Companies no longer have the luxury of putting off or failing to address privacy and security issues. Those that have performed risk assessments in the past to protect against security risks need to revisit and likely revise their procedures in light of new risks and rules. Those that never have performed risk assessments must do so now. Companies need to ensure they have prepared for and protected themselves against potential attacks from a myriad of sources that include disgruntled employees, hackers, domestic competitors, foreign intelligence services, and terrorists. They also must make certain they comply with the new rules. A company that fails to take notice of the changed landscape and does not take appropriate remedial steps places not only its assets and goodwill at risk, but it exposes the officers and directors to civil liability and criminal punishment.

Two federal laws have had a significant impact: Gramm-Leach-Bliley Act of 1999 (GLB) and the Sarbanes-Oxley Act of 2002. By now, most companies are aware of the GLB Acts requirements regarding disclosure of their privacy policies. However, only now are companies coming to understand the impact of Sarbanes-Oxley, which requires executive and financial officers to establish and maintain internal controls that ensure the maintenance of documents and accuracy of information contained in financial reports. Many companies have not yet established the required mechanisms to guard against the destruction, deletion, and/or alteration of pertinent information from whatever source, including internal or external hackers. Officers and directors are beginning to realize that penalties for failing to comply are serious.

Matters of State