Does your board exercise proper oversight over cybersecurity
risks? Directors and officers have fiduciary duties to protect
the assets of their companies. This obligation covers digital
assets, including corporate information, applications, and
networks. The scope of the obligation is defined, in part, by laws
and regulations that impose specific privacy and security
obligations on companies.
CyLab identified the following areas as specifically
Reviewing budgets, security program assessments, and top-level
assigning roles and responsibilities for privacy and
and receiving regular reports on breaches and IT risks.
The report also noted that little attention is focused on risks
related to vendor management and observed:
the low response for vendor management is concerning because it
indicates that the privacy and security of data at cloud and
software providers and outsource vendors are receiving little
In comparing findings across industries, CyLab found that the
financial sector has some of the strongest privacy and security
practices in place, while energy and utilities had some of the
weakest governance practices.
The report concludes with a set of recommendations to boards and
senior management. These recommendations include:
"Review existing top-level policies to create a culture of
security and respect for privacy. Organizations can enhance
their reputation by valuing cyber security and the protection of
privacy and viewing it as a corporate social
"Review assessments of the organization's security
program and ensure that it comports with best practices and
standards and includes incident response, breach notification,
disaster recovery, and crisis communications plans."
"Ensure that privacy and security requirements for vendors
(including cloud and software-as-a-service providers) are based
upon key aspects of the organization's security program,
including annual audits and control requirements. Carefully review
notification procedures in the event of a breach or security
"Require regular reports from senior management on privacy
and security risks."
"Require annual compliance audits and test incident
response, breach notification, disaster recovery, and crisis
Data breaches, and loss of user data and other sensitive
information, pose significant legal and reputational risks for
companies. All companies should ensure that they have the systems
and policies in place to manage risks to digital assets. These
systems need to be regularly evaluated and properly resourced: this
requires top-level attention from senior management and the