Vol. 80, No. 8, August 2007
As the opportunities and risks arising out of the use of information technology in modern business have expanded, so has the need for board of directors' oversight. Yet many boards are neither constituted nor focused properly to provide such oversight. This article explores why boards need to provide greater oversight of information technology, data privacy, and security and provides practical suggestions on how they can do so.
The Changing Role of Information Technology Affects Corporate Governance
The role of information technology in business has changed dramatically over the past 50 years. In the late 1950s and early 1960s, companies used information technology primarily to automate manual processes. The vacuum tube and microchip displaced slide rules and double-entry accounting ledgers. By the 1980s, businesses began using information technology to fundamentally change their processes and structures, usually on a departmental or business unit basis. Electronic publishing displaced manual layouts and hot metal typesetting. Customers placed orders by electronic data interchange rather than by mailed forms. By the 1990s, companies were adopting complex software systems to fully integrate processes so that raw materials could be ordered, products manufactured, and financial results reported, all out of the same enterprise resource planning system. SAP, Oracle, JD Edwards, and PeopleSoft became household names within the business community. By the turn of the 21st century, companies began to use information technology to connect to and integrate with the outside world and thereby create a kind of virtual company.
Mark F. Foley, Michigan 1981, is a partner at Foley & Lardner LLP, Milwaukee, in the litigation and information technology practice groups.
Most of this change occurred with the stated goal of achieving efficiency. In this context, most companies limited board oversight to ad hoc consideration of individual projects that were sufficiently large to require capital budget approval.
But information technology is now often what differentiates one enterprise and its products or services from others. When information technology provides a competitive advantage or becomes pervasive throughout the enterprise, it becomes the company. A company that fails to recognize and seize opportunities to apply information technology in new strategic ways dooms itself to a not-so-slow death. As information technology becomes the key to strategic enterprise differentiation, an ad hoc approach to board oversight is no longer sufficient, if it ever was.1 As a strategic asset, information technology oversight now falls squarely within the board's role of providing strategic vision and its role of providing a check on the chief executive officer's (CEO) own vision and plans.
A need for greater board oversight also flows inexorably from the board's fiduciary duty to preserve and protect the company's critical assets. Those assets once consisted primarily of physical assets, such as plant and equipment, plus financial assets, such as bank accounts and receivables. Today the most important assets may well be electronic information, intellectual property, and the company's "brand" or reputation. These assets can be put at risk by loss of confidentiality, integrity, or availability.
Confidentiality means keeping the access to and use and dissemination of information controlled to the extent required by law, contract, or business need (such as the protection of trade secrets or business plans). Integrity means keeping data and systems reliable - secure against modifications by well-meaning but ill-informed employees, as well as secure against modification by viruses and by competitors, hackers, or others who might want to maliciously modify data or take control of systems to attack other networks. Availability means enabling data access to those who need it to do their jobs efficiently, effectively, and creatively, while preventing or defeating activities that can reduce the efficiency or availability of critical business systems, such as denial-of-service attacks against Web sites or Web-accessible data, introduction of viruses, Trojan horses, and other malicious software, spam attacks, and the like.
Protecting these assets requires top-down policy development and enterprise-wide implementation. Rules and procedures must be established for proper access to and use of information assets. These rules must be enforced, and managers must be held accountable, because failures are likely to cause harm.
