BOARD OVERSIGHT OF INFORMATION TECHNOLOGY,
DATA PRIVACY AND DATA SECURITY: THE NEW IMPERATIVE

As the opportunities and risks arising out of the use of information technology in modern business have expanded, so has the need for Board of Directors oversight. Yet many Boards are neither constituted nor focused properly to provide such oversight. This article explores why Boards need to provide greater oversight of information technology, data privacy and security, and provides practical suggestions on how they can do so.
The Impact on Corporate Governance of Information Technology's Changing Role
The role of information technology in business has changed dramatically over the past 50 years. In the late 1950's and early 1960's, companies used information technology primarily to automate manual processes. The vacuum tube and microchip displaced slide rules and double entry accounting ledgers. By the 1980's, businesses began using information technology to change their processes and structures, usually on a departmental or business unit basis. Electronic publishing displaced paste-up layouts and hot metal typesetting. Customers placed orders by electronic data interchange, rather than mailed forms. By the 1990's, companies were adopting complex software systems to fully integrate processes so that raw materials could be ordered, product manufactured, and financial results reported, all out of the same enterprise resource planning system. SAP, Oracle, JD Edwards, and PeopleSoft became household names. By the turn of the 21st century, companies began to use information technology to connect to and integrate with the outside world, to create a kind of virtual company.
Most of this change occurred with the stated goal of achieving efficiency. In this context, most companies limited Board oversight to ad hoc consideration of individual projects that were sufficiently large to require capital budget approval.
But information technology has now become what differentiates one enterprise and its products or services from others. When information technology provides a competitive advantage or becomes pervasive throughout the enterprise, it becomes the company. The company that fails to recognize and seize opportunities to apply information technology in new strategic ways dooms itself to a not-so-slow death. As information technology becomes the key to strategic enterprise differentiation, an ad hoc approach to Board oversight is no longer sufficient, if it ever was. As a strategic asset, information technology oversight now falls squarely within the Board's role of providing strategic vision and its role of providing a check on the CEO's own vision and plans.
A need for greater Board oversight also flows inexorably from the Board's fiduciary duty to preserve and protect the company's critical assets. Once, those assets consisted primarily of physical assets, such as plant and equipment, plus financial assets, such as bank accounts and receivables. Today the most important assets may well be electronic information, intellectual property, and the company's "brand" or reputation. These assets can be put at risk by loss of confidentiality, integrity, or availability.
Confidentiality means keeping the access, use, and dissemination of information controlled to the extent required by law, contract, or business need (such as the protection of trade secrets or business plans). Integrity means keeping data and systems reliable -- secure against modification by well-meaning but ill-informed employees, as well as against modification by competitors, viruses, hackers, or others who might want to maliciously alter data or take control of your systems to attack other networks. Availability means enabling data access for those who need it to do their jobs efficiently, effectively, and creatively, while preventing or defeating attacks that reduce the efficiency or availability of critical business systems, such as denial of service attacks against Websites or Web-accessible data, the introduction of viruses, Trojan horses, and other malware, and spam attacks.
Protecting these assets requires top down policy development and enterprise-wide implementation. Rules and procedures must be established for proper access to, and use of, information assets. These rules must be enforced and managers must be held accountable because failures are likely to cause harm.
Indeed, if not properly handled, information can also become a source of significant damage to an enterprise. There are three main types of information technology related risk. Regulatory risk arises from the aggressively expanding body of domestic and international laws and regulations that govern data collection, use, retention, security, and destruction. These include the Sarbanes-Oxley requirements for Board oversight of internal financial controls, the Health Insurance Portability and Accountability Act and state law equivalents for health care records, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act with its recent amendments, the Payment Card Industry rules for credit card transaction security, FTC rules governing data privacy and security on Websites, the EU Data Privacy Directive, Canada's PIPEDA and provincial laws creating general data privacy rights, and legislation in myriad other countries. State regulation of the use of Social Security numbers, driver's license numbers, telephone numbers, and all manner of other specific regulations create endless opportunities to collect, use, abuse, or dispose of information in ways that break the law. Data security breaches also create regulatory risks for public companies through unlawful disclosure of financial information, with resultant insider trading, stock manipulation, or antitrust violations. Non-compliance with regulatory schemes may result in orders prohibiting use of data or other practices, civil or criminal fines, imprisonment for managers and directors, or decades-long oversight by regulatory agencies.
