The range of issues confronting today’s business leaders is expanding at breakneck speed. Emerging concerns, such as geopolitical, governance, and climate risks, can have significant impacts on strategic planning, business operations, and revenue. Increased interconnectivity and disruptive technologies create opportunities but frequently have unforeseen consequences. In addition to adverse financial and operational impacts, a single misstep in managing these complex areas can damage corporate reputations almost overnight.
Against this complicated and varied backdrop, however, one emerging risk has been identified as the key issue keeping business leaders up at night. According to a recent survey by the Gartner research firm, accelerating privacy regulation is the top concern of executives across all industries.
Challenges created by the evolving privacy regulatory landscape
Privacy was once thought of as an obscure concern impacting only certain specialized organizations, perhaps in foreign countries. No more. From the EU’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), new privacy requirements are cropping up around the globe. The reach of today’s privacy laws and regulations is long, capturing companies in every industry vertical and across borders. Privacy mandates now apply to broad categories of previously unregulated information that modern businesses routinely collect and store.
Simply keeping pace with new privacy mandates and understanding their impact on business operations and budgets is challenging. Non-compliance, however, is not an option. Recent laws can provide for hefty regulatory fines, injunctions, and statutory damages, even in the absence of a data breach. And as plaintiffs’ class action lawyers can attest, some laws expressly permit consumer lawsuits for privacy violations.
The stakes associated with getting privacy right now clearly extend to the boardroom. Privacy-driven lawsuits against directors and officers are on the rise. Plaintiffs have accused boards of failing to exercise their duty to oversee privacy and cyber risks in connection with costly data breach events. Boards also have been sued for failure to appropriately consider the impact of privacy compliance on business operations and for failing to accurately disclose the cost of compliance in their public filings. Directors and corporate officers have been removed from their jobs. Some have been grilled before Congress. Regulators, in addition to imposing massive fines, have required companies to create board-level privacy committees, create privacy programs, designate privacy compliance officers, improve board reporting, obtain regular third-party privacy assessments, and more.
As with every material risk a company faces, corporate boards have a duty to oversee compliance and monitor privacy exposures. This requires the establishment of appropriate reporting systems and procedures that enable the board to discharge its oversight responsibilities. Undertaking good faith efforts to do so minimizes the risk of noncompliance in the first instance and provides protection for the company and the board if something does go wrong.