This article in our “Beyond the Breach” series was co-authored by Morrison & Foerster partners Jackie Liu and Miriam H. Wugmeister.
Thanks, in no small part, to cybersecurity’s potential impact on organizations’ bottom lines, cybersecurity has become a top-of-mind concern for boards of directors. Equifax’s September 2017 data breach is a stark example of how a breach can negatively—and significantly—impact an organization’s bottom line. To date, the company has reportedly spent over $1.4 billion investigating the breach and overhauling its information security systems because of it. The company is still on the hook for as much as another $700 million as a result of its settlement of the litigation and government actions filed against it in the wake of the breach.
We’ve previously covered what boards can do before a data breach to prepare themselves and their organizations for such an event. However, what about when the inevitable happens and an organization—your organization—suffers a data breach? What’s a board—your board—to do then, and how?
In the wake of a data breach, your board of directors should focus on the same things it would normally focus on following any crisis affecting your organization.
As the people responsible for the oversight of your organization’s strategic direction and overall performance, your board’s primary concern should be making sure that whatever problems were exposed by the breach are: (i) recognized, (ii) understood, and (iii) addressed by a plan to fix them.
To fulfill its oversight responsibilities, your board needs to receive regular updates on the systems and processes designed to safeguard your organization’s information and networks, so that it can understand whether those systems and processes helped the organization respond to the breach and limit its impact, or whether they played a role in causing it.
In addition, your board will have to consider the people side of the equation. Do you have the right people and processes in place to respond to a cyber event? Even if mistakes were made, was there a process in place to identify the risk, escalate concerns, and make decisions in a timely way?
For example, let’s say that one of your organization's older databases was compromised. Your internal investigation determines that the database was not patched with security updates as often as it should have been because it was a legacy system that was scheduled to be decommissioned. Patching this particular system was not a priority because the IT team had to focus its time and resources on the systems the company actually uses.
After promptly being presented with the findings of this investigation, your board should focus on your organization's systems and processes for patching databases. Your board should not conduct its review with the goal of placing blame. Its focus should stay on: (i) understanding what happened, (ii) getting regular reports on whether the people or processes should have behaved differently, (iii) determining whether the proper processes were used to identify and remediate the issue, and (iv) receiving updates about how the lessons learned from the incident are built into new, or newly revised, systems and processes within the organization.
In light of Marchand v. Barnhill (June 18, 2019), directors have risk oversight responsibilities and could be subjected to liability for failing to “make a good faith effort to implement an oversight system and then monitor it.” Furthermore, the board’s consideration and deliberation about the organization’s new systems and processes should be documented through written records.
The severity of a particular data security incident will dictate the role your board plays in overseeing changes to your organization’s systems and processes.
Some data breaches are the result of a one-time mistake or a particularly sophisticated bad actor. When a breach of this type occurs, your management and board may determine, after due and well-documented deliberation, that your organization’s systems or processes did not significantly contribute to the breach. In that event, no additional oversight may be required—aside from your board’s typical oversight responsibilities—to ensure that the lessons learned from this kind of breach are implemented by your organization.
If a particular data breach exposes shortcomings in your organization's systems and processes, your board should consider delegating the task of overseeing the changes required to fix these shortcomings to one of its committees.
There is a trend to delegate cyber issues to a committee, such as the risk or technology committee, since its members may have more experience with cyber issues and may be able to provide focused guidance and oversight.
A serious data breach, however, may require the creation of a separate cybersecurity risk committee to oversee the bevy of new systems and processes—and may even result in employment changes—that your management and board agree need to be implemented to reduce the future risk of similar breaches.
On a related note, there is a brewing debate over whether boards should have at least one director on them who has significant professional cybersecurity experience. As more organizations add board members with this experience, standing cybersecurity risk committees may become commonplace.
If—or, more realistically, when—your organization suffers a significant data breach or other cyber incident, your organization’s board of directors will have a role to play.
Its focus should be on understanding: