I’m going to step outside my comfort and knowledge zone this week, and practice being an armchair lawyer. While we continue to watch the details around LinkedIn and eHarmony, a new trend is starting to show up in the news coverage. As companies reveal the extent of their breaches, news articles are starting to question organizational structures that don’t have CIO or CISO roles at the executive level. For LinkedIn, this appeared in two places, ZDNet and InfoRisk Today, within days of the announcement of the breach. I believe this trend speaks to evolving public expectations about how executives and boards are accountable for building a system of proactive security into the fabric of the organizational structure.
Historically, these org chart questions come up in the media weeks to months after the announcement of the breach (examples include Sony, RSA, etc.), and so they may not be part of the high-traffic news cycle that naturally occurs for a short period after the initial breach announcement. The fact that the recent articles appeared much closer to the original breach announcement, when more people are still tuned in and paying attention, seems likely to raise visibility exponentially: companies that are breached and don’t have these roles will receive less than stellar public reviews for their preparedness.
Why does this impact corporate directors? Because a growing body of Delaware law, built up through Delaware precedents, specifies that directors have a duty to “act in the face of a known duty to act”.
Why base this on Delaware law? Delaware’s Why Corporations material states:
“Of the corporations that make up the Fortune 500, more than one-half are incorporated in Delaware.” From a legal perspective, it goes on to say that “Delaware General Corporation Law is one of the most advanced and flexible corporation statutes in the nation. It includes the Delaware courts and, in particular, Delaware’s highly respected corporations court, the Court of Chancery.”
To make this accessible, it relates the anecdote:
“A law school professor friend of mine was once asked about the merits of creating a national corporation law. He replied: “We already have a national corporation law. It’s called the Delaware corporation law.” He meant, of course, not just the statute but the case by case development of a common law of corporations that is widely accepted as American corporation law.”
If we accept that much of US corporate law is refined through Delaware decisions, then we come to the Caremark decision and its growing influence on later decisions. Caremark started changing the rules of the game by which directors can be held accountable, and that shift has continued to play out in the Delaware courts, in such cases as In re Walt Disney Co. Derivative Litigation and Stone v. Ritter.
Today, the existing law means:
Directors who implement reasonable information systems and continue to monitor such systems can help to insulate themselves from liability. As we have iterated in the past, such practices include:
- Reading all the materials given to them by management
- Reviewing public disclosures, filings and releases
- Reading analysts’ reports
- If necessary, asking management for additional information in order to have a better understanding of the company’s business and the risks it faces; and
- Ensuring that the board’s audit committee communicates on a regular and periodic basis with the company’s outside auditors outside the presence of company management.
Here’s where I take my leap into speculation. When we talk about reasonable information systems, if every breach article is followed by an analysis implying that the existence of a CISO role would have potentially mitigated the situation, at some point it is entirely possible that a court of law, probably in Delaware, will decide that a prerequisite of a reasonable information system is the existence of a CISO reporting directly to the board. The assumption underlying the news articles’ incredulity at the lack of a CISO could be interpreted to mean that the mere existence of a CISO is expected to make the board more likely to get timely, meaningful data that helps create a solid understanding of the InfoSec risks an organization faces. This is an opportunity to review whether your CISO is providing your board that context, and, if you don’t have a CISO, whether you need one soon.
What do you think? Am I premature? Overly paranoid? I’d love to hear from you. @STurnerRice