Director, Trustee, and Officer Liability for Information Security

Richard D. Marks, Davis Wright Tremaine LLP

Copyright Richard D. Marks 2003 All Rights Reserved

1. Introduction

1.1 Recent intense focus on corporate malfeasance is resulting in changes to corporate safeguards and related reporting requirements.

1.2 These quantum increases in corporate obligations parallel new government regulation of privacy and security issues at the federal and state level.

1.3 Legislators and government regulators increasingly view corporate electronic infrastructures as vital to the well-being of the corporation and its customers. Further, they view protecting electronic information systems as vital to the nation’s economic health and, indeed, to its security.

1.3.1 The USA Patriot Act, Pub. L. No. 107-56, 115 Stat. 272 (2001), shows Congress’s and the President’s determination to bolster substantially the legal protections for electronic infrastructure.

1.3.2 Creation of the National Infrastructure Protection Center (www.nipc.gov) is but one example of the practical steps that the federal government is taking to protect electronic infrastructure through more sophisticated and effective law enforcement techniques and resources.

1.4 In consequence, there is a new legal standard of care developing, one related specifically to corporations’ electronic infrastructures and the information they hold. This standard of care is enforceable both civilly and criminally, and it will probably be enforced against directors and officers, among others.

1.5 The initial impact of new legal standards of care for information security will fall on such regulated industries as financial services, health care, and transportation. However, the new standards will rapidly be applied to non-profit enterprises and to privately held businesses.

1.6 These new duties will soon demand greater time and attention from corporate boards in their oversight activities, and officers in their management of operations.

2. Corporate Obligations for Information Security under GLB

2.1 The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Pub. L. 106-102, 113 Stat. 1338, codified as amended in various sections of 12 U.S.C. and 15 U.S.C.) (“GLB”), as a concomitant to consumer (and “customer”) privacy protections, imposes significant security obligations on corporations offering financial services.

2.2 GLB, 15 U.S.C. § 6801 deals explicitly with security obligations for financial services:

§ 6801. Protection of non-public personal information

(a) Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a), each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards –

(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

2.3 GLB is enforced by seven federal “functional regulators” (FTC, SEC, Board of Governors of the Federal Reserve System, Board of the National Credit Union Administration, Office of the Comptroller of the Currency, FDIC, and Director of the Office of Thrift Supervision) and by state insurance regulatory authorities, based on the domicile of the insurance company. 15 U.S.C. § 6805.

2.4 Federal agency rules enforce these statutory requirements. For example, the applicable regulation from the SEC states:

§ 248.30 Procedures to safeguard customer records and information.

Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

These policies and procedures must be reasonably designed to: (a) Insure the security and confidentiality of customer records and information; (b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

2.5 The National Association of Insurance Commissioners (NAIC) has adopted the Standards for Safeguarding Customer Information Model Regulation, NAIC Model Laws, Regulations, and Guidelines (No. 673) (the “Model Safeguarding Regulation”), to implement GLB’s safeguarding requirements.

2.5.1 Purpose of NAIC Standards for Safeguarding:

This regulation establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b) and 6807.

2.5.2 Selected duties from NAIC Standards for Safeguarding:

A licensee's information security program shall be designed to: A. Ensure the security and confidentiality of customer information; B. Protect against any anticipated threats or hazards to the security or integrity of the information; and C. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

The licensee: A. Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems; B. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and C. Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.

The licensee: A. Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities; B. Trains staff, as appropriate, to implement the licensee's information security program; and C. Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

The licensee: A. Exercises appropriate due diligence in selecting its service providers; and B. Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

2.6 New York State has adopted a regulation implementing the NAIC model regulation, Standards for Safeguarding Customer Information, N.Y. State Insurance Dep’t. Reg. No. 173 (11 NYCRR 421), Feb. 7, 2002. It specifies in part:

This Part establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, pursuant to sections 501, 505(b), and 507, codified at 15 U.S.C. 6801, 6805(b) and 6807, of the Gramm-Leach-Bliley Act.

* * *

Section 421.2 Information security program.

Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

Section 421.3 Objectives of information security program.

