ROPES & GRAY LLP Privacy Disclosures: The SEC Gets Into the Act (and Boards Should too) IAPP Annual Meeting 2013 Jim DeGraw +1-415-315-6343 [email protected]


Page 1: Privacy Disclosures - International Association of Privacy ... · That Results in Real Costs • Critical need to manage response, publicity, defense, costs -- R&G served as lead

ROPES & GRAY LLP

Privacy Disclosures: The SEC Gets Into the Act (and Boards Should too)

IAPP Annual Meeting 2013 Jim DeGraw [email protected]

Page 2

Agenda

• Security Disclosure Trends

• SEC Specific Guidance

• Implementation Choices

• Additional Concerns for the Board

• Thoughts for Oversight and Guidance

Page 3

The Data Loss Driver --

• Data losses generally result from both unauthorized intrusions -- data security breaches -- and mishaps

• Two common types of data security breaches:
  – Third-party criminal acts
    • Cyber-intrusions (e.g., network hacks, data skimming)
    • Theft of physical assets (e.g., stolen laptops)
  – Insider theft or compromise

• And then there’s the negligent insider
  – Inadvertent data disclosure (e.g., mistaken website postings)
  – Lost laptops, tapes, drives, etc.

Page 4

It’s a Large, Noticeable Problem

• Since 2005:
  – ~600 million data records reported as potentially compromised
  – Across ~3,600 US publicly announced data security breaches

• In 2012 in the U.S.:
  – 680 publicly reported data security breaches (13 per week)
  – 27.5 million records potentially compromised

• All types of information are attacked or lost
  – From SSNs to trade secrets

Sources: Privacy Rights Clearinghouse, http://www.privacyrights.org/data-base.

Page 5

That Results in Real Costs

• Critical need to manage response, publicity, defense, costs -- R&G served as lead counsel in TJX, Heartland, Sony

Source: PCMag.com, Infographic: The Biggest Data Security Breaches of All Time (October 15, 2011)

Page 6

That Results in Real Costs . . .

• Estimated overall costs of breach:
  – Approximately $194 per compromised record
  – Average incident cost of $5.5 million

• More than 30% of those costs reflect legal, forensic, audit, and consulting services required to address the legal exposures created by the breach.

Source: Ponemon Institute, 2011 Annual Study: U.S. Cost of a Data Breach (March 2012)

Page 7

& Enforcement Risk


"The privacy data breach area offers some new opportunities to expand the types of cases that we're handling," said Eric Grover, whose seven-lawyer firm has been known for employment and nonhealth-related consumer protection cases. "When we saw the scope of what was happening, and the number of breaches that have occurred across the country in recent years, we saw that this was not a unique circumstance, and we should educate ourselves about the subject matter."

– The Recorder, April 6, 2012

Page 8

Class Action Litigation is Real

• Class action complaints regularly filed alleging invasion of on-line privacy

• Normally filed within days of public announcement of breach or other event

• Generally plead a combination of tort, breach of contract, and violation of consumer protection, computer access, and data laws

• So far, have faced difficulty alleging damages
  – Clapper “certainly impending” standard may make it harder
  – Growing tension around cy pres settlements underscores issue

• But . . .
  – Expensive to defend or settle
  – Continued adverse publicity
  – Can impact regulatory investigation
  – Law still changing

Page 9

US Government Enforcement

• Federal Trade Commission
  – Alleges “unfair or deceptive” under Section 5 of FTCA
    • "unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful” 15 USC § 45(a)
    • “Deceptive” act is a material representation, omission or practice that is likely to mislead a consumer, acting reasonably, to the consumer’s detriment
    • "Unfair" practices are those that "cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” 15 USC § 45(n)
  – Applying the “reasonable security” standard
    • “This reasonableness standard is flexible and recognizes there is no such thing as perfect security.” In re Acranet
    • But a business must take into account the risks that providing data access or systems poses, and take reasonable steps to ameliorate those risks.

Page 11

SEC Was Asked to Provide Guidance

• May 2011: 5 Senators send SEC a letter: “In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk…”
  – Cites 2009 survey showing 38% of Fortune 500 companies did not mention privacy or data security exposure in public filings.
  – Questions whether those who do disclose adequately assess and mitigate risk.
  – Wonders whether leaders of companies understand disclosure obligations regarding potentially compromised IP or trade secrets when a breach occurs.
  – Asks SEC to provide guidance . . . .

