Should the Board Anticipate New Digital Privacy Laws?
As digital disruptions change the way we interact with technology in large and small ways, sometimes we see laws or regulations at the local or federal level that seek to limit the ways that a company uses information. If you are on the Board, what is your responsibility to anticipate these laws and consider them?
For example, the FTC has recently acted in a way that indicates that they will potentially bring suit in data breach cases. However, there is no single standard for what data breach protections are required. Should the Board deduce FTC standards from their previous actions, and put in place additional protections based on their speculation? Or should the Board wait for explicit guidance to come out, because until the rules exist, we should go about business as usual?
49 months ago
I think any data breach case can be defended if there is a good faith attempt to secure the data. Every board of directors should be aware of potential vulnerabilities. In some cases your insurance company can steer you to one of the better vendors. Always use a third party vendor that is highly rated and understand what type of protection you are buying. Certainly you want your protection to evolve as the hackers get more and more sophisticated.
I believe, industry sensitive, it is Management's responsibility to advise a BOD of the steps Management is taking to be cyber aware, responsive, and defensive as regards all of the Company's normal and fairly anticipatory cyber exposures. A good Management team and an involved, progressive BOD should work together to have action plans and emergency reactive actions ready for any predictable threat or breach across the spectrum of the Company's exposures, and an emergency "lock down" program and action plan for those that are not.
But the initiative is Management's responsibility to a BOD.
Anticipate? As far as this means "expect more laws about privacy protections", I think they should, yes. If by this you mean "expect changes, put methods and controls in place to protect individual privacy", also, yes; specifically and especially if they have not already. I think the BoD needs to lead the way and ensure these changes are implemented, or they will face individual liability consequences like willful negligence accusations.
I also think that, in general, if a company has controls in place and is following the OECD principles, is working on compliance with GDPR right now, and has an incident response/breach reporting process in place with active pre-event policy enforcement, such a company should be very, very close to whatever changes might be forthcoming.