One bad data breach can be devastating. ChoicePoint reportedly:
• Spent $2 million to notify consumers and $9 million on legal and consulting fees. See ZDNet News, 20 July 2005 (visited Mar. 30, 2007).
• Lost $15- $20 million in sales. See MSN, March 4, 2005 (visited Mar. 30, 2007).
• Paid the FTC a $10 million fine plus $5 million to compensate consumers for expenses.
• Must submit to external security audits every two years for the next 20 years. (See http://www.ftc.gov/choicepoint).
• Suffered a 22% stock price decline. See Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow, Gartner RAS Core Research Note G001427771 (Sept. 19, 2006), available at http://www.choicepoint.com/news/choicepoint_1996.pdf (visited Apr. 11, 2007).
Litigation risk also arises from inadequate data privacy and security practices. Data breaches have resulted in class action lawsuits from aggrieved data subjects, business partner claims for breach of contractual obligations, employee claims for harassment, discrimination, etc., and shareholder suits. Litigation risk also arises from the inability to locate and produce electronic information completely, accurately, and timely, under the new Federal Rules of Civil Procedure and emerging parallel state law guidelines.
Finally, inadequate data controls may create enterprise continuity risk. That is, loss of customer contracts and confidence, loss of trade secrets, inability to access or use important data, disruption of operations, loss of stock market valuation, and other data breach consequences may result in debilitating financial loss that destroys the company as a going concern.
The risks and threats from inadequate information technology and data security are real and significant. They go to the heart of the company's existence and success, and therefore demand careful attention from the Board of Directors, as well as senior management.
Board Structure for Information Technology Oversight
For most companies, it is unrealistic to ask the entire Board to provide in-depth oversight of information technology. Boards generally meet only four times per year. During this time they must address all the strategic and compliance issues set before them by management and the law. It is now common for public company Board meetings to last two days, with substantial pre-meeting preparation. Directors are reluctant to commit more time, and CEOs are reluctant to ask them to do so for fear of driving away qualified individuals. Boards increasingly are torn between the need to give greater time and detailed attention to more subjects, and the need to limit overall demands on directors. The use of a Board subcommittee to provide information technology oversight is the most promising solution.
Many companies choose to use the audit committee as the key oversight body for information technology. This makes sense to the extent that a company has used its audit committee to oversee Sarbanes-Oxley compliance, because that itself necessarily involves an information technology security component. But audit committees are often fundamentally ill-suited for information technology oversight. Their strength is in financial reporting and controls, a focus too limited to address the overall role and importance of information technology in the modern enterprise. Moreover, audit committees have traditionally involved interaction with the financial officers of the company, and have been populated by individuals with strong finance credentials. Information technology oversight, in contrast, requires interaction with the CIO or CTO and facility with different terminology and practices. Use of a specialized, qualified information technology subcommittee seems a better choice than reliance on the Board as a whole, or on the audit committee alone.
However, the best choice may be a combination of oversight by a specialized technology committee plus limited oversight by the audit committee. In this structure, the technology committee focuses on the strategic uses of technology in the business, while the audit committee reviews information technology policies and procedures as part of its overall audit process. This method, if properly coordinated, can also achieve cost and time savings by utilizing existing resources from internal and external audit functions for information security oversight.
One more reasonable option is including oversight of data privacy and security issues within the purview of an enterprise risk management committee. Boards increasingly are asked to provide oversight of risk management throughout the enterprise, including credit, regulatory, underwriting, operational, strategic, disaster, and human resources risks. Risk management committees are gaining adherents.
Frequency of Board Involvement with Information Technology
Boards need to focus on information technology matters more frequently and go into greater depth than in the past. When information technology played a less strategic role, oversight could rationally be limited to individual events or crises that demanded immediate attention. These might include planned events, such as implementation of an enterprise-wide technology change, an acquisition, merger, or major outsourcing, or unplanned events, such as a hurricane, a patent infringement suit, or a data security breach.
