• Review of Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process

    10 Feb 2021

    One of the great tragedies impacting businesses today is the disconnection between executive leadership and the information security function. The general assumption has long been that technical staff have everything under control and, therefore, management doesn’t need to get all that involved in IT security and compliance related initiatives. I first noticed this situation in the late 1990s working on information security security projects with clients. Shortly thereafter, I wrote about the disconnect. Oddly enough, even in the year 2021, I’m still witnessing executive disconnection with the information security function.

    Well, there is a new (from 2020) two-volume book written by Charles Cresson Wood, that can be a part of the solution to this widespread business challenge. Titled Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, this book is more like a practical guide. The two volumes are absolutely overflowing with prescriptive steps to take to properly assess and attest to compliance status with information security and privacy regulations – all from the highest levels of the business. There are separate sets of instructions in the book for the various roles involved in what Charles refers to as a “Duties Audit”.

    In speaking with Charles, he explained that this audit process can be performed by internal auditors, or internal risk managers, and does not require an independent attorney to be a part of the team. But if an auditee firm does choose to employ an an independent attorney to do the work, it will help generate credible third party documentation that is prepared in accordance with the Federal Rules of Evidence. This means the evidence is admissible in court. To have such evidence will go a long way toward protecting the Directors & Officers using various legal defenses like: (1) the business judgment rule, (2) the problem could not have been reasonably detected within the time available, and (3) the Directors & Officers were acting based on the advice of counsel.

    The Duties Audit process pulls together resources from across the organization to end up with an “independent attorney’s professional judgment indicating whether the directors and officers at a firm are in full compliance with all the material legal duties in the area of information security and privacy….a Duties Audit creates credible documentary evidence of legal compliance, helping to ensure that the directors and officers are doing all that the law now requires, in the rapidly changing and highly complex area of information security and privacy, and as a byproduct, it reduces the personal liability risk of the directors and officers.”

    The Duties Audit process, which takes a few weeks to complete, might involve the following seven roles within the organization:

    (1) directors and officers
    (2) project managers
    (3) lawyer auditors
    (4) lawyer supervisors
    (5) lawyer reviewers
    (6) lawyer validators
    (7) business process designers

    The only roles that are required for a Duties Audit are (1) an executive sponsor, such as the Chairman of the Board, (2) the project manager, who should not be the Chief Information Security Officer or the Chief Privacy Officer, and (3) the independent attorney who uses the guidance outlined in the book.

    The deliverables from the Duties Audit process that Charles outlines are:
    (1) a professional opinion, which indicates whether the directors and officers are in full compliance with all of their legal duties in the areas of information security and privacy
    (2) a management letter, in cases where a “fully compliant” result was not obtained, which details what specific areas that need work so that the next time that the process is performed a “fully compliant” result is attainable

    The layout of the book facilitates quick reference to the section on the steps each of these roles are to follow. There are tables, diagrams, and checklists – a massive amount of information (1,134 pages!) to not only improve but embolden the compliance audit process. Considering that Charles wrote the great resource Information Security Policies Made Easy, it should come as no surprise that he has created yet another masterpiece with this book.

    The importance of Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process is stated best in the executive summary:
    “For all American businesses, the information security and privacy domain has become a high-risk danger area that urgently deserves the personal attention of Directors & Officers.”

    Furthermore, referencing the situation that put Arthur Anderson LLP out of business, Charles writes:
    “The case illustrates that doing things right in the information security and privacy area – and doing so in a manner that is in full compliance with the law – is now absolutely essential.”

    Have a need for information governance in your organization? Of course you do. You really need to check out Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process. The book is text heavy but very well researched. I can’t imagine how much time Charles must’ve put into creating it all! The book is not inexpensive but the information he shares is immensely valuable. If you’re responsible, in any way, for information security and privacy compliance, especially if you serve as a corporate director or officer, get this book! If these duties are not under your purview, then share this book with your legal counsel and executive management. It’s a lot to take in – and to take on. The way that I see it, there’s really no other choice lest your organization wishes to end up losing out on business opportunities or on the wrong side of an incident or breach and all the associated consequences.

    You need a defensible IT and security governance program. Charles’s book shows you how to do it. Plus there’s the added bonus (to me, at least) of him not referencing the trendy “cybersecurity” throughout like so many people do today. Charles simply calls it what a true veteran of this field would (and should) call it: information security.