Executives, Boards Asleep on Cyber Security Face Big Risks

Cyber security is a growing problem for public companies of all sizes and those that don’t keep up to date on the issue could be placing themselves at risk of lawsuits and compromised stock performance, experts on the matter say. Ziad Kubursi, insurance organization Chartis’ national vice president and regional executive of executive liability, gives the example of Massachusetts-based TJX Companies, Inc., the parent company of T.J. Maxx and Marshalls. In a data security breach in 2007, an intruder obtained tens of millions of credit card and debit card numbers, along with the personal information of about 455,000 consumers who returned merchandise to the stores. The Federal Trade Commission determined the company failed to take the appropriate measures to protect the information. Some of those measures included using the appropriate firewalls, limiting wireless access to company networks and avoiding the storage and transmission of personal information on various computer networks in clear texts. The breach cost the company millions of dollars in settlement, investigation and plaintiff’s attorney costs, Kubursi said. The occurrence of cyber security-related lawsuits targeting top officials within companies is one of the growing trends Kubursi’s company is noticing. Technology, such as iPads and iPhones, have contributed to the breaches since the equipment creates a connection to company network infrastructures, he said. “There’s constantly breaches in security. There’s constantly theft of data,” he said. “More than ever, holding companies are more liable.” Meanwhile, he added, top company executives such as presidents and CEOs generally leave security issues to their chief technology officers, leaving the executives out of touch with their companies’ security vulnerabilities. “They just need to be a lot more active in oversight over their IT functions (and) the IT security measures and make sure they’re up to speed on what they have in place,” Kubursi said. Hit hard In 2009, security breaches of organizations led to average costs of $6.7 million, including costs for detection, notification, ex-post response and lost business, according to a study released by the Ponemon Institute in April. Forty percent of the breaches were due to negligence, 36 percent were due to system glitches and 24 percent were due to malicious or criminal attacks, according to the study’s results. Security breaches are particularly harmful to public companies, which have more requirements for reporting to the public, have higher media profiles and have stock prices that could be lowered due to negative exposure from breaches, Kurbursi said. And that is not including the harm of possible lawsuits, he added. James Cooper, business litigation attorney and partner at Levinson, Arshonsky & Kurtz, LLP in Sherman Oaks, said lawsuits targeting corporate leaders over security breaches have particularly become more prominent over the past three years. “It certainly is a brand new area of law,” he said. The best thing for companies, he added, is to first determine what the standard levels of protections are. “They need to consult with whatever the state-of-the-art is and make sure that they’re in that range of protections available,” Cooper said. “The greater the potential harm, the greater the security must be.” Kurbursi said companies at higher risk of cyber attacks are financial institutions and e-commerce Web sites.