Saturday November 21, 2009

Peer Exchange: Getting a Grip on Data Loss and Theft

Security breaches that put credit card numbers and personal information of customers or employees into the hands of those who would misuse the information or sell it on the black market make headlines almost on a daily basis. Whether the breach occurs through hacking, a dishonest employee, or a misplaced laptop or backup tape, the risks that come with lost or stolen data are real and can have a devastating effect on business. At the Directorship Boardroom Roundtable in New York on information privacy and network security, Lisa Butera, president of the professional liability division of AIG Executive Liability, spoke about the trends AIG has recognized over the last seven years, ever since AIG began underwriting insurance products to protect against identity and data security liability.

While not a new problem, Butera pointed out that about a year ago AIG expanded its data security discussions from the offices of the CIO and CTO to the boardroom, as it evolved into a corporate governance issue. “While the risk for a breach is there, the fear has not yet surfaced in boardrooms as much as we would have thought,” she said.

E. Norman Veasey, former chief justice of the Delaware Supreme Court, now a senior partner at Weil, Gotshal & Manges, provided some measure of relief to any director losing sleep over the repercussions from breaches at TJX Cos., CVS, and others. In the area of compliance: “My advice is just to make sure that you understand exactly what management is doing; ask every question you can. The board of directors has to understand what they’re doing—understanding is a big compliance area—and do it as though you were to be grilled in a deposition about what you did to see to it that these controls were in place, that compliance was done correctly. It is, after all, the management’s responsibility.”

That is not to say that boards should sleep easy on the issue either, Veasey warned. “In the area of compliance, there is a case, Stone v. Ritter, that simply says directors who utterly fail to set up a compliance program and utterly fail to monitor the program could be liable. But directors are not expected to be perfect either in transaction or in compliance oversight.”

Everyone is at Risk

While certain industries are more vulnerable than others—think healthcare, banking, airlines, and retailers—“any company that has employees is at risk. Any company with a website is at risk,” Butera said.

Louis Lipschitz, a director at New York & Co. and other companies, suggested that the opportunity to use and share data properly requires that we take vigilant steps to ensure that the risks don’t begin to outweigh the benefits of properly using data and information. “Twenty years ago, my company was investigated by the SEC and they wanted to know how many people had access to sales information. I was able to name six people. Today, everybody in the company has access to that information…even vendors, so that they can fill orders that much faster. So while you’re measuring risk from a liability standpoint, the risk of not using that data properly is far greater.”

For Marty Evans, data is personal. The 30-year veteran of the U.S. Navy, who was the first woman to command a U.S. naval station and retired as a rear admiral in 1998, now serves on the boards of Lehman Brothers and Office Depot, among others. She has been subjected to at least three personal identity breaches that she knows of. One instance was the publication of her personal data in the Federal Register when she was being confirmed as a commissioned officer. In her role as director, data security is a growing concern, and she questions how to properly integrate IT strategy into the boardroom.

Georges Ugeux, speaking for the “less-micromanaging” camp, asked whether it’s a board issue at all. “I believe that this is part of the risk that the CEO has to assume. If we make it a board issue, I can tell you what’s going to happen. We’re going to find consultants who are going to cost a lot of money to come back and say you have to treat this. The reality is that this is the day-to-day risk of being CEO of a company. It’s up to the CEO to explain to the board how the different risks are being managed. Maybe it becomes a line item for each committee.”

Debra Perry, a director at MBIA and Conseco and former senior managing director of global ratings at Moody’s, suggested that boards or committees of boards begin to think about risk oversight by first defining the operational risks endemic to their business. “These would be the risks that can contribute to significant financial loss, a material financial loss, or to a significant disruption in liquidity—each of which could be deadly to an enterprise—I think that if you get those down and then incorporate those into some routine overview of enterprise risk management, then you’ve got the topic more or less covered.”

Board Information Security

What can board members do to reduce their own culpability? In between board meetings, is it advisable to talk about issues via email or cell phone? Veasey said no. “The ‘e’ in email stands for eternal,” he said. “Emails should primarily be used to communicate scheduling information and things like that. Any sensitive emails that would go back and forth between directors should be done very cautiously. I think it’s very good to have face-to-face meetings of directors and face-to-face meetings of committees. Even when you have a call-in to a committee meeting, it should never be done on a cellphone, always on a landline. That’s my advice.”

What about board meeting minutes? Again, some sage advice from Veasey: “Take detailed long-form minutes. Distribute copies of the minutes and make changes based upon people’s recollections. Once the minutes are approved, notes should be thrown away because they could be confusing or misleading. If they’re bad minutes, you could have a problem like they had in Disney v. Ovitz. The reason that went to trial was because the minutes were so bad the plaintiffs were able to allege but couldn’t show that these directors had an ‘I-don’t-care’ attitude about their responsibilities in this area. So the good news in the Disney case was directors were found ultimately not to be liable. The bad news is that they had to go to 35 days of trial at great reputational risk and expense. Minutes are very important.”

AIG’s Butera said in cases of information security, it’s a matter of looking at the risks. “In terms of liability, again I come back to the fact that the risk is very real. Because we have not yet seen the large multimillion-dollar settlements in terms of litigation, directors may not yet be as fearful as the data suggest they should. In addition to bringing up the matter of data and security controls and examining various forms of protection against such breaches, I think there is an obligation on the part of directors to ask the tough questions, to make sure that the controls are in place.”