Indeed, if not properly handled, misapplied information can become a source of significant damage to an enterprise.2 There are three main types of information-technology-related risk:
Regulatory Risk. Regulatory risk arises from the aggressively expanding body of domestic and international laws and regulations that govern data collection, use, retention, security, and destruction. These include the Sarbanes-Oxley requirements for board oversight of internal financial controls,3 the Health Insurance Portability and Accountability Act and state law equivalents for health care records,4 the Gramm-Leach-Bliley Act,5 the Fair Credit Reporting Act with recent amendments,6 the payment card industry rules for credit card transaction security and Federal Trade Commission (FTC) rules governing data privacy and security on Web sites,7 the European Union Data Privacy Directive,8 Canada's PIPEDA and provincial laws creating general data privacy rights,9 and legislation in myriad other countries. State regulation of the use of Social Security numbers, driver's license numbers, and telephone numbers, and all manner of other specific regulations,10 create endless opportunities to collect, use, abuse, or dispose of information in ways that break the law. Data security breaches also create regulatory risks for public companies when they lead to unlawful disclosure of financial information, with resulting insider trading, stock manipulation, or antitrust violations. Noncompliance with regulatory schemes may result in orders prohibiting data use or other practices, civil or criminal fines, imprisonment for managers and directors,11 or decades-long oversight by regulatory agencies.12
Litigation Risk. Inadequate data privacy and security practices also can lead to litigation risk. Data breaches have resulted in class action lawsuits filed on behalf of aggrieved data subjects, business partner claims for breach of contractual obligations, employee claims for harassment and discrimination, and shareholder suits.13 Litigation risk also arises from the inability to locate and produce electronic information completely, accurately, and timely under the new Federal Rules of Civil Procedure and emerging parallel state law guidelines.14
Enterprise Continuity Risk. Finally, inadequate data controls may create enterprise continuity risk. That is, loss of customer contracts and confidence, loss of trade secrets, inability to access or use important data, disruption of operations, loss of stock market valuation, or other data breach consequences may result in debilitating financial loss that destroys the company as a going concern.
The risks and threats from inadequate information technology and data security are real and significant. They go to the heart of the company's existence and success and therefore demand careful attention from the board of directors and senior management.
Board Structure for Information Technology Oversight
For most companies, it is unrealistic to ask the entire board to provide in-depth oversight of information technology. Boards generally meet only four times per year. During these few meetings, directors must address strategic and compliance issues, whether set before them by management or required by law. It is now common for public company board meetings to last two days and to require substantial premeeting preparation. Directors are reluctant to commit more time, and CEOs are reluctant to ask them to do so for fear of driving away qualified individuals. Boards increasingly are torn between the need to give greater time and detailed attention to more subjects and the need to limit overall demands on directors. The use of a board subcommittee to provide information technology oversight is the most promising solution.
Many companies choose to use the audit committee as the key oversight body for information technology. This makes sense to the extent that a company has used its audit committee to oversee Sarbanes-Oxley compliance, because that itself necessarily involves an information technology security component.15 But audit committees often are fundamentally ill-suited for information technology oversight. Their strength is in the area of financial reporting and controls, a focus too limited to address the overall role and importance of information technology in the modern enterprise. Moreover, service on audit committees traditionally has involved interaction with the financial officers of the company, and the committees therefore have been populated by individuals with strong finance credentials. Information technology oversight, in contrast, requires interaction with the chief information officer (CIO) or chief technology officer (CTO) and facility with different terminology and practices. Use of a specialized, qualified information technology subcommittee is a better choice than reliance on the board as a whole, or on the audit committee alone.
The best choice, however, may be a combination of oversight by a specialized technology committee and limited oversight by the audit committee. In this structure, the technology committee focuses on the strategic uses of technology in the business, while the audit committee reviews information technology policies and procedures as part of its overall audit process. This method, if properly coordinated, also can achieve cost and time savings by using existing resources from internal and external audit functions for information security oversight.16
Another reasonable option is including oversight of data privacy and security issues within the purview of an enterprise risk management committee. Boards increasingly are asked to provide oversight of risk management throughout the enterprise, including credit, regulatory, underwriting, operational, strategic, disaster, and human resources risks. The use of risk management committees is gaining adherents.17
Frequency of Board Involvement with Information Technology
Boards need to focus on information technology matters more frequently and in greater depth than in the past. When information technology played a less strategic role, oversight rationally could be limited to individual events or crises that demanded immediate attention. These might include planned events, such as implementation of an enterprise-wide technology change, an acquisition, a merger, or major outsourcing, or unplanned events, such as a hurricane, a patent infringement suit, or a data security breach.
Today, however, boards must review information technology issues on an ongoing basis as an integral part of their strategic oversight function. Boards must consider the general impact of information technology on costs, operations, competitiveness, growth, and profitability. They must help managers develop a strategic role for information technology and then both assist managers in implementing the vision and hold them accountable for doing so. This can only come about if in-depth information technology discussions are integral to the board's role, and if a subcommittee or delegate gives substantial attention to these issues between board meetings.
