Inside: Communications with boards of directors regarding privacy and information security governance

A look at the key considerations by a board as the organization establishes data governance

The previous articles in this series suggested ways in which a general counsel might develop a positive working relationship with a chief information officer (CIO), and offered guidance on establishing a data governance committee to ensure responsibility, accountability and sustainability of data practices.

This article focuses on how general counsel can communicate with the board of directors. Specifically, we will look at the key considerations for a board as the organization establishes data governance.

General counsel should be prepared to assist the board by evaluating the degree of risk and harm, and by making specific recommendations in three areas: the retention of outside experts to educate the board; the placement of oversight of this risk at the appropriate committee level or director level of the board; and the review of insurance coverage that could be required in the event of a critical or material loss of the organization’s data.

Determining the degree of risk or harm

The time to speak with the board about the relative degree of risk or harm is only after a complete risk assessment and a comprehensive understanding of the data environment have been obtained. Unfortunately, in the context of risk management, there is no “one size fits all” approach.

The primary reason for a preliminary determination of the risk is to appropriately weigh the degree of harm that might result from a failure to mitigate the risk. For example, if a compromise of the organization’s security controls leads to a loss of critical data that has a material impact on the profitability of the organization and leads to a restatement of earnings, or worse, to catastrophic financial loss and bankruptcy, the consequences for individual board members who failed to address the risk could be grave.

In the alternative scenario, an organization whose value is not directly determined by the maintenance of its data assets may take a different view of the risk, warranting an approach smaller in scope and more modest in oversight.

Recommendations for outside experts

General counsel should be prepared to identify under which circumstances the board needs outside experts to assist in decision making related to privacy and information security risk. Although internal experts in these areas may exist within the organization, there should be independent technical advice for areas that present material risks to the organization.

For example, depending on how the internal reporting structure is organized, there may be difficulties in establishing unfiltered and direct communication to the board on these issues. If the individuals primarily responsible for information security report to the CIO, who in turn reports to the chief operating officer (COO), there is a risk that important information may not reach the board directly or independently.

Most importantly, outside experts can educate individual board members and assist them in carrying out their fiduciary obligations relative to the appropriate level of inquiry on matters related to information security affecting the organization. General counsel may also recommend and help select additional board members with technical backgrounds, which may make outside advisors unnecessary.

Board oversight of the risk

General counsel should be prepared to offer guidance in the area of board oversight and board ownership of privacy and information security governance. Specifically, the board should determine where responsibility for oversight of information security issues resides. The board should determine whether these areas are the responsibility of an independent director, a committee of the board or a similarly empowered group with designated oversight responsibility.

Once this determination is made, the board should consider how it will review reporting on issues related to information security. Depending on the degree of risk of harm being reported, the board may need more frequent updates, closed sessions to evaluate sensitive findings, or the involvement of outside counsel. Careful thought and planning should be given to maintaining the attorney-client privilege, to the application of the business judgment rule, and to how the risk of harm is evaluated.

Review of cyber insurance and D&O insurance

General counsel should be involved in the review of insurance coverage for cyber liability and of coverage for claims against directors and officers in the event of a material loss of data. The specific policies in place, their limits and their exclusions should be carefully understood and evaluated frequently by the board.

Depending on the risk of harm evaluation, current coverage may need to be updated or changed to further protect the organization. Unless the organization is self-insured, the general counsel should consider attending any meetings between the organization's risk management function and its insurance broker, to make certain the risk is properly understood.

Given the changing nature of these risks, insurance coverage should be reviewed quarterly, and the market for new insurance products related to cyber security risk should be closely monitored.

Conclusion

General counsel have a unique role in crafting the organizational response to the recent headlines and to the increasing privacy and information security risk facing organizations and their boards of directors. A small degree of preparation in advance of a massive data breach or loss could have a significant impact when managing a catastrophic risk to the organization. The earlier the organization confronts these issues, the greater the likelihood of having a strong, credible and defensible program in place to manage these risks when they arise. To the extent organizations fail to address these risks, they will have to answer to a very long list of affected individuals, regulators, plaintiffs’ counsel and shareholders.
