
Business Law Today

June 2023

Why It’s Now Time for the Independent Legal Auditing of Information Security and Privacy Compliance

Charles Cresson Wood

Summary

  • Information security and privacy losses continue to increase, and corporate risk-reduction efforts taken to date are not reducing either these losses or the attendant worries of corporate litigation attorneys.
  • In the wake of continuing very large losses from ransomware and other types of attack, corporate Directors & Officers are increasingly being named as the defendants in fiduciary-duty-related shareholder lawsuits.
  • To bring trust back to the stock market during the Great Depression, independent financial audits were required, and likewise, we must now independently audit the performance of corporate Directors & Officers regarding their minimum legal duties.
  • To shift the prevailing incentive systems based largely on economics, there must be a new way to objectively and reliably measure the performance of Directors & Officers in the domain of information security and privacy.

When asked to identify the area that presents the greatest risk to their organizations, 62 percent of respondents in a recent Baker McKenzie survey of 600 senior litigation attorneys at large companies on four continents indicated that their top concern is the area of cybersecurity and data-related disputes (theft of trade secrets, ransomware, and privacy violations). To those of us working in the information security and privacy area, this finding is not surprising because much the same result was returned by a variety of other recent surveys.

What is noteworthy is that this risk area continues to be at the top of attorneys’ list of concerns. Evidently, the risk-reduction measures taken by the large organizations that comprised the survey’s respondents (and that have the most money to spend on these problems) are not lowering risk exposures to reassuring levels. Something is seriously wrong here, and it has been getting worse for decades. In order to turn this dangerous trend around, we urgently need greater personal involvement of the leadership, including expanded budgets for this crucial area.

That’s why this article proposes that we now deploy independent third-party legal compliance audits, examining the actions taken (or not taken) by the directors and officers, to make sure that the information security and privacy area is being properly addressed. The compliance auditing approach proposed here asks only whether the directors and officers are doing all that is now required by law—something that they should already be aware of and attending to, but, unfortunately, in many instances are not. This type of independent compliance audit has many uses, including vetting a prospective vendor on which a firm will soon critically depend, vetting a firm that is about to be acquired or merged with another, vetting a firm in which a large investment will soon be made, and vetting a firm that has requested access to a trade secret at another firm.

The Legal Compliance Audit Process

Parallels to the Financial Audit Process

The best frame of reference to illuminate the proposed legal compliance audit process is the historically proven independent financial audit process, which is already widely performed for publicly listed companies in the United States. The intention of expressing a one-page professional opinion on a certain topic is the same, except in the legal compliance audit the opinion states whether the directors and officers are in full compliance with all their legal duties, in all material respects, in the domain of information security and privacy. In both types of audit projects, a confidential management letter is also issued to the top management of the auditee organization if there are control deficiencies that need to be rectified.

In both types of independent audits, the auditor must be truly independent from the auditee organization, although the legal compliance auditor has a higher standard than an independent financial auditor does. The legal compliance auditor must meet all of the independence requirements of an independent financial auditor as well as all of the requirements of independent attorneys preparing professional opinions. In this way, the process fits with the existing expectations of the business world surrounding independent audits, and also fits with the professional obligations of all licensed attorneys doing this type of work.

As with the financial auditing process, in the legal compliance auditing process there are published journal articles, professional association ethics statements, professional association guides, and published treatises that can help ensure that the process of generating a professional opinion covers certain essential topics and is performed in a high-quality, repeatable manner. In the case of the legal compliance audit process discussed in this article, those topics include setting up the engagement so that both attorney-client privilege and attorney work-product doctrine can be used to protect the information gathered and generated.

Like the financial auditing process, the proposed legal compliance audit process is intended to balance out excesses and imbalances that can no longer be sustained. As will be explained in detail below, the current excessive focus on profits and other financial metrics, which primarily benefit shareholders, board members, and top management, must be rebalanced with metrics that incorporate the needs of other constituencies, such as business partners and customers.

The ESG Framework

To achieve this rebalancing, we must have seriously motivated leaders at the top of our corporations. Rather than increasing legal accountability, the legal compliance audit process only checks to see whether the leadership is currently performing the minimum that is now required by law. There is already ample precedent to demonstrate that directors and officers are currently being held accountable for information security and privacy problems. When directors and officers become better acquainted with their existing personal legal accountability, that will help motivate them to pay greater attention to, and hopefully provide additional funding for, the critically important information security and privacy area.

