healthcare industry, the HIPAA security regulations require an identified security official to be responsible for compliance.7 Several FTC consent decrees involving companies in a variety of non-regulated industries do likewise.8 And federal law places the responsibility for information security within each government agency on the head of such agency.9
Evolving case law also suggests that, by virtue of their fiduciary obligations to the company, corporate directors will find that their duty of care includes responsibility for the security of the company’s information systems. In particular, it may “extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data.”10 In the Caremark International Inc. Derivative Litigation, for example, the Delaware court noted that “it is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”11
The private sector is also beginning to recognize that the responsibility for security lies with upper management and the board of directors. The Business Roundtable, for example, has noted both that “[i]nformation security requires CEO attention” and that “[b]oards of directors should consider information security as an essential element of corporate governance and a top priority for board review.”12 The Corporate Governance Task Force Report has taken a similar position, noting that:
The board of directors/trustees or similar governance entity should provide strategic oversight regarding information security, including:
1. Understanding the criticality of information and information security to the organization.
2. Reviewing investment in information security for alignment with the organization strategy and risk profile.
3. Endorsing the development and implementation of a comprehensive information security program.
7 HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(2).
8 See FTC Decisions and Consent Decrees listed in Appendix, including Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(a), p. 7; Eli Lilly Decision at II.A.
9 FISMA, 44 U.S.C. 3544(a).
10 E. Michael Power and Roland L. Trope, Sailing in Dangerous Waters: A Director’s Guide to Data Governance, American Bar Association (2005), p. 13; Roland L. Trope, “Directors’ Digital Fiduciary Duties,” IEEE Security & Privacy, January/February 2005 at p. 78.
11 Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
12 Securing Cyberspace: Business Roundtable’s Framework for the Future, Business Roundtable, May 19, 2004 at pp. 1, 2; available at www.businessroundtable.org/pdf//20040518000CyberSecurityPrinciples.pdf. The Business Roundtable is an association of chief executive officers of leading U.S. corporations with a combined workforce of more than 10 million employees in the United States. See www.businessroundtable.org.