Why It’s Now Time for the Independent Legal Auditing of Information Security and Privacy Compliance

By: Charles Cresson Wood

When asked to identify the area that presents the greatest risk to their organizations, 62 percent of respondents in a recent Baker McKenzie survey of 600 senior litigation attorneys at large companies on four continents indicated that their top concern is the area of cybersecurity and data-related disputes (theft of trade secrets, ransomware, and privacy violations).[1] To those of us working in the information security and privacy area, this finding is not surprising because much the same result was returned by a variety of other recent surveys.[2]

What is noteworthy is that this risk area continues to be at the top of attorneys’ list of concerns. Evidently, the risk-reduction measures taken by the large organizations that comprised the survey’s respondents (and that have the most money to spend on these problems) are not lowering risk exposures to reassuring levels. Something is seriously wrong here, and it has been getting worse for decades.[3] In order to turn this dangerous trend around, we urgently need greater personal involvement of the leadership, including expanded budgets for this crucial area.[4]

That’s why this article proposes that we now deploy independent third-party legal compliance audits, examining the actions taken (or not taken) by the directors and officers, to make sure that the information security and privacy area is being properly addressed. The compliance auditing approach proposed here asks only whether the directors and officers are doing all that is now required by law—something that they should already be aware of and attending to, but, unfortunately, in many instances are not. This type of independent compliance audit has many uses, including vetting a prospective vendor on which a firm will soon critically depend, vetting a firm that is about to be acquired or merged with another, vetting a firm in which a large investment will soon be made, and vetting a firm that has requested access to a trade secret at another firm.

The Legal Compliance Audit Process

Parallels to the Financial Audit Process

The best frame of reference to illuminate the proposed legal compliance audit process is the historically proven independent financial audit process, which is already widely performed for publicly listed companies in the United States. The intention of expressing a one-page professional opinion on a certain topic is the same, except in the legal compliance audit the opinion states whether the directors and officers are in full compliance with all their legal duties, in all material respects, in the domain of information security and privacy. In both types of audit projects, a confidential management letter is also issued to the top management of the auditee organization if there are control deficiencies that need to be rectified.

In both types of independent audits, the auditor must be truly independent from the auditee organization, although the legal compliance auditor has a higher standard than an independent financial auditor does. The legal compliance auditor must meet all of the independence requirements of an independent financial auditor as well as all of the requirements of independent attorneys preparing professional opinions. In this way, the process fits with the existing expectations of the business world surrounding independent audits, and also fits with the professional obligations of all licensed attorneys doing this type of work.[5]

As with the financial auditing process, in the legal compliance auditing process there are published journal articles,[6] professional association ethics statements,[7] professional association guides,[8] and published treatises[9] that can help ensure that the process of generating a professional opinion covers certain essential topics and is performed in a high-quality, repeatable manner. In the case of the legal compliance audit process discussed in this article, those topics include setting up the engagement so that both attorney-client privilege and attorney work-product doctrine can be used to protect the information gathered and generated.

Like the financial auditing process, the proposed legal compliance audit process is intended to balance out excesses and imbalances that can no longer be sustained.[10] As will be explained in detail below, the current excessive focus on profits and other financial metrics, which primarily benefit shareholders, board members, and top management, must be rebalanced with metrics that incorporate the needs of other constituencies, such as business partners and customers.

The ESG Framework

To achieve this rebalancing, we must have seriously motivated leaders at the top of our corporations. Rather than increasing legal accountability, the legal compliance audit process only checks to see whether the leadership is currently performing the minimum that is now required by law. There is already ample precedent to demonstrate that directors and officers are currently being held accountable for information security and privacy problems.[11] When directors and officers become better acquainted with their existing personal legal accountability, that will help motivate them to pay greater attention to, and hopefully provide additional funding for, the critically important information security and privacy area.

By incentivizing the adoption of this type of new leadership attitude, the proposed solution described here fits within the environment, social, and governance (“ESG”) area—specifically, the governance area.[12] Interestingly, in the Baker McKenzie survey mentioned above, the second category of concern in terms of greatest risk to their organizations, cited by 58 percent of respondents, was ESG issues. Thus, the proposed compliance audit approach addresses both the No. 1 concern and the No. 2 concern of litigation attorneys surveyed.

Ease of Use

Further improving the attractiveness of the legal compliance audit approach is the fact that the audit methodology is ready to go, can be deployed immediately by any firm in any industry, and is applicable to firms legally domiciled in any state/territory/district in the United States. This ease of use extends beyond adoption, and includes ease of comparison of the results with other firms that have also gone through such a compliance audit.

Levels of Sophistication

There are three distinct levels of sophistication associated with the legal compliance audit process, and they all pertain to the information that is generated as a result of performing the audit: (1) internal use only, (2) shared only with selected third parties, and (3) publicly released.

If the compliance audit process is being used for the first time, then the results may be for internal use only. The results can be used to raise the awareness level of the directors and officers, generate a list of control-related remedial actions, align the actions of management at multiple levels in the organization, and create a new incentive system for the directors and officers. These internal-use-only results can also be used as critical inputs to an internal legal compliance process, such as those supported by governance, risk, and compliance (“GRC”) tools.