By incentivizing the adoption of this type of new leadership attitude, the proposed solution described here fits within the environmental, social, and governance (“ESG”) area—specifically, the governance area. Interestingly, in the Baker McKenzie survey mentioned above, the second category of concern in terms of greatest risk to their organizations, cited by 58 percent of respondents, was ESG issues. Thus, the proposed compliance audit approach addresses both the No. 1 concern and the No. 2 concern of the litigation attorneys surveyed.

Ease of Use

Further improving the attractiveness of the legal compliance audit approach is the fact that the audit methodology is ready to go, can be deployed immediately by any firm in any industry, and is applicable to firms legally domiciled in any state/territory/district in the United States. This ease of use extends beyond adoption, and includes ease of comparison of the results with other firms that have also gone through such a compliance audit.

Levels of Sophistication

There are three distinct levels of sophistication associated with the legal compliance audit process, and they all pertain to the information that is generated as a result of performing the audit: (1) internal use only, (2) shared only with selected third parties, and (3) publicly released.

If the compliance audit process is being used for the first time, then the results may be for internal use only. The results can be used to raise the awareness level of the directors and officers, generate a list of control-related remedial actions, align the actions of management at multiple levels in the organization, and create a new incentive system for the directors and officers. These internal-use-only results can also be used as critical inputs to an internal legal compliance process, such as those supported by governance, risk, and compliance (“GRC”) tools.

The next level of sophistication involves generating a professional opinion that is shared with one or more specific parties, such as a business partner who is considering the disclosure of a trade secret to the auditee firm. The professional opinion can give the third party additional assurance that the auditee firm is set up, managed, and governed in such a way that it can be trusted. Other third parties that would be interested in confidentially receiving such a professional opinion include insurance companies, major investors, lenders of significant amounts of money, and firms participating in a merger or acquisition deal. One particularly useful example of this confidential-release-to-a-third-party approach involves a release to a regulator, such as the Federal Trade Commission (“FTC”), as part of a consent decree or nonprosecution agreement.

The most sophisticated use of this compliance audit process involves making the professional opinion public information and then revealing a new “fully compliant” opinion every year thereafter. This would generally be undertaken only after the auditee firm has received several years of “fully compliant” professional opinions—and after it has gained confidence that it can predictably continue to generate these same “fully compliant” professional opinions every year going forward. This public disclosure can be leveraged for public relations purposes, for marketing purposes, and to achieve competitive advantage (where excellent security and privacy are, for example, made part of the product or service offering). This last approach to using the results of a compliance audit can also be used to rehabilitate the damaged reputation of a firm that has recently suffered a highly publicized major breach.

Specific Reasons for Use of Legal Compliance Audits

Revelations of Misrepresentations

There is ample evidence that many firms these days are failing to perform adequate due diligence before they enter into major investments, mergers and acquisitions, and other high-risk transactions (signing outsourcing services contracts, disclosing trade secrets to third parties, and entering into other critical business partnerships). In a surprisingly large number of recent situations, companies are publicly shown to be lying, twisting the truth, and otherwise misrepresenting what is actually going on. By performing the proposed legal audit process, these misrepresentations, in many cases, will be readily revealed because the state of information security and privacy legal compliance is a litmus test of good internal management and governance. This audit process is accordingly very useful when evaluating third parties prior to entering into a variety of high-risk transactions, such as when an insurance company considers issuing directors and officers (“D&O”) liability insurance.

A very large and well-known venture capital firm, for example, invested $210 million in FTX, an amount that has now been written down to $0. This and a number of other venture capital firms evidently failed to sufficiently investigate what was happening internally at FTX before making their investments. Later, after FTX declared bankruptcy, it came to light that there was a very serious lack of corporate governance mechanisms. For example, FTX was revealed to have no complete list of its own bank accounts, no separation of customer funds and company funds, no complete list of its employees, and no board of directors. It also lacked adequate teams to handle cash management, accounting, auditing, risk management, and information security. If the independent legal compliance audit approach had been performed before this investment in FTX was made, the venture capital firm undoubtedly would have decided not to proceed with the investment.