Page 12

And SEC Division of Corporate Finance Does

• CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011)
  – Intended to be consistent with disclosure considerations for any business risk
  – Mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts
    • Emphasizes that disclosures of that nature are not required under securities laws
  – But, being the victim of a cyber attack can lead to substantial costs and other negative consequences:
    • Remediation costs
    • Increased cybersecurity protection costs
    • Lost revenue
    • Litigation
    • Reputational damage
  – So, concludes companies should review their cybersecurity risk disclosures on an ongoing basis under existing securities laws.

Page 13

CF Disclosure Guidance: Topic No. 2

• Risk Factors to Discuss (Reg. S-K Item 503(c)):
  – Aspects of business that give rise to material cybersecurity risks
  – Outsourcing risks
  – Cybersecurity incident experience, to the extent material individually or in aggregate, including description of costs and consequences
  – Risks that may remain undetected for an extended period
  – Insurance coverage

• Keys:
  – Discussion should depend on particular facts and circumstances
  – May need to disclose known or threatened incidents to place risk in context
  – Avoid boilerplate

Page 14

CF Disclosure Guidance: Topic No. 2

• MD&A
  – Address if costs or other consequences (or risk) are reasonably likely to have a material effect

• Description of Business
  – Provide disclosure if incidents materially affect products, services, customer/supplier relationships or competitive conditions

• Legal Proceedings

• Financial Disclosures

• Before an Incident

• During / After an Incident

• Disclosure Controls & Procedures

Page 15

How does it work? Zappos . . .

• January, 2012: Zappos suffers data breach. Millions of user accounts compromised. Publicly announced, but Zappos breach not mentioned in Amazon 10-K. . . . SEC reads the website notice . . .

• SEC – Amazon (March 12, 2012):
  – We noticed the Zappos breach. Did you consider expanding your disclosure? You actually experienced an attack.
  – If so, address whether fuller disclosure would provide proper context and address potential reputational harm

• Amazon – SEC (April 9, 2012):
  – 24 million user accounts compromised; no full credit card numbers or actual passwords
  – No material impact on business; indeed, transitory as seen by revenue numbers after 1 month

• SEC – Amazon (April 18, 2012):
  – Expand notice to say breaches have happened

Page 16

Zappos

We Could Be Harmed by Data Loss or Other Security Breaches

As a result of our services being web-based and the fact that we process, store and transmit large amounts of data, including personal information, for our customers, failure to prevent or mitigate data loss or other security breaches, including breaches of our vendors’ technology and systems, could expose us or our customers to a risk of loss or misuse of such information, adversely affect our operating results, result in litigation or potential liability for us and otherwise harm our business. We use third party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support and other functions. Some subsidiaries had past security breaches, and, although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Although we have developed systems and processes that are designed to protect customer information and prevent data loss and other security breaches, including systems and processes designed to reduce the impact of a security breach at a third party vendor, such measures cannot provide absolute security.

Amazon.com, Inc. Form 10-K for FY 2012 (1/30/13)


Amazon Privacy Policy:

We work to protect the security of personal information you provide to our websites during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. We restrict access to your personally identifiable information to employees who need to know that information in order to provide products or services to you. We maintain physical, electronic and procedural safeguards to guard your nonpublic personal information.

Page 17

Netflix

SEC

We note you derive a significant percentage of revenue from online subscriptions . . . . Please tell us whether you have experienced attempts to disrupt your internal systems. . .

Netflix

Our servers and those of third parties we use in our operations

- are vulnerable

- periodically experience attacks

If successful, could harm business, be expensive to remedy, damage reputation.

Company has implemented certain systems to thwart, no assurance of success.

No insurance.


Netflix Letter to SEC 7/25/12

Page 18

Netflix

Our reputation and relationships with subscribers would be harmed if our subscriber data, particularly billing data, were to be accessed by unauthorized persons.

