
Thursday, May 23, 2019

Risk Management and Resiliency Planning (Privacy Alert) a Year on First Anniversary of GDPR (and six months before the California Consumer Privacy Act (“CCPA”) becomes effective)

One year after the European Union's General Data Protection Regulation (“GDPR”) effective date of May 25, 2018, two years after GDPR was adopted as EU law, can we hope that the GDPR will just go away? No, that’s wishful thinking. As of February 2019, 59,000 GDPR violations had been reported, with only about 71 enforcement actions. According to several surveys, less than 50% of American businesses are GDPR compliant.

Any implied “grace period” for non-compliance is rapidly coming to an end. You are entering the twilight zone of intentional or grossly negligent non-compliance with GDPR if you are a closely-held business with cross-border operations, a global digital business, a digital media service provider, a website collecting user information, a social media marketer, a mailing-list manager (whether using customer relationship management (CRM) software or Outlook or Gmail), or anyone uploading data to a “war room” (virtual data room (VDR)).

How do you get really started? It’s time for data mapping, IT risk assessment and mitigation plans, corporate risk management and resiliency plans, especially for privately owned companies such as startups, family-owned business, professional service providers (such as law firms, accounting firms, consultants and financial advisors).

Hidden Risks from Hiding (or Making False Promises that You are Compliant)

By when do you really need to be fully compliant? Escapism and non-compliance will work for those with short lists of customers, colleagues, foreign friends and low revenues. For those with more than a half million in revenues, you need to be compliant as soon as possible. But SMBs need to think about special reasons for immediate compliance:

  • Lenders. Bank lenders want to maintain your value as an ongoing business, both to demonstrate their own prudent (regulated) lending practices and to prevent a loss of value (such as fines or reputational damage) that might impair “loan-to-value” ratios. You might not be able to get bank financing (or any financing at all) if you cannot represent and warrant that you are in regulatory compliance, with particular reference to privacy laws.
  • Investors. Business angels, venture capitalists and private equity investors will want the same assurances, since the value of their equity investment (and opportunity for an eventual exit by M&A) will decline.
  • Co-Shareholders. If you are a member of the Board of Directors of a corporation (or manager of a normal LLC), you have a fiduciary duty to be prudent.
  • Global Enterprise Customers. Global enterprises that are your customers and clients are already including “flow-down” mandates in their Master Services Agreements (MSAs) and in the requirements of their Requests for Proposals (RFPs). Some might allow no change in your legal obligations until the expiration of your existing contracts. But if your MSA requires you to generally comply with all applicable laws, your enterprise customer will likely be entitled to cancel your deal unless you provide new assurances…including the right of the customer to audit your security and confidentiality covenants.
  • Loss of Clientele of Publicly Traded Clients and Customers. Under federal securities laws, a publicly-traded company that neglects its legal obligations under GDPR is subject to fines for false or fraudulent disclosures. Whenever a public company’s stock price drops rapidly due to some surprise to investors, the class action litigators file a lawsuit for punitive damages due to breach of fiduciary duty. The directors of public companies thus have no choice but to adopt GDPR compliance and enforce it throughout their global supply chains.
  • Valuation for Sale, Change of Control or Family “Transmission” (Estate Planning). If you are transferring your business in a sale or inheritance context, you should consider non-compliance as a valuation risk. In the valuation of private companies, a discount should apply for known risks of non-compliance with rules that could have a material adverse impact. “Uncertainty as to the stability or continuity of the future income from a property decreases its value by increasing the risk of loss of earnings and value in the future.” IRS Revenue Ruling 59-50, 1959-1 CB 237. The valuation discount becomes dramatic when one considers the potential impact of an actual security breach: data breach notification costs, indemnification of users, and a year’s free access to reputation management services for each affected EU user.
  • Financial Audit. Financial auditors have begun asking questions about privacy compliance because the auditor’s role is to identify material risks to your company’s viability. A qualified financial auditor’s opinion may constitute a breach of covenant under your revolving credit loan. It might trigger an event of default under a commercial, financial, investment or other transactional document.
  • Reputational Risks. A data security breach puts your reputation at risk. You might lose clients, employees or existing or prospective business partners. Further, restoring your reputation will be difficult, costly and potentially impossible. Even if you have strong cybersecurity, you should manage the risk by planning your message, your notifications and your story before the breach.
  • Vicarious Liability for Defaults of Your Suppliers. Like the EU’s 1995 Data Protection Directive, GDPR makes you liable for the personal data breaches of your suppliers at any level of your supply chain. The CCPA does the same.
  • False Advertising. Under the Federal Trade Commission’s rule on false advertising, if you advertise anything about privacy and it’s not true, that’s a violation of federal law.
How can I get compliant? You must change your perspective and re-think your attitude. The GDPR calls for “privacy by design.” Rethink your entire business operations for digital compliance (and, later, for digital services taxation in cross-border and U.S. interstate services). If you receive personal information about European residents, you must comply, or at least have a plan for compliance that is credible for purposes of mitigating damages.

