Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.

On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud.  This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.

Why This Penalty Is Important

While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to

[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.

The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.”  This focus on a board’s knowledge of cybersecurity issues is not new.  The Federal Trade Commission (“FTC”) focused on this last year. 

Maintain a Strong Risk Management Program

Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:

  1. A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
  2. The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
  3. Reasonable policies and procedures and adequate technical controls to address these risks.

What Organizations Should Do

Before, during, and after any aspect of digital transformation, organizations should consider doing the following:

  1. Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
  2. Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
  3. Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.

Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.

As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks.  A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.

If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to one of our Global Privacy & Security Blog authors.

Romaine Marshall

Romaine Marshall helps clients protect their data, businesses, and reputations from cybersecurity and privacy incidents.

As a cybersecurity and privacy lawyer, he works with clients to properly secure and use electronic data, develop industry-specific cybersecurity programs, conduct risk assessments and internal privacy audits, and respond to regulatory investigations. He has represented clients in more than 100 incidents involving data breaches, ransomware, malware attacks, security misconfigurations, wire fraud, software vulnerabilities, social engineering, and other exploits.

Jon Washburn

Jon Washburn manages the firm’s information governance, compliance, and ISO 27001-certified information security programs and is a cybersecurity and technology resource for multiple Stoel Rives practice teams.

Jose Abarca

Jose Abarca counsels companies on the many issues that could, and sometimes do, end up in court or before government agencies.

As a litigator, Jose has represented numerous companies in matters ranging from ownership disputes to bet-the-company litigation. In the energy, infrastructure and natural resources practice areas, Jose focuses on resolving disputes involving engineering, procurement, master services, purchasing, development, and construction agreements.

Jose also assists clients in responding to cybersecurity incidents. As part of his cybersecurity practice, he works with technical consultants to conduct root cause analyses, counsels clients on their obligations to consumers, employees, and regulatory bodies, and helps design and implement written information security programs that meet relevant industry standards.