ACC Annual Meeting Insights About Data Security
LawRoom had the opportunity to attend the Association of Corporate Counsel (ACC) Annual Meeting in San Francisco. In-house counsel, compliance experts, and industry leaders provided topical insights into critical legal issues facing businesses of all sizes. The most interesting conversations centered on data security. Lawyers weighed in from Gap, Dell, Intel and Zurich North America, among other organizations. Here are the big points for 2016.
Third Party Risks
Third parties are people or organizations outside of a company, like vendors, distribution partners, subsidiaries, agents, or universities. Risk increases enormously when third parties have access to company information and work within operations. According to a survey independently conducted by the Ponemon Institute (and sponsored by data security consultants), almost half (49%) of surveyed organizations stated that a third party was responsible for a data breach. Third parties may have access to personal, sensitive, or financial data of a company’s customers and employees. A data breach has known and unforeseen consequences for companies, as we’ve written:
Companies that fail to protect data can face consequences such as charges for engaging in unfair practices, falling profits, and the loss of customers’ trust. These are some common reasons why companies are making cybersecurity a top priority.
The issue is global. The EU Data Privacy Shield expressly requires businesses to hold third parties accountable for securing the data of EU citizens in transfers. In other words, a third party's mistake can become the company's mistake. Even in the absence of a breach, “consumers clearly worry about their personal data,” according to the Harvard Business Review. People care whether a company cares about their personal data, and that necessarily extends to its third parties.
Fortunately, the ACC panelists provided ways for businesses to keep third parties in compliance. They recommend starting early and taking a “risk-based” approach: performing due diligence on a third party before contracting with them, monitoring them continuously, and identifying red flags.
It’s Not Just a Legal Thing
When discussing how to explain privacy and data security risks to a company’s board of directors, some ACC panelists stressed that cybersecurity is not just a legal thing. It is a complex issue interwoven with business strategy and operations. For example, implementing data security measures is expensive. A company’s business leaders need to weigh the cost and value of the resources required against the level of risk that can be achieved, and then make a decision. The difference in cost and effort between the lowest achievable cyber risk and a minimally acceptable one can be drastic. Board members (and really, everyone at an organization) should understand the business realities of a data security program, such as what implementation involves and what risk remains.
Data security regulations further make data security a business reality. The EU General Data Protection Regulation (GDPR) places huge responsibilities on businesses that operate within the EU to secure personal data in ways that directly impact operations. Effective now, but enforceable in 2018, it ramps up individual control of personal data and requires businesses to affirmatively demonstrate their compliance with the law through policies, voluminous documentation, processes, and very likely new staffing.
The ACC panelists recommended that businesses educate the board. As a baseline, board members should understand “data security 101,” its many risks, and how it affects the business. The same talking points apply to everyone, not just the suits. Insider negligence, i.e. security risks caused by employees and other company insiders, is the leading cause of data loss or theft. Cyber threats, like shadow IT and password reuse, are changing rapidly enough that all stakeholders of an organization must keep business operations and behavior in step with external and internal expectations.
LawRoom (powered by EverFi) delivers online compli