Recently at a conference I had the honor to be on a panel discussing security and privacy. I was asked to start with the following question: What should we be telling the board of directors about security and privacy? Given the current general state of cyber security I would be tempted to say “Boys and girls you are so screwed!” But seriously, I can condense what the board must know into two main points: 1) Your organization must have written policies and procedures to reasonably detect and mitigate cyber security incidents, and; 2) Don’t let your technical staff decide what level of risk your organization is to accept.
Written policies and procedures
It is no longer acceptable to hire “smart” people who are supposed to design and implement your organizational defenses. Doing so assumes that the staff you hire really is smart enough and that it is even possible to completely secure the organization information. They aren’t and they can’t. Every security decision is a balance between usability and security. Perfectly designed security is to simply make the information no longer available to anyone at anytime. Obviously, that isn’t going to work or you would be out of business. You must assume that at some point there is going to be unauthorized access to information. If this is information for which you have a contractual or statutory duty to protect, then your organization will have breached its contract or broken some law or regulation. It will not help you to simply tell them “But we hired the smartest people!” There is something that could help, something that might even relieve you of all liability. If you can show that you had the policies and procedures to detect and mitigate reasonable methods of unauthorized access and that no one could have stopped such an unauthorized access, then quite a few laws and regulations will give your organization a pass. Especially, if you can show that you noticed the unauthorized access, gave proper notification when required, and made changes to reduce the chances of a similar incident. For example, the HIPPA Security Rule mandates that “covered entities” must “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 45 CFR §164.308(a)(1)(i). It won’t matter if you can prove that the unauthorized access was something new and that no one could have prevented it. The regulation uses the word “must” which under the law means that you have no choice but to do what follows that word. If you can’t show that you had the policies and procedures already in place, then you will lose the argument and could place your organization in danger of significant fines and penalties. Similar language is spread throughout state and federal regulations. Between companies, such language is also in well-crafted data protection agreements (also called Information Security Agreements).
Decide what level risk the organization should accept
With the never-ending array of security products and a dizzying set of choices on how to configure them, it is no wonder that the board has no idea how the organization’s information is protected. If the decision is left to the technical staff on how to protect that information, then the technical staff is making choices about what level of risk is acceptable. This can’t be. But it is not necessary for the board to start learning each security product used in their organization. Start with these questions: 1) What information do we control?, 2) What are the contractual, statutory, and regulatory requirements for protecting this data?, 3) What is the risk to the the organization and to the data itself now and how does that risk change given the suggested security controls applied to the data and the systems that touch it? These are questions that the board should be asking the CIO (Chief Information Officer) and CISO (Chief Information Security Officer) or whatever the equivalent is for that organization. If neither the board nor the C-level staff knows the answers to these questions, then you have some serious work to do and better get to it.
For the board to ignore the impact of never asking these questions or failing to put the organization on the path to answer them, is for the board to be neglecting one of its basic duties. That basic duty is providing oversight for the shareholders. Failure to make reasonable efforts at oversight is how board members get sued and replaced.
Joel Colvin has been a security consultant since 1992 and an attorney since 2015. If you would like help in developing your organization’s security policies, please contact him at jcolvin@jcolvinlaw.com.