impossible for ideas to compete in the marketplace if no forum for
DUE CARE IN SECURITY MANAGEMENT
Author: Darryl Dodson-Edgars
paper gathers a number of references that address the general concept of
executive obligations and liabilities in the context of security of the
underlying business systems and other information-based corporate assets.
The information below is presented with extracts and quotations from
reputable sources that discuss the general subject of
research corroborates the statements quoted below about the scant information
available describing actual lawsuits. The
reasoning behind this has roots stretching out to public image and the
potential harm that comes with publicity about security violations. Cases are quietly settled out of court to minimize the risk
of adversely influencing shareholder and general public impressions of the
the paucity of evidence, there is wide agreement regarding the obligations and
liabilities of senior management and directors in fulfilling their fiduciary
is deeply dependent on the systems in place that support the processing and
distribution of information and financial transactions.
This takes many forms today, both internal and external in reach.
Securing the assets of the company is the responsibility of the
executive management team and the directors.
Violations of security can take many different forms, typically based
upon the nature of the associated threat.
These violations can culminate in either civil or criminal offenses.
with an effective compliance program have the opportunity to greatly
reduce penalties for violations of almost all federal statutes.
Companies are expected to exercise due diligence and be innovative in
designing and implementing their own security programs.
The United States Sentencing Commission adopted a set of Sentencing
Guidelines in 1991 applicable to all organizational defendants in criminal
the Sentencing Guidelines apply to all corporations, the larger the
organization the more formal the program should be and the greater the penalty
for failure to comply. Much more
is expected of a large publicly traded corporation than a small business.
court held that a director's obligations include a duty to assure that a
corporate information and reporting system exists. The failure to do so could
render a director personally liable to shareholders for losses caused by
non-compliance with applicable legal standards.
a recent article, “See You in Court” in CIO Magazine,
the author said “…To
hear some people tell it, corporate liability for failed information security
is the coming apocalypse. Several experts predict a flurry of personal injury
lawsuits filed by customers whose personal information has been disclosed,
corporate lawsuits based on damage caused by security breaches at business
partners and class-action lawsuits filed on behalf of irate stockholders.”
The author then quoted Ed M. McPherson III, Atlanta-based director of
PricewaterhouseCoopers, from a recent
meeting of a group assembled in New York City to learn about cybercrime's
impact on shareholder value. McPherson
said "It's going to be the next asbestos".
Security vendors are banking on it.
For instance, Redwood, California-based Recourse Technologies worked
with Daniel Langin, a defense attorney for several early Internet cases, to
explore whether corporate officers could be held personally liable for
information security breaches. His
conclusion? “You bet. It
takes one clear bellwether case to say you have this liability, before
officers and directors wake up".
of 2001, CIO Magazine had not found any such liability lawsuits.
However, several sources indicated that third-party damages are being quietly
settled out of court. As a rule, it's cheaper for companies to make
confidential settlements than to defend themselves.
It also helps avoid publicity that might give stockholders and
Wright Tremaine LLP made reference to a document assembled for
guidance to Directors of Boards regarding compliance issues.
While this document is aimed at the health care field,
the guidance is applicable across most business sectors.
This guide outlines the Fiduciary Responsibilities in a very clear
manner. It states:
fiduciary duties of directors reflect the expectation of corporate
stakeholders regarding oversight of corporate affairs. The basic fiduciary
duty of care principle, which requires a director to act in good faith with
the care an ordinarily prudent person would exercise under similar
circumstances, is being tested in the current corporate climate. Personal
liability for directors, including removal, civil damages, and tax liability,
as well as damage to reputation, appears not so far from reality as once
widely believed. Accordingly, a basic understanding of the directorâ€™s
fiduciary obligations and how the duty of care may be exercised in overseeing
the companyâ€™s compliance systems has become essential.
within the duty of care is the concept of reasonable inquiry. In other words,
directors should make inquiries to management to obtain information necessary
to satisfy their duty of care. Although in the Caremark
also discussed later in this educational resource, the court found that the
Caremark board did not breach its fiduciary duty, the courtâ€™s opinion also
stated the following: “[A] directorâ€™s obligation includes a duty to
attempt in good faith to assure that a corporate information and reporting
system, which the Board concludes is adequate, exists, and that failure to do
so under some circumstances, may, in theory at least, render a director liable
for losses caused by non-compliance with applicable legal standards.”