The next level of sophistication involves generating a professional opinion that is shared with one or more specific parties, such as a business partner who is considering the disclosure of a trade secret to the auditee firm. The professional opinion can give the third party additional assurance that the auditee firm is set up, managed, and governed in such a way that it can be trusted. Other third parties that would be interested in confidentially receiving such a professional opinion include insurance companies, major investors, lenders of a significant amount of money, and firms participating in a merger or acquisition deal. One particularly useful example of this confidential-release-to-a-third-party approach involves a release to a regulator, such as the Federal Trade Commission (“FTC”), as a part of a consent decree or nonprosecution agreement.[13]

The most sophisticated use of this compliance audit process involves making the professional opinion public information and then revealing a new “fully compliant” opinion every year thereafter. This would generally be undertaken only after the auditee firm has received several years of “fully compliant” professional opinions—and after it has gained confidence that it can predictably continue to generate these same “fully compliant” professional opinions every year going forward. This public disclosure can be leveraged for public relations purposes, for marketing purposes, and to achieve competitive advantage (where excellent security and privacy are, for example, made part of the product or service offering). This last approach to using the results of a compliance audit can also be used to rehabilitate the damaged reputation of a firm that has recently suffered a highly publicized major breach.

Specific Reasons for Use of Legal Compliance Audits

Revelations of Misrepresentations

There is ample evidence that many firms these days are failing to perform adequate due diligence before they enter into major investments, mergers and acquisitions, and other high-risk transactions (signing outsourcing services contracts, disclosing trade secrets to third parties, and entering into other critical business partnerships). In a surprisingly large number of recent situations, companies are publicly shown to be lying, twisting the truth, and otherwise misrepresenting what is actually going on.[14] By performing the proposed legal audit process, these misrepresentations, in many cases, will be readily revealed because the state of information security and privacy legal compliance is a litmus test of good internal management and governance.[15] This audit process is accordingly very useful when evaluating third parties prior to entering into a variety of high-risk transactions, such as when an insurance company considers issuing directors and officers (“D&O”) liability insurance.

A very large and well-known venture capital firm, for example, invested $210 million in FTX, an amount that now has been written down to $0.[16] This and a number of other venture capital firms evidently failed to sufficiently investigate what was happening internally at FTX before making their investments. Later, after FTX declared bankruptcy, it came to light that there was a very serious lack of corporate governance mechanisms. For example, FTX was revealed to have no complete list of its own bank accounts, no separation of customer funds and company funds, no complete list of its employees, and no board of directors. It also lacked adequate teams to handle cash management, accounting, auditing, risk management, and information security. If the independent legal compliance audit approach had been performed before this investment in FTX was made, the venture capital firm undoubtedly would have decided not to proceed with the investment.

Heightened Awareness of Legal Duties

Another reason to perform an annual compliance audit is that it increases the level of awareness[17] of the directors and officers when it comes to their legal duties, specifically in those areas where they may not be performing all that the law currently requires. While certainly this group wants to know how to avoid personal liability, these leaders also want to know what their job as a director or officer entails, as the law sees it. Many people in this group have not received a clear and succinct job description when it comes to the relatively new domain of information security and privacy. A legal compliance audit helps to ensure that the directors and officers understand, and are in fact performing according to, those same requirements.

The annual performance of such an audit also creates a metric that measures performance according to that same job description. An internal audit preparation process, such as that conducted by many publicly listed firms for the financial audit process, can ensure that the firm receives a “fully compliant” opinion every year. An annual legal compliance audit also can be a significant motivator to ensure that the minimum required by law has been met: D&O bonuses, promotions, perks, and related incentives can be tied to receiving a “fully compliant” professional opinion from the audit process.

This annual reconsideration, which can be institutionalized into a part of the governance and management reporting system (aka the GRC reporting system), also creates new opportunities, such as going well beyond the minimum to achieve competitive advantage, to create a favorable public relations image, and to better market existing products and services. Third-party trust in the firm receiving this type of legal compliance audit will be built up over time if the organization can show a string of “fully compliant” opinions using an independent audit process such as this.[18]

Recognition of Funding Needs

A big part of why the information security and privacy area continues to be increasingly litigious and disputed is that the existing incentive systems at many organizations have been designed such that the organizations allocate insufficient resources to this increasingly critical area.[19] Typically, the information security and privacy area is seen as a line item in the budget that does not bring in revenue and does not generate profit. In addition, decision makers see the information security and privacy domain as an undesirable expenditure because it requires long-term, sustained expenditures in order to be successful.[20] In contrast, great emphasis is placed on existing financial performance metrics, such as stock price and whether stock options are exercisable (“in the money”)—metrics grounded in short-term results. Use of these metrics for decision-making often leaves information security and privacy underfunded not only because information security and privacy are long-term endeavors but also because there is no inspiring dramatic prize for a firm that remains quietly reliable due to its excellent information security and privacy. Furthermore, these financial metrics are historically firm-oriented, when the new reality of a tightly interconnected technological world requires that we expand our horizons to include the needs of other entities.

