Get Directors & Officers personally engaged
with information security and privacy efforts
Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, by Charles Cresson Wood
Legal Defenses Created
POSITIVE SIDE-BENEFIT: The sole client of the Lawyer Auditor, the attorney performing the Duties Audit™ process, is always the auditee firm. A notable side-benefit of performing a Duties Audit is that it creates, or further supports, a number of legal defenses (against both civil claims and criminal charges) for the Directors & Officers at the auditee firm and for the auditee firm itself.
DEFENSE #1: These defenses include the business judgment rule. In its general formulation, this defense requires that the Directors & Officers acted in good faith, with the care that an ordinarily prudent person in a like position would exercise under the circumstances, and in a manner that they reasonably believed to be in the best interests of the corporation. Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984). A Duties Audit helps support the business judgment rule because it provides an independent expert’s advice about the reasonable and appropriate course of action that is in the best interests of the corporation, delivered in a form designed to be admissible in court.
DEFENSE #2: These possible legal defenses also include acting on the advice of counsel. In its general formulation, this defense requires that, before taking action, the Directors & Officers in good faith sought the advice of an attorney whom they considered competent, for the purpose of securing advice on the lawfulness of their proposed conduct; made a full and accurate report to that attorney of all material facts of which they were aware; and then acted in strict accordance with the advice of the attorney to whom they had made that full report. United States v. Al-Shahin, 474 F.3d 941, 947 (7th Cir. 2007). A Duties Audit involves retaining a competent attorney to advise on the lawfulness of the conduct of the Directors & Officers, and that same attorney then reports to the Directors & Officers on the remedial actions that may now be needed.
DEFENSE #3: These possible legal defenses furthermore include the defense that the problem could not reasonably have been discovered in time for the Directors & Officers to act. In its general formulation, this defense requires that evidence of the need for remedial action could not have been discovered, within the time frame involved, even if the Directors & Officers had exercised reasonable diligence. Bedolla v. Logan & Frazer, 52 Cal. App. 3d 118 (1975). A Duties Audit gives the Directors & Officers specific instructions about the actions that are reasonable and appropriate in the particular situation of the auditee firm, and at the same time it retains an independent attorney to apply not merely reasonable diligence, but the most sophisticated diligence currently available, to investigate and document every material information security and privacy area where the Directors & Officers may be out of compliance with their legal duties. In addition, when combined with what this book calls the Institutionalized Duties Audit process, that advice from legal counsel is delivered annually, so that the auditee firm can demonstrably remain in a “fully compliant” state from year to year.
ORCHESTRATION OF ROLES: This new book provides everything needed to promptly start, and rapidly complete, a Duties Audit™ project, including:
- INITIAL PROMOTERS: Suggestions for initial promoters (aka process evangelists), so that they can quickly cost-justify and initiate a Duties Audit project, start a compelling conversation about the many ways this turn-key process can be inserted into existing business processes like a “black box,” and envision an internal process that will yield a “fully compliant” Professional Opinion predictably, reliably, and year after year,
- DIRECTORS & OFFICERS: Suggestions for Directors & Officers to help them promptly get such a project underway, delegate day-to-day decision-making to a project manager, and otherwise establish a new process that gives them annual assurance that information security and privacy are being handled in full accordance with the law, while they retain control over the major decisions (such as which third parties the Professional Opinion should be disclosed to) and while the demands on their time are minimized through delegation, clearly defined roles, explicit project constraints (such as the confidentiality controls needed to maintain attorney-client privilege), and checklists of specific tasks to be done,
- PROJECT MANAGERS: Suggestions for project managers, including a structured project management process suitable for every Duties Audit project, guidance for rapidly selecting the attorney who will perform the Duties Audit, already-written terms and conditions from which a contract with that attorney can be assembled, guidance for writing an information protection plan to maintain strict control over the information examined during the Duties Audit, guidance for preserving attorney-client privilege and the attorney work product doctrine, and guidance for managing the subsequent elective disclosure of the Professional Opinion to certain third parties,
- LAWYER AUDITORS: Required instructions for the attorneys who perform Duties Audits (aka Lawyer Auditors), including how to leverage the extensive checklists and many references included in the book (statutes such as state breach notification laws, regulations such as the Red Flags Rule for the detection and mitigation of identity theft, case law such as fiduciary duty obligations, foreign and supranational law such as the EU GDPR, etc.), how to identify additional legal requirements of the auditee firm, how to zero in on the specific legal duties of the Directors & Officers at a particular auditee firm, how to determine whether the evidence indicates that compliance exists, how to select the appropriate Professional Opinion, and mock-up forms for every possible Professional Opinion; also included is a variety of expediting material such as engagement rules, evidence evaluation rules, working paper preparation rules, and topic suggestions for an optional presentation to the Directors & Officers,
- LAWYER VALIDATORS: Required instructions for separate, independent attorneys (called Lawyer Validators) who evaluate the work of the attorney who performed a Duties Audit (the Lawyer Auditor), including the screening process that demonstrates the Lawyer Validator’s independence, the steps that must be performed to review the Lawyer Auditor’s work, and the permissible types of one-page Professional Opinion that may be issued (indicating whether the Lawyer Auditor’s work was performed in a manner consistent with prevailing attorney ethics codes and with the instructions in this book),
- LAWYER SUPERVISORS: Required instructions for supervising attorneys (called Lawyer Supervisors) who may optionally be involved in a Duties Audit project to supervise the work of the Lawyer Auditor; Lawyer Supervisors can be used to (a) bring a higher level of quality control to the work, (b) lend greater credibility to the conclusions reached (in very-high-visibility situations, such as after a large publicly disclosed breach), and (c) allow out-of-state attorneys with special expertise in information security and privacy to be properly licensed and employed to do Duties Audit work in any state of the Union, and
- INTERNAL REVIEWERS: Suggested instructions for a variety of non-attorneys (such as internal audit department managers and compliance department managers), allowing them to conduct a compliance review that leverages the extensive authoritative legal material in the book, and thereby to prepare the auditee firm for a future Duties Audit that will in turn yield a “fully compliant” Professional Opinion. The extensive guidance in this book can also be used informally by an in-house attorney (a Lawyer Reviewer), or by an internal or external systems developer working on another type of project, such as screening applicants for Directors’ & Officers’ liability insurance coverage (a Business Process Designer).