• We maintain personal data regarding our subscribers, including names and, in many cases, mailing addresses. With respect to billing data, such as credit card numbers, we rely on licensed encryption and authentication technology to secure such information. We take measures to protect against unauthorized intrusion into our subscribers' data. If, despite these measures, we, or our payment processing services, experience any unauthorized intrusion into our subscribers' data, current and potential subscribers may become unwilling to provide the information to us necessary for them to become subscribers, we could face legal claims, and our business could be adversely affected. Similarly, if a well-publicized breach of the consumer data security of any other major consumer Web site were to occur, there could be a general public loss of confidence in the use of the Internet for commerce transactions which could adversely affect our business.

• In addition, we do not obtain signatures from subscribers in connection with the use of credit and debit cards (together, “payment cards”) by them. Under current payment card practices, to the extent we do not obtain cardholders' signatures, we are liable for fraudulent payment card transactions, even when the associated financial institution approves payment of the orders. From time to time, fraudulent payment cards are used on our Web site to obtain service and access our DVD inventory and streaming. Typically, these payment cards have not been registered as stolen and are therefore not rejected by our automatic authorization safeguards. While we do have a number of other safeguards in place, we nonetheless experience some loss from these fraudulent transactions. We do not currently carry insurance against the risk of fraudulent credit card transactions. A failure to adequately control fraudulent credit card transactions would harm our business and results of operations.

Netflix, Inc. 10-K (FY 2012)

Page 19

Netflix

Privacy Policy: Netflix takes information security very seriously and uses reasonable administrative, technical, physical and managerial measures to protect your personal information from unauthorized access. For example, we utilize Secure Sockets Layering, an industry-standard protocol for certain of your transmissions to us, in order to encrypt certain personal information that you send to us through the registration and sign up process.

Unfortunately, no security system can be guaranteed to be 100% secure. Accordingly, we cannot guarantee the security of your information and cannot assume liability for improper access to it. By using our service, including our website and user interfaces, or providing information to us through any means, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Netflix service.

Page 20

The Hartford? . . .

• Hartford had no breach, and 2011 10-K had vanilla disclosure

• SEC:

– Have you had breaches?

– Are you under attack?

• Hartford agrees to revise risk factors (Letter to SEC May 16, 2012):

– No breach

– Subject to attack

– Systems may be insufficient to prevent breach

– Maintain cyber insurance

• See Also
  – ABInBev (Letter to SEC August 31, 2012) (to Company’s knowledge, no breach; will continue to monitor; will update disclosure if material).
  – Target (Letter to SEC June 27, 2012) (data security incidents to date not material)

Page 21

When do you update the disclosure?

• Series of letters asking for revision of risk factor “beginning with your next Form 10-Q”.
  – SEC Letter to NYSE Euronext (Aug. 7, 2012)
    • Have you experienced any incidents of unauthorized access?
    • NYSE: Not ones that have resulted in a material adverse effect, but we’ll update Q3 10-Q to say so (NYSE Euronext Letter to SEC (Aug. 20, 2012)).
  – SEC Letter to Equifax (Sept. 7, 2012)
    • You disclose you may be vulnerable. What is the actual experience, for context?
    • Equifax: will update beginning with next 10-Q (Sept. 24, 2012): “We are regularly the target of attempted cyber and other security threats and must continuously monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses and other events that could have a security impact. Although we have not experienced any material breach of cybersecurity, if one or more of such events occur, this potentially could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen.”

Page 22

When do you update the disclosure?

• SEC asks for revision of risk factor “beginning with your next Form 10-Q”.
  – SEC Letter to Wynn Resorts (July 26, 2012)
    • None of risk factors or other sections of 10-K specifically address cyber risks.
    • We note press reports that hotels are becoming targets.
    • Wynn Resorts: Not aware of any successful attacks, but will update disclosure beginning with next 10-Q (Wynn Resorts Letter to SEC August 9, 2012).

Page 23

Wynn Resorts

• 10-Q: Our information technology and other systems are subject to cyber security risk including misappropriation of customer information or other breaches of information security.

We rely on information technology and other systems to maintain and transmit customer financial information, credit card settlements, credit card funds transmissions, mailing lists and reservations information. In addition, our financial and recordkeeping processes are run from one central location at a secured off site Network Operations Center. We have substantially completed the implementation of industry best practice systems that are designed to meet all requirements of the Payment Card Industry standards for data protection, however, our information and processes are exposed to the ever-changing threat of compromised security, in the form of a risk of potential breach, system failure, computer virus, or unauthorized or fraudulent use by customers, company employees, or employees of third party vendors. The steps we take to deter and mitigate these risks may not be successful, and any resulting compromise or loss of data or systems could adversely impact operations or regulatory compliance and could result in remedial expenses, fines, litigation, and loss of reputation, potentially impacting our financial results.

