Because they are not personally stealing files or selling state secrets, public board members may feel confident that they are not part of the security problem of their local governments. In fact, the face of security has changed entirely. Boards handle highly sensitive information that is actively sought around the clock by hackers, and they alone are ultimately responsible for keeping it secure. To handle a changing portfolio of responsibilities and to conduct everyday operations with the care that they require, government boards need technological sophistication that they once outsourced to lower levels of the organization.
If you had told Andy Griffith that simple information could become a precious asset, he would have laughed you out of town. Surely Mayberry did not have a Chief Information Officer. Now that technology and security are booming industries, the new temptation is to delegate: Surely the tech team is taking care of it, so the board doesn’t have to. They would never have that attitude about the financial team, whom they assume they must vigilantly oversee.
The sidelining of information security reveals a highly dangerous misunderstanding of the true extent of board liability. As with embezzlement and money laundering, so, too, with data breaches and phishing scams: The buck stops here. Incurring cyber risk through simple ignorance and negligence leaves the board as a whole – and even each individual board member – facing ultimate legal and financial responsibility. Cyber insurance sales have risen 23% over the last five years as boards face the threats they can no longer deny. (BusinessInsurance.com, “Cyber Premiums See Steady Growth Over Five Years” )
Future lawsuits will test the precise consequences of the growing number of regulations on the books that demand accountability for violations of data security. Industry leader Aon Cyber Solutions identifies a stricter regulatory environment as a game-changer with widespread ramifications. (“Aon’s Cybersecurity 2018 Predictions: Companies Will Make Major Enterprise-Wide Changes to Address Cyber Risk,” strozfreidberg.com, Jan. 8, 2018”) Pressure is rising on many fronts:
Legislation and litigation will fill in the details, but the writing is on the wall: Protecting data is a growing legal and financial responsibility enforceable by law, and boards have final responsibility.
Public bodies need tech-savvy boards because their portfolio of responsibilities increasingly calls for technological solutions to satisfy governance requirements. Four key duties facing public boards call for government actions that are unmistakably technological: managing risk, following open meeting laws, providing “open data” and complying with Americans with Disabilities Act (ADA) requirements.
Early in 2018, Aon Cyber Solutions predicted that all types of boards will be taking cyber risk concerns out of their silos and into the boardroom. According to Aon CEO Jason J. Hogg, “[h]eightened exposure will require an integrated cybersecurity approach to both business culture and risk management frameworks. Leaders must adopt a coordinated, C-suite driven approach to cyber risk management, enabling them to better assess and mitigate risk across all enterprise functions.” (Aon’s Cybersecurity 2018 Predictions)
Public boards are hardly immune from the danger. In fact, they are leading targets. Attacks have hobbled entire towns, police departments, municipal infrastructures and emergency preparedness systems. (Osterman Research Corporation 2016 whitepaper on ransomware and 2016 IBM Cost of Data Breach Report) In 2016, data breaches cost $4 million, but the real action is in ransomware, like the March 2018 attack on Atlanta, Georgia. Such attacks cost organizations $209 million in the first three months of 2016 alone, and they continue to spiral out of control. (Osterman)
California’s Brown Act undoubtedly signals an imminent trend with a recent amendment providing a technological workaround to longstanding open meeting laws. Public bodies with public-facing websites can now satisfy posting requirements by putting meeting notices, agendas, minutes and even optional meeting footage, on their websites.
Only a tech-savvy board will know how to take advantage of that labor-saving opportunity without putting data in harm’s way. It needs to know that file-sharing sites provide next to no protection from cyberintruders, that some portals are more secure than others, that 256-bit encryption is essential, as is storage on a private, cloud-based server, not merely on “the cloud.” Board members are not born with that knowledge. They must have training, and boards that recruit should court members with technological sophistication, even reserving one seat for a technical expert.
Online portals can now satisfy open data requirements in Illinois, and other states are bound to follow. Facing the new digital requirement, Chicago wasted money on an inferior platform called Socrata. While it lets users download data onto their hard drives in compressed files, it requires lots of IT staff time, provides little security for the reams of data that are published and provides no way to search the voluminous information that its archive contains. A more technologically knowledgeable board would have known to look for these features as the city found a portal solution to the open data requirement.
But do boards have the tools to handle that responsibility? Without an overhaul of board preparation, the answer is no. A 2017 survey of 428 school board officials, conducted by the National School Boards Association (NSBA) and Diligent Corp., showed a glaring lack of board education or implementation of best practices. Yet board members handle such sensitive information that they alone have security clearance to read it. A board with average technological education will “innocently” subject that information to unconscionable risk in its day-to-day operations:
Without considerable know-how, a board member is apt to compromise that data in countless ways. They could store files on a file-sharing site like Google Docs. After all, it requires a password. Right? Password protection provides insufficient protection, given that the site itself stores data on the cloud, often with no encryption or low encryption; it’s a hacker’s Candyland. Or they could download the files onto their personal devices, which themselves can be stolen or easily hacked if the user walks away from his terminal on a break while an internet app is open.
3. They hold meetings. Boards that convert to fully paperless meetings keep their information far more secure than those that distribute paper copies. Only knowledgeable board members will welcome the switch.
In these countless routine processes, board members are apt to expose privileged data to a vigilant underworld of cybercriminals. It takes uncommon knowledge to understand how to handle communications and files in the ways that keep them safe. Insider mistakes constitute the single greatest risk to information security. (Gerald Cliff, “Growing Impact of Cybercrime in Local Government: Managers Face Uphill Battle,” Public Management June 2017, p. 7) That’s why technological sophistication is now a necessity, not a luxury, on public boards.
The tide has turned: Board ignorance about technology is no longer harmless; it’s downright negligent. Public boards require above-average technological know-how to responsibly satisfy increasingly tech-based requirements affecting their divergent spheres of responsibility and to keep their often-sensitive documents out of reach as they go about their daily operations.
BusinessInsurance.com, “Cyber Premiums See Steady Growth Over Five Years”
Gerald Cliff, “Growing Impact of Cybercrime in Local Government: Managers Face Uphill Battle,” Public Management June 2017
Diligent, “School Boards Grossly Unprepared for Threat of Cybercrime: Results of the 2017 NSBA Survey.” White paper.
Osterman Research Corporation 2016 whitepaper on ransomware
Strozfreidberg.com, “Aon’s Cybersecurity 2018 Predictions: Companies Will Make Major Enterprise-Wide Changes to Address Cyber Risk,” Jan. 8, 2018.