The excessive focus on short-term financial results is well-known and has led to major breaches of system defenses—and was, in fact, one of the allegations of the plaintiffs in two recent, high-visibility shareholder lawsuits, respectively involving LastPass[21] and SolarWinds.[22] In defense of those in the D&O group, particularly those who genuinely want to do the right things, under the traditional short-term financial-results-oriented system, they have often found themselves pushed into making decisions that favor short-term financial results at the expense of long-term organizational sustainability.[23]

By using ESG metrics, such as the legal audit process described here, we can move away from an overwhelming focus on short-term financial results and instead obtain a more balanced scorecard emphasizing more sustainable and justifiable decisions in the long term. This, in turn, will increase budgets for information security and privacy, and it will help to align the objectives of stakeholders such as business partners, customers, employees, investors, regulators, and insurance companies. Excellent information security and privacy, as reflected by a “fully compliant” professional opinion resulting from a legal compliance audit, is a win-win for all of these stakeholders. The world has become far too interconnected not to make decisions based on a multiparty framework.

Focus on Directors and Officers as a Practicality and a Deterrent

The legal compliance audit process places an incentivizing focus on directors and officers. An audit focus on the actions of the directors and officers is warranted because they set the direction of the entire firm they govern and manage, and they are also the ones who are named as defendants in lawsuits after a major problem.

This audit focus is also warranted because they are the subject of a good deal of recent legislation and regulation.[24] The number and scope of externally dictated requirements for information security and privacy are being markedly increased, for example by the U.S. Securities and Exchange Commission (“SEC”), which has proposed new rules for disclosures in this area about the level of board expertise, the type of board risk management oversight, and recent material incidents.[25]

Public statements made by both federal and state regulators have also recently included the intention to hold corporate directors and officers personally liable for serious lapses in this same area. For example, former SEC Commissioner Luis A. Aguilar indicated that personal liability was one potential result of “failing to implement adequate steps to protect a company from cyber-threats.”[26] Echoing the same perspective, recently retired SEC Chairman Jay Clayton, at his confirmation hearing, stated that “individual liability is the greatest deterrent.”[27] Similarly, former U.S. Department of Justice Deputy Attorney General Sally Yates issued an influential memo indicating that (a) individual executives were to be henceforth individually targeted at the onset of prosecution of corporate wrongdoing, (b) involved corporate entities would be deemed cooperative only if they designated the individuals involved, (c) there would be no entity fine settlements creating a “clear plan” preventing executive prosecution, and (d) Department of Justice staff should pursue civil charges against individuals regardless of their ability to pay.[28]

Financial Incentives

Of course, there are also increasingly significant financial reasons to do a better job in the information security and privacy area. One reason why information security and privacy risks are of such great concern is the very large dollar amounts associated with shareholder suit settlements, regulatory fines, and court judgments. Furthermore, violations of the General Data Protection Regulation (“GDPR”), if they involve the rights and freedoms of data subjects, can involve fines of up to four percent of worldwide annual turnover (sales).[29]

Given that 55 percent of large companies worldwide are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of these breaches,[30] it makes very good sense to have an annual independent audit process that identifies those businesses that are particularly risky, as evidenced by their failure to meet the minimum required by law. This can help other businesses avoid investing in, or becoming business partners with, firms such as FTX. Prevention and avoidance are far less expensive than recovery, repair, reputation rehabilitation, and dealing with the legal aftermath of these incidents. For example, the cost of remediation for a ransomware attack can be thirty times the cost of prevention, according to a survey by Accenture.[31]

Below are notable examples of recent legal activity, which highlight the potentially enormous financial benefits of the legal compliance audit process.

Facebook. Facebook agreed to the largest FTC civil penalty ever imposed on a company for violating consumers’ privacy, in response to the Cambridge Analytica scandal. That 2019 case was resolved with a fine of $5 billion (not a typo).[32] This penalty was not the end of the matter for Facebook: the company recently settled a user class action civil suit related to the same incident for $725 million.[33]

Part of the FTC settlement involved use of a third-party privacy program assessor, similar to—but involving even more intense scrutiny than—the legal compliance audit process described here. Per the settlement agreement, Mark Zuckerberg, the chief executive officer (“CEO”) of Facebook (now Meta), must certify every quarter that Facebook is compliant with the new privacy program. If he falsely certifies this status, Zuckerberg will be subject to both civil and criminal penalties. This FTC strategy makes the CEO markedly more personally accountable for information security and privacy than in the past.[34]

Yahoo! In 2016, Yahoo! announced several data breaches that had taken place in 2013 and 2014, which had impacted three billion users. As a result of these disclosures, the purchase price in the then-underway acquisition of Yahoo! by Verizon was reduced by $350 million.[35] Following these events, the Yahoo! shareholders filed a securities class action suit against the company and certain directors and officers. This lawsuit was settled for $80 million.[36]

