10 Best Practices for Privacy & Security Compliance


In Part 1 of this series, we summarize a keynote presentation by John Beardwood, Partner at Fasken Martineau LLP & world-renowned cyber security legal expert, highlighting 3 Key Reasons Why Your Board Should Care About Privacy and Security.

In this follow-up post, we share John’s 10 best practices for reducing the risk of a derivative action lawsuit and share actionable tips for achieving security and privacy compliance at the board level.

John presented the following 10 Best Practices in his keynote presentation at the Smart Technology Privacy Summit 2018. Here they are below!

#1. Make Cyber Security an Agenda Item at Your Board Meetings

  • A board’s oversight of a corporation’s cyber security and privacy programs is incredibly important. To make sure the board gets full credit for doing this, make privacy and security a regular agenda item at your meetings.
  • Board members should also be requesting management to provide briefings, so the board can say they’ve stayed up to speed on the issues.

#2. Take Minutes

Maintain written records of the board discussions regarding cyber security measures, data breaches and privacy policies (for example, include these notes in board minutes).

#3. Impose Record Requirements on Management

Require management in each of the corporation’s departments to maintain written records regarding cyber breaches.

#4. Delegate to a Specific Committee

It is very important to delegate control of cyber security and privacy measures and data protection programs to a board committee. Task the audit committee with this as part of its oversight of the corporation’s financial controls and procedures, or create a dedicated data protection committee.

#5. Obtain External Advice

The rules and regulations surrounding security and privacy compliance are complex, ambiguous and evolving. If you don’t have the expertise internally to make sense of them, hire third party consultants to audit the corporation’s cyber security systems and privacy policies and provide recommendations for improvements.

#6. Maintain Written Security Policies

Oversee management’s drafting of legally compliant, industry-standard cyber security standards, programs and policies.

#7. Have a Breach Plan

To the extent there is a privacy breach, you may need to notify customers and the commissioner, depending on the jurisdiction you’re in. It’s wise to already have a plan in place so that you’re not wasting time figuring out what to do. Better still, have a full crisis management plan in place. Don’t leave it to the last minute and then find out you don’t have any insurance coverage. The board should oversee management’s creation of a business-wide crisis management team and/or plan to manage breaches when they occur.

#8. Hire a Chief Information Security Officer (CISO)

Someone at your organization needs to be accountable for privacy. It’s best to hire a Chief Information Security Officer (CISO) who has significant experience in IT & Cyber Security.

#9. Implement Training

Policies aren’t enough. Make sure your company has a culture that is sensitive to and aware that cyber security and privacy are important. The board should oversee management’s creation of a culture that views cyber security and privacy matters as everyone’s concern, and review employee training and awareness programs on the topic. You may also want to consider whether Privacy by Design processes should be implemented.

#10. Adequately Insure the Risk

Ensure your corporation is adequately insured against breaches, including checking that the corporation’s director and officer indemnity insurance covers the same.

To avoid having a breach of cyber security become a breach of fiduciary duty, no matter what your size, make sure your company’s privacy and security policies are up to date and meet the regulatory standards. If you don’t know what these standards are, John highly recommends hiring an expert to help you audit your current privacy programs and security systems. It is also vital to keep a record of all your updates and regularly review these updates with your board. These simple acts will make all the difference should you encounter a data breach or lawsuit. Plus, promoting a culture of privacy, security and data protection is always a good idea!

What’s Next?

View John’s full PowerPoint presentation and hear his audio recording of “Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors” in our Recap of the Smart Technology Privacy Summit 2018.

Lori Smith
Lori is marketing lead at Feroot Privacy