• 2012 10-K: We have implemented systems that are designed to meet all requirements of the Payment Card Industry standards for data protection.

• Privacy Policy: All personal and general information that reaches Wynn Resorts is stored on a secure server that resides behind firewalls designed to block unauthorized access from outside of Wynn Resorts. Because laws applicable to personal information vary by country, our hotels or other business operations may put in place additional measures that vary depending on the applicable legal requirements. Information collected on the sites covered by this Statement is generally processed and stored in the United States.

Page 24

When do you update the disclosure?

• SEC Letter to Comcast (Sept. 7, 2012)
  – It appears you may have experienced cybersecurity attacks or incidents.
  – If true, beginning with your next Form 10-Q, please confirm that you will simply state this fact . . . .

• Comcast Response (Letter to SEC, Oct. 11, 2012)
  – Hang on, let’s look at the 10-Q requirements:

Item 1A. Risk Factors. Set forth any material changes from risk factors as previously disclosed in the registrant's Form 10-K (§249.310) in response to Item 1A. to Part 1 of Form 10-K. Smaller reporting companies are not required to provide the information required by this item.

Page 25

When do you update the disclosure?

• Comcast Response (Letter to SEC, Oct. 11, 2012)
  – Our experience does not warrant 10-Q disclosure:
    • No change in our experience with cybersecurity attacks;
    • Adding a risk factor to 10-Q would mislead investors into thinking we had experienced a material attack;
    • Existing disclosure consistent with guidance; and
    • Investors understand that all major companies contend daily with cybersecurity attacks.
      – Cites Sen. Rockefeller’s 500 Letters
  – Our current 10-K disclosure is compliant. It describes:
    • Areas of business for which network and IT are critical;
    • Type and nature of attacks, and other events, that could affect systems;
    • Effects that a successful attack would have;
    • That risks of breaches occurring have intensified; and
    • Fact that cannot provide assurances.
  – Will update next 10-K, including MD&A, to say regularly attacked and could have consequences

• See Also
  – Verizon Letter to SEC (Sept. 10, 2012)

Page 26

What’s Not Vanilla?

• Walmart 2011 10-K:

If we do not maintain the security of information relating to our customers, associates and vendors, security information breaches through cybersecurity attacks or otherwise could damage our reputation with customers, associates and vendors, and we could incur substantial additional costs and become subject to litigation.

As do most retailers, we receive certain personal information about our customers, and we also receive personal information concerning our associates and vendors. In addition, our online operations at www.walmart.com, www.samsclub.com and other websites depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. We maintain security measures with respect to such information, but despite these measures, we may be vulnerable to security breaches by computer hackers and others that attempt to penetrate the security measures that we have in place. A compromise of our security systems (through cyber-attacks or otherwise which are rapidly evolving and sophisticated) that results in personal information being obtained by unauthorized persons could adversely affect our reputation with our customers, associates, and vendors, as well as our operations, results of operations, financial condition and liquidity, and could result in litigation against us or the imposition of penalties. In addition, a security breach could require that we expend significant additional resources related to our information security systems and could result in a disruption of our operations, particularly our online sales operations.

• SEC Letter to Walmart (June 8, 2012)
  – Have breaches occurred?
  – Please put “may be vulnerable” in context.

Page 27

What’s Not Vanilla?

• Walmart Letter to SEC (June 22, 2012)
  – Yes, we are attacked. None have been successful. Therefore not a material risk.
  – In light of disclosure trends, we did what we did in 2012 10-K, though not required by Item 503 of Regulation S-K or the Cybersecurity Guidance.
  – In future, will modify the risk factor:

Any failure to maintain the security of the information relating to our customers, associates and vendors that we hold, whether as a result of cybersecurity attacks or otherwise, could damage our reputation with customers, associates and vendors, could cause us to incur substantial additional costs and to become subject to litigation, and could adversely affect our operating results.