Clearly, the organization may be at risk and directors, under extreme
circumstances, also may be at risk if they fail to reasonably oversee the
organizationâ€™s compliance program or act as mere passive recipients of
the other hand, courts traditionally have been loath to second-guess Boards of
Directors that have followed a careful and thoughtful process in their
deliberations, even where ultimate outcomes for the corporation have been
negative. Similarly, courts have consistently upheld the distinction between
the duties of Boards of Directors and the duties of management. The
responsibility of directors is to provide oversight, not manage day-to-day
affairs. It is the process the Board follows in establishing that it had
access to sufficient information and that it has asked appropriate questions
that is most critical to meeting its duty of care.
guide then detailed the description of “Due
Care”. They gave:
of Care [due care]
the principal fiduciary obligations/duties owed by directors to their
corporations, the one duty specifically implicated by corporate compliance
programs is the duty
the name implies, the duty
of care refers
to the obligation of corporate directors to exercise the proper amount of care
in their decision-making process. State statutes that create the duty of care
and court cases that interpret it usually are identical for both for-profit
and non-profit corporations.
most states, duty of care involves determining whether the directors acted (1)
in “good faith,” (2) with that level of care that an ordinarily prudent
person would exercise in like circumstances, and (3) in a manner that they
reasonably believe is in the best interest of the corporation. In analyzing
whether directors have complied with this duty, it is necessary to address
each of these elements separately.
“good faith” analysis usually focuses upon whether the matter or
transaction at hand involves any improper financial benefit to an individual,
and/or whether any intent exists to take advantage of the corporation (a
corollary to the duty of loyalty). The “reasonable inquiry” test asks
whether the directors conducted the appropriate level of due diligence to
allow them to make an informed decision. In other words, directors must be
aware of what is going on about them in the corporate business and must in
appropriate circumstances make such reasonable inquiry, as would an ordinarily
prudent person under similar circumstances. And, finally, directors are
obligated to act in a manner that they reasonably believe to be in the best
interests of the corporation. This normally relates to the directorsâ€™ state
of mind with respect to the issues at hand.
considering directorsâ€™ fiduciary obligations, it is important to recognize
that the appropriate standard of care is not “perfection.” Directors are not
to know every-thing about a topic they are asked to consider. They may, where
justified, rely on the advice of management and of outside advisors.
many courts apply the “business judgment rule” to determine whether a
directorâ€™s duty of care has been met with respect to corporate decisions.
The rule provides, in essence, that a director will not be held liable for a
decision made in good faith, where the director is disinterested, reasonably
informed under the circumstances, and rationally believes the decision to be
in the best interest of the corporation.
obligations with respect to the duty of care arise in two distinct contexts:
are many other references to the application of due care in regard to assuring
the assets of the company are preserved.
A standard guide for the certified information systems security
professional examination (CISSP) by Mike Meyers states:
management are the final data owners, meaning they have the ultimate
responsibility over the companyâ€™s assets, including data.
If management does not implement the correct security measures, they
are not practicing due care. Due care is a legal term meaning that a person or company
should take reasonable measures to protect itself and to not harm others.
If management does not practice this concept, they can be held liable
for damages that take place that could have been prevented or mitigated if
they would have taken the necessary steps.”
company, regardless of its industry, is expected to exercise due care, meaning
that they are to implement and maintain security mechanisms and practices that
protect the company, its employees, customers, and partners.”
laws have dictated that the board of trustees and senior management can be
held liable for security breaches and security faults within a company.”
are several pieces of US legislation and regulatory agencies that require
organizations to take appropriate care in safeguarding their information.
1997, the Federal Sentencing Guidelines were extended to apply to computer
crime. Under these guidelines, senior corporate officers can be personally
subject up to $290 million in fines if their organizations do not comply with
has the obligation to protect the organization from losses due to natural
disasters, code, violation of law. Management must follow the prudent man rule
that requires officers to perform duties with diligence and care that
ordinary, prudent people would exercise under similar circumstances.
The officers must exercise due care or reasonable care to carry out
Magazine also ran an article by Alison Bass in which she
interviewed Legal Expert Arthur Miller. Miller says “CIOs and corporate America also have to
protect people's privacy—or risk a jury's wrath”.
asked “What kind of legal consequences should CIOs be concerned about
as they build systems that capture personal data?”
“Every employer is required by law to provide a safe workplace for its
employees, and that extends to a safe informational workplace. Similarly, a
company and its CIO have to be concerned about a safe informational
environment for their customers because if calamity strikes and there were
things you could have done but didn't, some jury somewhere is going to smack
you across the snout with a two-by-four.”
Kolodzinski wrote on the subject of Information Security Risk Management.
