5 Key Legal Issues for CIOs in 2024

A working knowledge of the law is no longer optional for chief information officers in an age when everyone seems lawsuit happy.

Mary E. Shacklett, President of Transworld Data

July 2, 2024

Chief information officers deploy technology that enables the business, and they strive to put the best IT staff “on the ground.” Projects, budgets, technology investments, strategy, and collaboration are all top of mind, but should a working knowledge of the law and legal issues also be front and center? 

We live in a litigious society. And, while there is a general feeling among CIOs that they are protected from legal actions by their companies’ liability policies, that’s not always the case. 

Here are five top-of-mind legal issues for CIOs in 2024: 

1. Corporate liability insurance has its limits.  

Companies typically provide their top executives, including the CIO, with liability insurance in case officers are sued personally. Many CIOs think that this coverage fully shields them from legal actions, but there are exceptions.

All corporate officers, including the CIO, have duties of loyalty, good faith, due diligence, and care. If a CIO has advance notice of a new product or exemplary sales result that will cause the company stock to rise and invests in the stock with advance knowledge of quarterly results, he or she can be sued by shareholders for self-dealing and breach of a fiduciary duty.  

If a CIO knows of a network security breach and chooses to remain silent about it, or fails to make information available to the board when the board requests it, the CIO may be liable, because the CIO can be regarded as the steward of systems and data and thus has a duty to protect and administer those assets.

Acts like embezzlement, stealing company resources or committing wrongdoing against the company are also grounds for personal liability that corporate liability policies won’t cover. 

Why this matters: CIOs might do their best to dot all the I’s and cross all the T’s, but the fact remains that they are the single most important officer when it comes to stewardship of information and technology. If they fail to inform or disclose issues, or if they abuse IT resources and responsibilities that are expected of them, a corporate liability policy may not shield them.

2. IT is closely linked to intellectual property loss.

Employees in IT have unique and sometimes unlimited access to sensitive corporate information. There are temptations to take and sell this information, or to take vital trade secrets and IT “secret sauces” to the competing companies that those employees join.

When an intellectual property loss occurs, the CIO is going to be on the “hot seat.” 

Why this matters: Losing intellectual property that IT is expected to protect is an unpardonable sin in most organizations. Loss of intellectual property is an enormous risk to companies and could well result in a CIO losing his job. 

3. Ownership of applications that your own staff develops can be questioned.

You decide to adopt low- and no-code application development, or to use report generators that are available on major software packages such as those for CRM or ERP. Your staff comes up with revolutionary and insightful ways to use these reports that give your company a distinct competitive advantage, but the vendors of these reports also see a value in making the reports available to their entire client bases, which include your competitors. 

Can you stop it? Only if you’ve included as part of your contract with them that you are the sole owner of the products you develop, even if you are using their tools to do the development. Some vendors will agree, but others won’t. 

Why this matters: Creating breakthrough reports and insights contributes to the company’s intellectual property wealth, and it can provide unique competitive advantages. This is why it’s important for the CIO to establish your organization’s right to ownership of the products your team creates.

The time to do this is when you first sit down with the vendor to negotiate your contract. There should be a clear understanding as to who owns what, along with a defined way to migrate these reports to another platform if you decide to leave the vendor.

4. Employee issues can result in litigation.

It goes without saying that harassing employees in any form is a personal liability issue, but so is failure to ensure a proper handling of employee issues when an employee is headed for termination. 

There are “at will” employment states in the US where you don’t have a legal responsibility to show that an employee isn’t competent when you fire them. Even CIOs in “at will” employment states need to document employee performance with specific examples of assignments and projects that didn’t meet standards.

If an employee termination is challenged legally, having documentation of the facts is critical, as is having someone else in the room, such as an HR representative, as a witness to what was said, and when, during the meeting with the employee.

5. Company disasters and security breaches are significant risks that CIOs are accountable for.

In one of the most publicized data breaches ever, the CIO of Target ended up resigning after personal information was stolen from as many as 70 million customers, including 40 million debit and credit card accounts. Memories of that disaster are still fresh in most CIOs’ minds. 

That is also why it’s a best practice today for CIOs to directly engage with CISOs and network and system administrators to discuss an organization's security status, in addition to funding quarterly IT security and cyber audits by outside firms so vulnerabilities can be discovered and patched before bad actors find them.

Why this matters: If you delegate security to your CISO or network administrator and never follow up personally on it or advocate for audits, you could be found negligent in the performance of due diligence and care that is expected of you as a corporate executive. Your corporate liability policy may not cover you, and your employment could be at stake. 

Final Remarks 

There are many things on the plates of CIOs, and it’s a challenge to keep everything top of mind. Still, cybercrime alone is projected to reach $90.5 billion in losses in 2024. In this environment, it’s imperative for every CIO to have a fundamental understanding of legal issues.

As the Greek philosopher Heraclitus once stated, “If you do not expect the unexpected, you will not recognize it when it arrives.”  

About the Author(s)

Mary E. Shacklett is an internationally recognized technology commentator and President of Transworld Data, a marketing and technology services firm. Prior to founding her own company, she was Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturer in the semiconductor industry.

Mary has business experience in Europe, Japan, and the Pacific Rim. She has a BS degree from the University of Wisconsin and an MA from the University of Southern California, where she taught for several years. She is listed in Who's Who Worldwide and in Who's Who in the Computer Industry.
