The security of information

The security of information, whether personal data or company data, is the responsibility of the directors of a company. Such responsibility may be devolved but all roads are always directed and re-directed to those who are charged at the most senior level with the safe custody of the assets of a business. Thomas Bennett, Founder of V Henry & Co, explains why directors are well advised to look after information and how personal and business consequences follow if they do not.
The security of information, whether personal data or company data, is the responsibility of the directors of the company. Such responsibility may be devolved, of course, but all roads are always directed and re-directed to those who are charged, at the most senior level, with the safe custody of the assets of a business. Directors are well advised if they know how to look after information. Personal and business consequences follow if they do not.
For directors of listed businesses, the legal and regulatory burden is heavy, and it gets ever heavier. The latticed framework of information within large companies whose trade crosses country borders, from one legal jurisdiction to another, adds further weight. Managing the laws of one country may not be nearly enough, yet knowing all relevant laws of all countries where trade is carried on, or information is processed, may be too much. There is a balance to strike between over-kill and risk.
Much advice in the field of information security and the law focuses on personal data. This is understandable. Having personal knowledge of others, however it is used, carries significant corporate and personal responsibility, as it should. A less travelled area is the responsibility of the directors of listed companies for securing corporate data, that is, the value inherent in the intellectual property and related goodwill owned by the business. A cursory look at most balance sheets will show where the value of a company lies. Protecting and growing shareholder value is the raison d'être of good management. Failure to protect corporate data from loss and theft will invariably lead to the destruction of shareholder value and the curtailment of careers.
Corporate law can be kind to those who direct listed businesses and fail. Failure is usually relative: a hastened departure, comfort money and a new face, or a quick promotion. A revolving door – life goes on. Still, corporate law need not be kind. The law does have teeth. Directors, who are primarily responsible for the preservation of value within a company, need to be aware of how vulnerable they are, and of how they can mitigate the information security risks they face when protecting their business from the worst of the risks to data integrity which exist in our increasingly inter-woven world.
UK Law and the Personal Liability of Directors
In the UK, directors of all companies – executive and non-executive, public and private – have a general duty to promote the success of the company.[1] Directors must show reasonable care, skill and diligence.[2] As one may assume that directors of listed businesses are highly competent, it is a short step to assume their responsibility for the control of the security of corporate and personal information within their charge. Should they fail, the Companies Act 2006 affords shareholders the right to pursue directors for negligence or breach of duty.[3] Where a share price can be decimated through failure to protect corporate data,[4] willing activist shareholders and those with deep pockets may have potential redress beyond the revolving door at the top.
Corporate governance principles will apply. Under the current version of The Combined Code,[5] published in September 2014, directors are “responsible for determining the nature and extent of the [significant] principal risks ... [they are] ... willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.”[6] The related guidance, published by the FRC,[7] sets out what a company’s internal control systems should do. This includes risk recognition and treatment, risk mitigation, legal compliance and enhanced external reporting.[8] Risk assessment includes the evaluation of information and communication systems (and of the processes used to review their effectiveness). In other words, directors are (well) advised to isolate, understand and treat information so as to mitigate the contextual and commercial risks that come with it.[9]
It is not obligatory for companies to comply with The Combined Code; if they do not, they must explain why. However, under the Listing Rules,[10] there are a number of requirements for directors to state the company’s position with respect to The Combined Code. Directors must ensure that the auditors review statements made under Principle C.[11] S.418(2)(b) Companies Act 2006 requires directors to make diligent enquiry and to tell auditors of any factors that may be relevant to the auditor’s assessment of the accounts. To discharge this duty properly, a director’s reach must extend to those who are the custodians of information security within the company. Failure to discharge this duty could result in being charged with a criminal offence.[12]
If a company is hacked and information is misappropriated, prima facie, the breach of security must be disclosed to the market.[13] A listed company must act with integrity toward holders and potential holders of its listed shares. A company cannot, by virtue of its silence, create a false market in its shares. If valuable information is stolen, listed companies must notify a regulatory information service of the breach. If personal data is stolen, the ICO should be informed too.[14]
Under S.90[15] of the Financial Services and Markets Act 2000, corporate issuers can be liable to individuals who invest on the basis of published information that is untrue, misleading or contains omissions, provided the person discharging managerial responsibility knew that the statement was untrue or misleading, or was reckless as to whether it was. There is, too, the possibility of liability for misleading statements: misrepresentation, negligent misstatement and pursuit under the tort of deceit. If S.90 applies, directors (as well as the company) are liable to compensate individuals who acquired shares in the company and suffered loss as a result of an untrue or misleading statement or omission.
