
Board Responsibilities for Data Security and Privacy

This post outlines the responsibilities of corporate boards for keeping their companies well clear of the failures that invite regulatory audits and fines for non-compliance with data protection rules.

Anirban Banerjee
Dr. Anirban Banerjee is the CEO and Co-founder of Riscosity
Published on 10/2/2024

Corporate boards are tasked with ensuring that sensitive information—ranging from intellectual property (IP) and end-user information to sales statistics—is handled securely. As data becomes an ever-more valuable asset, so too do the risks associated with mismanagement. Ethical considerations and compliance with data privacy laws have become paramount, and boards are no longer passive overseers; they are accountable for guaranteeing that companies are adhering to security and privacy best practices. In some instances, board members can face serious consequences, including removal or financial penalties, if they fail to adequately oversee data security practices.

The Growing Responsibility of Corporate Boards in Data Management

Corporate boards must make sure that sensitive data is managed responsibly and in compliance with relevant laws and regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and various other national and international data protection frameworks. These regulations typically demand that companies collect, store, and use data with transparency and for legitimate purposes, ensuring that it is safeguarded against breaches or misuse. Failure to meet these standards not only leads to legal penalties but also risks significant reputational damage.

"Data is the new oil," noted Clive Humby, a data scientist, and this analogy holds true for corporate governance. Just like oil, improperly managed data can become a major liability, and the board must ensure that the right strategies, technologies, and teams are in place to handle this asset responsibly.

Corporate boards, therefore, must prioritize the oversight of data governance frameworks within their organizations. This means paying close attention to data privacy, cybersecurity, and ethical standards across the entire enterprise. If a company mishandles its data or falls short of regulatory compliance, board members may not only risk shareholder dissatisfaction but also face legal consequences.

The Ethics of Data Collection, Usage, and Storage

It is no longer enough for companies to simply protect data from cyberattacks. The ethical implications of data collection, usage, and storage are also significant concerns. Businesses are entrusted with the personal information of their customers and must be transparent about how that data is being used.

For instance, using consumer data for purposes beyond what was originally agreed upon, or failing to delete data upon a user’s request, can result in both ethical breaches and legal violations. Corporate boards are expected to ensure that their organizations are adhering to ethical data management practices in addition to legal requirements.

Philosopher and author Peter Singer once said, "The responsibility of companies to act ethically extends far beyond the need to avoid breaking the law." This concept resonates deeply when it comes to data governance. A company might technically comply with data privacy laws but still act unethically by exploiting user data in ways that undermine consumer trust.

Board Accountability: When Things Go Wrong

In recent years, we have seen companies face significant penalties for data breaches and privacy violations, with their boards held accountable for the lapses. Facebook (now Meta) is a prime example. In 2019, the Federal Trade Commission (FTC) fined the company $5 billion for privacy violations stemming from the Cambridge Analytica scandal. Although the company itself paid the fine, pressure mounted on its board, and shareholders called for the removal of some board members for failing to prevent the misuse of user data.

In another example, Target's board faced intense scrutiny after a 2013 breach exposed the payment card data of roughly 40 million customers. Target ultimately settled with affected states for $18.5 million, and its then-CEO, Gregg Steinhafel, resigned in 2014, partly under board pressure. The board itself was criticized for not doing enough to prevent the breach and for not prioritizing cybersecurity.

More recently, Equifax's 2017 data breach, which affected 147 million individuals, resulted in a settlement of at least $575 million with the FTC, the Consumer Financial Protection Bureau, and the states. Equifax's board faced significant criticism for the company's failure to address basic security hygiene: the attackers entered through a publicly known web-application vulnerability for which a patch had been available for months. Several executives, including the CEO, left the company as a result. The scandal showed how weak board oversight can directly affect both the company and its leadership.

Legal and Ethical Considerations: Holding Boards Responsible

As these examples demonstrate, corporate boards can no longer afford to overlook the importance of data security and privacy. Board members can face significant consequences if their companies are found to be in violation of data protection laws. In many cases, directors have a fiduciary duty to shareholders to ensure that the company is complying with relevant regulations. Failure to fulfill this duty can lead to lawsuits, fines, and even removal from the board.

Furthermore, the ethical responsibility of corporate boards extends beyond regulatory compliance. Companies are now expected to act as stewards of user data, ensuring that it is collected and used transparently and ethically. Failure to do so can damage a company's reputation and erode consumer trust, which can be even more costly in the long run than any financial penalty.

Focusing on the Right Areas: A Blueprint for Board Oversight

To mitigate these risks, corporate boards should prioritize several key areas:

  1. Data Governance Strategy: Boards must ensure that their companies have a comprehensive data governance strategy in place that includes policies for data collection, usage, and storage. This strategy should be continuously updated to reflect evolving regulations and ethical considerations.
  2. Cybersecurity Investments: Boards need to advocate for and oversee investments in robust cybersecurity technologies, including firewalls, encryption, and threat detection systems, to protect sensitive data from breaches.
  3. Regular Audits and Assessments: The board should mandate regular security audits and assessments to ensure compliance with data privacy regulations. This includes tracking third-party data sharing and conducting internal reviews of how sensitive information is handled.
  4. Accountability of Key Roles: Boards should hold specific roles, such as the Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), and Chief Data Officer (CDO), accountable for enforcing data security and privacy policies across the company, and should receive regular reporting from them.
  5. Training and Awareness: Boards should also promote cybersecurity awareness training for all employees, ensuring that everyone in the organization understands the importance of data privacy and security practices.

Conclusion

The responsibilities of corporate boards in overseeing data security and privacy are immense and ever-growing. The examples of Facebook, Target, and Equifax serve as cautionary tales for what can happen when boards fail to adequately prioritize data protection. By focusing on strong governance strategies, regular audits, and holding key roles accountable, boards can safeguard their companies against lawsuits, regulatory audits, and the loss of consumer trust. After all, in a world where data is the new currency, its ethical management is not just a legal obligation but a moral one.