Simplify, prioritize, focus, get into action, and stop worrying about legal exposures
Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, by Charles Cresson Wood
- INCREASING LAWSUIT RISK: Lawsuits involving Directors’ & Officers’ personal liability are increasing at a rapid pace, and regulators at both the state and federal level have publicly stated that it is their intention to hold Directors & Officers personally liable for serious lapses in the information security and privacy area. For example, see former Securities and Exchange (SEC) Commissioner Luis A. Aguilar’s remarks, offered in 2014 during a speech entitled “Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus.” In addition, modern legislation like the Sarbanes-Oxley Act of 2002 requires that corporate officers make representations about the adequacy of internal controls (which of course includes information security and privacy controls). Information security and privacy matters are now so important that they can spell the downfall of major worldwide firms, as was the case with Arthur Andersen, the famous high-flying accounting firm, which had employees who destroyed information that was placed on a legal hold during the Enron hearings (Arthur Andersen went out of business as a result). Since it confirms that the Directors & Officers are presently “fully compliant,” this new book helps to markedly reduce the risk of being sued.
- INCREASING LAWSUIT SETTLEMENTS: The numbers related to information security and privacy lawsuit settlements continue to climb to astronomical levels. In 2019, Facebook settled a privacy case with the Federal Trade Commission for $5 billion, and the liability of CEO Mark Zuckerberg was a central bargaining issue in the settlement discussions. Meanwhile, stockholder derivative suits, alleging a breach of duties by Directors & Officers, have markedly increased in recent years. Many suits are settled for over $100 million (one 2012 example is the $2.43 billion settlement for the BofA/Merrill Lynch merger securities stockholder settlement brought against the firm as well as the Directors & Officers). Similarly, Equifax recently settled a private class-action lawsuit for a 2017 breach for $1.38 billion, after previously settling with the Federal Trade Commission for $425 million related to the same breach. See Steven Gladstone’s article entitled The Future of D&O Insurance, appearing in Risk Management (2004) for more examples. Since this new book shows that the Directors & Officers are presently “fully compliant,” the need to enter settlement talks is markedly reduced, and the amount of such settlements agreed upon (if any) is likewise probably markedly reduced.
- INCREASED REGULATOR INVOLVEMENT: Governments, including the European Union and the State of California, have decided that corporations are not doing enough these days, and they have enacted new legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Meanwhile every state has its own data breach notification laws, and the array of requirements to which all corporations must adhere has expanded markedly in the recent past. Indicating the new climate, in 2015, former US Department of Justice Deputy Attorney General Sally Yates issued an influential memo indicating that (a) individual executives were to be henceforth individually targeted at the onset of prosecution of corporate wrongdoing, (b) involved corporate entities would be deemed cooperative only if they designated the individuals involved, (c) there would be no entity fine settlements creating a “clear plan” preventing executive prosecution, and (d) Department of Justice staff should pursue civil charges against individuals regardless of their ability to pay. In in 2018 speech, Deputy Attorney General Rod Rosenstein reaffirmed much the same the intentions behind the “Yates Memo,” indicating that pursuing the individuals responsible for corporate wrongdoing remained a top priority in every investigation (particularly “senior management or the board of directors”). Since the process defined in this book confirms that the Directors & Officers are “fully compliant “with all of their material legal duties, the likelihood of regulator investigations and prosecutions is most likely markedly reduced if that process is performed.
- NO OTHER SOLUTION: The vast majority of risk assessment methods focus on operational and technical matters related to information security and privacy. At the present time, the new book described on this web site provides the only standardized process-based solution to determine whether or not Directors & Officers at a corporation are in “full compliance” with all their material legal duties in the area of information security and privacy. For an attorney at a law firm to research and write a comparable scripted process, with a comparable set of thousands of citations and references, would take at least 1,000 hours of billable time. Using a conservative billable rate of $250/hour, that puts the cost of developing a comparable scripted process, and researching the extensive current requirements of the law, close to, if not well beyond, $250,000. Even if your organization sought to develop its own solution, it would still take years to come up with such a solution, while if your organization uses this book, it can begin a Duties Audit as soon as the book is received. Furthermore, this paragraph only deals with the development of the process. Then there is the cost of following the process that has been developed. The cost of hiring a Lawyer Auditor to perform the Duties Audit process described in this book is only about $25,000, making it not only cost-effectively employed in many different circumstances, but also cost-effectively performed every year going forward in time. Thus, this new book provides the only commercially available method to expediently and definitively confirm that the Directors & Officers are “fully compliant” with all their material legal duties, in the domain of information security and privacy.
- DRAMATIC SIMPLIFICATION: The book described on this web site is approximately 1,100 pages long, but the result of a Duties Audit™ project (the Professional Opinion) is only one-page long. That Professional Opinion indicates whether or not the Directors & Officers at the auditee firm are now performing their legal duties, in all material respects, in the information security and privacy domain. Of course, if a Management Letter, indicating the remedial actions that are needed to come into full compliance is warranted, that will be several additional pages. But the material presented to the Directors & Officers, whether delivered in these reports or during the optional presentation at the end of a Duties Audit, is direct, actionable, responsive only to their legal duties, and specific about what they must now do if they have not been shown to be “fully compliant.” Through the express delegation process defined in this book (to a designated Project Manager), through the outsourcing of the technical work to an independent attorney (the Lawyer Auditor), and through the use of the scripted process and extensive reference material in this book, a Duties Audit can be cost-effectively accomplished in several weeks. The explicitly scripted nature of the process defined in this book allows the hand-off to other parties with both prudence and confidence.