The board's consideration of information technology issues must include regular attention to data privacy and security. A report on the status of information security should be provided at each meeting. The board routinely should include data security in its risk management decisions.
Board Membership and Education
Proper board or committee membership also is important to achieve effective oversight. An oversight committee composed of individuals who are not comfortable with information technology will not work. But getting the right individuals to serve might be difficult. Board members are selected for many reasons - strategic business vision, experience with particular industries, chemistry with the CEO, and so on. Often individuals with these qualities lack hands-on or strategic involvement with information technology. Board members with a sufficient level and type of experience, as well as all the other qualifications, are rare.
Managers play an important role in ensuring that directors have the requisite information technology knowledge. Managers should teach board members how information technology events or crises could affect the company's overall performance. Directors need to know from the CEO or CIO how management sees information technology contributing to strategic goals. This level of knowledge can be imparted by making information technology a regular subject of board oversight and providing frequent interaction between the CIO and the board.
Board Oversight of Information Technology Managers
Boards have always played a role in selecting or removing senior executive and financial managers. They know how to assess a CEO's or chief financial officer's (CFO) performance, because they usually have similar backgrounds and speak the same jargon. But this is not often the case with information technology management. Directors express high levels of frustration over the quality of communication with company CIOs and CTOs.18 Technology managers often speak in technical terms and focus on individual projects instead of the strategic issues that concern the board. This makes it difficult for directors to oversee performance and also to assess whether the company has the right individuals as senior technology managers. Boards without the requisite knowledge of technology matters may need to enlist a consultant to evaluate whether the right people are managing technology for the company.
Whatever information technology governance structure is adopted, the board must identify the company's personnel responsible for information technology and data security and make sure that their responsibilities are expressly defined. The board also must be sure that the roles of internal and external auditors are clearly articulated and that all personnel with information technology and security functions are held accountable.
Asking the Right Questions
To effectively oversee information technology and data security, the board must ask the right questions. The specific questions will, of course, depend on many factors, including the nature of the company's business, its immediate plans, and its strategic vision. Most boards should be asking at least the following questions.
For information technology projects:
- What business objective is this information technology project designed to meet? How is the technology going to further the objective?
- What are the underlying assumptions about how this information technology project will produce cost savings, improve business processes, or achieve strategic goals?
- How likely is it that the company will actually achieve these goals if it implements the technology?
- What is the cost of the project? What assumptions underlie this cost estimate, and what is our confidence level in the estimated cost?
- Has management considered alternative approaches or technologies? If yes, why were those rejected?
- What are the benchmarks or best practices in this area?
- How does management define success for the project?
- How will success be measured?
For data privacy and security:
- To what extent are senior managers involved in data security issues?
- Are managers confident that they are aware of the latest data security threats and are implementing the best available technical and procedural solutions?
- Has responsibility for data security been clearly assigned?
- Have the company's data assets ever been attacked? Were the attacks successful?
- Are data privacy and security considered an integral part of all new business processes?
- Has the company identified and complied with all applicable regulatory and contractual obligations for data privacy and security?
- Has the company assessed its data breach risks and established effective procedures for its operations and contractual requirements for business partners?
- What are the greatest data security risks faced by the company?
- Does the company have adequate insurance for data security risks?
- Are all employees trained to recognize data use limits and security threats and to respond to them?
- Has the company minimized the collection, use, and dissemination of potentially sensitive data so that each user has access only to the data required for his or her needs?
- Has the company reviewed its contractual obligations to protect data belonging to other parties and aligned its data handling and security practices with contractual obligations?
A board's dedicated technology or audit committee will need to drill deeper into these inquiries19 and report back to the full board.
Information technology has become a critical aspect of business success and a source of potentially debilitating risks. As a result, boards of directors must give greater attention to information technology in general and data privacy and security issues in particular. To be effective, boards must have the right structure, membership, agendas, and questions. Information technology, data privacy, and data security issues must be addressed on a comprehensive, systematic, and ongoing basis. Reliance on ad hoc oversight when critical issues arise is no longer a pathway to success.