As do most retailers, we receive certain personal information about our customers, and we also receive personal information concerning our associates and vendors. In addition, our online operations at www.walmart.com, www.samsclub.com and other websites depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Each year, computer hackers make numerous attempts to access the information stored in our information systems. We maintain substantial security measures to protect, and to prevent unauthorized access to, such information. As a result of those measures, the past attempts by computer hackers to gain access to the information stored on our information systems have been unsuccessful. Nevertheless, it is possible that computer hackers and others (through cyberattacks, which are rapidly evolving and becoming increasingly sophisticated, or by other means) might compromise our security measures in the future and obtain the personal information of customers, associates and vendors that we hold. Such an occurrence could adversely affect our reputation with our customers, associates, and vendors, as well as our operations, results of operations, financial condition and liquidity, and could result in litigation against us or the imposition of penalties. Moreover, a security breach could require that we expend significant additional resources to upgrade further the security measures that we employ to guard such important personal information against cyberattacks and other attempts to access such information and could result in a disruption of our operations, particularly our online sales operations.

Page 28

Comparison Point

• Walmart Privacy Policy:

How We Secure Your Information

Securing your information is a company priority. Whether you are shopping on our websites or in our stores, we use reasonable security measures to help protect the confidentiality of personal information.

Online Protections

Your account information is protected by the password you use to access your online account. Please keep this password confidential. We also use a technology called Secure Sockets Layer (SSL). If your browser is capable of SSL (and most are), your account information will be protected during transport across the Internet. You can see a representation of this when you enter a secure portion of our online website (not including our mobile applications), which is any page containing any of your account information, where an image of a closed lock or a solid key should appear in the bottom bar of your browser window. If you click on this image, a small pop-up window displaying website security information will appear. This display indicates that your personal information is transmitted in encrypted form to a Walmart web server, not to some unknown or unauthorized server.

Hard Copy and Electronic Storage Protections

Personal information that is maintained in our offices or stores is subject to physical, administrative, and technical controls as well. Hard copies of sensitive personal information are maintained in locked locations or cabinets with similar restrictions for electronic storage. When disposed of, the information is shredded, destroyed, erased, or otherwise sought to be made unreadable.

Page 29

One More Comparison Point

• Citigroup 2012 10-K, Risk Factors:

Citi’s Operational Systems and Networks Have Been, and Will Continue to Be, Subject to an Increasing Risk of Continually Evolving Cybersecurity or Other Technological Risks, Which Could Result in the Disclosure of Confidential Client or Customer Information, Damage to Citi’s Reputation, Additional Costs to Citi, Regulatory Penalties and Financial Losses.

A significant portion of Citi’s operations relies heavily on the secure processing, storage and transmission of confidential and other information as well as the monitoring of a large number of complex transactions on a minute-by-minute basis. For example, through its global consumer banking, credit card and Transaction Services businesses, Citi obtains and stores an extensive amount of personal and client-specific information for its retail, corporate and governmental customers and clients and must accurately record and reflect their extensive account transactions. With the evolving proliferation of new technologies and the increasing use of the Internet and mobile devices to conduct financial transactions, large, global financial institutions such as Citi have been, and will continue to be, subject to an increasing risk of cyber incidents from these activities.

Although Citi devotes significant resources to maintain and regularly upgrade its systems and networks with measures such as intrusion and detection prevention systems and monitoring firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide absolute security. Citi’s computer systems, software and networks are subject to ongoing cyber incidents such as unauthorized access; loss or destruction of data (including confidential client information); account takeovers; unavailability of service; computer viruses or other malicious code; cyber attacks; and other events. These threats may derive from human error, fraud or malice on the part of employees or third parties, or may result from accidental technological failure. Additional challenges are posed by external extremist parties, including foreign state actors, in some circumstances as a means to promote political ends. If one or more of these events occurs, it could result in the disclosure of confidential client information, damage to Citi’s reputation with its clients and the market, customer dissatisfaction, additional costs to Citi (such as repairing systems or adding new personnel or protection technologies), regulatory penalties, exposure to litigation and other financial losses to both Citi and its clients and customers. Such events could also cause interruptions or malfunctions in the operations of Citi (such as the lack of availability of Citi’s online banking system), as well as the operations of its clients, customers or other third parties. Given Citi’s global footprint and high volume of transactions processed by Citi, certain errors or actions may be repeated or compounded before they are discovered and rectified, which would further increase these costs and consequences.

