You can’t do it all, in a field as robust and evolving as data privacy and security. The purpose of this checklist is to describe the core oversight duties of those in the board room and the C-suite, as-of spring 2013. As such, this checklist is focused primarily on setting values and priorities, and the assignment of roles, structure, and process.
Please note: (1) There is no one-size-fits all, so consider the unique circumstances of your organization; (2) Although much has been written about privacy and security generally, law and scholarship specifically regarding the duties of the board and senior management regarding privacy and security issues is significantly less developed.
- Decide, preliminarily, the relative importance of privacy and security issues to your organization.
Comment: Consider the following:
- Are you in a highly-regulated field such as finance or healthcare?
- Do you control or have access to large amounts of data?
- Are trade secrets or other proprietary information especially valuable assets?
- How important are customer expectations and public perception?
- What are your competitors doing?
- Any known substantial and specific threats / risks?
Benchmark: Corporate directors (48%) and general counsel (55%) listed “data security” as their number-one concern (ahead of operational risk and company reputation). Source: 2012 Corporate Board Member / FTI Consulting, Inc., “Law and the Boardroom Study: Legal Risks on the Radar.”
- Allocate reasonable financial, human, and technical resources.
- Do you have confidence in your IT team / CIO?
- Do they have a sufficient budget?
- Philosophy: Treat trade secrets, “Big Data,” and other critical proprietary information with the same level of care and attention you devote to the preservation and growth of other core assets.
- Appoint a [Chief Privacy Officer (CPO)][Chief Information Security Officer (CISO)][other management-level person with “privacy and security compliance” as an explicit or sole component of the job description].
- For this item, like virtually all others on the checklist, the minimum duty will vary with the size of the organization and the quantity and type of information and data held (including whether the industry or data type is regulated, such as health organizations under HIPAA, financial organizations under Gramm-Leach-Bliley, or any entity collecting information from children online under COPPA).
- This person should monitor compliance requirements: (a) applicable law; (b) contractual obligations (e.g., in NDAs or security provisions in other agreements); (c) your own policies; (d) certification / compliance programs in which you participate (e.g., EU Safe Harbor, TRUSTe); (e) industry norms, as falling short of them may be negligence.
Benchmark: Among smaller and mid-size organizations, a dedicated Chief Privacy Officer is still relatively rare.
- Retain [or at least identify] experienced legal counsel.
- Receive updates on legal developments from time to time.
- Involve counsel in substantial transactions such as M&A and key vendor agreements.
- If there is a substantial international component to your data and security issues, strongly consider retaining country-specific or region-specific legal counsel.
- Retain [or at least identify] computer forensic consultants, and other consultants such as PR.
- In the event of a breach and/or an event that may involve litigation, I recommend an outside computer forensic firm.
- This item may be most appropriate for larger organizations.
- This item is more appropriate to a CIO or General Counsel, not the board level.
- Assign a committee of the board with oversight of privacy and security issues, and explicitly add responsibility for privacy and security to the committee’s charter. Consider creating a committee if no appropriate committee exists (e.g., a “Risk Committee” or similar, for which privacy/security could be one aspect of enterprise risk).
Comment: Applicable for larger entities. This could also be housed in a Risk Committee, Compliance Committee, or other committee of the board. Smaller entities may prefer to keep this function within the full board.
Benchmark: Among Global 2000 entities, 96% have an Audit Committee, 56% have a Risk / Security Committee, and 23% have an IT / Technology Committee. Source: “Governance of Enterprise Security: CyLab 2012 Report,” Jody R. Westby.
- Receive information. The board and senior management should receive periodic reports and information from the CIO, IT and General Counsel regarding significant security risks, issues, breaches, and other items.
Comment: The board of directors and senior management should receive enough information to be familiar with the organization’s top privacy and security issues and how the organization is managing those items.
- Conduct an audit. Include administrative, technical and physical elements.
- Oversight by full board or a committee such as the Audit Committee.
- Self-audit vs. outside audit?
- Brand-name audits such as SAS 70 (old) or SSAE 16 (new)?
- If possible, benchmark your organization against similar organizations to avoid falling behind (failing to meet the industry standard may be negligence).
- Do you know what your own policies are and do you follow them?
- Do you comply with contractual or similar obligations to others (e.g., abide by NDAs or Payment Card Industry requirements)?
- Focus on the most important assets.
- Written policies. Then communicate and train.
- Agreement tool kit.
Comment: Make available solid templates for: NDAs or similar with employees, vendors, partners. Specialized agreements as required such as Business Associate Agreements under HIPAA. The agreement tool kit should be disseminated to appropriate personnel with contracting authority, along with training in how to use, plus report and track exceptional terms and requirements.
- Diligence on key vendors and partners. How are their practices? Any breaches?
Comment: This may be as simple as a Google search: you don’t want to be partners with a known data-bungler. Include privacy and security diligence as part of M&A and other major transactions.
- Review insurance coverage.
Comment: Is general liability, errors and omissions sufficient? Consider “cyber risk” or “privacy liability” coverage (there’s a difference between these two). Be cautious regarding exclusions, especially “force majeure” / “act of God/war,” in light of foreign-government-sponsored hacking.
Benchmark: Only 35% of public companies have cyber insurance. Source: Chubb 2012 Public Company Risk Survey.
- Revisit privacy and security issues from time to time; stay current.
- Ensure at least one member of the board is knowledgeable in IT issues.
Comment: If your full board still isn’t sure what the Internet is and doesn’t use email, they will not be in a position to critique inputs on all of the above.