Heightened Awareness of Legal Duties

Another reason to perform an annual compliance audit is that it increases the level of awareness of the directors and officers when it comes to their legal duties, specifically in those areas where they may not be performing all that the law currently requires. While certainly this group wants to know how to avoid personal liability, these leaders also want to know what their job as a director or officer entails, as the law sees it. Many people in this group have not received a clear and succinct job description when it comes to the relatively new domain of information security and privacy. A legal compliance audit helps to ensure that the directors and officers understand, and are in fact performing according to, those same requirements.

The annual performance of such an audit also creates a metric that measures performance according to that same job description. An internal audit preparation process, such as that conducted by many publicly listed firms for the financial audit process, can ensure that the firm receives a “fully compliant” opinion every year. An annual legal compliance audit also can be a significant motivator to ensure that the minimum required by law has been met: D&O bonuses, promotions, perks, and related incentives can be tied to receiving a “fully compliant” professional opinion from the audit process.

This annual reconsideration, which can be institutionalized into a part of the governance and management reporting system (aka the GRC reporting system), also creates new opportunities, such as going well beyond the minimum to achieve competitive advantage, to create a favorable public relations image, and to better market existing products and services. Third-party trust in the firm receiving this type of legal compliance audit will be built up over time if the organization can show a string of “fully compliant” opinions using an independent audit process such as this.

Recognition of Funding Needs

A big part of why the information security and privacy area continues to be increasingly litigious and disputed is that the existing incentive systems at many organizations have been designed such that the organizations allocate insufficient resources to this increasingly critical area. Typically, the information security and privacy area is seen as a line item in the budget that does not bring in revenue and does not generate profit. In addition, decision makers see the information security and privacy domain as an undesirable expenditure because it requires long-term, sustained expenditures in order to be successful. In contrast, great emphasis is placed on existing financial performance metrics, such as stock price and whether stock options are exercisable (“in the money”)—metrics grounded in short-term results. Use of these metrics for decision-making often leaves information security and privacy underfunded not only because information security and privacy are long-term endeavors but also because there is no inspiring dramatic prize for a firm that remains quietly reliable due to its excellent information security and privacy. Furthermore, these financial metrics are historically firm-oriented, when the new reality of a tightly interconnected technological world requires that we expand our horizons to include the needs of other entities.

The excessive focus on short-term financial results is well-known and has led to major breaches of system defenses—and was, in fact, one of the allegations of the plaintiffs in two recent, high-visibility shareholder lawsuits, respectively involving LastPass and SolarWinds. In defense of those in the D&O group, particularly those who genuinely want to do the right things, under the traditional short-term financial-results-oriented system, they have often found themselves pushed into making decisions that favor short-term financial results at the expense of long-term organizational sustainability.

By using ESG metrics, such as the legal audit process described here, we can move away from an overwhelming focus on short-term financial results and instead obtain a more balanced scorecard emphasizing more sustainable and justifiable decisions in the long term. This, in turn, will increase budgets for information security and privacy, and it will help to align the objectives of stakeholders such as business partners, customers, employees, investors, regulators, and insurance companies. Excellent information security and privacy, as reflected by a “fully compliant” professional opinion resulting from a legal compliance audit, is a win-win for all of these stakeholders. The world has become far too interconnected not to make decisions based on a multiparty framework.

Focus on Directors and Officers as a Practicality and a Deterrent

The legal compliance audit process places an incentivizing focus on directors and officers. An audit focus on the actions of the directors and officers is warranted because they set the direction of the entire firm they govern and manage, and they are also the ones who are named as defendants in lawsuits after a major problem.

This audit focus is also warranted because they are the subject of a good deal of recent legislation and regulation. The number and scope of externally dictated requirements for information security and privacy are being markedly increased, for example by the U.S. Securities and Exchange Commission (“SEC”), which has proposed new rules for disclosures in this area about the level of board expertise, the type of board risk management oversight, and recent material incidents.