REMOTE WORKING: To lower costs, expedite the work, expand the pool of attorneys who could be retained, and protect the health of the involved persons, a Duties Audit project can be performed entirely remotely using commercially available tools. These tools include virtual data rooms (VDRs), virtual private networks (VPNs), data loss protection (DLP) systems, digital rights management (DRM) systems, data media sanitization software, on-line conferencing facilities with communications encryption, and email with encrypted file attachments. Details about these tools and related control measures are included with the extensive project management suggestions found within this two-volume book.
- IMMEDIATE DEPLOYMENT: The book provides everything that a corporation needs to immediately get into action. The material provided includes already-written material like a draft memo to solicit the participation of internal interviewees, a draft memo to appoint the Project Manager, a draft letter to solicit engagement proposals from Lawyer Auditors, standard words for Professional Opinion letters, and a draft mock-up of a Management Letter (indicating the remedial actions that are now required). Other explicit instructions address a wide variety of considerations such as how to make sure that only properly licensed attorneys are used for the Duties Audit engagement, and how to maintain attorney-client privilege. The explicit details in this book take the guess work out of the process and allow it to move ahead with velocity. For example, the book contains explicit definitions of what types of information must go into the Lawyer Auditor’s working papers, and explicit criteria for determining what constitutes “full compliance” (following existing published legal authorities). Given the serious risks that corporations now face, it is very important that all major corporations get into action right away, with an activity like the Duties Audit, and the turn-key scripted process found in this book is designed to enable these firms to do just that.
- STANDARDIZED PROCESS: The Duties Audit process is scripted, turn-key, and standardized so that the same result will be generated no matter who the Lawyer Auditor may be performing the engagement (of course, as is the case with independent financial auditing, some degree of professional judgment is also involved). This standardized Duties Audit process allows comparability of Professional Opinions across the years, so that firms can establish credible independent evidence of “full compliance” every year in a sequence of years. This in turn allows the creation of a new type of corporate reputation, as a good corporate citizen, a reputation that can be fruitfully leveraged for marketing and public relations purposes. The book includes a method, called the Institutionalized Duties Audit process, whereby “fully compliant” Professional Opinions can realistically be generated year-after-year, like clockwork, reliably, and predictably. That in turn can give auditee firms a grounded confidence to use Duties Audit Professional Opinions in business contracts, advertising materials, public relations campaigns, government document filings, investor annual reports, and elsewhere.
- TRUST CREDENTIAL: The Duties Audit Professional Opinion is the new trust credential indicating the “tone at the top” (general ethical climate) at another organization. Because both corporate culture and corporate attitudes about compliance are set at the very top of the organization, a Duties Audit provides a litmus test indicating the entire organization’s attitude about information security and privacy. A series of “fully compliant” Duties Audit Professional Opinions, obtained over multiple years, form a good indicator that an organization has established a corporate culture of integrity and compliance. While Duties Audits do not measure the details or the corporation’s compliance with all of its own legal obligations (the focus is on the duties of Directors & Officers only), these projects do offer a previously-unavailable picture indicating whether another organization can be trusted with the sensitive, confidential, or private information that is disclosed to it. The generation of Duties Audits Professional Opinions for the benefit of third party firms furthermore does not disclose anything about the internal control measures employed by the auditee firm, so it does not provide any specific information that could be used by industrial spies, disgruntled employees, politically-motivated hackers, and others. In fact, just the contrary is true—since a Duties Audit employs legal controls that are not involved in any other type of risk assessment, such as attorney-client privilege and attorney work product protection, this type of project protects the information examined more vigorously than other types of risk assessment.
- COMPELLING INCENTIVES: Since the Duties Audit process provides an explicit and standardized Professional Opinion as a result of every engagement, it can be used to enhance corporate governance systems, information technology governance systems, and governance risk and compliance (GRC) systems. These standardized Professional Opinions readily lend themselves to a variety of uses in contracts, such as the contingent renewal of a contract with a third-party business associate. This requirement for instance appears in the Health Insurance Portability and Accountability Act’s (HIPAA’s) requirements regarding the use of “business associates” for processing electronic private health information (aka ePHI). Formal recognition of such a “service level agreement” (SLA) involving annual Duties Audits in a contract, will in turn incentivize third-party firms to carefully and diligently deal with information security and privacy. The Duties Audit Professional Opinions can also naturally be used as the basis for awarding bonuses to corporate officers, stockholders voting board members off the board, issuing Directors’ & Officers’ liability insurance, and/or making a variety of other important decisions.
- ADMISSIBLE EVIDENCE: While the Lawyer Auditor’s client during a Duties Audit engagement is always the auditee firm, and behind that the stockholders, the Professional Opinion, and a related Management Letter showing remedial actions that are necessary (if the latter is warranted), also benefit a wide variety of third parties including employees, business partners, customers, creditors, and the general public. Another positive side-benefit of performing Duties Audits is that these projects additionally benefit Directors & Officers personally; since these projects help make sure that this group is diligently attending to all of its material legal duties, the resulting reports help protect the Directors & Officers against legal troubles (regulatory, criminal, and civil). The Duties Audit process generates credible evidence that could be used in a trial or settlement discussions (the Lawyer Auditor’s working papers must be prepared in a manner consistent with the Federal Rules of Evidence), and this may be of use to the auditee firm as well as to the Directors & Officers (indeed many lawsuits these days make “joint and several liability” claims). In spite of the fact that Directors & Officers may benefit personally, the Lawyer Auditor is never an attorney to the Directors & Officers, because such an arrangement would create a conflict of interest for the Lawyer Auditor.