After hearing about the major data breaches at companies like Target, Michael’s, and Neiman Marcus, ABC Corp. realizes it needs to protect itself from such an attack. So it consults with its attorneys, identifies where it is most vulnerable, and drafts a comprehensive cybersecurity policy. ABC’s CEO distributes a company-wide memorandum that stresses the policy’s importance and explains how the policy will be implemented. But days and weeks pass and the policy is never truly implemented: employees never create rigorous passwords to secure their laptops, the company never installs anti-virus software, an offsite back-up for important files is never created.
Six months later, ABC’s system is compromised, causing extended downtime and a public-relations nightmare from angry customers whose information has been stolen. Some of these customers bring lawsuits against ABC under state unfair and deceptive trade practices laws, claiming ABC’s express statements regarding how its cybersecurity policy protected customer data were “deceptive.” Other customers sue for breach of contract (express or implied) based on ABC’s user agreement, which agreed to protect customer data. Still other customers claim that the data breach was due to ABC’s negligence in failing to implement the policy.
At trial, ABC’s attorneys point to the company’s cybersecurity policy over and over: ABC had a policy! A comprehensive policy! The CEO testifies about how important cybersecurity is to ABC, and about all the time and energy the company put into drafting its policy. She also testifies about how she sent the company-wide memo and regularly encouraged employees to follow the policy’s requirements. But consider the answers to a few questions that plaintiff’s counsel will ask the CEO:
After drafting the policy, were employees required to secure their company-issued computers by creating any sort of password?
Did ABC Corp. ever install any type of protective software to prevent cyber-attacks?
Was an offsite back-up database ever created for important files?
Was a method or procedure established to monitor ABC Corp.’s systems for potential cybersecurity threats or breaches?
Unfortunately, the answer to each question is a damaging “no.”
The moral of this story is that adopting a cybersecurity policy is useless, and indeed potentially harmful, if it is not actually implemented. Most companies recognize the importance of cybersecurity and eagerly race to the drawing board to draft a policy. But failing to take the next step and actually implement that policy not only leaves the company vulnerable to cyber-attack, but also serves as black-and-white proof of what the company thought it should do, but did not.