Public statements made by both federal and state regulators have also recently included the intention to hold corporate directors and officers personally liable for serious lapses in this same area. For example, former SEC Commissioner Luis A. Aguilar indicated that personal liability was one potential result of “failing to implement adequate steps to protect a company from cyber-threats.” Echoing the same perspective, former SEC Chairman Jay Clayton, at his confirmation hearing, stated that “individual liability is the greatest deterrent.” Similarly, former U.S. Deputy Attorney General Sally Yates issued an influential memo indicating that (a) investigations of corporate wrongdoing were to focus on the individuals involved from their inception, (b) corporate entities would receive cooperation credit only if they provided all relevant facts about the individuals involved, (c) absent extraordinary circumstances, a corporate settlement would not shield individuals from criminal or civil liability, and corporate cases would not be resolved without a “clear plan” to resolve the related individual cases, and (d) Department of Justice attorneys should pursue civil claims against individuals regardless of their ability to pay.

Financial Incentives

Of course, there are also increasingly significant financial reasons to do a better job in the information security and privacy area. One reason why information security and privacy risks are of such great concern is the very large dollar amounts associated with shareholder suit settlements, regulatory fines, and court judgments. Furthermore, the most serious categories of violation of the General Data Protection Regulation (“GDPR”), including violations of the rights and freedoms of data subjects, can attract fines of up to four percent of worldwide annual turnover (sales) or €20 million, whichever is higher.

Given that 55 percent of large companies worldwide are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of these breaches, it makes very good sense to have an annual independent audit process that identifies those businesses that are particularly risky, as evidenced by their failure to meet the minimum required by law. This can help other businesses avoid investing in, or becoming business partners with, firms such as FTX. Prevention and avoidance are far less expensive than recovery, repair, reputation rehabilitation, and dealing with the legal aftermath of these incidents. For example, the cost of remediation for a ransomware attack can be thirty times the cost of prevention, according to a survey by Accenture.

Below are notable examples of recent legal activity, which highlight the potentially enormous financial benefits of the legal compliance audit process.

Facebook. Facebook agreed to the largest FTC civil penalty ever imposed on a company for violating consumers’ privacy, in response to the Cambridge Analytica scandal. That 2019 case was resolved with a fine of $5 billion (not a typo). This penalty was not the end of the matter for Facebook: the company recently settled a user class action civil suit related to the same incident for $725 million.

Part of the FTC settlement involved the use of a third-party privacy program assessor, an arrangement similar to the legal compliance audit process described here, though involving even more intense scrutiny. Per the settlement agreement, Mark Zuckerberg, the chief executive officer (“CEO”) of Facebook (now Meta), must certify every quarter that Facebook is compliant with the new privacy program. If he falsely certifies this status, Zuckerberg will be subject to both civil and criminal penalties. This FTC strategy makes the CEO markedly more personally accountable for information security and privacy than in the past.

Yahoo! In 2016, Yahoo! announced several data breaches that had taken place in 2013 and 2014, which were ultimately determined to have affected all three billion of its user accounts. As a result of these disclosures, the purchase price in the then-underway acquisition of Yahoo! by Verizon was reduced by $350 million. Following these events, Yahoo! shareholders filed a securities class action suit against the company and certain directors and officers. This lawsuit was settled for $80 million.

There was also a derivative complaint brought against Yahoo!’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. The complaint also alleged that Yahoo! officials knew about the data breaches before they were publicly disclosed and that these defendants sold their stock holdings before the breaches were made public. This suit was settled for $29 million. Later, Altaba, Yahoo!’s successor in interest, agreed to pay a further penalty of $35 million to resolve the SEC’s first data breach enforcement action, again relating to the same data breach incidents. A separate consumer class action lawsuit, focused on the same breaches, was settled for $85 million. This last action is particularly noteworthy because it resulted in the plaintiffs’ lawyers receiving approximately $11 million in fees and expenses, and in that respect presented a potential multimillion-dollar payday. While derivative lawsuits filed against directors and officers, alleging that they breached their fiduciary duties, may be difficult to mount and win, they are not impossible in the information security and privacy domain—and many plaintiffs’ attorneys are now likely to try their hand at this type of claim.

Target. The cost to a business from a single information security and/or privacy problem can be horrendous, even in those cases where the involved legal actions are dismissed or abandoned by the plaintiffs. Consider what happened at Target. In 2013, attackers stole the payment card data of approximately 40 million Target retail customers, along with the personal details (names, mailing addresses, e-mail addresses, and telephone numbers) of up to 70 million customers. On the day the breach was announced, the stock price dropped almost 2.2 percent, representing a reduction of $890 million in the market value of the firm. Target’s EBIT (reported earnings before interest and taxes) decreased by 28.6 percent in the four quarters after the breach, compared to the four quarters before the breach.

