Are Your Directors Talking Enough About Privacy and Data Security?
by Stephen M. Faraci, Sr. Esq.
The number of companies suffering data breaches, and the average cost associated with each incident, continues to rise. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average consolidated total cost of a data breach rose to $3.8 million in 2014, which is a 23 percent increase compared to 2013.
With the number of and costs associated with data breaches on the rise, corporate fiduciaries (directors and officers) need to be attuned to their company’s privacy and data security policies and controls. Good corporate governance, meaning the system of rules, practices, and processes by which a company is directed, can help a company manage and minimize its legal risks, difficulties, and expenses, including the risks and expenses associated with cyber-threats and data breaches. In fact, the Ponemon study specifically noted that board-level involvement is viewed as a primary factor in reducing the cost of a data breach. Board-level involvement can also help a company defend itself from litigation arising from a breach, including consumer class actions, federal or state regulatory enforcement actions, and shareholder derivative suits that expose directors and officers to personal liability.
Just how effective can good corporate governance be in warding off litigation arising from a data breach? In Palkon v. Holmes, the United States District Court for the District of New Jersey dismissed a shareholder derivative suit brought against the board of Wyndham Worldwide Corporation after the company suffered three data breaches between April 2008 and January 2010, allegedly compromising personal information of more than 600,000 customers. The key to the dismissal was that Wyndham’s board of directors engaged in a meaningful, proactive process of oversight concerning cyber-threats and the company’s data security.
Below are the “top five” actions for the corporate fiduciaries of any company that collects personally identifiable information:
- Establish procedures to ensure that the board is and remains informed of the company’s privacy and data security practices and controls, including regular meetings in which data security policies are discussed. In Palkon, the court noted that from October 2008 through August 2012, the Wyndham board met 14 times to discuss cyber-attacks, the company’s security policies, and proposed security enhancements, and the Audit Committee reviewed the same matters in at least 16 meetings during that same period.
- Ask questions of relevant corporate agents, including the company’s General Counsel, Chief Information Officer, and Chief Technology Officer. In Palkon, the court noted that the company’s General Counsel gave a presentation regarding any data breaches that had occurred and the company’s data security generally at every quarterly board meeting.
- Consult experts on how to enhance the company’s data security, including third-party data security experts and outside counsel. In Palkon, the court noted that the company hired technology firms to investigate each breach and to issue recommendations on enhancing the company’s data security.
- Be sure the company has developed and implemented a data breach response plan, which includes prompt notification to stakeholders.
- Document the company’s good faith exercise of its business judgment with respect to privacy and data security, including ensuring that all minutes and resolutions are sufficiently detailed to reflect the board’s earnest consideration of privacy and data security concerns.
If your corporate governance policies and procedures reveal a proactive approach to privacy and data security, your company is not only more likely to reduce the costs of any eventual data breach, but will also be better positioned to defend the myriad litigation matters that may arise from such a breach.