Should the Board Anticipate New Digital Privacy Laws?


As digital disruptions change the way we interact with technology in large and small ways, sometimes we see laws or regulations at the local or federal level that seek to limit the ways that a company uses information. If you are on the Board, what is your responsibility to anticipate these laws and consider them?

For example, the FTC has recently acted in a way that indicates that they will potentially bring suit in data breach cases. However, there is no single standard for what data breach protections are required. Should the Board deduce FTC standards from their previous actions, and put in place additional protections based on their speculation? Or should the Board wait for explicit guidance to come out, because until the rules exist, we should go about business as usual?

Emerging Technologies
Regulations Compliance
Merritt B
49 months ago

4 answers


I think any data breach case can be defended if there is a good faith attempt to secure the data. Every board of directors should be aware of potential vulnerabilities. In some cases your insurance company can steer you to one of the better vendors. Always use a third party vendor that is highly rated and understand what type of protection you are buying. Certainly you want your protection to evolve as the hackers get more and more sophisticated.

Irwin Stein
49 months ago

I believe, industry sensitive, it is Management’s responsibility to advise a BOD of steps Management is taking to be cyber aware, responsive, and defensive as regards all of the Company’s normal, and fairly anticipatory, cyber exposures. A good Management team and an involved, progressive BOD should work together to have action plans and emergency reactive actions ready for any predictable threat or breach across the spectrum of the Company’s exposures, and an emergency “lock down” program and action plan for those that are not.
But the initiative is Management’s responsibility to a BOD.

Robert Wallach, MBA,MS,BBA
49 months ago

Anticipate? As far as this means "expect more laws about privacy protections", I think they should, yes. If by this you mean "expect changes, put methods and controls in place to protect individual privacy", also, yes; specifically and especially if they have not already. I think the BoD needs to lead the way and ensure these changes are implemented, or they will face individual liability consequences like willful negligence accusations.

I also think that, in general, if a company has controls in place and is following the OECD principles, is working on compliance with GDPR right now, and has an incident response/breach reporting process in place with active pre-event policy enforcement, such companies should be very, very close to whatever changes might be forthcoming.

Ross A. Leo
49 months ago
Such programs, btw, are not about the elusive "perfection prevention". They are about good faith attempts to enforce protections of reasonable strength and respond appropriately when the bad guys get around them. - Ross A. 49 months ago
Thanks, Ross. Agreed, in theory. In practice, I think a lot of companies would rather ask forgiveness than permission... - Merritt 49 months ago
I take your point, Merritt. Sad but true. - Ross A. 49 months ago

I think the Board should deduce standards from their previous actions, and put in place additional protections without waiting for explicit guidance to come out.

Paolo Beffagnotti
49 months ago
Although I agree personally with this point, I see no way such a thing will come to pass. Expecting companies to implement "good-will" actions like this will work only for a very few; most would regard it as a cost with no readily apparent benefit, and might in fact price them out of a given market. No, I do not think this will happen. - Ross A. 49 months ago
You are right, at least at the current stage there are no apparent benefits, just costs popping up. This will not happen in the short term, and maybe not even in a longer one. - Paolo 49 months ago