  • Data Mapping. First, you need to know your data flows and where your data is stored. If you already know your sources and uses of funds in your accounting statements, you can understand the sources and uses of private data as well as its full life cycle of collection, processing, storage, end of useful life and destruction.
  • Informed and Updated Consents of Users. Update your terms of use and privacy conditions.
  • Data Management. Adopt and implement policies for managing personal data, for “privacy by design” and implementation. Do you need to receive personal data? If you receive IP addresses, will that constitute “personal data” under the circumstances? Can you operate using some form of anonymization?
  • Data Security. Security starts at home and ends with your suppliers at all levels.
  • Data Transfers. Sharing of personal data with others is a risk.
  • Corporate Governance: Policy Adoption and Enforcement. Privacy compliance is for Board review and action. They can be held responsible for breaches.
  • IT Governance. Every IT contract needs a privacy clause.
  • Procurement Governance. Every procurement contract needs a privacy clause.
  • Training. Every employee should be trained not only on cyber-security, but also on legal compliance obligations.
  • Audit and Certification. For credibility, it’s advisable to conduct privacy audits. They will help identify weaknesses and can lead to certification, thus preserving customer confidence. As with financial auditing, the individuals responsible for compliance should not be auditing the systems and procedure they have designed and implemented.
  • Disaster Recovery Plan / Business Continuity Plan. Such plans are expected in any supply chain. So be ready.

In conclusion, the first anniversary of GDPR marks perhaps the end of any implied grace period, or period of ramp-up of enforcement capabilities of the EU’s data protection agencies.

Tuesday, April 3, 2018

Board of Directors’ Governance Duties on Privacy, Compliance and Sexual Harassment: How to avoid “Falling Flat on your Facebook”

Corporate Directors must manage the company in the best interests of stockholders and, in general, ensure that the company complies with its regulatory and contractual obligations. Today, every company undertakes some digital transformation, using Cloud, social media, mobile devices, Big Data, analytics and potentially virtual reality, augmented reality, robotic process automation and the sensor-driven “Internet of Things,” like self-driving vehicles and remote controls using mobile devices. But the benefits of digital transformation come with many disruptive risks, such as cyber security breaches and privacy violations that will cost serious money under the EU’s General Data Protection Regulation effective May 25, 2018. The scalability of tech “solutions” invites hackers and thieves. At best, the company’s reputation is tarnished.

In a new threatening world, the “business judgment” rule protecting corporate directors and officers from personal liability requires greater vigilance and broader risk management. A corporate director’s personal liability for the misdeeds of the corporation and its employees depends on how well the director plans for and responds to the “inevitable” corporate governance disaster, such as:
  • Neglect of the safety of its workers or of consumers using a useful but potentially dangerous product;
  • Abuses of consumer trust, such as setting up fictitious bank accounts to reward employees, without customer knowledge;
  • A claim of persistent sexual harassment by the CEO (à la Steve Wynn); or
  • A business model based on unrestrained data aggregation and the “unforeseen” problem of unauthorized access or use by an authorized third-party data broker of the personal data of millions of online subscribers worldwide (à la Facebook and Cambridge Analytica).
Here are my suggestions for good corporate governance, risk management and compliance in response to digital transformation. Just as lawyers have duties of confidentiality and competency in technology, corporate directors have a duty of risk identification and threat management.

1. Maintaining Independent Judgment despite Lack of Control

It may be impossible to fulfill the directors’ duty of loyalty and to maintain one’s independent judgment if the CEO owns a majority of voting control of the company’s voting shares. That’s the case for Facebook, where Mark Zuckerberg, founder and CEO, owns about 10% of the shares but controls a majority of voting rights. If you displease the CEO, you could get fired from the board of a valuable and prestigious company. If you don’t displease the CEO, you might not have exercised independent judgment. So you need to identify and implement measures that will be best for the company, which could include mandating certain actions by the CEO who is in control of your position as director. And your D&O insurance carrier expects nothing less, so as to mitigate any payouts on the inevitable derivative claims by shareholders.