1. It is fair to conclude that ad hoc oversight has been inadequate all along. Various surveys have shown that a majority of large information technology projects failed to achieve their goals and cost substantially more than estimated. See, e.g., Standish Group Chaos Report (1995), the OASIG Report (1995), KPMG Canada Survey (1997), Robbins-Gioia Survey (2001), and The Conference Board Report (2001), reviewed at http://www.it-cortex.com/Stat_Failure_Rate.htm (visited Apr. 11, 2007).
2. PrivacyRights.org maintains a chronology of data security breaches beginning in January 2005. The number of individual data subjects affected by the reports in its chronology - 150 million - is staggering. See http://www.privacyrights.org/ar/ChronDataBreaches.htm (visited Apr. 12, 2007).
3. Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002.
4. See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936.
5. 15 U.S.C. §§ 6801, et seq.
6. Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681-1681u, as amended by the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952.
8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, On the Protection of Individuals with Regard to the Processing of Personal Data and On the Free Movement of Such Data, establishes the foundation for privacy and security of personally identifiable information throughout the European Union (EU).
9. Canada's federal data privacy law is the Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5, Part 1, Ch. 1. Alberta, British Columbia, and Quebec also have comprehensive statutes, and Ontario has guidelines.
10. For a comprehensive survey of state and federal data privacy laws, see Andrew B. Serwin, Information Security and Privacy, a Practical Guide to Federal, State, and International Law (Thomson/West 2006).
11. For example, legislation implementing the EU Data Privacy Directive commonly imposes sanctions, including imprisonment, the severity of which depends on the nature of the violation and the level of intent. See, e.g., Protection of Individuals and other Subjects with Regard to the Processing of Personal Data, Act n. 675 of 31.12.1996, Arts. 34-37 (Italy) (fines and imprisonment up to two years); Data Protection Act of 1998, Art. 61 (United Kingdom) (officers may be personally liable for fines imposed for corporate violations).
12. The FTC has obtained court orders and consent decrees that, collectively, establish a federal common law of data privacy and security practices for commercial Web sites. Some require specific board involvement. These orders and decrees are available at the agency's Web site.
13. ChoicePoint Inc. is the poster child for data security breaches. See, e.g., "ID Data Conned from Firm," Washington Post, Feb. 17, 2005.
14. Modifications to Federal Rules of Civil Procedure 16, 23, and 26, effective December 2006, established new procedures for discovery of electronically stored information (ESI). Now, litigants must analyze their ESI and design an e-discovery plan early in litigation. Electronic discovery practices recommended for state courts by the Conference of Chief Justices are similar. See Guidelines for State Trial Courts Regarding Discovery of Electronically-Stored Information (R. Van Duizend, Reporter) (Aug. 2006), (visited Apr. 10, 2007).
15. See Arthur H. Bill, Audit Committee Guide: A Source of Information for Audit Committees of Public Company Boards of Directors 16-25 (3d ed. 2006).
16. Smaller companies will have even greater difficulty committing the time of senior management or the board to information technology oversight. A small company should periodically undergo external privacy and security audits with formal reports to senior management or the board. If such an audit is done through counsel as part of a request for advice about the company's compliance requirements and status, the audit report may be privileged, reducing the risk of potential disclosure to future litigants.
17. See, e.g., Theodore F. di Stefano, Enterprise Risk Management and the Board Room, (visited Apr. 13, 2007).
18. See What the Board Needs to Know about IT: Phase I Findings (Deloitte Consulting 2006), (visited Apr. 10, 2007); Bringing IT into the Boardroom, Corporate Board Member Magazine 2006 Special Supplement; James R. Kalyvas, What the Board Needs to Know About IT, National Directors Institute Whitepaper (Apr. 2007), (visited Apr. 10, 2007).
19. For additional detailed questions, see Mark F. Foley, Board Oversight of Data Privacy and Security, National Directors Institute Whitepaper (Apr. 2007), available at http://www.foley.com/publications/articles.aspx (visited Apr. 10, 2007); Information Security Oversight: Essential Board Practices, National Association of Corporate Directors (2001); Board Briefing on IT Governance, 2d ed., IT Governance Institute, (visited Apr. 11, 2007).