FTC Issues Timely Reminder on Data Security Oversight Role of Corporate Boards of Directors
On April 28, 2021, the Federal Trade Commission (FTC) issued a timely reminder to corporate boards of directors on their ongoing responsibility to ensure that consumer and employee data is protected. The pandemic has upended “business as usual” for most companies, but it has also generated more opportunities for cyber-thieves. With more consumers shopping online and up to 33% of the workforce in the United States working remotely, there has been a significant increase in security threats and data breaches in the past year. Corporate boards of directors need to understand these risks and ensure their companies can respond to them in a timely manner.
Summary of FTC Guidance
The FBI’s Internet Crime Complaint Center (IC3) recently released its annual report, the 2020 Internet Crime Report. The IC3 received 791,790 complaints of suspected internet crime in 2020, an increase of more than 300,000 complaints from 2019, with reported losses exceeding $4.2 billion. A recent survey highlighted the long-term effects of a data breach on companies. Most companies understand the significant financial costs that can be incurred in responding to a data breach, the potential negative impact on a company’s reputation and resulting loss of sales after a data breach, and the legal liability issues that may arise in post-breach class action litigation and regulatory enforcement actions. Data breaches can also have a lasting negative impact on the share price of companies. The survey reviewed the share price of 34 listed companies in the United States that had suffered a breach. It found that share prices fell by 3.5% immediately after a data breach, but that the long-term effects of the breach were even greater. The average share price of these companies dropped by 15.6% in the three years after a breach and these same companies underperformed against the market by the same margin.
If that survey data is not enough to incentivize more data security oversight by corporate boards of directors, directors may be interested to learn that “board member information” is one of the top ten most valuable categories of information to cyber thieves. In the wake of the recent cyberattacks on SolarWinds Corp. and Accellion, Inc., corporate boards of directors should increase their focus on the cybersecurity challenges faced by their companies and the potential legal, reputational, and other risks their companies may face from increasing security threats and the devastating impacts of data breaches.
The FTC noted that 60% of directors planned to improve their cybersecurity oversight role over the next year. There are still a number of directors who need to do more in this area. The FTC provided the following five recommendations to help all directors enhance their cybersecurity oversight role:
1. Make data security a priority
Consumers are paying increasing attention to how companies are protecting their personal information and expect companies to proactively respond to threats to that information. The FTC has become more aggressive in challenging deceptive or unfair conduct related to the data security practices of companies and has recently settled such claims with SkyMed International, Inc. (SkyMed) and Ascension Data & Analytics, LLC (Ascension).
The FTC noted in the recent reminder that “[c]ontrary to popular belief, data security begins with the Board of Directors, not the IT Department.” The phrase “tone at the top” may be overused in the business world, but this simple phrase accurately describes the over-arching importance of the commitment of the senior leadership of any company to a particular goal and the “trickle down” impact that commitment has throughout the company. As the FTC noted, “[a] corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration.” The FTC suggested that companies implement the following strategies to ensure that data security is a top priority:
- Build a team of stakeholders from across the company;
- Establish board-level oversight; and
- Hold regular security briefings.
2. Understand the cybersecurity risks and challenges faced by your company
Although it may not be the board’s role to manage day-to-day security operations, its role should include setting priorities and allocating the resources necessary to ensure effective security measures are in place across the company. To fulfill this important role, directors will need to have more than a basic understanding of the unique data security challenges faced by their company.
3. Do not assume legal compliance means adequate data security
The FTC noted as follows:
… compliance doesn’t necessarily translate into good security. Cybersecurity threats are constantly and rapidly evolving. A strong data security program should never be reduced to a “check the box” approach geared toward meeting compliance obligations and requirements. Instead, boards should ensure that their security programs are tailored to their companies’ unique needs, priorities, technology, and data. Boards should ask tough questions about whether their policies and procedures effectively address their company’s security risks and whether actual security practices effectively address the threats they face. That no-holds-barred conversation might include fundamental questions like:
- What kind of data are we keeping and why? And where are we keeping it?
- Are our policies and procedures adequate to protect our data?
- Are our actual security practices in line with our policies and our public-facing statements?
- Are our security investments and expenditures in line with our security risks and threats?
4. Need to do more than prevention
The recent data breaches in the news have demonstrated the importance of both a strong data security program and an agile incident response plan that your company’s team has practiced in advance through periodic table-top exercises and other real-time simulations. In responding to a security incident, time is of the essence. An effective program will ensure that a security incident can be promptly escalated to the appropriate level, including to the C-suite and board of directors, if needed.
A data breach incident response team leader at a company shared that, after a significant data breach at the company, she could not schedule a meeting with the Chief Financial Officer to approve the contracts with the credit monitoring and call center vendors until three weeks later, long past the due date under state law for sending notices of the data breach to impacted customers. An ounce of prevention may be worth a pound of cure. However, when you need to respond to a data breach incident after your security measures have failed, you may have to quickly cure some internal problems that would otherwise prevent your company from responding to the incident in a timely manner.
5. Learn from your mistakes and the mistakes of others
If your company has experienced a data breach, the FTC suggests that you take the opportunity to learn from the incident and improve your program. Post-mortem meetings are a good opportunity for everyone involved to address any issues and formulate plans to improve the process in the event of future incidents. The FTC also noted that companies and their directors can learn from the mistakes of other companies. Companies can review the SkyMed, Ascension, and other enforcement actions by the FTC. The Privacy Rights Clearinghouse maintains a database of reported data breaches. This is a valuable resource to assist companies and their directors in understanding and planning for the cybersecurity risks facing their industry.
Companies often pelt their employees with catchy slogans such as “you are essential in our ongoing effort to reduce security risk,” “do your part, be security smart,” or “don’t be shy about protecting PI.” Your company’s board of directors needs to hear the same slogans. Your board of directors may also want to read the following comments from Soren Skou, the CEO of Maersk, as reported in the Financial Times on August 13, 2017, on the company’s NotPetya malware attack:
Most business problems, you will have an intuitive idea on what to do. But with this and my skills, I had no intuitive idea on how to move forward. … Until you have experienced something like this – people call them “black swan” events – you don’t realise just what can happen, just how serious it can be.
Mr. Skou participated in all calls and meetings “to be visible, and take some decisions” as the “staff rallied together as one global team.” He said that he learned there is no way to prevent an attack, but in the future, his company must “isolate an attack quicker and restore systems quicker.”
Cybersecurity events are no longer black swans. Your company and its board of directors should understand what can happen, how serious it can be, and how to nimbly respond and move forward after a data breach or ransomware attack. As the title of the FTC reminder notes, corporate directors should not underestimate their role in data security oversight.