Citi has been subject to intentional cyber incidents from external sources, including (i) denial of service attacks, which attempted to interrupt service to clients and customers; (ii) data breaches, which aimed to obtain unauthorized access to customer account data; and (iii) malicious software attacks on client systems, which attempted to allow unauthorized entrance to Citi’s systems under the guise of a client and the extraction of client data. For example, in 2012 Citi and other U.S. financial institutions experienced distributed denial of service attacks which were intended to disrupt consumer online banking services. While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber incidents. There can be no assurance that such cyber incidents will not occur again, and they could occur more frequently and on a more significant scale. In addition, because the methods used to cause cyber attacks change frequently or, in some cases, are not recognized until launched, Citi may be unable to implement effective preventive measures or proactively address these methods.

Third parties with which Citi does business may also be sources of cybersecurity or other technological risks. Citi outsources certain functions, such as processing customer credit card transactions, uploading content on customer-facing websites, and developing software for new products and services. These relationships allow for the storage and processing of customer information, by third party hosting of or access to Citi websites, which could result in service disruptions or website defacements, and the potential to introduce vulnerable code, resulting in security breaches impacting Citi customers. While Citi engages in certain actions to reduce the exposure resulting from outsourcing, such as performing onsite security control assessments, limiting third-party access to the least privileged level necessary to perform job functions, and restricting third-party processing to systems stored within Citi’s data centers, ongoing threats may result in unauthorized access, loss or destruction of data or other cyber incidents with increased costs and consequences to Citi such as those discussed above. Furthermore, because financial institutions are becoming increasingly interconnected with central agents, exchanges and clearing houses, including through the derivatives provisions of the Dodd-Frank Act, Citi has increased exposure to operational failure or cyber attacks through third parties.

While Citi maintains insurance coverage that may, subject to policy terms and conditions including significant self-insured deductibles, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses.

What About the Board?

• 11,000+ Directors Surveyed
  – Top 10 Concerns: #1: Data Security – 48%
  – Company has a crisis management plan in place for cyber attack?
    • Yes: 42%
    • No: 27%
    • DK: 31%
  – Company is prepared to detect a cyber breach?
    • Yes: 77%

• 1,900+ General Counsel Surveyed
  – Top 10 Concerns: #1: Data Security – 55%
  – How well does your board manage cyber/IT risk?
    • Not Effective: 33%

Source: Corporate Board Member, Legal Risks on the Radar 2012

What About the Board?

• 11,000+ Directors Surveyed
  – Does your Company have a Social Media policy?
    • Yes: 39%
    • No: 38%
    • DK: 23%
  – Does your Board have a good handle on Social Media risks?
    • Yes: 40%
    • No: 60%

Source: Corporate Board Member, Legal Risks on the Radar 2012

Board Considerations

• Does the Board:
  – Set a tone from the top re data and security issues?
  – Ensure it is properly informed on IT, cybersecurity, data usage and social media risks?
  – Understand and appreciate those risks and how they are being managed?
  – Review and appreciate the company's approach to responding to breach incidents?
  – Review and understand the company's various data and security disclosure practices?
  – Consider line item budget items addressing those risks?
  – Review insurance coverage for IT, data and cybersecurity issues?
  – Need to have a committee to whom IT, data, and cybersecurity issues are delegated as part of risk or controls management?

The business judgment rule and other procedural devices provide protection, so long as the Board's decision is the product of a process that was either deliberately considered in good faith or was otherwise rational.

Closing Thoughts

• Disclosures
  – Place the Cybersecurity Guidance in context
    • Materiality standard remains the threshold
    • Attacks happen – just don't provide an intrusion roadmap
    • Negligence happens too – consider all the threats to your systems
    • Double-check the insurance
  – Be consistent among your disclosures
    • Re-review privacy policies, SEC disclosures and client communications in light of one another
  – Keep up with litigation, enforcement and publicity trends
    • And regularly revisit and update disclosures

• Board & Management
  – Review management structure for data privacy and security issues
    • Consider whether they should remain an IT-only concern
  – Review policies and controls for data privacy and security issues
  – Review and appreciate disclosure practices
  – Review board oversight and role

THANKS!

Jim [email protected]