A board of directors cannot properly oversee the risks surrounding an issue it does not understand. Therefore, a key first step in advising the board about privacy and data protection is to educate the board about the company’s current vulnerabilities, its obligations, and the significant exposure and liability the company could face if those vulnerabilities and obligations are not appropriately addressed. In other words, before a problem appears in the news, directors should understand the risks, the extent to which the business depends on data governed by data protection and privacy regulations, and what is on the horizon that could seriously affect the business. Four legal experts, from different industries and with different clients, suggest ways to approach board education and persuasion when it comes to managing data.
Carly Alameda, Litigation Partner at Farella Braun & Martel LLP
“Even though boards of for-profit companies are often composed of sophisticated business people with a strong understanding of the company and industry they serve, they may not fully appreciate the particular cyber threats that exist. What data or information does the company possess that others may want, where is it, and how is it protected? What systems might be vulnerable to hackers? The board of directors needs to understand the answers to these questions as they apply to their company. Directors need to understand these risks so they can ask the right questions and fulfill their oversight role.”
Tom Widgery, Senior Director of Privacy and Information Governance at SVB Financial Group
“Financial services boards have become much more aware of and concerned about data protection and the risks of security vulnerabilities in recent years. After all, it is a rare quarter when there is not a story about a security breach or hacking attempt in the news somewhere these days. Staying ahead of the board and anticipating questions on impacts to your organization from the current headlines is a challenge. The key to helping a financial services board is to latch on to an example that they understand, get their attention, and leverage it to discuss the broader privacy implications that can lead to reputational risk.”
K Royal, Assistant General Counsel of Privacy and Compliance at CellTrust Corp.
“The key to being helpful to the board is to frame the concerns in a context to which the board members can relate. For example, when discussing issues around targeted behavioral advertising, the board members engaged with an example of Viagra. Not the one I would want to discuss necessarily, but one that all individuals had seen ads for and understood. What you need to avoid is dire predictions without a near-miss event. Individuals making significant decisions about a company become exhausted when faced with unrelenting risk. On the other hand, many privacy professionals present the ‘sunny’ side of their activities without providing a fair risk-based view. There is always a balance to hit, but mostly, board members want actionable items with a plan and measurable results.”
Olga V. Mack, General Counsel at ClearSlide, Inc.
“The board must have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Having a concrete, written plan in place is key to ensuring a company understands the issues, is maximizing its preventative efforts, and can react and put its best foot forward during an attack or breach event. Cyber attacks happen fast, and there may be the need for a company-wide response within hours, or less. The board should ensure the plan is sufficient to facilitate the necessary actions well in advance of any attack.”
For further discussion with Carly Alameda, Tom Widgery, K Royal, and Olga V. Mack, please join the “Cyber-heist your Corporate Mindshare: How to Engage the C-suite and Board” panel at 2:35pm on June 8 at the TRUSTe Privacy Risk Summit 2016.