When to own up to an information security problem, and when to stay silent, is as much an art form as a reasoned choice based on precedent. There is very little precedent, and even less reporting (the disclosure by TalkTalk being an exception). Directors of listed businesses are offered a smorgasbord of regulations and latticed law to digest. Whether through fiduciary duty or the stretch of the common law, penalties on a personal level are apparent with just a little digging. And of course, companies are exposed too. If the risks and regulations are well understood, senior directors can react accordingly. If they are not, it simply will not do for a director of a listed business, with personal culpability a distinct possibility, to be unknowing or badly briefed on this growing threat in this complex space. It is a truism that the nature of information risk has changed. New laws have widened the ambit of liability. Executives and non-executives who made their reputations in the distant past need to take note of the recent present, and position themselves for the immediate future.
Managing Information Risk – Best Practice
Most of the information known to man has been created in the last two years.[16] Information has value. Of course it has. The internet does not start and stop at Google. The value of information in the Dark Web[17] is immense. High-end hacking is often a difficult crime to detect. Prosecutions are rare. It takes seconds for millions in corporate value to be transferred to a pen drive. Disgruntled employees sell information. Sabotage and carelessness are difficult to control. Unencrypted laptops are left on trains and mobile phones don’t make it home with their owners. The information security risks are clear. How best to navigate these mutating risks is a key question. Isolating the underlying principles which offer assistance may help:
Know yourself. The spectrum of information security risk is coloured by the type of business, its geographic spread, barriers to entry and the degree of supplier and customer integration. An engineering company with an extensive cross-border supply chain, selling a product involving millions of hours of intellectual evaluation, is markedly different from a professional services firm unlikely to make money if a fire alarm forces evacuation of the building. Risk, the effect of uncertainty on objectives,[18] is bespoke for every business.
Know the law. Where data, personal or corporate, crosses borders, it attaches to the laws of countries whose treatment of data and risk may show significant variability. Although drifting together, the European Union and the United States hold to different principles when it comes to responsibility for data. China has its own approach;[19] in Asia, APEC countries[20] have developed a coordinated perspective; and the Commonwealth has defined its own approach.[21] Within Europe, the graduated responses of nation states transposing Directives into domestic law need to be understood. Which jurisdiction applies to which data? How is conformity with the law managed when data travels outside of the EU? If personal data, has consent from the data subject been obtained? Are binding corporate rules being used instead? If corporate data, how is corporate governance managed? Under Sarbanes-Oxley, mandatory provisions apply; in the UK, there are limited mandatory provisions. Is encryption being undertaken, and what, nation by nation, are the regulations that permit or restrict it? If breached, who do you notify, if anyone at all? Is data being transferred to the Cloud? If so, what is the jurisdiction of the destination of that data?
Know your suppliers. Information security fails at its weakest point. Any evaluation of the information security status of a business requires a survey of the data integrity of the supply chain. Listed businesses can force their supply chain to upskill their security provision – the threat of loss of contract is usually enough. If contracts are simply evidence of the retention or transfer of risk, how is information security risk transferred to the supply chain (or indeed to customers) so that risks are known and managed? Sometimes standard contract clauses are used and sometimes they are not; a review is required of all relevant contract terms. Exposures should be understood; directors need to know, either way. General Counsel and outside advisers may all help.
Know your chain of command; create a citadel. With all that whole-company management entails, executive and non-executive directors can only sleep easy knowing that information security management involves a thicket of advisers – internal (Chief Information Security Officer, General Counsel) and external – advisers with very particular specialisms (info-sec consultants, systems developers and lawyers who understand the space intimately). Advisers need to disseminate policies and standards that must be acted upon. Supplier contracts must be robust; employment contracts and staff handbooks must set out the default position for non-adherence; management systems should be evaluated by objective parties and the report evaluated by the board. With devolved mechanisms which entail personal responsibility, the chain which reports compliance must stretch from low to high. All must buy in, regardless of who they are. A citadel – graduated defences, technical and human, all integrated – should underpin a clear chain of command.
Standards, systems and defence. There are several information security standards which are country-centric or of wider application. In the UK, the National Cyber Security Strategy is well regarded and comprehensive. The Cyber Security Essentials Scheme is highly thought of as an organizational standard. More widely, the prevailing international standard for most is ISO27001,[22] which offers a system for information security management that allows a company to use the most amenable risk treatment plan, tailored for the business in question, based on a structure applicable to other ISO standards.[23] These standards are important. Where the law in this area is fragmented and often obtuse, the use and adoption of standards represents a proactive step towards evidenced efforts at protection, and part of the citadel allowing a company to show that it did all that it could.