Today, however, Boards must review information technology issues on an ongoing basis as an integrated part of their strategic oversight function. Boards must consider the general impact of information technology on costs, operations, competitiveness, growth, and profitability. They must help management develop a strategic role for information technology, and then both assist management in implementing the vision and hold it accountable for doing so. This can only come about if in-depth information technology discussions are integral to the Board's role, and if a subcommittee or delegate gives substantially greater attention to these issues between Board meetings.
The Board's consideration of information technology issues must include regular attention to data privacy and security. Management should report on the state of information security at each meeting. The Board should include data security in its regular risk management decisions.
Board Membership and Education
Proper Board or committee membership is also important to achieve effective oversight. An oversight committee composed of individuals who are not comfortable with information technology will not do. But getting the right individuals to serve will be difficult. Board members are selected for many reasons - strategic business vision, experience with particular industries, chemistry with the CEO, etc. Often these individuals are of an age or experience that does not involve either hands on or strategic involvement with information technology. Board members with that level and type of experience, as well as all the other qualifications, are rare.
Management plays an important role in assuring that directors have the requisite information technology knowledge. Management should teach Boards how information technology events or crises could affect the company's overall performance. Directors need to know from the CEO or CIO how they see information technology contributing to strategic goals. This level of knowledge can be imparted by making information technology a regular subject of Board oversight and providing frequent interaction between the CIO and the Board.
Board Oversight of Information Technology Managers
Boards have always played a role in selecting or removing senior executive and financial management. They know how to assess a CEO's or CFO's performance, because they usually have similar backgrounds and speak the same language. But this is not often the case with information technology management. Directors express high levels of frustration over the quality of communication with company CIOs and CTOs. Technology managers often speak in technical terms and focus on individual projects, rather than the strategic issues of the Board's concern. This makes it difficult for Directors to oversee performance and also to assess whether the company has the right individuals as senior technology managers. Boards without the requisite knowledge of technology matters may need to enlist a consultant to evaluate whether the right people are managing technology for the company.
Whatever information technology governance structure is adopted, the Board must identify the company's information technology and security leaders and make sure that their responsibilities are expressly defined. The Board must also be sure that the roles of internal and external auditors are clearly articulated, and that all personnel with information technology and security functions are held accountable.
Asking the Right Questions
To effectively oversee information technology and data security, the Board must ask the right questions. The specific questions will, of course, depend upon many factors, including the nature of the company's business, its immediate plans, and its strategic vision. But at the highest level, most Boards should be asking at least the following questions for information technology projects:
• What is the business objective this information technology project is designed to meet? How is the technology going to further that objective?
• What are the underlying assumptions about how this information technology project will produce cost savings, improve business processes, or achieve strategic goals?
• What is the confidence level that the company will actually achieve these goals by implementing the technology?
• What is the cost of the project? What are the assumptions underlying this cost projection, and what is our confidence level in the projected cost?
• Has management considered alternative approaches or technologies? Why were those rejected?
• What are the benchmarks or best practices in this area?
• How does management define success for the project?
• How will success be measured?
For data privacy and security:
• To what extent is senior management involved in data security issues?
• Is management confident that it is aware of the latest data security threats and is implementing the best available technical and procedural solutions?
• Has responsibility for data security been clearly assigned?
• Have the company's data assets been attacked? Were the attacks successful?
• Are data privacy and security considered an integral part of all new business processes?
• Has the company identified and complied with all applicable regulatory and contractual obligations for data privacy and security?
• Has the company assessed its data breach risks and established effective procedures for its operations and contractual requirements for business partners?
• What are the greatest data security risks faced by the company?
• Does the company have adequate insurance for data security risks?
• Are all existing and new employees trained to recognize data use limits, security threats, and how to respond to them?
• Has the company assessed its data practices to minimize the collection, use, and dissemination of potentially sensitive data to only that data which is required for each user's needs?
• Has the company reviewed its contractual obligations to protect data belonging to others and aligned its data handling and security practices with contractual obligations?
A Board's dedicated technology or audit committee will need to drill deeper into these inquiries and report back to the full Board.
Conclusion
Information technology has become critical to business success, and the source of potentially debilitating risks. As a result, Boards must give greater attention to information technology in general, and data privacy and security issues in particular. To be effective, Boards must have the right structure, membership, agendas and questions. These issues must be addressed on a comprehensive, systematic, and ongoing basis. Reliance on ad hoc oversight when critical issues arise is no longer a pathway to success.