DUE CARE IN SECURITY MANAGEMENT
Author: Darryl Dodson-Edgars
General Introduction
This white paper gathers a number of references that address the general concept of executive obligations and liabilities in the context of security of the underlying business systems and other information-based corporate assets. The information below is presented with extracts and quotations from reputable sources that discuss the general subject of “Due Care”.
My research corroborates the statements quoted below about the scant information available describing actual lawsuits. The reasoning behind this has its roots in public image and the potential harm that comes with publicity about security violations. Cases are quietly settled out of court to minimize the risk of adversely influencing shareholder and general public impressions of the company.
Despite the paucity of evidence, there is wide agreement regarding the obligations and liabilities of senior management and directors in fulfilling their fiduciary responsibilities.
Opportunity
Business is deeply dependent on the systems in place that support the processing and distribution of information and financial transactions. This takes many forms today, both internal and external in reach. Securing the assets of the company is the responsibility of the executive management team and the directors. Violations of security can take many different forms, typically based upon the nature of the associated threat. These violations can culminate in either civil or criminal offenses.
Companies with an effective compliance program have the opportunity to greatly reduce penalties for violations of almost all federal statutes[1]. Companies are expected to exercise due diligence and be innovative in designing and implementing their own security programs. The United States Sentencing Commission adopted a set of Sentencing Guidelines in 1991 applicable to all organizational defendants in criminal cases.
While the Sentencing Guidelines apply to all corporations, the larger the organization the more formal the program should be and the greater the penalty for failure to comply. Much more is expected of a large publicly traded corporation than of a small business.
The court held that a director's obligations include a duty to assure that a corporate information and reporting system exists. The failure to do so could render a director personally liable to shareholders for losses caused by non-compliance with applicable legal standards.[2]
Lawsuits Looming
In a recent article, “See You in Court” in CIO Magazine[3], the author said “…To hear some people tell it, corporate liability for failed information security is the coming apocalypse. Several experts predict a flurry of personal injury lawsuits filed by customers whose personal information has been disclosed, corporate lawsuits based on damage caused by security breaches at business partners and class-action lawsuits filed on behalf of irate stockholders.”
The author then quoted Ed M. McPherson III, Atlanta-based director of PricewaterhouseCoopers, from a recent meeting of a group assembled in New York City to learn about cybercrime's impact on shareholder value. McPherson said, "It's going to be the next asbestos."
Security vendors are banking on it. For instance, Redwood, California-based Recourse Technologies worked with Daniel Langin, a defense attorney for several early Internet cases, to explore whether corporate officers could be held personally liable for information security breaches. His conclusion? “You bet. It takes one clear bellwether case to say you have this liability, before officers and directors wake up.”
As of 2001, CIO Magazine had not found any such liability lawsuits. However, several sources indicated that third-party damages are being quietly settled out of court. As a rule, it's cheaper for companies to make confidential settlements than to defend themselves. It also helps avoid publicity that might give stockholders and customers pause.
Davis Wright Tremaine LLP made reference[4] to a document assembled for guidance to Directors of Boards regarding compliance issues. While this document[5] is aimed at the health care field, the guidance is applicable across most business sectors. This guide outlines the Fiduciary Responsibilities in a very clear manner. It states:
Fiduciary Responsibilities
The fiduciary duties of directors reflect the expectation of corporate stakeholders regarding oversight of corporate affairs. The basic fiduciary duty of care principle, which requires a director to act in good faith with the care an ordinarily prudent person would exercise under similar circumstances, is being tested in the current corporate climate. Personal liability for directors, including removal, civil damages, and tax liability, as well as damage to reputation, appears not so far from reality as once widely believed. Accordingly, a basic understanding of the director’s fiduciary obligations and how the duty of care may be exercised in overseeing the company’s compliance systems has become essential.
Embedded within the duty of care is the concept of reasonable inquiry. In other words, directors should make inquiries to management to obtain information necessary to satisfy their duty of care. Although in the Caremark case, also discussed later in this educational resource, the court found that the Caremark board did not breach its fiduciary duty, the court’s opinion also stated the following: “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the Board concludes is adequate, exists, and that failure to do so under some circumstances, may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” Clearly, the organization may be at risk and directors, under extreme circumstances, also may be at risk if they fail to reasonably oversee the organization’s compliance program or act as mere passive recipients of information.