There was also a derivative complaint brought against Yahoo!’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. Also alleged in the complaint was that Yahoo! officials knew about the data breaches before they were publicly disclosed and that these defendants sold their stock holdings before the breaches were made public. This suit was settled for $29 million.[37] Later, Altaba, Yahoo!’s successor in interest, agreed to pay a further penalty of $35 million in resolution of the SEC’s first data breach enforcement action, again relating to the same data breach incidents.[38] A separate consumer class action lawsuit, which was focused on the same breaches, was settled for $85 million.[39] This last action is particularly noteworthy because it resulted in the plaintiffs’ lawyers receiving approximately $11 million in fees and expenses, and in that respect presented a potential multimillion-dollar payday. While derivative lawsuits filed against directors and officers, alleging that they breached their fiduciary duties, may be difficult to mount and win, they are not impossible in the information security and privacy domain—and a bunch of plaintiff attorneys are likely to now try their hand at this game.[40]

Target. The cost to a business from a single information security and/or privacy problem[41] can be horrendous, even in those cases where the involved legal actions are dismissed or abandoned by the plaintiffs. Consider what happened at Target. In 2013, the payment card data and personal details of approximately 70 million Target retail store customers were stolen by hackers. On the day the breach was announced, the stock price dropped almost 2.2 percent, representing a reduction of $890 million in the market value of the firm.[42] Target’s EBIT (reported earnings before interest and taxes) decreased by 28.6 percent in the four quarters after the breach, compared to the four quarters before the breach.

As a result of the breach, the firm became embroiled in investigations and lawsuits with forty-seven states and the District of Columbia. The resulting settlement, announced in 2023, involved $18.5 million paid to the states and the District of Columbia.[43] Interestingly, part of the settlement involves the retention of an independent third party to do a comprehensive security assessment, again not too far away from what this article is proposing. Of further concern to the directors and officers is a multidistrict consumer class action suit, which was pending at the time that this article was prepared.[44]

In its 2016 10-K report, Target reported a total of $292 million of breach-related expenses. Target also suffered a severe blow to its brand, it paid a great deal for legal defense costs, and its president was forced to resign.

In addition, Target’s board was distracted by a shareholder derivative lawsuit that dragged on for years, involving exchanges of thousands of documents, interviews with sixty-eight witnesses, and consultations with a variety of potential expert witnesses. Although that Target case was eventually dismissed, shareholder cybersecurity-related derivative lawsuits are an increasing threat.[45] Beyond paying fines and damages, directors and officers also need to worry about losing their seats on the board of directors, their executive employment positions, significant value in the shares they own, and stock options and performance bonuses. They additionally need to worry about the erosion of their personal reputations, paying legal fees that D&O liability insurance does not cover, plus paying regulatory fines as well as civil suit damages. Although rare, they may also go to prison if a criminal law has been violated, but in all cases they suffer health-taxing stress as a defendant in a high-profile lawsuit or criminal prosecution.[46]

Legal Defenses Created When Legal Compliance Audits Are Used

As a side benefit of the proposed compliance audit approach, an admissible evidentiary paper trail is created by a third-party lawyer auditor. This evidence can later be used not only to defend the auditee corporation, showing that the directors and officers were in fact diligent in their efforts to be compliant with all relevant legal obligations, but also to personally defend the involved directors and officers. Hopefully, disclosure of the fact that these compliance audits were annually performed, and then used to make internal decisions related to information security and privacy, would be enough to cause those who are considering legal actions to seriously reconsider the advisability of proceeding. The circumstances supporting the use of the following three notable legal defenses—which are suitable for a defense against both civil claims and criminal charges—are created when this compliance audit process is performed.

Business Judgment Rule

The first of these three possible affirmative legal defenses involves the business judgment rule. In its general formulation, the factors for this defense require that the directors and officers acted in good faith, with the care that an ordinary prudent person in a like position would exercise under similar circumstances, and also acted in a manner that they reasonably believed to be in the best interests of the corporation.[47]

A legal compliance audit provides support for the business judgment rule because it involves the provision of an independent expert’s advice—in a form designed to be admissible in court—about the reasonable and appropriate course of action that is in the best interests of the corporation. The performance of a legal compliance audit also supports the use of the business judgment rule because it shows good faith in that it creates evidence that the directors and officers acted reasonably and intended to faithfully perform their legal duties.

Acting on the Advice of Counsel

The second possible legal defense involves acting on the advice of counsel. In its general formulation, the factors for this defense require that, “before taking action,” the directors and officers “in good faith sought the advice of an attorney whom [they] considered to be competent, . . . for the purpose of determining the lawfulness of [their] possible future conduct”; and to enable that attorney to do a proper job, they “made a full and accurate report” to this attorney about all material facts relevant to the matter and then acted in strict accordance “with the advice of [their] attorney who had been given a full report.”[48]

This type of legal audit process involves the retention of a competent attorney who follows a scripted process[49] in accordance with professional ethics, much the way that independent financial auditors follow a scripted process in accordance with professional ethics. While the burden is on the directors and officers to show that they followed the recommendations found in the management letter detailing needed changes, they are likely to be highly motivated to follow such advice because if they follow the lawyer auditor’s recommendations, they avoid significant legal problems, not to mention attendant business problems such as adverse publicity, damage to the company’s brand, and time lost to handling problems that need not have taken place.

