Good chief executive officers pay close attention to every aspect of the business they are charged with running, from yesterday’s sales and production numbers, to the look and feel of next winter’s advertising campaign. As well they should: After all, the board, shareholders, employees and even the public hold the CEO accountable for the success or failure of the entire enterprise.
Yet the number of malicious and accidental data leaks and privacy abuse scandals seems to be expanding exponentially. Just in the past few days, organizations ranging from the neurology department of Massachusetts General Hospital in Boston to the Mastercard operation in Germany and Capital One in the U.S. experienced breaches.
The reasons behind the various incidents are being exposed through corporate announcements, government filings and investigative reporting. So, it is becoming apparent to us as data security and privacy attorneys that under all of the technical or operational reasons lies one essential fact: Too few CEOs and boards of directors are taking ownership of both their company’s policies and procedures and how the business responds when the unthinkable happens.
Some Things CEOs Cannot Delegate
“That’s why we have an IT department,” seems to be the attitude of many in the corner office. “It’s their job to deal with data security.”
In the days when protecting information mostly meant keeping viruses from infecting the servers, this sort of hands-off delegation was acceptable. It was the job of IT. But as Facebook and Equifax have discovered, not only are incidents front-page news but the company’s brand can suffer even more than the size of the fines and class action lawsuits.
As a result, it is increasingly important for both CEOs and members of the board to take ownership of how their company protects its data. It is distressing that a survey published earlier in 2019 in Corporate Board Member magazine found that less than half of public company directors thought their meetings spent enough time on security and privacy matters.
There are five broad questions each CEO and director needs to be asking in this area.
1 – What data do we hold? This is a basic who, what, where and why question. If the head of the company doesn’t know what information it has or who is responsible for protecting the data on a daily basis, then the company won’t be able to respond quickly when there is an incident. Having a good grasp on the information environment inside a business is not only good in the event of a breach or incident, it also enables the CEO to direct a response to the legal and regulatory requirements that come into play.
2 – What threats exist to the data we hold? Identifying and addressing any vulnerable security spots provides the basis for knowing the likelihood of a breach or incident occurring, as well as the potential damage that may result if one threatens a critical system. Obtain information on what steps are in place to assess and deal with these risks. The details on implementing the resulting policy can be given to IT, but the person in charge needs to set the priorities.
3 – Who uses our data? In a broad sense, the chief executive must know which vendors and others outside the company have access to the data, why they need it and how they use it. We recommend to our clients that they have a written agreement with every outside party that details their responsibility if a breach or other incident occurs. The agreement should require the third party to indemnify the company if they were responsible for whatever caused a breach. The CEO also needs to be assured by IT that vendors are maintaining their own security controls.
4 – How do we control data access? The military and intelligence agencies have used a “need to know” approach to security for a century. Only employees who need to have access to data necessary for them to do their jobs should be given access to it. It is the CEO’s job to ensure that threats are minimized. As a matter of policy, access needs to be limited even if it is up to IT and department heads to implement the policy.
5 – How are we protecting our information? The chief executive doesn’t need to know the details, but he or she does need to ask what steps the company takes to secure its data, especially if the information is being sent to any outside third parties or even carried outside the company by employees on their devices. There is one basic question to ask: Is all of our data encrypted? If the answer is no, then make sure there is a valid reason. Just as important, encryption is often treated as a safe harbor under the breach notification laws of some jurisdictions.
Controlling Expanding Risks
The number of ways in which data and privacy can be compromised seems endless. For instance, in August 2019, Palo Alto, California’s Unit 42 security function reported that it found very few businesses are doing much to protect security in the cloud.
At the same time, all of the Big Tech firms say they are joining the Confidential Computing Consortium to help with security issues as businesses move into the cloud and edge computing.
Every CEO has countless issues, problems and opportunities filling their desk every day. But with business being conducted electronically, the risks are real and a chief executive owes it to their employees and shareholders to mitigate the risks as much as possible.
This means asking questions and getting solid answers.
If you are a CEO or general counsel and want to have a conversation about ways to control data security and privacy risks in your organization, please call. We’ve worked in this area for a long time and can help you develop an appropriate strategy and take the necessary steps such as setting internal policies and drafting agreements with third party entities that have access to your information.