A licensee's information security program shall be designed to: (a) Ensure the security and confidentiality of customer information; (b) Protect against any anticipated threats or hazards to the security or integrity of such information; and (c) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Under this regulation, the licensee is required to assess risk; manage and control risk; oversee service provider arrangements; and adjust its information security program as necessary in light of factors such as changes in technology, the sensitivity of customer information, the licensee’s own changing business arrangements, outsourcing arrangements, and external threats. Violation of the requirement to maintain a comprehensive information security program is an unfair method of competition or an unfair or deceptive act and practice in conducting an insurance business in New York (§ 421.9).

3. Corporate Obligations for Information Security under HIPAA

3.1 The “Administrative Simplification” title of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, enacted August 21, 1996, codified at 42 U.S.C. § 1320d, specifies a high standard for both security and privacy of “Individually Identifiable Health Information” in 42 U.S.C. § 1320d-2(d)(2):

Each person described in section 1320d-1(a) of this title (each “covered entity,”) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards – (A) to ensure the integrity and confidentiality of the information; (B) to protect against any reasonably anticipated – (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person.

3.2 By virtue of HIPAA’s rules for preemption of state law that is not more stringent than HIPAA, this standard becomes the standard of care in state law tort actions (e.g., for negligence, invasion of privacy, or breach of confidence in the patient-physician relationship).

3.3 Under 42 U.S.C. § 1320d-6, there are criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of the Administrative Simplification provisions, which include the standard in 42 U.S.C. § 1320d-2(d)(2) and its implementing regulations:

Wrongful disclosure of individually identifiable health information

(a) Offense. A person who knowingly and in violation of this part – (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section.

(b) Penalties. A person described in subsection (a) of this section shall – (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

3.4 HIPAA’s privacy rules, as amended, contain a “mini” security rule, 45 C.F.R. § 164.530(c):

(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2) Implementation specification: Safeguards.

(i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

4. Evolution of the Business Judgment Rule

4.1 The purpose of the business judgment rule is to protect corporate directors who make good-faith, informed decisions from liability in the event the decisions turn out to be ill-advised.

4.2 The business judgment rule is described variously as a presumption that corporate directors act in good faith in the best interests of the corporation; as a rule restraining courts from substituting their business judgments, made in hindsight, for the business judgments of corporate directors; or as a standard of judicial review for trial courts that are called upon to evaluate the consequences of corporate business decisions. See generally, H. Lowell Brown, The Corporate Director’s Compliance Oversight Responsibility in the Post Caremark Era, 26 Del. J. Corp. L. 1 (2001); Michael W. Peregrine, The Business Judgment Rule and Other Protections for the Conduct of Not-for-Profit Directors, 33 J. of Health Law 455 (2000).

4.3 The business judgment rule has been developed, among other sources, in a series of Delaware cases.

4.3.1 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125, 130 (Del. 1963) (directors have no duty affirmatively to seek out corporate employees’ wrongdoing: “[A]bsent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.”).

4.3.2 Smith v. Van Gorkom, 488 A.2d 858 (Del. 1985) (board decision must be “informed”).

4.3.3 In re Baxter International, Inc. Shareholders Litigation, 654 A.2d 1268 (Del. Ch. 1995) (permissible under Delaware Code for corporation to exempt directors from personal liability for breach of the duty of care, and plaintiff must then show bad faith, intentional misconduct, or knowing violation of law).

4.3.4 Kahn v. MSB Bancorp, Inc., 24 Del. J. Corp. L. 266, 1998 WL 409355 (Del. Ch.) (protection under the business judgment rule may be lost through gross negligence).

4.3.5 In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) (even though directors and officers may not be liable for wrongdoing that they have no reason to suspect, they have an affirmative duty to establish a compliance and reporting system).

4.4 The business judgment rule thus imposes on directors a duty to pay attention, in order to exercise informed judgment. Directors risk losing the rule’s protection if their decisions are (1) negligent or (2) unconsidered, where due attention would have prevented the loss. See Caremark at n.1. Often, the level of negligence required in business judgment rule analyses is that of gross negligence.

4.5 The business judgment rule is applied to non-profit corporations as well, by statute, case law, or both. See, e.g., Scheuer Family Foundation v. 61 Associates, 582 N.Y.S.2d 662, 179 A.D.2d 65 (1st Dep’t 1992) (business judgment rule protects good-faith decision of directors of not-for-profit corporation under Not-for-Profit Corporation Law § 717(a)).