He reports that Charles Le Grand, Director of Technology Guidance at
The Institute for Internal Auditors, says: "The auditing profession is
under increasing pressure to provide assurance not only about the reliability
of information, but also the security and protection of critical
infrastructures on a global basis." He adds that, "although
business owners, investors, and regulators continue to be key clients of
audit services, the stakeholder role has expanded to include anyone else who
relies on an organization, its products and services, and the confidentiality
of private information in its possession."
writing is on the wall, and it is not graffiti.
Corporate officers and directors have the obligation to protect the
assets of their companies and will potentially face personal liability if they
do not act in a prudent manner to assure they have done what makes sense for
order to move forward into action, the security assessment consultant must ask
questions. The appendix contains
a listing of applicable questions. These will serve as a guideline in preparation for
interviewing clients. The outcome
of this process are action steps to appropriately secure the business to the
level that any prudent manager would consider.
to the success will be endorsement by the directors and the senior management
team. With these actions, their
exposure to personal liability will be minimized, and preservation of the
business and its ability to operate maximized to the level of risk acceptable
to the company.
on effective, efficient and continuous operations to achieve profitability.
Developing a risk-based security plan will lower the risk of business
interruption from physical or electronic events.
These protection measures involve issues of information
confidentiality, communication integrity and system availability.
executives and board of directors need a plan focusing on the essential
security concerns to lower the risk of business interruption.
A strategic, risk-based plan will ensure the company, employees,
customers and strategic business alliances are protected in the appropriate
rules and regulations. Management
teams and board of directors must demonstrate they have exercised “due
care” in the protection of business assets.
your company protected from business interruption?
is your “due care” score?
W. Ryan, “Why
Should Your Company Establish an Effective Corporate Compliance Program?”,
Partridge Snow & Hahn LLP, FindLaw
Sarah D. Scalet,
“See You in Court”, CIO Magazine, November, 2001.
4. “DWT Releases Comments
on OIG'S Issuance of Compliance Resource Guide for Corporate Boards”, Davis
Wright Tremaine LLP, FindLaw Library,
Responsibility and Corporate Compliance: A Resource for Health Care Boards of
OFFICE OF INSPECTOR GENERAL OF THE U.S.DEPARTMENT
OF HEALTH AND HUMAN SERVICES AND THE AMERICAN HEALTH LAWYERS ASSOCIATION,
Shon Harris, “Mike Meyersâ€™ Certification Passport”, Osborne
Privacy Warning”, CIO Magazine, November, 2001.
Oscar Kolodzinski, “Information Security Risk Management”,
Sentencing Guidelines Manuals and Amendments, United
States Sentencing Commission,
About the Author:
Dodson-Edgars founded Dodson-Edgars Associates in April, 2001. He has over 25 years in information
technology, including development and implementation of several major
technology plans. He is the former Chief Technology Officer for Multivision,
Inc, one of two national video clipping services with offices in New York, Los
Angeles, Chicago and San Francisco. Mr. Dodson-Edgars was brought on-board to
move the fulfillment channel from overnight messengers to video streaming over
Prior to joining
Multivision, Mr. Dodson-Edgars served as the Chief Technology Officer of
Fed2U.com, an Internet company created to devise and implement the strategy in
delivering the new federal government information portal E-commerce website.
This fast-track site was brought from inception to launch in four months,
integrating the content of a dozen Federal web sites with political news
feeds. The subscription-based business-to-business target market included
lobbyists, law firms, and organizations seeking to automate mining the
governmental data sources.
Before his work at
Fed2U.com, Mr. Dodson-Edgars spent 15 years at Boise Cascade, the $6 billion
forest products company. During his tenure at this company he served in a
variety of technology roles, including the top Web and computer technologist
for the company. His extensive background in computer programming and process
engineering lead to national award-winning software applications. He
pioneered the creation of Intranet and Extranet applications, which lead Boise
Cascade into receiving national recognition as the top manufacturing operation
poised to reap the harvest of true ERP.
While with Boise Cascade,
Mr. Dodson-Edgars also served as the chief technology officer and principal
investigator for DynaMetrix Corporation, a high-tech startup company
developing the commercialization of his patented technology under a Department
of Energy research grant.
After graduation, he spent
several years as a physicist at Naval Research Laboratories and with NASA at
Cal-Techâ€™s Jet Propulsion Laboratory. He has bachelorâ€™s degrees from the
University of California at Irvine, where he graduate magna-cum-laude in
mathematics and physics. Under a fellowship from the Naval Laboratory he
pursued Ph.D. studies in engineering at the University of California, Los
Visit the Authors Web Site
for The Business Forum Library of
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business