Thursday, May 23, 2019

Risk Management and Resiliency Planning (Privacy Alert) a Year on First Anniversary of GDPR (and six months before the California Consumer Privacy Act (“CCPA”) becomes effective)

One year after the European Union's General Data Protection Regulation (“GDPR”) effective date of May 25, 2018, two years after GDPR was adopted as EU law, can we hope that the GDPR will just go away? No, that’s wishful thinking. As of February 2019, 59,000 GDPR violations had been reported, with only about 71 enforcement actions. According to several surveys, less than 50% of American businesses are GDPR compliant.

Any implied “grace period” for non-compliance is rapidly coming to an end. You are entering the twilight zone of intentional or grossly negligent non-compliance with GDPR if you are a closely-held businesses with cross-border operations, any global digital business, digital media service provider, a website collecting user information, social media marketers, mailing-list managers (whether using customer relationship management (CRM) software or Outlook or Gmail), anyone uploading data to a “war room” (virtual data room (VDR)).

How do you get really started? It’s time for data mapping, IT risk assessment and mitigation plans, corporate risk management and resiliency plans, especially for privately owned companies such as startups, family-owned business, professional service providers (such as law firms, accounting firms, consultants and financial advisors).

Hidden Risks from Hiding (or Making False Promises that You are Compliant)
. By when you really need to be fully compliant? Escapism and non-compliance will work for those with short lists of customers, colleagues, foreign friends and low revenues. For those with more than a half million in revenues, you need to be compliant as soon as possible. But SMB’s need to think about special reasons for immediate compliance:

  • Lenders. Bank lenders want to maintain your value as an ongoing business, both to demonstrate their own prudent (regulated) lending practices and to prevent a loss of value (such as fines or reputational damage) that might impair “loan-to-value” ratios. You might not be able to get bank financing (or any financing at all) if you cannot represent and warrant that you are in regulatory compliance, with particular reference to privacy laws.
  • Investors. Business angels, venture capitalists and private equity investors will want the same assurances, since the value of their equity investment (and opportunity for an eventual exit by M&A) will decline.
  • Co-Shareholders. If you are a member of the Board of Directors of a corporation (or manager of a normal LLC), you have a fiduciary duty to be prudent.
  • Global Enterprise Customers. Global enterprises that are your customers and clients are already including “flow-down” mandates in their Master Services Agreements (MSA’s) and requirements for Requests for Proposals (RFP). Some might allow no change in your legal obligations until the expiration of your existing contracts. But if your MSA requires you to generally comply with all applicable laws, your enterprise customer will likely be entitled to cancel your deal unless you provide new assurances…including the right of the customer to audit your security and confidentiality covenants.
  • Loss of Clientele of Publicly Traded Clients and Customers. Under federal securities laws, a publicly-traded company that neglects its legal obligations under GDPR is subject to fines for false or fraudulent disclosures. Whenever a public company’s stock price drops rapidly due to some surprise to investors, the class action litigators file a lawsuit for punitive damages due to breach of fiduciary duty. The directors of public companies thus have no choice but to adopt GDPR compliance and enforce it throughout their global supply chains.
  • Valuation for Sale, Change of Control or Family “Transmission” (Estate Planning). If you are transferring your business in a sale, or inheritance context, you might consider non-compliance as a valuation risk. In valuation of private companies, a discount should apply for known risks of non-compliance with rules that could have a material adverse impact. “Uncertainty as to the stability or continuity of the future income from a property decreases its value by increasing the risk of loss of earnings and value in the future.” IRS Revenue Ruling 59-50, 1959-1 CB 237. The valuation discount become dramatic when one considers the potential impact of an actual security breach, data breach notification costs, indemnification of users, a year’s free access to reputation management services for each affected EU user.
  • Financial Audit. Financial auditors have begun asking questions about privacy compliance because the auditor’s role is to identify material risks to your company’s viability. A qualified financial auditor’s opinion may constitute a breach of covenant under your revolving credit loan. It might trigger an event of default under a commercial, financial, investment or other transactional documents.
  • Reputational Risks. A data security breach puts your reputation at risk. You might lose clients, employees or existing or prospective business partners. Further, restoring your reputation will be difficult, costly and potentially impossible. Even if you have strong cybersecurity, you should manage the risk by planning your message, your notifications and your story before the breach.
  • Vicarious Liability for Defaults of Your Suppliers. Like the EU’s 1995 Data Protection Directive, GDPR makes you liable for the personal data breaches of your suppliers at any level of your supply chain. The CCPA does the same.
  • False Advertising. Under the Federal Trade Commission’s rule on false advertising, if you advertise anything about privacy and it’s not true, that’s a violation of federal law.
How can I get compliant? You must change your perspective and re-think your attitude. The GDPR calls for “privacy by design.” Rethink your entire business operations for digital compliance (and, later, for digital services taxation in cross-border and U.S. interstate services). If you receive personal information about European residents, you must comply, or at least have a plan for compliance that is credible for purposes of mitigating damages.

  • Data Mapping. First, you need to know your data flows and where your data is stored. If you already know your sources and uses of funds in your accounting statements, you can understand the sources and uses of private data as well as its full life cycle of collection, processing, storage, end of useful life and destruction. 
  • Informed and Updated Consents of Users. Update your terms of use and privacy conditions. Data Management. Adopt and implement policies for managing personal data, for “privacy by design” and implementation. Do you need to receive personal data? If you receive IP addresses, will that constitute “personal data” under the circumstances? Can you operate using some form of anonymization?
  • Data Security. Security starts at home and ends with your suppliers at all levels.
  • Data Transfers. Sharing of personal data with others is a risk.
  • Corporate Governance: Policy Adoption and Enforcement. Privacy compliance is for Board review and action. They can be held responsible for breaches.
  • IT Governance. Every IT contract needs a privacy clause.
  • Procurement Governance. Every procurement contract needs a privacy clause.
  • Training. Every employee should be trained not only on cyber-security, but also on legal compliance obligations.
  • Audit and Certification. For credibility, it’s advisable to conduct privacy audits. They will help identify weaknesses and can lead to certification, thus preserving customer confidence. As with financial auditing, the individuals responsible for compliance should not be auditing the systems and procedure they have designed and implemented.
  • Disaster Recovery Plan / Business Continuity Plan. Such plans are expected in any supply chain. So be ready.

In conclusion, the first anniversary of GDPR marks perhaps the end of any implied grace period, or period of ramp-up of enforcement capabilities of the EU’s data protection agencies.

No comments:

Post a Comment