On the other hand, courts traditionally have been loath to second-guess Boards of Directors that have followed a careful and thoughtful process in their deliberations, even where ultimate outcomes for the corporation have been negative. Similarly, courts have consistently upheld the distinction between the duties of Boards of Directors and the duties of management. The responsibility of directors is to provide oversight, not manage day-to-day affairs. It is the process the Board follows in establishing that it had access to sufficient information and that it has asked appropriate questions that is most critical to meeting its duty of care.
This guide then details “Due Care”, giving the following description:
Duty of Care [due care]
Of the principal fiduciary obligations/duties owed by directors to their corporations, the one duty specifically implicated by corporate compliance programs is the duty of care.
As the name implies, the duty of care refers to the obligation of corporate directors to exercise the proper amount of care in their decision-making process. State statutes that create the duty of care and court cases that interpret it usually are identical for both for-profit and non-profit corporations.
In most states, duty of care involves determining whether the directors acted (1) in “good faith,” (2) with that level of care that an ordinarily prudent person would exercise in like circumstances, and (3) in a manner that they reasonably believe is in the best interest of the corporation. In analyzing whether directors have complied with this duty, it is necessary to address each of these elements separately.
The “good faith” analysis usually focuses upon whether the matter or transaction at hand involves any improper financial benefit to an individual, and/or whether any intent exists to take advantage of the corporation (a corollary to the duty of loyalty). The “reasonable inquiry” test asks whether the directors conducted the appropriate level of due diligence to allow them to make an informed decision. In other words, directors must be aware of what is going on about them in the corporate business and must in appropriate circumstances make such reasonable inquiry, as would an ordinarily prudent person under similar circumstances. And, finally, directors are obligated to act in a manner that they reasonably believe to be in the best interests of the corporation. This normally relates to the directors’ state of mind with respect to the issues at hand.
In considering directors’ fiduciary obligations, it is important to recognize that the appropriate standard of care is not “perfection.” Directors are not required to know everything about a topic they are asked to consider. They may, where justified, rely on the advice of management and of outside advisors.
Furthermore, many courts apply the “business judgment rule” to determine whether a director’s duty of care has been met with respect to corporate decisions. The rule provides, in essence, that a director will not be held liable for a decision made in good faith, where the director is disinterested, reasonably informed under the circumstances, and rationally believes the decision to be in the best interest of the corporation.
Director obligations with respect to the duty of care arise in two distinct contexts:
There are many other references to the application of due care in regard to assuring that the assets of the company are preserved. A standard guide for the certified information systems security professional examination (CISSP) by Mike Meyers[6] states:
“...Senior management are the final data owners, meaning they have the ultimate responsibility over the company’s assets, including data. If management does not implement the correct security measures, they are not practicing due care. Due care is a legal term meaning that a person or company should take reasonable measures to protect itself and to not harm others. If management does not practice this concept, they can be held liable for damages that take place that could have been prevented or mitigated if they would have taken the necessary steps.”
“…Any company, regardless of its industry, is expected to exercise due care, meaning that they are to implement and maintain security mechanisms and practices that protect the company, its employees, customers, and partners.”
“…Many laws have dictated that the board of trustees and senior management can be held liable for security breaches and security faults within a company.”
There are several pieces of US legislation and regulatory agencies that require organizations to take appropriate care in safeguarding their information. These include:
In 1997, the Federal Sentencing Guidelines were extended to apply to computer crime. Under these guidelines, senior corporate officers can be personally subject to up to $290 million in fines if their organizations do not comply with the law.
Management has the obligation to protect the organization from losses due to natural disasters, code, and violation of law. Management must follow the prudent man rule, which requires officers to perform their duties with the diligence and care that ordinary, prudent people would exercise under similar circumstances. The officers must exercise due care or reasonable care to carry out their responsibilities.
CIO Magazine also ran an article by Alison Bass[7] in which she interviewed legal expert Arthur Miller. Miller says “CIOs and corporate America also have to protect people's privacy—or risk a jury's wrath”.
When asked “What kind of legal consequences should CIOs be concerned about as they build systems that capture personal data?”, Miller replied: “Every employer is required by law to provide a safe workplace for its employees, and that extends to a safe informational workplace. Similarly, a company and its CIO have to be concerned about a safe informational environment for their customers because if calamity strikes and there were things you could have done but didn't, some jury somewhere is going to smack you across the snout with a two-by-four.”
