Last year the Privacy Commissioner of Canada released the findings of its investigation into the Ashley Madison cyber breach (the site was operated by Avid Life Media, referred to as ALM in the report), and executives should be familiar with the results. The Commissioner commented: "It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework".
Here are 3 takeaways for executives on cyber security:
1. Harm extends beyond financial impacts:
Discussion of harm from data breaches usually focuses on identity theft and credit card fraud. The Commissioner notes: "While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long-term effect on an individual's ability to access and maintain employment, relationships, or safety depending on the nature of the information." This is notable because recent court rulings in the United States have taken the opposite view.
Here is the story: Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm.
An organization can be held liable for harm caused by a data breach. A standard Commercial General Liability policy will not cover these damages; a separate Cyber Liability policy needs to be purchased to cover this exposure.
2. Safeguards should be supported by a coherent and adequate governance framework
The Privacy Commissioner states that a security framework should be "consistently understood and effectively implemented." In Ashley Madison's case, regulators found that 75 percent of the company's staff had not received general privacy and security training. On top of that, the site displayed a "Trustmark" to consumers, implying that their information was being protected when in fact it was not.
Executives should have written security policies and procedures covering the entire organization. Not only will this protect the organization and its consumers, it will also provide documentation in the event of legal proceedings.
3. Documentation of privacy and security practices can itself be part of security safeguards
The Commissioner notes: "Having documented security policies and procedures is a basic organizational security safeguard". It is surprising how many organizations have nothing in place, especially when free resources such as this Cyber Liability Toolkit are available.
Every executive should make the organization's attention to security a priority. The Commissioner notes that documented practices help an organization identify and avoid gaps in its risk mitigations, provide a baseline against which practices can be measured, and allow the business to reassess its practices in an evolving threat landscape.
From a Directors and Officers liability perspective, I can't stress enough how important it is for executives to take proactive steps toward cyber security. Something as simple as documenting privacy and security practices can help executives if there is ever a lawsuit.
Don't wait until your company shows up in the headline of a local newspaper; start engaging in a cyber strategy today.
See the full release by the Privacy Commissioner here: https://www.priv.gc.ca/cf-dc/2016/2016_005_0822_e.asp