By Mindi Giftos
Husch Blackwell’s Madison office managing partner
Almost a decade ago, McKinsey & Co. surveyed board directors about their level of understanding of the risks their companies faced, and stunningly, nearly one-third replied that they had limited or no understanding of their company’s risk profile. This survey was carried out long before data breaches, corporate cybercrime, and data privacy and security issues became front-page news on a daily basis. Now that this dynamic category of risk has emerged fully into view, one would hope that directors would have a better grasp of their company’s risk profile than they did a decade ago.
Unfortunately, recent data does not support that notion. Corporate Board Member magazine published survey results earlier this year that found only 49 percent of directors felt their boards invest a sufficient amount of time discussing the role emerging technologies play in risk assessment at an enterprise-wide level. Only 11 percent affirmed that their boards had created technology or technology-related committees to oversee emerging technologies and the risks associated with them.
In October 2018, Forrester Consulting published the results of a survey of boardroom practices as they relate to data and technology, finding that over half of sensitive internal board communications occur over personal email, outside of closed-loop secure communication channels. Taken together, these research results provide a startling indicator that directors do not fully comprehend the importance of data privacy and security or the risks inherent in today’s technology.
There is ample evidence that emerging technologies are transformative, and the transformations they embody come with both benefits and risks. Well implemented and effectively monitored, these technologies can wholly remake a company — or even entire industries. However, there are associated risks that can be crippling.
Corporate legal departments have a role to play in making sure their boards of directors are equipped to consider in a meaningful way the emerging technologies that are rapidly transforming entire sectors of the economy. As a key member of the management team, the general counsel in particular is well positioned to educate directors about the risks that come hand in hand with the opportunities in connection with emerging technology, especially those present at the intersection of law and technology.
For instance, over the next decade we are likely to see a vast reformation of our laws and regulations that govern the way data is solicited, handled, shared and commercialized.
Indeed, the data-privacy reformation is already occurring; partly in response to the May 2018 implementation of the European Union’s General Data Protection Regulation, there has been a wave of legislative activity here in the U.S., particularly at the state level. Perhaps the most notable of these state-led efforts is the California Consumer Privacy Act, which will be effective Jan. 1, 2020. CCPA will likely have a far-reaching impact due to being the law in the state with the largest economy and because it was passed before similar legislation in other states.
Specifically, CCPA applies to any entity doing business in California that satisfies one of the following conditions:
- Annual gross revenues in excess of $25 million;
- Buy, sell or share (for commercial purposes) the personal information of 50,000 or more consumers, households or devices annually;
- Fifty percent of annual revenues from selling consumers’ personal data.
While similar legislation in other states will no doubt continue to emerge, the GDPR, CCPA and other related proposed legislation provide a framework from which companies can build robust privacy programs. General counsels need to prepare their boards for thinking proactively about these current and future changes in the law, such as walking directors through the needfulness of conducting internal audits that inventory and analyze how data is currently being handled at an enterprise-wide level, including e-commerce, third-party transactions, and website traffic. With the CCPA’s statutory damages of $2,500 for each violation or $7,500 for each intentional violation, systems that handle thousands of data points can rack up damages that easily reach millions of dollars. In addition to that CCPA is the first legislation in the country to provide for private litigant statutory damages for data breaches, providing further impetus to elevate compliance to the top rung of corporate concerns.
Aside from arming directors with knowledge of the current state of the law as it applies to data and technology, general counsels — in concert with other management team leaders — can also help directors understand that good governance starts with the tone at the top.
There is a cultural component to managing risk, and the words and deeds of directors contribute to that culture.