Insufficient Time to Discover the Incident and Take Action

The third of these legal defenses involves a defendant’s claim that the incident could not have reasonably been discovered in sufficient time for the directors and officers to have taken action. In its general formulation, the factors for this affirmative defense require that evidence of the need for the directors and officers to take remedial action could not have been discovered within the time frame involved even though the directors and officers had exercised reasonable due diligence.[50]

The legal compliance audit establishes proof that the directors and officers exercised reasonable due diligence. As mentioned, the legal compliance audit process results in a one-page professional opinion indicating whether the directors and officers are fully compliant with all their material duties in the domain of information security and privacy. If they are deemed presently not compliant, the lawyer auditor provides the directors and officers with a management letter detailing needed remedial actions. These recommendations are responsive to the unique legal requirements that the directors and officers at that auditee firm face (which, in turn, are based on a review of industry-specific laws and regulations, in-force consent decrees, contractual agreements, and related firm-specific legal obligations). So, the performance of this legal audit involves the retention of an independent attorney not just to identify whether the directors and officers are compliant with all of their material legal obligations but also to double-check internal efforts to identify all relevant legal requirements. This management letter and the annual preparation of a list of all relevant legal requirements (which is accomplished as part one of the compliance audit), as well as an internal risk-management system that regularly reviews progress on identified and needed improvements, help to establish that the directors and officers did all that they could reasonably do, from a legal standpoint.

Beyond taking all reasonable actions to protect the organization and its constituencies (customers, employees, business partners, shareholders, etc.), and performing the legal compliance audit described here (and responding to the deficiencies noted, if any), there is not much that the directors and officers can do to prevent or avoid the breach itself given that information system attacks are now often automated and happen extremely fast. Thus, a very good defensive claim can be made that such incidents, if and when they do occur, could not reasonably have been discovered or responded to in sufficient time to have reduced the losses that were sustained. Instead, the efforts of the directors and officers should be focused on doing everything they can to further exclude the attackers from their systems, restore the integrity of their systems after a breach, restore reliable versions of files from backups, switch over to alternative facilities, control the damage done by adverse publicity, notify third parties, and the like.

Legal Compliance Audits and the Sarbanes-Oxley Act: Parallel Strategies

The scandals occurring during the dot-com bubble, and the subsequent crash of the stock market (for example Enron, WorldCom, and Tyco International), prompted Congress to focus on the actions taken by company leaders when it passed the Sarbanes-Oxley Act of 2002 (“SOX”). Section 404 of that law requires that publicly listed companies establish internal controls over financial reporting processes and document those controls, test them, and maintain them in an effective state.

Based on the hearings surrounding the dot-com bubble scandals, it is clear that the “tone from the top” (messaging provided to employees from the top management and the board) is absolutely critical. If the tone from the top is to cut corners, bend the rules, and do whatever you need to do in order to make lots of money—as it was at Enron—then multiple employees engaged in fraud and misrepresentation will be the predictable result.[51] However, if the tone from the top is honesty, ethics, integrity-mindedness, legal compliance, and a focus on community, then the result will be a successful and sustainable company. In the words of the former chair of the SEC: “If you’re a new leader in an organization, my advice is to let people get to know you—and your values. Let them know how serious you are about doing the right thing [about being fully compliant with the law].”[52]

SOX provides a barometer indicating the tone from the top. That law is noteworthy because it puts two members of the top management team (the chief executive officer and the chief financial officer) at these companies on the spot, increasing their personal accountability and personal liability. They must sign quarterly forms stating that they have reviewed the internal disclosure controls over financial reporting (in a 10-Q or 10-K statement). Because they are on the line legally, because their names appear on these forms, the process surrounding the generation of financial statements, and the internal controls that go along with that process, have improved notably since SOX went into effect.[53]

Like SOX, the legal compliance audit process that this article proposes can have a markedly reorienting effect on both the board and top management, such that information security and privacy are both markedly improved.[54] The process of annually reviewing whether the directors and officers are in compliance with all of their legally required duties in the domain of information security and privacy creates a new incentive system and a new point of reference that guides decisions throughout the year. Thus, this annual compliance audit process not only reduces the long-term costs of information security and privacy but also improves the tone-at-the-top messaging from the leaders—thereby, and most importantly, improving the trustworthiness of the firms using this approach. Trust in today’s high-tech world critically depends on security, privacy, transparency, and compliance,[55] and the legal compliance audit process can help markedly improve the level of trust that a firm receives.

  1. Cybersecurity and Data Are Key Disputes Concerns in 2023 Says New Survey from Baker McKenzie, Baker McKenzie (Jan. 10, 2023) (annual litigation forecast).

