Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive. The main driver of this process is often data. For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.
While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.
On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud. This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.
Why This Penalty Is Important
While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to
[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.
The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.” This focus on a board’s knowledge of cybersecurity issues is not new. The Federal Trade Commission (“FTC”) focused on this last year.
Maintain a Strong Risk Management Program
Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:
- A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
- The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
- Reasonable policies and procedures and adequate technical controls to address these risks.
What Organizations Should Do
Before, during, and after any aspect of digital transformation, organizations should consider doing the following:
- Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
- Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
- Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.
Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.
As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks. A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.
If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to one of our Global Privacy & Security Blog authors.