Oscar Kolodzinski wrote on the subject of Information Security Risk Management[8]. He reports that Charles Le Grand, Director of Technology Guidance at The Institute for Internal Auditors, says: "The auditing profession is under increasing pressure to provide assurance not only about the reliability of information, but also the security and protection of critical infrastructures on a global basis." He adds that, "although business owners, investors, and regulators continue to be key clients of audit services, the stakeholder role has expanded to include anyone else who relies on an organization, its products and services, and the confidentiality of private information in its possession."
Summary
The writing is on the wall, and it is not graffiti. Corporate officers and directors have the obligation to protect the assets of their companies and will potentially face personal liability if they do not act in a prudent manner to assure they have done what makes sense for their business.
In order to move forward into action, the security assessment consultant must ask questions. The appendix contains a listing of applicable questions; these serve as a guideline in preparation for interviewing clients. The outcome of this process is a set of action steps to secure the business to the level that any prudent manager would consider appropriate.
Key to success will be endorsement by the directors and the senior management team. With these actions, their exposure to personal liability will be minimized, and preservation of the business and its ability to operate maximized to the level of risk acceptable to the company.
Business depends on effective, efficient and continuous operations to achieve profitability. Developing a risk-based security plan will lower the risk of business interruption from physical or electronic events. These protection measures involve issues of information confidentiality, communication integrity and system availability.
Prudent executives and boards of directors need a plan focusing on the essential security concerns to lower the risk of business interruption. A strategic, risk-based plan will ensure the company, employees, customers and strategic business alliances are protected in the appropriate manner.
Under new rules and regulations, management teams and boards of directors must demonstrate that they have exercised “due care” in the protection of business assets.
Is your company protected from business interruption? What is your “due care” score?
References:
1. James W. Ryan, “Why Should Your Company Establish an Effective Corporate Compliance Program?”, Partridge Snow & Hahn LLP, FindLaw Library.
2. As above.
3. Sarah D. Scalet, “See You in Court”, CIO Magazine, November 2001.
4. “DWT Releases Comments on OIG's Issuance of Compliance Resource Guide for Corporate Boards”, Davis Wright Tremaine LLP, FindLaw Library.
5. “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors”, The Office of Inspector General of the U.S. Department of Health and Human Services and the American Health Lawyers Association, 4/3/03.
6. Shon Harris, “Mike Meyers’ Certification Passport”, Osborne Press, 2002.
7. Alison Bass, “Miller’s Privacy Warning”, CIO Magazine, November 2001.
8. Oscar Kolodzinski, “Information Security Risk Management”.
Federal Sentencing Guidelines Manuals and Amendments, United States Sentencing Commission.
About the Author:
Mr. Dodson-Edgars founded Dodson-Edgars Associates in April 2001. He has over 25 years in information technology, including development and implementation of several major technology plans. He is the former Chief Technology Officer for Multivision, Inc, one of two national video clipping services with offices in New York, Los Angeles, Chicago and San Francisco. Mr. Dodson-Edgars was brought on board to move the fulfillment channel from overnight messengers to video streaming over the Internet.
Prior to joining Multivision, Mr. Dodson-Edgars served as the Chief Technology Officer of Fed2U.com, an Internet company created to devise and implement the strategy for delivering the new federal government information portal E-commerce website. This fast-track site was brought from inception to launch in four months, integrating the content of a dozen Federal web sites with political news feeds. The subscription-based business-to-business target market included lobbyists, law firms, and organizations seeking to automate mining the governmental data sources.
Before his work at Fed2U.com, Mr. Dodson-Edgars spent 15 years at Boise Cascade, the $6 billion forest products company. During his tenure at this company he served in a variety of technology roles, including the top Web and computer technologist for the company. His extensive background in computer programming and process engineering led to national award-winning software applications. He pioneered the creation of Intranet and Extranet applications, which led Boise Cascade to receive national recognition as the top manufacturing operation poised to reap the harvest of true ERP.
While with Boise Cascade, Mr. Dodson-Edgars also served as the chief technology officer and principal investigator for DynaMetrix Corporation, a high-tech startup company developing the commercialization of his patented technology under a Department of Energy research grant.
After graduation, he spent several years as a physicist at Naval Research Laboratories and with NASA at Cal-Tech’s Jet Propulsion Laboratory. He has bachelor’s degrees from the University of California at Irvine, where he graduated magna cum laude in mathematics and physics. Under a fellowship from the Naval Laboratory he pursued Ph.D. studies in engineering at the University of California, Los Angeles.