  2. The prior year’s Baker McKenzie survey, for example, came up with the same conclusion about the area of greatest concern for corporate legal counsel. Another source with the same conclusion is a 2021 Honeywell survey of facility managers in the United States, Germany, and China. In that survey, 71 percent said that cybersecurity was their top business priority. Why Cybersecurity Remains a Top Priority for Businesses, IEEE Comput. Soc’y (Oct. 12, 2021). According to still another survey, entitled The State of Cybersecurity Resilience 2021, published by Accenture, 68 percent of business leaders feel as though their cybersecurity risks are increasing. That same survey indicated that 87 percent of the firms that have the lowest level of cybersecurity losses (dubbed “cybersecurity champions”) were measuring the maturity of their cybersecurity programs more frequently than other firms, and at least annually. This is in accord with the recommendations in this paper—that is, that the compliance audit discussed herein should be performed annually or as transactional needs require (such as for the issuance of directors and officers (“D&O”) liability insurance). In general, frequent measurement of the situation enables better management and governance.

  3. IBM Security, in its 2022 annual Cost of a Data Breach report, noted that the average cost of a data breach in the United States is now $9.44 million. These costs of a data breach have surged 13 percent in the two years from 2020 to 2022. Those firms with the greatest number of compliance failures had a substantially larger average loss—specifically, $258,293 more than the average. At the same time, those firms with a high level of board oversight had a substantially smaller average loss—specifically, a $216,707 smaller-than-average loss. See Figure 13 in that report for details. As explained later, the proposed compliance audit process increases compliance levels and increases the engagement level of directors and officers, both of which should have substantial attractive cost-related impacts on breaches.

  4. See Charles Cresson Wood & Harvey Nusz, Directors & Officers: Just Because They Don’t Perform Technical or Operational Work, Doesn’t Mean They Aren’t Personally Involved, 65 EDPACS, no. 6, 2022, at 12.

  5. See, e.g., Tribar Opinion Committee, American Bar Association, Statement on the Role of Customary Practice in the Preparation and Understanding of Third-Party Legal Opinions, 63 Bus. Law. 1277 (2008).

  6. See, e.g., Jim Fold, Lawyer’s Standards and Responsibilities in Rendering Opinions, 33 Bus. Law. 1295 (1978).

  7. See, e.g., Model Rules of Pro. Conduct r. 1.6 cmts. 5, 18 (Am. Bar Ass’n 2021).

  8. See, e.g., ABA Legal Opinion Principles (1998); ABA Third-Party Legal Opinion Report (1991); Tri-Bar II and Restatement of the Law Governing Lawyers (1998).

  9. See, e.g., Charles Cresson Wood, Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process (InfoSecurity Infrastructure 2020).

  10. In the wake of the 1929 stock market crash, Congress sought to restore confidence in the financial system with the Securities Act of 1933 (15 U.S.C. § 77a et seq.) and the Securities and Exchange Act of 1934 (15 U.S.C. § 78a et seq.). This new legislation required third-party auditors to express an opinion on the financial statements of all publicly listed companies. The process of performing third-party audits brought transparency and trustworthiness to the financial statements that had previously been questionable, and in some instances outright fraudulent. Likewise, it is through the independent compliance auditing process that a new transparency and trustworthiness can be brought to the domain of information security and privacy.

  11. Charles Cresson Wood, The Rules Have Now Been Clarified—The Minimum Legal Duties for Directors & Officers Are Both Established and Readily Determined, 20 ISSA J. 20 (May 2022).

  12. ESG is an organizational framework that considers the needs of stakeholders such as employees, customers, suppliers, and financiers. The framework was first popularized in 2004 in a United Nations report entitled Who Cares Wins. Application of this framework involves measurement of a variety of metrics reflecting progress in meeting the needs of stakeholders, in addition to meeting the financial needs of shareholders. Both information security and privacy, as well as management structure, are part of the governance areas that these alternative metrics examine. The proposed legal compliance audit approach, by examining whether the directors and officers in a corporation are in compliance with the minimum that the law requires (including fiduciary duties), involves both the information security and privacy area and the management structure area.

  13. Third-party audits of this nature can be used to confirm continued compliance with the terms of the consent decree, deferred prosecution agreement, or nonprosecution agreement. Whereas the third-party audits in those cases involve compliance with a situation-specific set of corporate reforms, in the compliance audits described in this article, the scope is restricted to compliance with all material legal duties of the directors and officers in the domain of information security and privacy. The first of the two types of third-party audits mentioned in this footnote was used, for example, by the FTC in its settlement with Facebook surrounding the Cambridge Analytica affair. See Nicole Lindsey, What Did the Consent Decree from the FTC Settlement with Facebook Really Change?, CPO Mag., May 3, 2018.

