Cyber Security – A New Fiduciary Responsibility
Personal information is now one of the most valuable assets that businesses hold in trust on behalf of customers, clients, and related constituents. Recently, several law professors at UC Davis have proposed adapting fiduciary rules to apply to online companies that collect and hold personal data from their customers. New laws would define such companies as “information fiduciaries.” The definition of whom this applies to could potentially expand to any company that holds the personal information of others.
Perhaps it is time to step back and take a broader view of the responsibility to protect personal information from cyber threats within the framework of “information fiduciary”. The basic idea is this: When you provide information to any company in order to receive or provide goods and services, that company should have a duty to exercise loyalty and due care in how it uses and protects that information.
Fiduciary law was developed over centuries of economic relationships, such as when ordinary people entrust their personal information to skilled professionals (doctors, lawyers, and accountants particularly). In exchange for this trust, such professionals owe their customers a duty of loyalty, meaning they cannot use their customers’ information against their customers’ interests. They also owe a duty of care, meaning they must act competently and diligently to avoid harm to their customers.
These long-established skilled professions have much in common today with new kinds of online businesses that harvest and monetize their customers’ personal data. First, both have a direct contractual relationship with their customers. Second, both collect a great deal of personal information from their customers. Customers should have a reasonable expectation that they can rely on the integrity of these businesses and professionals to protect their personal information from theft or abuse.
We recommend that business leaders step up to the challenge of Cyber Security, recognizing that the information held on behalf of all stakeholders deserves full protection and diligence. Don’t wait for new regulations to dictate what you know to be good business practice. Protections can be put in place at an affordable cost with subscription services such as Cyber 631. The result is peace of mind and a good night’s sleep, whether you are a Fortune 500 CEO or a small proprietor on Main Street USA.