As a result of the breach, the firm became embroiled in investigations and lawsuits with forty-seven states and the District of Columbia. The resulting settlement, announced in 2017, involved $18.5 million paid to the states and the District of Columbia. Interestingly, part of the settlement required the retention of an independent third party to perform a comprehensive security assessment, again not far from what this article is proposing. Of further concern to the directors and officers was a multidistrict consumer class action suit, which was pending at the time this article was prepared.

In its 2016 10-K report, Target reported a total of $292 million of breach-related expenses. Target also suffered a severe blow to its brand, it paid a great deal for legal defense costs, and its president was forced to resign.

In addition, Target’s board was distracted by a shareholder derivative lawsuit that dragged on for years, involving exchanges of thousands of documents, interviews with sixty-eight witnesses, and consultations with a variety of potential expert witnesses. Although that Target case was eventually dismissed, shareholder cybersecurity-related derivative lawsuits are an increasing threat. Beyond paying fines and damages, directors and officers also need to worry about losing their seats on the board of directors, their executive employment positions, significant value in the shares they own, and stock options and performance bonuses. They additionally need to worry about the erosion of their personal reputations, paying legal fees that D&O liability insurance does not cover, and paying regulatory fines as well as civil suit damages. Although it is rare, they may also go to prison if a criminal law has been violated; in all cases, they suffer health-taxing stress as a defendant in a high-profile lawsuit or criminal prosecution.

Legal Defenses Created When Legal Compliance Audits Are Used

As a side benefit of the proposed compliance audit approach, an admissible evidentiary paper trail is created by a third-party lawyer auditor. This evidence can later be used not only to defend the auditee corporation, showing that the directors and officers were in fact diligent in their efforts to be compliant with all relevant legal obligations, but also to personally defend the involved directors and officers. Hopefully, disclosure of the fact that these compliance audits were annually performed, and then used to make internal decisions related to information security and privacy, would be enough to cause those who are considering legal actions to seriously reconsider the advisability of proceeding. The circumstances supporting the use of the following three notable legal defenses—which are suitable for a defense against both civil claims and criminal charges—are created when this compliance audit process is performed.

Business Judgment Rule

The first of these three possible affirmative legal defenses involves the business judgment rule. In its general formulation, the factors for this defense require that the directors and officers acted in good faith, with the care that an ordinary prudent person in a like position would exercise under similar circumstances, and also acted in a manner that they reasonably believed to be in the best interests of the corporation.

A legal compliance audit provides support for the business judgment rule because it involves the provision of an independent expert’s advice—in a form designed to be admissible in court—about the reasonable and appropriate course of action that is in the best interests of the corporation. The performance of a legal compliance audit also supports the use of the business judgment rule because it shows good faith in that it creates evidence that the directors and officers acted reasonably and intended to faithfully perform their legal duties.

Acting on the Advice of Counsel

The second possible legal defense involves acting on the advice of counsel. In its general formulation, the factors for this defense require that, “before taking action,” the directors and officers “in good faith sought the advice of an attorney whom [they] considered to be competent, . . . for the purpose of determining the lawfulness of [their] possible future conduct”; and to enable that attorney to do a proper job, they “made a full and accurate report” to this attorney about all material facts relevant to the matter and then acted in strict accordance “with the advice of [their] attorney who had been given a full report.”

This type of legal audit process involves the retention of a competent attorney who follows a scripted process in accordance with professional ethics, much the way that independent financial auditors follow a scripted process in accordance with professional ethics. While the burden is on the directors and officers to show that they followed the recommendations found in the management letter detailing needed changes, they are likely to be highly motivated to follow such advice because if they follow the lawyer auditor’s recommendations, they avoid significant legal problems, not to mention attendant business problems such as adverse publicity, damage to the company’s brand, and time lost to handling problems that need not have taken place.

