New data privacy laws demand more proactive board oversight
Today’s executives have plenty of reasons to worry about business risks. Chief among them is compliance with sweeping new privacy regulations that apply to organizations across industries and geographies.
The consequences of noncompliance extend to the boardroom, and privacy lawsuits against directors and officers are on the rise. Plaintiffs have accused boards of neglecting their duty to oversee privacy and security risks that contribute to costly data breaches. Boards also have been sued for inadequately considering the impact of privacy compliance on business operations, as well as for inaccurate disclosure of the cost of compliance in public filings.
From the EU General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), new laws protect broad categories of previously unregulated information that businesses routinely collect and store. A single misstep in managing these complex requirements can damage corporate reputations overnight, as well as inflict significant financial and operational harm. Companies that don’t meet privacy regulations also can face hefty fines, injunctions, and statutory damages, even in the absence of a data breach. What’s more, some mandates expressly permit consumer lawsuits for privacy violations.
As with every material risk, corporate boards have a duty to oversee compliance and monitor privacy exposures. Doing so will require appropriate reporting systems and oversight procedures. Undertaking good faith efforts to implement appropriate processes can minimize the risk of noncompliance in the first instance and can provide some level of protection for the company and the board in the event that a privacy incident does occur. For strategic, long-term defense, however, businesses should adopt a comprehensive data privacy strategy.
Getting prudent on privacy
For board members and the audit committees that serve them, executing their responsibility to help guide organizations through the maze of evolving privacy requirements will be no small effort. Information is key, and boards should start by asking management a number of questions, including:
- What privacy laws could impact the organization?
- Does the organization have the talent and experience needed to address and mitigate privacy compliance risks?
- Does the company have an up-to-date privacy compliance program?
- Does the organization have an adequate governance structure in place to operationalize its privacy requirements?
- Has internal audit included privacy risk in its annual risk assessment?
- What are the provisions for regular internal audits of privacy compliance?
It’s not all up to management, however. Board members should proactively develop proficiencies in privacy to effectively execute their responsibilities. They should become familiar with applicable privacy regulations and keep up to date on new and evolving requirements. To that end, companies should establish a regular reporting cadence to educate board members on relevant privacy rules and how management is addressing them.
Boards should also tap their company’s internal audit function to perform an independent privacy risk assessment that identifies relevant risks and reviews the processes and controls in place to mitigate them. In the absence of an internal audit function, boards should consider bringing in a third party to assess how protected information is collected, used, shared, and maintained.
A privacy risk assessment provides a systematic framework to identify protected information that is being collected and used, and to evaluate relevant risks. This process should carefully consider the organization’s current environment, including programs, processes, controls, and talent. The goal is to identify the most significant privacy risks and reduce the organization’s privacy risk profile.
Oversight obligations for board members
Corporate culture is a critical factor in the success of any organization’s information privacy efforts. Executive management buy-in and support can facilitate establishment of a strong program and help ensure that appropriate compliance resources are available. Boards should help set a pro-privacy “tone at the top” and ensure that a commitment to information privacy cascades from the C-suite throughout the organization.
Effective privacy programs are built on a comprehensive strategy that outlines clear rules to protect private information, while also documenting implementation guidelines. Boards should discuss with management the types of information the company retains and the objectives of using that information. It’s also important to verify that potential exposures are monitored and make sure that appropriate mitigation efforts are in place. Boards must also ensure that privacy risks, and their impact on the company’s finances and business operations, are appropriately disclosed in all public filings.
A robust privacy strategy should also require that adequate resources, including human capital and technology assets, are available to properly support the program. It’s a good idea to identify a privacy officer or other designated individual who is responsible for the overall program. Additionally, boards should require an annual internal audit of the privacy program. It’s also essential to develop employee awareness campaigns on new requirements and proper compliance procedures.
For most organizations, keeping pace with evolving privacy mandates and their potential consequences is an increasingly arduous challenge. Corporate boards are obligated to exercise appropriate oversight to ensure that organizations adequately assess privacy risks and implement strong mitigating processes and controls. A proactive board can bolster management’s ability to apply appropriate safeguards to help minimize data breaches and other privacy mishaps, consumer and shareholder lawsuits, and the potential negative brand impact.