ACC Annual Meeting Insights About Data Security 17:04, October 25, 2016


LawRoom had the opportunity to attend the Association of Corporate Counsel (ACC) Annual Meeting in San Francisco. In-house counsel, compliance experts, and industry leaders provided topical insights into the critical legal issues facing businesses of all sizes. The most interesting conversations centered on data security. Lawyers weighed in from Gap, Dell, Intel and Zurich North America, among other organizations. Here are the big points for 2016.

Third Party Risks

Third parties are people or organizations outside of a company, such as vendors, distribution partners, subsidiaries, agents, or universities. Risk increases enormously when third parties have access to company information and work within a company's operations. According to a survey independently conducted by the Ponemon Institute (and sponsored by data security consultants), almost half (49%) of surveyed organizations stated that a third party was responsible for a data breach. Third parties may have access to the personal, sensitive, or financial data of a company's customers and employees. A data breach has both known and unforeseen consequences for companies, as we've written:

Companies that fail to protect data can face consequences such as charges for engaging in unfair practices, falling profits, and the loss of customers’ trust. These are some common reasons why companies are making cybersecurity a top priority.

The issue is global. The EU-U.S. Privacy Shield expressly requires businesses to hold third parties accountable for securing the data of EU citizens in onward transfers. In other words, a third party's mistake becomes the company's mistake. Even in the absence of a breach, "consumers clearly worry about their personal data," according to the Harvard Business Review. People care that a company cares about their personal data, and that care necessarily extends to the third parties the company shares it with.

Fortunately, the ACC panelists provided ways for businesses to keep third parties in compliance. They recommend starting early and taking a "risk-based" approach: performing due diligence on a third party before contracting with them, monitoring the relationship continuously, and identifying red flags as they appear.

It’s Not Just a Legal Thing

When talking about how to explain privacy and data security risks to a company's board of directors, some ACC panelists explained that cybersecurity is not just a legal thing. It is a complex issue that is interwoven with business strategy and operations. For example, implementing data security measures is expensive. A company's business leaders need to compare the cost and value of the resources required against the level of risk that can realistically be achieved, and then make a decision. Driving cyber risk down to the lowest possible level may be drastically more expensive, or involve far more effort, than reducing it to an acceptable level. Board members (and really, everyone at an organization) should understand the business realities of a data security program, such as what it costs to implement and what risk remains afterward.

Data security regulations further make data security a business reality. The EU General Data Protection Regulation (GDPR) places huge responsibilities on businesses that operate within the EU to secure personal data in ways that directly affect operations. In force now, but enforceable from 2018, it ramps up individuals' control over their personal data and requires businesses to affirmatively demonstrate their compliance with the law through policies, voluminous documentation, processes, and likely new staffing.

The ACC panelists recommended that businesses educate the board. As a baseline, board members should understand "data security 101," its many risks, and how it affects the business. The same talking points apply to everyone, not just the suits. Insider negligence, i.e. security risks created by employees and other company insiders, is the leading cause of data loss or theft. Cyber threats, like shadow IT and password reuse, are changing rapidly enough that every stakeholder in an organization must keep business operations and individual behavior in line with both external and internal expectations.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet its compliance requirements dynamically and at scale. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.