Insufficient Time to Discover the Incident and Take Action

The third of these legal defenses involves a defendant’s claim that the incident could not have reasonably been discovered in sufficient time for the directors and officers to have taken action. In its general formulation, the factors for this affirmative defense require that evidence of the need for the directors and officers to take remedial action could not have been discovered within the time frame involved even though the directors and officers had exercised reasonable due diligence.

The legal compliance audit establishes proof that the directors and officers exercised reasonable due diligence. As mentioned, the legal compliance audit process results in a one-page professional opinion indicating whether the directors and officers are fully compliant with all their material duties in the domain of information security and privacy. If they are deemed presently not compliant, the lawyer auditor provides the directors and officers with a management letter detailing needed remedial actions. These recommendations are responsive to the unique legal requirements that the directors and officers at that auditee firm face (which, in turn, are based on a review of industry-specific laws and regulations, in-force consent decrees, contractual agreements, and related firm-specific legal obligations). So, the performance of this legal audit involves the retention of an independent attorney not just to identify whether the directors and officers are compliant with all of their material legal obligations but also to double-check internal efforts to identify all relevant legal requirements. This management letter and the annual preparation of a list of all relevant legal requirements (which is accomplished as part one of the compliance audit), as well as an internal risk-management system that regularly reviews progress on identified and needed improvements, help to establish that the directors and officers did all that they could reasonably do, from a legal standpoint.

Beyond taking all reasonable actions to protect the organization and its constituencies (customers, employees, business partners, shareholders, etc.), and performing the legal compliance audit described here (and responding to the deficiencies noted, if any), there is not much that the directors and officers can do to prevent or avoid the breach itself given that information system attacks are now often automated and happen extremely fast. Thus, a very good defensive claim can be made that such incidents, if and when they do occur, could not reasonably have been discovered or responded to in sufficient time to have reduced the losses that were sustained. Instead, the efforts of the directors and officers should be focused on doing everything they can do, to further exclude the attackers from their systems, restore the integrity of their systems after a breach, restore reliable versions of files from backups, switch over to alternative facilities, control the damage done by adverse publicity, notify third parties, and the like.

Legal Compliance Audits and the Sarbanes-Oxley Act: Parallel Strategies

The scandals occurring during the dot-com bubble, and the subsequent crash of the stock market (for example Enron, WorldCom, and Tyco International), prompted Congress to focus on the actions taken by company leaders when it passed the Sarbanes-Oxley Act of 2002 (“SOX”). Section 404 of that law requires that publicly listed companies must establish internal controls over financial reporting processes and document those controls, test them, and maintain them in an effective state.

Based on the hearings surrounding the dot-com bubble scandals, it is clear that the “tone from the top” (messaging provided to employees from the top management and the board) is absolutely critical. If the tone from the top is to cut corners, bend the rules, and do whatever you need to do in order to make lots of money—as it was at Enron—then multiple employees engaged in fraud and misrepresentation will be the predictable result. However, if the tone from the top is honesty, ethics, integrity-mindedness, legal compliance, and a focus on community, then the result will be a successful and sustainable company. In the words of the former chair of the SEC: “If you’re a new leader in an organization, my advice is to let people get to know you—and your values. Let them know how serious you are about doing the right thing [about being fully compliant with the law].”

SOX provides a barometer indicating the tone from the top. That law is noteworthy because it puts two members of the top management team (the chief executive officer and the chief financial officer) at these companies on the spot, increasing their personal accountability and personal liability. They must sign quarterly forms stating that they have reviewed the internal disclosure controls over financial reporting (in a 10-Q or 10-K statement). Because they are on the line legally, because their name appears on these forms, the process surrounding the generation of financial statements, and the internal controls that go along with that process, have improved notably since SOX went into effect.

Like SOX, the legal compliance audit process that this article proposes can have a markedly reorienting effect on both the board and top management, such that information security and privacy are both markedly improved. The process of annually reviewing whether the directors and officers are in compliance with all of their legally required duties in the domain of information security and privacy creates a new incentive system and a new point of reference that guides decisions throughout the year. Thus, this annual compliance audit process not only reduces the long-term costs of information security and privacy but also improves the tone-at-the-top messaging from the leaders—thereby, and most importantly, improving the trustworthiness of the firms using this approach. Trust in today’s high-tech world critically depends on security, privacy, transparency, and compliance, and the legal compliance audit process can help markedly improve the level of trust that a firm receives.
