by Lori Smith on November 28, 2018
4 minute read
*This article is Part 1 of a two-part series on Fiduciary Duties of Officers & Directors from John Beardwood's presentation at the Smart Technology Privacy Summit 2018.
If there’s one topic on the mind of board members these days, it is the financial penalties incurred for failing to comply with the new security and privacy laws. That’s precisely why the topic of fiduciary duties of officers and directors was such a critical session at the Smart Technology Privacy Summit 2018.
In his keynote presentation, “Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors”, John Beardwood, Partner at Fasken Martineau LLP, explains three important reasons why board members need to step up their fiduciary game and take existing privacy and security regulations more seriously. Here they are summarized below.
Reason #1: Avoid Harm to Shareholder Value
One of the primary directives of any board is preserving shareholder value. In an era where privacy and security is on the forefront of consumers minds, more and more shareholders are taking a keen interest in the security and privacy policies of the companies in which they invest.
With new regulations demanding transparency from companies to their shareholders, it’s imperative that security and privacy compliance is achieved so shareholders can feel confident with their investment.
There’s a problem though. Privacy regulations are often amorphous and vague, and this applies both to North American and European legislature. For instance, Canada’s privacy regulation, PIPEDA, says that “you must have reasonable and appropriate security measures”. With such a vague definition, it’s tempting to leave the details to a company’s Chief Information Officer (CIO) or Privacy Officer. But, it’s becoming clear that board members need to remain up-to-date on the evolving regulatory landscape in order to fulfill their fiduciary duties.
In other words, if a board of directors’ primary aim is to preserve and increase shareholder value, it’s in the board members’ best interest to be familiar with the finer points of privacy and security legislation.
Reason #2: Privacy & Security Regulators Require Compliance
A lot of the current interest in consumer privacy stems from the growing number of news stories detailing the fallout from cataclysmic breaches. As John discussed at the Summit, one of the most notorious of these examples was retail store Target’s 2013 data hack, with over 40 million customers’ personal information exposed over a three week period.
The consequences for Target were dire. As John explained, even though the data breach was due to vulnerabilities from a third-party vendor, Target was ultimately held liable, to the tune of a $10 million class action lawsuit and upwards of $250 million to close the breach. They also had to develop a whole new security program, hire a Chief Intelligence Officer and train employees on how to maintain privacy.
Another very famous example John mentioned was the Ashley Madison case, where users’ private data was breached, exposing numerous extramarital dalliances. Regulators found multiple gaps in security protocol, 80% of employees were completely untrained on security measures, and the necessary information security infrastructure to prevent breaches was simply not in place. Notably, regulators were prepared to hold the board responsible for their lack of due diligence.
The point is — with more and more cyber attacks threatening the security and privacy of consumers data, companies and the boards that govern them, need to take a serious look at their privacy programs and security policies and make sure they are compliant.
Reason #3: Self-preservation
A more recent trend in data breach cases is shareholders and regulators are holding the board accountable and taking legal action against individual members.
For example, in the case of Target, there were a number of derivative lawsuits made against the members of the board personally. Shareholders also published a recommendation to not re-elect a number of the board members specifically because of the cyber security breach.
Moreover, the costs of covering a data breach tend to be very expensive and it’s quite likely the company’s insurance policy will not cover the whole bill. For instance, Target had to pay $291 million in costs. Insurance covered $90 million. That left $201 million of damages, for which they didn’t have coverage. As John put it:
“It’s enough to make any board member quiver in their boots.”
In short, directors and officers are facing more scrutiny and have more expectations to be diligent under the new privacy laws. While no successful lawsuit for a security or privacy breach has come against a board yet, John warns us it would be foolish to consider directors and officers immune from derivative risk. For self-preservation alone, security and privacy due diligence starts, and ends, with the board.
To protect the company, customers and shareholders from the fallout of a security breach, board of directors need to be aware of all company privacy and security processes, where the gaps remain and the risks involved for not complying. John summed it up well in three key points, but as data breaches and the demand for privacy controls grow, the fiduciary duties of officers and directors will continue to be scrutinized and expectations for due diligence will increase.
- Read Part 2 of this summary post to find out John’s 10 Best Practices for helping your board stay compliant with new security and privacy laws.
- View John’s full power point presentation and recording of “Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors” on our Recap of the Smart Technology Privacy Summit 2018.