It is difficult for any executive today not to recognize that a data breach is a significant risk to his or her company. What is more difficult is for that same executive to understand that simply responding to such a breach does not sufficiently address the risk. The actions or inaction of an executive prior to and subsequent to a breach are of utmost importance and can be the difference between a relatively minor breach and the loss of significant revenue, coupled with liability to third parties and regulators.
The fiduciary obligations imposed upon officers and directors of a business require them to play an active role in establishing their organization’s policies and procedures related to data security rather than relying solely on their IT department. Saying he or she had no knowledge of the company’s security protocol will not relieve an executive of his or her fiduciary obligation. In light of the ever-evolving technology surrounding security breaches, relying on a one-time, outdated information security plan will also not relieve the executive of his or her obligations.
The standard of reasonableness applied to an information security plan at the time of a breach is evolving right along with the threats to security. As a result, a plan that may have reasonably addressed security risks two years ago will no longer be deemed reasonable for purposes of today’s security risks. To mitigate damage and liability in the face of a security breach and to ensure an organization’s information security plan meets the applicable reasonable standard, having regular third-party assessments of the organization’s data security is highly recommended. Performing such regular assessments allows an organization to identify potential threats and to implement any necessary protections from such threats. Such assessments will also allow an organization to determine whether it needs to alter the methods by which security threats are detected. An assessment may even discover a breach that was previously undetected. Employing legal counsel in conjunction with a third-party forensic team will allow the business to protect the results of the assessment under attorney-client privilege and work product doctrine (this is also the case if the business finds itself needing to perform an assessment subsequent to a breach).
Knowing how an organization will respond to a breach (including recovery of the data) prior to its occurrence is also an essential factor in determining whether its information security plan is reasonable. If an organization does not know how it will respond to a breach and does not test its ability to respond on a regular basis, e.g., through regular phishing of employees, that lack of due diligence will be used against it when a breach does occur.
Also of importance when assessing the risk related to a security breach is carefully reviewing the organization’s insurance coverage to ensure that it will, in fact, provide the necessary coverage when the company is facing a breach. Just as with any other type of insurance, that related to security breaches can contain exclusions and/or simply not address some of the most crucial elements of loss a business may face.