4.6 The business judgment rule is applicable, and particularly suitable, for evaluating the conduct of directors in enterprises operating in regulated industries. See, e.g., In re Oxford Health Plans, Inc. Securities Litigation, 192 F.R.D. 111 (S.D.N.Y. 2000) (allegations of directors’ breach of duty, amounting to gross mismanagement and waste, not protected by business judgment rule; the duty reaches both the board’s affirmative misconduct and its nonfeasance, i.e., failure to discharge the board’s duty to supervise; motion to dismiss second count of complaint, based on failure to make pre-suit demand, denied).

5. The Business Judgment Rule and the Federal Criminal Sentencing Guidelines for Organizations

5.1 Under the Sentencing Reform Act of 1984, Pub. L. 98-473, Title II, § 212(a)(2) (1984), codified at 18 U.S.C. §§ 3331-4120, the U.S. Sentencing Commission promulgates federal criminal sentencing guidelines. (The guidelines are available at www.ussc.gov.)

5.2 Chapter 8 covers sentencing of organizations. To mitigate its sentence upon conviction, an organization must have had in place “an effective program to prevent and detect violations of law.” In summary, the elements of an effective program are:

5.2.1 Establish compliance standards;

5.2.2 Assign High-level personnel overall responsibility for the program;

5.2.3 Use due care not to delegate substantial discretionary authority to those with propensity for illegal activity;

5.2.4 Establish means of effectively communicating the program’s compliance standards;

5.2.5 Take reasonable steps to achieve compliance with standards;

5.2.6 Enforce the standards consistently through appropriate disciplinary mechanisms;

5.2.7 Take all reasonable steps to respond once an offense is detected (including preventing further similar offenses).

5.3 “[T]he ‘applicable industry practice or the standards called for by any applicable government regulation’ should assist an organization in determining how to implement an effective compliance program. Indeed, under the organizational guidelines, failure to follow industry practice or government regulations ‘weighs against a finding of an effective program to prevent and detect violations of law.’” Diana E. Murphy, The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics, 87 Iowa L. Rev. 697, 704 (2002) (footnotes omitted). (Judge Murphy, of the U.S. Court of Appeals for the Eighth Circuit, is Chair of the United States Sentencing Commission.)

5.4 As the business judgment rule has developed, it has changed specifically to embrace these elements of a compliance plan from the Federal Sentencing Guidelines. Caremark, 698 A.2d at 969-70:

Modernly, [the question of the extent of the board’s duty to monitor] has been given special importance by an increasing tendency, especially under federal law, to employ the criminal law to assure corporate compliance with external legal requirements. . . . In 1991, pursuant to the Sentencing Reform Act of 1984, the United States Sentencing Commission adopted Organizational Sentencing Guidelines which impact importantly on the prospective effect these sanctions might have on business corporations. The Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts. . . . Any rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers.

5.5 Reduced to essentials, the business judgment rule and the federal criminal sentencing guidelines require constant feedback loops to the board of directors (or similar governing body, however denominated). Each loop includes the board’s setting and communicating standards appropriate to the business (particularly if it is a regulated business), and then monitoring compliance and its enforcement. This effectuates the board’s duty to monitor.

6. Corporate Malfeasance, Sarbanes-Oxley, and Reporting on Vital Corporate Vulnerabilities

6.1 The Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002) imposes on publicly held corporations new duties that are based on, but transcend, financial reporting.

6.2 Section 404 of Sarbanes-Oxley requires the SEC to prescribe rules requiring annual reports to contain an “internal control report” that

6.2.1 States management’s responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and

6.2.2 Assesses the “effectiveness” of the internal control structure and procedures for financial reporting

6.3 Two predictable effects of Section 404 requirements

6.3.1 Internal controls for financial reporting will require assessment of the security of information systems and the associated business processes, in order to evaluate reserve and related requirements under GAAP.

6.3.1.1 The importance of a secure information infrastructure will be recognized as central to evaluating the operational capabilities, and hence the financial health, of business enterprises.