Insurance. The use of the information insurance market in the United Kingdom is thin. Only 13% of large to mid-sized companies (turnover up to $1 billion) have dedicated cyber insurance. Uptake in the United States is much higher.[24] Underwriters in the UK are wary of information security risks which extend into the supply chain, and insurance cover for the largest organizations without suitable and robust defence mechanisms may not be available (though many self-insure as a matter of course). However, good practice encourages insurance cover. If insurance is available, it should be taken. Vitiation risk should be understood, and terms should be carefully negotiated so that the directors can be assured that they can protect shareholder value.
Control the message. Reputation risk is of fundamental concern. Share price can be a primary casualty once a data breach is disclosed. So, of course, can the career of senior directors. When the confidentiality and integrity of data is compromised, damage limitation depends on being able to show that the business had done everything possible to manage its exposure, and that it has systems in place to curtail the more far-reaching effects of the loss. Directors have to be well briefed and rehearsed. Retaining control of the message is key.
The Future – Changing Horizons
Amongst the legal systems of the states within the European Union, and in the United States, the legal landscape is changing. In the EU, the intended General Data Protection Regulation (GDPR) lies on the same time horizon[25] as the intended Cyber Security Directive.[26] Compulsory notification in the event of an information security breach is increasingly the prevailing standard. The latitude of directors not to disclose data breaches to the market will come under scrutiny. It is in this context that directors of listed businesses must manage the exposure of their companies and, indeed, of themselves. The treatment of data, as we become ever more dependent on it, requires long-standing executives to upskill and to ensure that corporate exposure is limited through a thicket of protective mechanisms which guarantee the confidentiality, integrity and availability of corporate and personal information. The price of failure can now travel beyond the corporate veil. That directors of listed businesses could be personally culpable, once understood, should concentrate the mind and result in direct benefits to all stakeholders in a company – shareholders, customers, suppliers, employees and the directors themselves. Know yourself, know the law, know your suppliers; know your chain of command and create a citadel; embrace standards and systems and collect your defences. Directors are well advised if they know how best to look after information. Personal and business consequences follow if they do not.
Thomas Bennett LLB MSc (Oxon) Solicitor; thomas.bennett@vhenryco.com
Thomas Bennett owns V Henry & Co., and is an expert in information security law, physical and maritime security law, and finance law. He is also an ISO27001 Lead Auditor.

[1] Companies Act 2006 S.172
[2] Companies Act S.174
[3] Companies Act 2006 S.260(3); see also S.178
[4] In a recent example, TalkTalk had c.£240 million wiped off its share price (http://www.theguardian.com/business/marketforceslive/2015/oct/26/talktalk-shares-fall-another-7-after-cyber-attack)
[5] https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/UK-Corporate-Governance-Code-2014.aspx
[6] Principle C, The Combined Code
[7] https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Guidance-on-Risk-Management,-Internal-Control-and.pdf
[8] See note 6; Section 4; paragraph 28
[9] See also SYSC 3.26R and SYSC 3.1.1R for FCA requirements for adequate systems and controls
[10] https://www.handbook.fca.org.uk/handbook/LR/9/8.html
[11] See Listing Rule 9.8.10(2)
[12] See S.418(6) Companies Act 2006
[13] See Disclosure and Transparency Rules 2.21R https://www.handbook.fca.org.uk/handbook/DTR.pdf
[14] This is not obligatory save for certain companies regulated by PECR; see https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf
[15] This is more particularly set out in Schedule 10 Part 2 of FSMA 2000
[16] http://www.sciencedaily.com/releases/2013/05/130522085217.htm
[17] The Dark Web consists of networks which use the public internet but which require specific software, configurations or authorization to access. It is part of the web not indexed by search engines and a haven for criminal activity.
[18] This is the ISO27000 definition of risk; see ISO/IEC 27000 Overview and Vocabulary
[19] See PLC Law Materials; Data Protection Law in China: overview http://uk.practicallaw.com/4-519-9017
[20] There are currently 21 countries in APEC; www.apec.org
[21] See http://www.cto.int/media/fo-th/cyb-sec/Commonwealth%20Approach%20for%20National%20Cybersecurity%20Strategies.pdf
[22] See ISO27002 for the 114 suggested information security risk controls
[23] See Annex A ISO; for an explanation of Annex A, go to http://www.british-assessment.co.uk/articles/isos-annex-sl-explained
[24] Numbers quoted in an article in Computer Weekly; http://www.computerweekly.com/news/2240239989/UK-lags-US-in-cyber-insurance-study-shows
[25] EU NIS Directive; see http://ec.europa.eu/digital-agenda/en/cybersecurity
[26] Go to: http://ec.europa.eu/justice/data-protection/reform/index_en.htm
