- Cybersecurity Duties of Private Organization Governing Boards and Management
- April 23, 2015
- Law Firm: Fred L. Somers Jr. P.C. - Atlanta Office
- Cybersecurity may be defined as “whether and how electronic data and systems are protected from attack, loss, or other compromise.” The United States does not currently have a comprehensive law dealing with data security similar to the Data Protection Directive used by the European Union. Instead, the Federal Trade Commission (“FTC”) supplements industry-specific legislation with its authority under Section 5 of the Federal Trade Commission Act. Section 5 states the FTC has the authority to investigate “unfair or deceptive acts or practices in or affecting commerce.” The FTC has used Section 5 to pursue investigations of “unfair” or “deceptive” data security and privacy practices, usually relying on the “deception” aspect more so than claims of “unfairness.”
Several pieces of federal legislation have been introduced but not yet passed by Congress. To avoid a Section 5 violation, the FTC suggests that organizations adopt a “privacy by design” strategy, offer simplified choices for businesses and consumers about their data, and allow greater transparency of practices. The privacy by design principle encourages companies to consider potential privacy and data security issues at every stage of organization product, or service development. Furthermore, two applied principles support the baseline privacy by design guidance: Organizations should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
Organizations should maintain comprehensive data management procedures throughout the life cycle of their products and services.
In 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework). Notwithstanding the NIST Framework is not a regulation or official standard of care, one expert has expressed the notion it will likely become a “de facto standard of care” through case law and public opinion”. The NIST Framework is one place where a court may look when considering whether a company exercised a standard of care. Though the Framework may not be “dispositive,” it will likely be “influential” in such decisions. In a sense, the Framework may serve as a “gap-filler” for the piecemeal collection of laws that currently relate to cybersecurity concerns.
Feedback to the Framework indicates that closing gaps in cybersecurity risk and Internet provider management identified through the use of the Framework is especially challenging for organizations that do not have existing cybersecurity programs. At the same time, some smaller and medium companies are productively using the Framework to identify and manage their cybersecurity risks. One small rural telephone and Internet provider told participants that his information technology staff was initially concerned that the Framework would be a burden. They weren’t engaged, he reported, “Until we realized that we can use the Framework as a way of helping to guide how we do things, rather than as an additional thing to do.” He later added, “When we focused it down to one, two or three items we were trying to make some improvements on, with associated references, we found that actually very helpful.
NIST publishes a cybersecurity framework (CSF) reference tool available on the web. It may be downloaded either in MS Windows or Apple OS X. This software is not subject to copyright protection and is in the public domain.
The NIST CSF reference tool is a FileMaker runtime database solution. It represents the Framework Core which is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions - Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.
The CSF Reference Tool allows the user to browse the Framework Core by functions, categories, subcategories, informative references, search for specific words, and export the current viewed data to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.
Organizations are using the Framework in a variety of ways. Many users have found the Framework helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. The Framework core mappings are being used to demonstrate alignment with standards, guidelines, best practices, and, in some cases, to regulatory requirements. The Framework is also being used as a strategic planning tool to assess risks and current practices.
Some organizations used the Framework to benchmark performance; others explicitly avoided applying the Framework in this way. Those who considered benchmarking detrimental were considering its use as a means of comparing between organizations. Generally, those who favored use of the Framework for benchmarking were largely focused on measurement within their own organization.
While some ambiguity exists within the Framework and CSF Reference Tool, NIST is endeavoring to improve its coherency and efforts are underway to make the Tool a more user friendly software. One priority will be to develop and disseminate information and training materials that advance use of the Framework, such as actual or exemplary illustrations of how organizations of varying sizes, types, and cybersecurity capabilities can practically employ the Framework to make themselves more secure.
Needless to say, in the interim, all private organizations, even smaller ones such as voluntary mutual benefit organizations, e.g., trade associations and private clubs, need to implement cybersecurity measures to protect confidential data pertaining to their members, employees and trade secrets. The CSF Reference Tool is among the few present resources that yield guidance to this process.
Takeaways from the foregoing include the following:
- 1. Directors and management must be mindful of their fiduciary duty to protect the organization’s trade secrets and privacy of their members and employees. If a cybersecurity incident occurs, an organization’s governing board and management will need to be able to prove they have met their duty for safeguarding company assets. A cybersecurity incident has been defined as an occurrence that actually or potentially results in adverse consequences or poses a threat to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences. A protocol to fulfill this duty should be a part of an effective cybersecurity plan.