  14. An interesting contemporary case involves a firm called Frank, which was an internet gateway to financial aid for students. JPMorgan paid $175 million for the firm but later alleged that the mailing list was largely a forgery. This is an example where inadequate due diligence prior to a major transaction cost a firm big money. The legal compliance audit process can be used to detect the absence of the corporate governance mechanisms that should be in place for a firm the size of Frank. If such an audit had been performed, red flags most likely would have been detected. The same can be said for FTX, Bernard L. Madoff Investment Securities, and a variety of other Ponzi schemes. For further discussion about the Frank case, see Katherine Long, Frank, the College Loan Start-Up JPMorgan Is Suing for Fraud, Was Warned by the FTC for Misleading Students About Covid Relief Money, Insider, Jan. 13, 2023.

  15. See Charles Cresson Wood, What the FTX Scandal Reveals About Third Party Risk Evaluation, 21 ISSA J. 15 (Jan. 2023).

  16. Chase Peterson-Withorn, These FTX Investors Stand to Lose the Most from the Crypto Exchange Implosion, Forbes, Nov. 10, 2022.

  17. The widespread lack of clarity about information-security-and-privacy-related roles and responsibilities among those in the D&O group is in evidence in the recent conviction of Joe Sullivan, a chief information security officer at Uber. See Charles Cresson Wood, The Serious Management Problem Illustrated by CISO Joe Sullivan’s Conviction, 20 ISSA J. 16 (Nov. 2022).

  18. Charles Cresson Wood, A Parachute for the Restoration of Trust After Your Firm Has Been Breached, 21 ISSA J. (forthcoming June 2023).

  19. Charles Cresson Wood, Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability, 43 J. Legis. 65 (Dec. 2016).

  20. For a discussion of the incentive systems that cause bad decisions to be made in the information security and privacy area, see Wood, supra note 19.

  21. See Doe v. LastPass US LP, No. 1:23-cv-10004 (D. Mass. Jan. 17, 2023).

  22. See SolarWinds Corp., SEC Form 8-K, at item 8.01 (Oct. 28, 2022) (discussing proposed settlement).

  23. The case of the worldwide accounting firm Arthur Andersen is a good example. A single decision to destroy working-paper-related evidence related to the Enron scandal, in spite of the fact that a legal hold had been placed on all data destruction activities related to this potential evidence, ultimately caused Arthur Andersen to go out of business. Misunderstanding the current information security and privacy legal situation can have very serious consequences. See Jonathan Weil, Arthur Andersen Admits It Destroyed Documents Related to Enron Account, Wall St. J., Jan. 11, 2002; see also Arthur Andersen LLP v. United States, 544 U.S. 696 (2005).

  24. For an example of the new regulations, see N.Y. Dep’t of Fin. Servs. (“NYDFS”), Cybersecurity Regulation § 500.4(a) (2023) (requiring that the chief information security officer (“CISO”) have “adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program”). In addition, laws that have been around for a while have additional provisions that are just now coming into effect, such as is the case with the California Consumer Privacy Act of 2018 (“CCPA”), which has provisions that came into effect as of January 1, 2023.

  25. Press Release, U.S. Sec. & Exch. Comm’n, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Mar. 9, 2022).

  26. The trend of increasingly holding directors and officers personally liable appears intended to force directors and officers to pay additional attention to the information security and privacy area. See Luis A. Aguilar, Comm’r, U.S. Sec. & Exch. Comm’n, Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014) (indicating that personal liability was one potential result of “failing to implement adequate steps” to protect the company from information security and privacy threats).

  27. Steven R. Peikin, Codir., Enf’t Div., U.S. Sec. & Exch. Comm’n, Speech at the New York University School of Law: Reflections on the Past, Present, and Future of SEC’s Enforcement of the Foreign Corrupt Practices Act (Nov. 9, 2017). For a practical application of this idea in law, see Wood, supra note 19.

  28. Sally Quillian Yates, Off. of the Deputy Att’y Gen., U.S. Dep’t of Just., Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015) (colloquially called the “Yates Memo”).

  29. European Parliament, General Data Protection Regulation, art. 83, Regulation (EU) 2016/679.

  30. Accenture, State of Cybersecurity Resilience 2022, at 31 (2022).

  31. Accenture, State of Cybersecurity Resilience 2021, at 24 (2021).

  32. See Press Release, Fed. Trade Comm’n, FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (July 24, 2019).

  33. This settlement was the largest settlement ever reached in a class action related to privacy. See Plaintiff’s Notice of Motion and Motion to Certify a Settlement Class and Grant Preliminary Settlement Approval, In re Facebook, Inc. Consumer Privacy User Profile Litig., No. 18-md-02843-VC (N.D. Cal. Dec. 22, 2022). In 2019, Facebook also paid a $100 million fine to the U.S. Securities and Exchange Commission (“SEC”) to settle claims that it misled investors. See Press Release, U.S. Sec. & Exch. Comm’n, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced from the Misuse of User Data (July 24, 2019). Now the Federal Trade Commission seeks to restrict the ways that Facebook can monetize the information under its control. See Press Release, Fed. Trade Comm’n, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023).

  34. Lesley Fair, What the FTC Facebook Settlement Means for Consumers, Fed. Trade Comm’n Consumer Advice (July 24, 2019).

