Tuesday, April 3, 2018

Board of Directors’ Governance Duties on Privacy, Compliance and Sexual Harassment: How to avoid “Falling Flat on your Facebook”

Corporate directors must manage the company in the best interests of stockholders and, in general, ensure that the company complies with its regulatory and contractual obligations.  Today, every company undertakes some digital transformation, using cloud services, social media, mobile devices, Big Data, analytics and potentially virtual reality, augmented reality, robotic process automation and sensor-driven "Internet of Things" systems such as self-driving vehicles and remote control from mobile devices.  But the benefits of digital transformation come with many disruptive risks: cyber security breaches, privacy violations that will cost serious money under the EU's General Data Protection Regulation (GDPR) effective May 25, 2018, and more.  The scalability of tech "solutions" invites hackers and thieves, since whatever scales for the business also scales for the attacker.  At best, the company's reputation is tarnished.

In this newly threatening world, the "business judgment" rule protecting corporate directors and officers from personal liability requires greater vigilance and broader risk management.  A corporate director's personal liability for the misdeeds of the corporation and its employees depends on how well the director planned for, and responds to, the "inevitable" corporate governance disaster, such as:
  • Neglect of the safety of its workers, or of consumers using a useful but potentially dangerous product;
  • Abuse of consumer trust, such as setting up fictitious bank accounts to reward employees, without customer knowledge;
  • A claim of persistent sexual harassment by the CEO (à la Steve Wynn); or
  • A business model based on unrestrained data aggregation and the "unforeseen" problem of an authorized third party (an app developer or data broker) accessing or using the personal data of millions of online subscribers worldwide in ways that were never authorized (à la Facebook and Cambridge Analytica).
Here are my suggestions for good corporate governance, risk management and compliance in response to digital transformation.  Just as lawyers have duties of confidentiality and of competency in technology, corporate directors have a duty of risk identification and threat management.

1. Maintaining Independent Judgment despite Lack of Control

It may be impossible to fulfill the directors' duty of loyalty and to maintain one's independent judgment if the CEO holds majority voting control of the company's shares.  That's the case for Facebook, where Mark Zuckerberg, founder and CEO, owns about 10% of the shares but, through the company's dual-class share structure, controls a majority of the voting rights.  If you displease the CEO, you could get fired from the board of a valuable and prestigious company.  If you don't displease the CEO, you might not have exercised independent judgment.   So you need to identify and implement the measures that will be best for the company, which could include mandating certain actions by the very CEO who controls your position as director.  And your D&O insurance carrier expects nothing less, so as to mitigate any payouts on the inevitable derivative claims by shareholders.

2. Identify Worst Scenarios for Your Particular Business and Your Value Chain

From an insurer’s perspective, risk management requires identification and assessment of risks for probability and adverse impact. The digital economy increases the number and nature of risks.

Public companies must identify their risk profile in their quarterly and annual SEC reports.  Private companies must likewise disclose key risks in private placement memoranda and loan applications, to prospective acquirers, and to shareholders at shareholder meetings under the principle of shareholder democracy.  For Wynn Resorts, an empire built on gambling casinos and flashy entertainment, the risk of sexual predation by a founder with access to private suites and private transportation was predictable to directors who focus on high-probability risk analysis.   For Facebook, a director who understands the business model of vacuuming personal data from subscribers and their network of "friends", and exposing it to third-party app developers through the platform's API, could predict a failure of accountability in the value chain: once the data has left the platform, a developer can pass it on to a firm like Cambridge Analytica in breach of the platform's terms, and the company has no technical means to get it back.  At a minimum, all supply chain contracts should guarantee that the corporation's trusted data and business secrets will be protected and that any governmental mandates (such as privacy protections) applicable to the supplier's services flow down to the supplier, together with audit rights and an obligation to delete the data on termination.

Since worst case scenarios change over time, anticipating changes in laws, politics and public opinion becomes part of the director's job too.  No one asked, but it's your duty to worry and plan.

3. Insulate and Compartmentalize Processes; Identify Failure Switches

The Titanic sank because it hit an iceberg at high speed at night.  Appropriately, the captain went down with the ship, but so did many hundreds more.  The ship was designed to stay afloat with four breached compartments, but not five.  The lessons today are: don't accelerate in risky waters, and compartmentalize the business operation so that a failure in one part cannot cascade into the rest.

For international companies, a private cloud might effectively limit risk.  Cross-border transfers of sensitive personal data can be minimized by keeping each country's data on servers located in that country, with a second server in the same jurisdiction for failover, so that replication does not itself become a transfer.   Insulation can also be achieved by pseudonymization, which the GDPR defines as processing personal data so that it can no longer be attributed to a specific person without additional information (such as a key or a lookup table) that is kept separately and protected.  It is a distinct measure from encryption, not a weaker form of it, and pseudonymized data is still personal data under the GDPR; the protection holds only as long as that additional information stays separate and secret.  An unkeyed hash of an e-mail address or national ID number is not effective pseudonymization, because anyone can recompute the hash from a list of candidate identifiers.
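To make the pseudonymization point concrete, here is an added illustration (not code from the original post): it contrasts an unkeyed hash of an e-mail address, which an attacker can reverse with a dictionary of candidate addresses, against an HMAC token under a secret key that is held apart from the data. It assumes the e-mail address is the direct identifier to be replaced, and that the key and the token-to-identifier lookup table are stored separately from the pseudonymized records. The sample records and the attacker's candidate list are constructed for the example.

```python
"""Keyed pseudonymization of a direct identifier, contrasted with an unkeyed hash.

Added illustration, not code from the original post. Assumes the e-mail
address is the direct identifier to be replaced and that the HMAC key and the
token->identifier lookup table are stored separately from the pseudonymized
records (the GDPR's "additional information"). The sample records and the
attacker's candidate list below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: business records before pseudonymization.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase": 120},
    {"email": "bob@example.org", "country": "FR", "purchase": 45},
    {"email": "Alice@Example.com", "country": "DE", "purchase": 15},  # same person, different case
]

# Constructed: an attacker's dictionary of candidate identifiers (e.g. from an unrelated leak).
ATTACKER_CANDIDATES = ["carol@example.net", "bob@example.org", "alice@example.com"]


def normalize(identifier: str) -> str:
    """Canonicalize so the same subject always yields the same token."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the data set.

    Same identifier -> same token, so records stay joinable; without the key
    a token cannot be recomputed, so a dictionary attack on the tokens fails.
    """
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates, pseudonym_fn):
    """Try to re-identify a token by recomputing it for every candidate identifier."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), token):
            return normalize(cand)
    return None


def pseudonymize_records(records, key: bytes):
    """Replace the 'email' field with a keyed token.

    Returns (pseudonymized_records, lookup_table). The lookup table maps
    token -> original identifier and is the 'additional information' that must
    be stored separately, under its own access controls, from the records.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        token = keyed_pseudonym(rec["email"], key)
        lookup[token] = normalize(rec["email"])
        pseudonymized.append({**{k: v for k, v in rec.items() if k != "email"}, "subject": token})
    return pseudonymized, lookup


def reidentify(token: str, lookup: dict):
    """Controlled re-identification: only a holder of the separate lookup table can do this."""
    return lookup.get(token)


def demo():
    """Run both approaches against the attacker's dictionary; returns what each reveals."""
    key = secrets.token_bytes(32)        # in production: keep in a KMS/HSM, never beside the data
    wrong_key = secrets.token_bytes(32)  # an attacker guessing the key
    target = SAMPLE_RECORDS[0]["email"]
    naive_token = naive_pseudonym(target)
    keyed_token = keyed_pseudonym(target, key)
    records, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    return {
        "naive_recovered": dictionary_attack(naive_token, ATTACKER_CANDIDATES, naive_pseudonym),
        "keyed_recovered_without_key": dictionary_attack(keyed_token, ATTACKER_CANDIDATES, naive_pseudonym),
        "keyed_recovered_with_wrong_key": dictionary_attack(
            keyed_token, ATTACKER_CANDIDATES, lambda c: keyed_pseudonym(c, wrong_key)),
        "records_still_joinable": records[0]["subject"] == records[2]["subject"],
        "holder_of_lookup_can_reidentify": reidentify(records[0]["subject"], lookup) == normalize(target),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point for a director's purposes is where the risk now sits: the pseudonymized records can be replicated, analysed and handed to a processor with much less exposure, but the key and the lookup table have become the crown jewels, and whoever can read both has re-identified every subject. That is what "until the code is broken" really means here: the hash function is not the weak point, key custody is.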

4. Incentivize Prudent Behaviors by Employees

Wells Fargo made the mistake of setting sales quotas that incentivized its branch employees to open accounts the customers had not requested.  The IT and compliance departments were asleep and could have stopped this fraud: accounts opened with no customer-initiated activity, or with implausible contact details, are detectable patterns.  Although only a minority of customers suffered direct financial harm, some did.  So prudent employees should be rewarded for not taking excessive risks and, in a complex organization, be encouraged to question the validity and prudence of decisions in other departments, especially where teamwork is needed for global integration.  Small penalties for thoughtless behaviors, like opening spam attachments, may have a place, but they must not discourage the employee from reporting the click immediately; a reported click can be contained within minutes, while an unreported one can become a breach.

5. Monitor Compliance by Internal and External Audits

An airtight outsourcing service agreement does not guarantee compliance.   In the world of "Tech As A Service," SaaS agreements should still require service providers to hire trusted independent external auditors for cybersecurity and business process management.   Audits such as SOC 1 or SOC 2 Type II reports (now issued under SSAE 18, which superseded SSAE 16 in 2017) or ISO/IEC 27001 certification are no guarantee, but they help demonstrate prudent business judgment.  Read the report's scope, period and exceptions rather than just the cover letter: a report covering a different service, a different data center, or a period that ended a year ago demonstrates little.

6. Appointing Compliance Officer Reporting to the Board

While compliance should be built into the company's DNA through leadership at the top and company policy manuals, appointing an internal auditor and a compliance officer who report to the board (and not only to the CEO) gives the directors access to someone who worries for them.

7. Run Away at Your Own Risk

Normally, a director has the remedy of resigning as director in case of policy differences that cannot be reconciled.  But running away might not be possible.   In tort law, the doctrine of “last clear chance” imposes liability on the actor who fails to use all reasonable efforts, at the last minute before a disaster, to protect the imminent victim from a third-party’s foreseeable misdeeds.  In corporate law, the fiduciary duty of loyalty may include a duty to not leave the corporation stranded when it falls into difficulties, since a new director might not be able to rectify the problems as quickly as the knowledgeable director seeking to walk away.   So the director’s job is never done, especially if there is no easy alternative but to persevere in the exercise of prudent business judgment.  No one hired you to quit when the risks are high and no one else can do a quick turn-around.

8. Identify Your Goals as Director and Apply Early Warning Systems

In the 1950s, the NORAD-operated Distant Early Warning (DEW) Line deployed a chain of radar stations across the Arctic to detect incoming Soviet bombers before they reached North America.  Today's corporate director needs a comparable system: goals, personally and for the corporation, with metrics, triggers and analytics that flag situations hostile to the corporation while there is still time to act.  If you don't have the time or courage to set up your own warning systems, you might consider letting someone else do the job.  Or characterize your role as "just an advisor" to the board.