6.3.1.2 The critical nature of a secure infrastructure will deserve higher importance in proportion to the degree of hazard (the “threat environment”) that exists for the industry and for the particular business enterprise. In part, evaluation of the threat environment includes estimating both the likelihood of capable attacks and the practical and legal consequences of successful attacks.

6.3.2 The increased emphasis on internal controls will likely affect consideration of similar internal controls:

6.3.2.1 to implement security requirements in regulated industries (such as the financial and health care industries) for corporate compliance purposes

6.3.2.2 to measure the effectiveness of those controls for purposes of assessing potential liabilities under the regulated industry’s particular regulatory regime (e.g., GLB or HIPAA)

6.4 For publicly traded entities, these responsibilities are likely to devolve to a significant extent upon the audit committee. See Sarbanes-Oxley, §§ 204 (Auditor reports to audit committees), 301 (Public company audit committees).

6.5 The emphasis on internal controls generally, and on information systems in particular, will also affect non-publicly traded enterprises, with likely emphasis on large non-profit entities.

6.6 Section 409 requires publicly traded corporations to “disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.” (Emphasis supplied.)

6.7 Section 302 requires that a publicly traded corporation’s principal executive and chief financial officers sign a certification in each annual and quarterly report filed with the SEC. They are to certify that the statements contain no untrue statement of a material fact and do not omit to state a material fact that would make the report misleading. The certification covers the officers’ responsibility for maintaining internal controls “to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities . . . .”

6.7.1 The SEC’s rules implementing Section 302 explain that the certification covers more than financial information under GAAP:

The certification statement regarding fair presentation of financial statements and other financial information is not limited to a representation that the financial statements and other financial information have been presented in accordance with “generally accepted accounting principles” and is not otherwise limited by reference to generally accepted accounting principles. We believe that Congress intended this statement to provide assurances that the financial information disclosed in a report, viewed in its entirety, meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under generally accepted accounting principles.[55] In our view, a “fair presentation” of an issuer’s financial condition, results of operations and cash flows encompasses the selection of appropriate accounting policies, proper application of appropriate accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and the inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of an issuer’s financial condition, results of operations and cash flows.[56]

[55] Presenting financial information in conformity with generally accepted accounting principles may not necessarily satisfy obligations under the antifraud provisions of the federal securities laws. See United States v. Simon, 425 F.2d 796 (2d Cir. 1969). See also In re Caterpillar, Inc., Release No. 34-30532 (Mar. 31, 1992); Edison Schools, Inc., Release No. 34-45925 (May 14, 2002).

[56] See Exchange Act Rule 12b-20 and the case and proceedings referenced in n. 55 above.

Securities and Exchange Commission, Certification of Disclosure in Companies’ Quarterly and Annual Reports, 67 Fed. Reg. 57276 (Sept. 9, 2002) (Final Rule).

6.7.2 These federal reporting requirements relate to state law developments such as the new California law (SB 1386) requiring any business that conducts business in California to notify affected California residents of computer security breaches that expose those persons’ names in association with an identifying number (e.g., SSN, driver’s license number, or credit card number). Questions include:

6.7.2.1 Will companies doing business in California find it necessary to notify all customers, wherever located?

6.7.2.2 How does this change operations for banks and financial companies, which often do not publicize hacks?

7. Information Security and Enterprise Litigation Risk Management for Directors and Officers

7.1 Compliance duties in regulated industries are increasingly prescribed by federal statutes that, in turn, are reflected in regulatory schemes under state law. Both the federal and the state frameworks include enforcement through litigation, though private rights of action are more often found at the state, rather than the federal, level.

7.2 As a matter of risk management in general – and litigation risk management in particular – directors must assess this complex of obligations for the purpose of creating an effective program to detect and prevent violations of law.

7.3 To satisfy the requisites of the business judgment rule and the criminal sentencing guidelines, every compliance program for a publicly held or large non-profit enterprise in a regulated industry (such as financial services or health care) requires ongoing, effective monitoring by at least a committee of directors (probably the audit committee).

7.4 The confluence of these developments is creating an evolving and increasingly demanding standard of care. To satisfy that standard with an effective compliance plan for the enterprise’s information infrastructure, iterative corporate risk assessment and preplanned security countermeasures (a threat model and a response model) are essential.
