When Target suffered its recent data security breach, the top headlines focused on how the personal information of up to 70 million individuals was compromised and that key leadership departed as a result. Looking one level deeper, another notable headline that has received less attention is how the Federal Trade Commission (FTC) is investigating the breach and may use its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices, to bring an enforcement action based on the company’s data security policies.
As the Target case demonstrates, the role that policies and procedures play within an organization has evolved from an internal control into a statutorily required component of many financial services organizations. In addition to the increased attention focused on developing policies and procedures that comply with legal requirements, regulatory agencies have emphasized the role that a board of directors must have in overseeing an organization’s overall risk management program, including participation in the development of policies and procedures.
Increased regulatory scrutiny
Regulatory agencies have increasingly adopted a holistic approach to supervision, focusing not only on the outcome, such as a data security breach or strict compliance with a regulatory requirement, but also on the internal controls an entity uses to comply with legal requirements.
The potential exposure from an allegation that an entity’s policies and procedures are unfair or deceptive may prompt many in-house attorneys to include their board in the ongoing risk management process. Those not yet persuaded need only consider the clear mandate from several federal regulatory agencies to involve the board in the assessment and management of risk, whether arising out of a statutory requirement or an operational decision to use a vendor. Many agencies view the board as the group of individuals who are ultimately responsible for an entity’s policies and procedures.
Board and management oversight is a required element of an entity’s compliance management system. For example, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau (CFPB) and state attorneys general observed that several mortgage servicers lacked adequate policies and procedures, and that many of the policies that did exist showed significant weaknesses in risk management, quality control, audit and compliance practices. As a result, the new Mortgage Servicing Rules under the Real Estate Settlement Procedures Act require servicers to adopt policies and procedures concerning borrower interaction and loss mitigation review. Further, many CFPB consent orders have found that the supervised entity’s board and senior management exercised ineffective oversight and control over the compliance process. A common element of these consent orders is a requirement for the entity to submit periodic reports to the board or a committee of the board.
The FTC’s strategy towards Target is also not without precedent. In 2012, the FTC filed a complaint against Wyndham Hotel Group alleging that the company failed to maintain “reasonable and appropriate” data security to protect consumers’ personal information, which resulted in unauthorized access to that data. The FTC asserted that Wyndham represented that it used standard industry practices to safeguard customer data, yet in reality engaged in practices that “unreasonably and unnecessarily” exposed personal data.
The U.S. District Court for the District of New Jersey recently denied Wyndham’s motion to dismiss, finding the FTC has authority to enforce the unfairness standard in a data security context. Although the court did not address the merits of the case, this ruling may prompt an increase in FTC enforcement activity based on a company’s policies and procedures. It may also increase the number of actions initiated by consumers that assert a violation of state law if an organization’s internal policies and procedures produce a result that is characterized as an unfair or deceptive act or practice.
Using a risk-based approach, regulatory agencies expect a board to approve entity-wide policies to manage risk, review and approve certain plans, and review the ongoing results of testing compliance with existing policies and procedures. Within what is generally referred to as a “compliance management system,” an effective board must clearly communicate its expectations and engage in the ongoing management of compliance risks and issue resolution. Delegating the compliance function is reasonable, but the board cannot remove itself from this process based on the belief that a designated compliance officer has sole responsibility.
While senior management and a business sponsor may retain primary responsibility for the development of organizational policies and procedures, this process cannot operate in a vacuum independent of the board.