolidated and are pending in the United States District Court for the District of The consolidated complaint alleges claims for breach of fiduciary duties, waste of corporate assets, gross mismanagement, and abuse of Specifically, the 1 Ponemon Institute Report 2014 Cost of data Breach Study: United States May 2014.
7 Page 1. 2 Ponemon Institute Report. Page 2. 3 Mary Davis, et al., v. Gregg Steinhafel, et al., No. 14-cv-00203 (D. Min. filed July 18, 2014). 2. complaint alleges that the Target board of directors and other officers failed to implement any internal controls designed to detect and prevent data breaches. In addition, the company aggravated the damages not only by failing to timely provide notice to consumers but also by making false statements that created a false sense of SECURITY for affected consumers. As a result, the complaint asserts that the board of directors recklessly disregarded their duties to Target and also breached their duties of loyalty and good Practice Point #2 boards need to demonstrate to their shareholders they are implementing adequate data protection procedures and actively monitoring and updating those procedures if they want to avoid D&O suits and potential liability. As additional background, practitioners should be aware of the difference between information SECURITY and information PRIVACY .
8 Information SECURITY is the protection of information in order to prevent loss, unauthorized access or misuse. Information SECURITY also involves the process of assessing threats and risks to information and procedures and controls to preserve confidentiality, integrity and Information PRIVACY is concerned with establishing rules that governing the collection and handling of personal FEDERAL AND STATE LAWS APPLY. A patchwork of both federal and state laws govern data PRIVACY and SECURITY ISSUES . If the BUSINESS is in a regulated industry, such as banking or health care, additional laws and regulators will come into play. This myriad of laws, with different reporting requirements, may conflict at times. As an example with respect to differences among the states, what actually constitutes a breach varies greatly. If a BUSINESS has a data breach involving customers in multiple states, the laws of each of those states must be complied with regarding, for example, notifying the customer of the breach.
9 The Federal Trade Commission ( FTC ) has authority to bring enforcement actions under Section 5 of the Federal Trade Commission Act against unfair and deceptive trade practices.. The FTC exercises this authority broadly against a variety of commercial entities, with certain exceptions for example, the financial services sector, to take a leading enforcement role in data breach situations. Often a company will enter into a consent decree with the FTC rather than proceed to trial. Normally, the consent decree includes a fine and specific actions the defendant must take and refrain from taking in connection with a data SECURITY and PRIVACY In 2012, FTC brought an enforcement action against Wyndham Worldwide Corporation after a series of data breaches. The FTC alleged that Wyndham and three of its subsidiaries failed to take adequate SECURITY measures to protect the personally identifiable information of over 600,000 customers in three breaches over two years.
10 The FTC claimed authority under the 4 Id. at 4. 5 Foundations of Information PRIVACY and data Protection, Peter P. Swire and Kenesa Ahmad p. 77-78. 6 Foundations of Information PRIVACY and data Protection, Peter P. Swire and Kenesa Ahmad p. 2. 7 Patricia Bailin, Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable PRIVACY and data SECURITY Practices, (Sept. 19, 2014), reasonable- PRIVACY -and- data - SECURITY -pra ctices/. This report provides an interesting analysis of FTC consent decrees. 3. unfairness prong of the FTC Act and utilized 15 45 to bring the enforcement action and seek remedies. The Wyndham case is interesting from several perspectives, namely that Wyndham is one of the first defendants to refuse to acquiesce to a consent decree andactually challenge the FTC's authority to bring enforcement actions under Section 5 in the data PRIVACY arena. DUTIES OF THE BOARD OF DIRECTORS. Under Kentucky corporate law, the statutory duty of care imposes on directors and officers the obligation to manage an entity in good faith, on an informed basis, and in a manner that they honestly believe to be in the entity's best A director or officer will be deemed to have acted on an informed basis if he acts with the care that an ordinarily prudent person would exercise in a like position in making inquiries into the BUSINESS and affairs of the entity or in regard to a particular action to be taken or decision to be The statute further provides that: (3) in discharging his duties a director shall be entitled to rely on information, opinions, reports, or statements, including financial statements and other financial data , if prepared or presented by: (a) One (1) or more officers or employees of the corporation whom the director honestly believes to be reliable and competent in the matters presented.