- 2. Management should address disclosure obligations and appropriate communications. Training employees on effective internal and external communication before a cybersecurity incident occurs and during the incident can prevent escalating troublesome issues further. Early attention and training on communicating factually without speculation and establishing channels for seeking assistance can serve an organization well and reduce costly remedial efforts.
- 3. The organization should participate in public-private partnerships and law enforcement Interactions. Industry and government forums for sharing threat information, response strategies, and cybersecurity best practices can be a useful part of a company’s cybersecurity program. However, there should be a strategy for organization participation and training for individuals involved in the computer related activities to reduce risk and avoid conflicts with clients or government authorities.
- 4. The organization should assess the regulations relevant to its circumstances, including federal and state-level data security and breach notification laws. However, avoid overinvesting in “check- the-box” compliance efforts that may hinder more effective cybersecurity measures.
- 5. The organization should appoint or identify legal counsel to become familiar with the security program and legal issues potentially raised by its implementation. These individuals should be prepared to bring any policy issues or potential legal risks to senior management or the board.
- 6. Management with the aid of counsel can help prevent escalation of an cybersecurity incident to a crisis by helping guide sessions to prepare the company with a plan of action for incident response. Identify key internal and external resources for managing incident response, consider involving senior management in a tabletop exercise, and consider in advance what legal issues are implicated during an incident.
- 7. Vendor/supplier contracts and obligations to members can both implicate cybersecurity-related risk. Create a due diligence checklist and approach to cybersecurity issues, review contractual provisions, and review the vendor oversight program to integrate cybersecurity risk considerations into approach.
- 8. Effectively Use Insurance. Insurance can be a valuable way to protect an organization and its governing board, officers and managers. However, the exclusions and conditions of the insurance policy should be examined carefully before purchasing it. Notwithstanding, cybersecurity insurance products have improved since their first introduction to the market over a decade ago, some policies may have undesirable or overly restrictive conditions or exclusions.
- 9. Monitor and Strategically Engage in public policy. Stay informed of developing policy standards, engage in advocacy via industry associations, and engage in conversations on key issues so that policymakers and industry leaders are aware of company positions and concerns.
The company’s board should set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility. In some cases, a risk committee, executive/operating committee or the audit committee will be given the oversight charge.
Some audit committees may need better information about the company’s processes, and they should leverage that information to understand what oversight is necessary. They should understand whether management has the right people and processes in place.
The audit committee’s action plan will depend on the company’s level of maturity in managing security risks. It may require more attention and time in sectors where these risks and the potential for damages are highest, such as financial services institutions.
Depending on the circumstances, some boards of directors may want to consider bringing someone with a deep understanding of IT issues onto the board or audit committee.
Audit committees should inquire about the state of specific security programs and then ask for benchmarks. They should also ask for an explanation of the measures that are in place to prevent or detect attacks.
Practical examples of data leaks occur frequently in the use of smart phones, tablets and personal laptops use by employees in the course of their employment duties. Failure to periodically change pass codes, properly secure pass codes and preclude access to sensitive data except for those persons with a need to know, are but few of the measures to enhance data security. The recent media frenzy over Hillary Clinton’s personal laptop contents containing sensitive U.S. government data is a lesson all organizations should be mindful of in prohibiting the storage of sensitive organizational data on personal laptops, tablets or smart phones.
What is needed by all private organizations possessing confidential and sensitive data is a roadmap or checklist of the matters to be periodically audited. Also, the audit committee or persons responsible for running the checklist should be monitored to ensure their adherence to the established data security procedures and currency with the cybersecurity protocols being advocated by the experts.
The NIST Handbook addresses this issue by breaking down computer-based security controls into three functions: technical controls, management controls, and operational controls. While an IT unit could manage the technical subset, other controls require procedures, training, and risk assessments for an organization based on the types of information and risks involved.
As most trade associations, private clubs and other mutual benefit organizations harbor sensitive date respecting their members, employees and trade secrets, it is a primary duty of the governing board and management to see the persons serving in the cybersecurity auditing function are properly trained and employing the appropriate procedures as approved by the board.
If for example, the organization is in possession of social security or taxpayer identification numbers or credit card information respecting its members and employees, then the auditors need to confirm the organization is adhering to principles and regulations addressing the security of this data. A primer “Protecting Personal Information: A Guide for Business” is available for this purpose from the Federal Trade Commission website.
In summary, organization governing boards and management need to focus on protecting the organization’s and its members’ and employees’ sensitive and private data. This data in the wrong hands may result in disastrous legal consequences for the organization and the persons whose data has been compromised.