2. Identify Worst Scenarios for Your Particular Business and Your Value Chain

From an insurer’s perspective, risk management requires identification and assessment of risks for probability and adverse impact. The digital economy increases the number and nature of risks.

Public companies must identify their risk profile in their quarterly and annual SEC reports. Private companies must likewise disclose key risks in private placement memoranda and loan applications, to prospective acquirers, and in shareholder meetings under the principle of shareholder democracy. For Wynn Resorts, an empire built on gambling casinos and flashy entertainment, the risks of sexual predation by the founder, who had access to private suites and private transportation, were predictable to directors who focus on high-probability risk analysis. For Facebook, a director who understands the business model of vacuuming personal data from subscribers and their network of “friends” for resale to “data consolidators” like Cambridge Analytica could predict a failure of accountability in the value chain. At a minimum, all supply chain contracts should guarantee that the corporation’s trusted data and business secrets will be protected and that any governmental mandates (such as privacy protections) applicable to the supplier’s services flow down to the supplier.

Since worst case scenarios change over time, anticipating changes in laws, politics and public opinion becomes part of the director’s job too. No one asked, but it’s your duty to worry and plan.

3. Insulate and Compartmentalize Processes; Identify Failure Switches

The Titanic sank because it hit an iceberg at high speed at night. Appropriately, the captain went down with the ship, but so did many hundreds more. The ship was designed to withstand four breached compartments, but not five. The lessons today are: don’t accelerate in risky waters, and compartmentalize to insulate the business operation from cumulative, cascading risks.

For international companies, a private cloud might effectively limit risk. Minimization of cross-border transfers of sensitive personal data can be done by using multiple servers, two in each country (the second is for failover). Insulation can also be achieved by pseudonymization, a new concept advocated by the EU’s GDPR that stops short of full encryption but achieves compliance … until the code is broken.

4. Incentivize Prudent Behaviors by Employees

Wells Fargo made the mistake of incentivizing its bank branch officers to create new accounts not requested by the customers. The IT department and compliance departments were asleep and could have stopped this fraud. While few customers were adversely affected, some suffered. So, prudent employees should be rewarded for not taking excessive risks and, in a complex organization, be encouraged to question the validity and prudence of decisions in other departments, especially where teamwork is needed for global integration. And maybe consider small penalties for thoughtless behaviors, like opening spam attachments.

5. Monitor Compliance by Internal and External Audits

An airtight outsourcing service agreement does not guarantee compliance. In the world of “Tech As A Service,” SaaS agreements should still require service providers to hire trusted independent external auditors for cybersecurity and business process management. Audits under SSAE 16 Type 2 and ISO compliance principles are no guarantee, but they help demonstrate prudent business judgment.

6. Appointing a Compliance Officer Reporting to the Board

While compliance should be built into the company’s DNA through leadership at the top and company policy manuals, appointing an internal auditor and compliance officer can give the directors access to someone who worries for them.

7. Run Away at Your Own Risk

Normally, a director has the remedy of resigning as director in case of policy differences that cannot be reconciled. But running away might not be possible. In tort law, the doctrine of “last clear chance” imposes liability on the actor who fails to use all reasonable efforts, at the last minute before a disaster, to protect the imminent victim from a third party’s foreseeable misdeeds. In corporate law, the fiduciary duty of loyalty may include a duty not to leave the corporation stranded when it falls into difficulties, since a new director might not be able to rectify the problems as quickly as the knowledgeable director seeking to walk away. So the director’s job is never done, especially if there is no easy alternative but to persevere in the exercise of prudent business judgment. No one hired you to quit when the risks are high and no one else can do a quick turn-around.

8. Identify Your Goals as Director and Apply Early Warning Systems

In the 1960s, the NORAD “distant early warning” system deployed advanced radar to identify incoming hostile missiles. Today’s corporate director needs a system for identifying goals, personally and for the corporation, with metrics, triggers and analytics for situations hostile to the corporation. If you don’t have the time or courage to set up your own warning systems, you might consider letting someone else do the job. Or characterize your role as “just an advisor” to the board.