With all the risk analysis being conducted in the wake of Donald Trump’s victory in the 2016 U.S. presidential election – and my oh my isn’t there a lot of caterwauling about that signal moment in history these days; just go here, here and here for but a mere few examples – there are a lot of more close-in risks trucking companies should be thinking about.
One specific to the world of “Big Data” that motor carriers continue to navigate, and one many may (or may not) be pondering, is the liability risk posed by an information breach – specifically, how trucking firms might find themselves in the crosshairs of legal action due to a cyberattack or hacking incident.
Christopher Wiech, a partner in national law firm LeClairRyan, warned in a recent blog post that when cybercriminals attack retailers and other businesses – potentially placing the data of millions of people at risk – corporate executives such as CEOs and CIOs may lose their jobs and could be exposed to what he calls “crippling lawsuits.”
All business executives also need to be aware of any government regulations that apply, as well as industry or other standards that address data gathering, storage, protection and use, such as payment card industry or “PCI” data compliance standards, Wiech stressed.
"You need to be diligent, because your actions will be closely scrutinized in the event of a hack or other data breach," he warned.
Wiech added that the first notable case against corporate executives, or the “C-Suite,” following a data incident is In re Heartland Payment Systems, Inc. Securities Litigation, where the plaintiffs alleged that the C-Suite concealed a cyberattack.
"The court dismissed the lawsuit, recognizing that 'the fact that a company faces certain security problems does not of itself suggest that the company does not value data security,'" Wiech pointed out. "But central to the court's analysis in Heartland were the actions taken by the CEO and CFO before and after the data incident."
Yet many executives aren’t taking proactive preventative measures, he emphasized.
For example, Wiech pointed to a recent IBM cybersecurity survey of more than 700 C-Suite executives across 18 industries and 28 countries, which found that although 94% believe that their company will "experience a cybersecurity incident" in the next two years, only 65% said they were confident about their company's cybersecurity plans.
Also troubling is that some 60% of the CFOs, human resource, and marketing executives polled by IBM said they are the "least involved" in cybersecurity measures, even though they are the individuals responsible for data most coveted by cybercriminals.
Wiech said part of the challenge is the lack of a "bright line" data security standard, putting executives on notice of exactly what their organizations should be doing when it comes to cybersecurity.
"There is no generalized standard for data security; it is a question of business judgment," he explained. "A court or jury will generally consider whether or not the executive made an informed, diligent decision on behalf of – and in the best interests of – the company and its shareholders, what is often called the ‘business judgment rule,’ but those decisions are made on a case-by-case basis."
Even though C-Suite executives are protected by that rule, he stressed that plaintiffs are not being deterred by it in their attempts to hold directors and officers personally liable for the fallout from massive data incidents.
"So CEOs, CIOs and other top executives can take some steps to increase their company's cybersecurity, while potentially creating a stronger defense in case of a lawsuit," Wiech noted.
Here are a few tips he offered:
- The CEO, CIO and other top executives should meet on a regular basis, and may consider working with a company’s board of directors to create a cybersecurity committee. "Your cybersecurity committee should include representatives from marketing, IT [information technology] and other technical specialists, as well as internal and external legal advisors," Wiech said.
- A cybersecurity committee needs to address specific issues such as the ways the company protects digital and other assets, while considering who has access to your data, and what your legal and other responsibilities are and to whom they're owed, he noted.
- Also, consider third-party vendors and others who handle your data, and what their security procedures are: do they measure up to the security protocols you are putting into place?
- Yet cybersecurity strategy needs balance too, he emphasized. "A company can build a vault around its data that may be nearly impossible to penetrate, but then you may be unable to use it in a real-time manner, negating or minimizing the business value of the data," Wiech explained.
- Finally, do you have processes in place if a data breach does occur? "You need to plan for it before something happens," he stressed.
"Cybersecurity is no longer just an IT issue, nor is it defensible to be naïve about cybersecurity," Wiech pointed out. "A diligent C-Suite and boardroom should be cognizant of their company's cybersecurity risks, routinely discuss those risks, and rely on and follow the advice of experts to mitigate those risks."