  35. See Anjali Athavaley, Verizon Sought $925 Million Discount for Yahoo Merger, Got $350 Million, Reuters, Mar. 13, 2017.

  36. See Kevin LaCroix, Yahoo Settles Data-Breach-Related Securities Suit for $80 Million, D&O Diary (Mar. 5, 2018).

  37. See Kevin LaCroix, Yahoo Data-Breach-Related Derivative Suit Settled for $29 Million, D&O Diary (Jan. 21, 2019).

  38. See Press Release, U.S. Sec. & Exch. Comm’n, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 24, 2018).

  39. See LaCroix, supra note 37; see also Greg Otto, Yahoo to Pay up to $85M to Settle Data Breach Lawsuit, CyberScoop (Oct. 24, 2018); Settlement Agreement and Release, In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 5:16-MD-02752-lhk (N.D. Cal. Oct. 22, 2018).

  40. An interesting discussion, including a warning to companies and boards about the risk from shareholder derivative suits, can be found in Craig Newman, Judge Approves Settlement in Yahoo! D&O Shareholder Suits, NACD BoardTalk (Jan. 14, 2019).

  41. The IBM/Ponemon Institute Cost of Data Breach Study (2017) indicated that the average cost of a breach in the United States is $7.35 million, some 5 percent higher than the prior year, and the odds of experiencing a breach are about 25 percent per year. An Accenture/Ponemon Institute Cost of Cybercrime (2018) study pegged the average annual cost of cybercrime at $13 million per breach (worldwide), up 12 percent from the prior year. Whatever the exact numbers are, the potential losses are very large, and the probabilities of being the next victim are also very high.

  42. Such a drop in the price of the stock of attacked firms is by no means extreme. For example, two months after the announcement of the 2017 cyberattack on Equifax, the large consumer credit reporting firm, its stock price dropped by almost 25 percent. See Shinichi Kamiya et al., What Is the Impact of Successful Cyberattacks on Target Firms? (Ohio State Univ. Fisher Coll. of Bus., Working Paper No. 2018-03-04, July 2018).

  43. Cynthia J. Larose, Target Reaches $18.5 Million Dollar Settlement in Data Breach with States, 13 Nat’l L. Rev. (Jan. 19, 2023).

  44. Kevin M. McGinty, Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action, 13 Nat’l L. Rev. (Jan. 19, 2023).

  45. Kevin M. LaCroix, Target Corporation Cybersecurity-Related Derivative Litigation Dismissed, D&O Diary (July 9, 2016).

  46. According to Steven Gladstone, shareholder derivative actions alleging breach of fiduciary duties by directors and officers have increased markedly in recent years. The Future of D&O Insurance, 51 Risk Mgmt. 26 (Sept. 2004). Many of these suits have settled for well over $100 million. Some recent examples include the BofA/Merrill Lynch merger securities shareholder suit settlement ($2.83 billion in 2012) and the Waste Management federal securities law violation shareholder suit settlement ($457 million in 2001). Clearly, there is big money in shareholder derivative suits naming top management as defendants, and lapses in the information security or privacy area might trigger such a suit.

  47. Aronson v. Lewis, 473 A.2d 805, 812 (1984).

  48. United States v. Al-Shahin, 474 F.3d 941, 947 (7th Cir. 2007) (citations omitted).

  49. This scripted process is summarized in Wood, supra note 9.

  50. Bedolla v. Logan & Frazer, 52 Cal. App. 3d 118 (1975).

  51. The best methods to quickly spot a company with a bad tone at the top are explored in Wood, supra note 15.

  52. Mary Jo White, What I’ve Learned About White-Collar Crime, Harv. Bus. Rev., July–Aug. 2019, at 59 (White was the former chair of the SEC).

  53. Whether these new measures are cost-effective is another discussion entirely. See, e.g., Stephen M. Bainbridge, Sarbanes-Oxley § 404 at Twenty, Harv. L. Sch. F. on Corp. Governance, Sept. 22, 2022. The scripted and very focused compliance audit discussed in this article, however, has a much less expensive, much less time-consuming, and much more cost-effective profile. See Wood, supra note 11.

  54. Unlike SOX, the legal compliance audit approach requires no legislation, no regulation, and no endorsement whatsoever from politicians—or from anyone else for that matter. It is based on existing auditing methodologies, existing legal requirements (unique to each auditee firm, but the process for identifying these and categorizing them is the same for all firms), existing ethics statements, and existing scripted processes. This makes the compliance auditing process not just immediately deployable but also flexible and adaptable so that it can be added to and used in virtually any business situation. Rather than being something imposed by the government (as SOX was), the legal compliance audit process can be optionally added to contracts, negotiations, and deals, as the circumstances require, and can be negotiated by the parties involved.

  55. A good brief article about trust in the realm of high-tech products is Roger A. Grimes, Why Security Is Really All About Trust: Once You Lose Faith in a Company and Its Products No Amount of Security Will Restore Your Trust, CSO, Mar. 8, 2016.

By: Charles Cresson Wood
