In this digital age, an organization’s ability to collect, analyze, aggregate, associate, and securely share data around the world is mission-critical. However, an increasing number of laws have been adopted across the globe regulating and restricting the transfer of information, ranging in type from data privacy-focused regulations to national security-focused regulations.
Regulatory restrictions can present significant challenges for global organizations, as they could directly impact business transformations (e.g., new cloud sourcing arrangements, the collection of mobile and Internet data, big data analysis projects, and the like) and corporate compliance initiatives (e.g., auditing, monitoring, internal investigations, e-discovery, whistleblower hotlines, and other similar compliance undertakings).
Knowing what these restrictions are, how they impact the business, and how the organization is addressing compliance is key to the board's oversight of data management practices, which are an increasingly fundamental element of the business.
Knowledge is Power
Because regulations are increasingly impacting how information may be collected, used, and transferred, it is essential for directors and executives to understand these regulations and to apply best practices. By doing so, boards can help their organizations mitigate the risk of exposure to regulatory noncompliance, in particular as the potential penalties for noncompliance become increasingly material. To accomplish this, boards must ensure that their organizations are informed of the five W’s of data to stay ahead of the compliance curve:
Who – Who are we, who are our data subjects, and who has access to our data?
Where – Where do we keep our data and where do we transfer our data?
Why – Why do we collect and transfer this data?
When – When do we retain data, for how long, and when do we share it with others outside the organization?
What – What solutions do we have in place to safeguard regulated data, and what controls are in place to address local requirements, including cross-border transfer requirements?
Data Privacy-Related Cross-Border Transfer Restrictions
Outside of the United States, many jurisdictions, including those in the European Union, regulate personal data via comprehensive data protection laws that cover a broad range of personal data and the activities related to it, including its collection, use, processing, and transfer. Considering the ubiquity of data collection for marketing, commerce, and employment purposes, these regulations have significant implications for a broad range of businesses.
Personal data covered by these regulations is often broadly defined to include any information relating to, or that could be linked to, an identified or identifiable individual, including, for example, the following:
Email address (including work email address)
Payment card information
These regulations often restrict the transfer of such personal data across international borders unless certain conditions are met. The first question in the analysis is often whether the data is being transferred to a jurisdiction that provides similar or “adequate” protection for personal data.
If the answer is "no," then investigate whether:
adequate safeguards have been put in place or some other justification for the transfer can be relied upon; and/or
a derogation applies (e.g., the data subject has consented to the transfer, or the transfer is required for the performance of a contract).
It is important to note that accessing personal data remotely in a different jurisdiction from the one in which it is stored is often viewed by foreign regulators as a transfer to that other jurisdiction (e.g., viewing data stored in Germany from a computer in the U.S.). It is also noteworthy that United States’ legal protections for personal data frequently fail to meet the “adequacy” standards of authorities in more highly regulated jurisdictions, such as those in the European Union.
Data Privacy-Related Cross-Border Transfer Solutions
There are several solutions for organizations that need to transfer personal data across borders to countries, such as the United States, that certain foreign authorities may not deem to provide "adequate" protection for personal data. Boards should ask management teams to verify that one or more of the following solutions is in place to comply with applicable cross-border data transfer restrictions:
Consent – Where appropriate, ensure that the data subject has given his/her voluntary and unambiguous consent to the proposed transfer. It is important to note that this option may not be available for employee data in certain jurisdictions in which employees are generally not seen as able to provide voluntary consent to their employers, such as in Germany or France.
Data Transfer Agreements – Review whether or not contractual provisions designed to provide adequate protection to the personal data transferred are utilized by the organization both for internal cross-border transfers between affiliated entities and for transfers to third parties (e.g., the EU Standard Contractual Clauses).
Binding Corporate Rules – Determine whether the organization should adopt enhanced internal personal data protection policies and procedures within the group of companies, referred to as Binding Corporate Rules, and have those approved by the applicable regulators in order to rely on them as a solution.
EU-U.S. Privacy Shield Framework – For transfers of personal data from the European Economic Area to the United States, determine whether the recently approved EU-U.S. Privacy Shield Framework, under which the European Commission deems organizations self-certified to the Framework to provide "adequate" protection to personal data, may be an appropriate solution. (Readers should note that the Court of Justice of the European Union invalidated the Privacy Shield adequacy decision in July 2020 in the Schrems II judgment, as it had invalidated the predecessor Safe Harbor framework in 2015; any transfer mechanism of this kind should be checked against the adequacy decisions currently in force before it is relied upon.)
These solutions will likely continue to evolve, along with the various regulations that impose the restrictions, in order to address the ever-changing digital marketplace. For example, under the new European General Data Protection Regulation (GDPR), which applies from May 25, 2018, the requirements for what constitutes valid data subject consent become more prescriptive, and any new decision by the European authorities that a non-EU jurisdiction provides "adequate" protection for personal data will likely be subject to more rigorous requirements (although existing "adequacy" decisions remain in force until amended, replaced, or repealed). The penalties are also increasing: fines for violating the GDPR go up to EUR 20,000,000 or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.
Furthermore, beyond data privacy-related cross-border transfer restrictions, boards should also be aware that additional cross-border transfer restrictions may apply to the organization, including those related to national security or state secrets.
Given the significant financial and regulatory consequences of non-compliance, boards need to understand how these cross-border transfer regulations may impact their organization, and stay informed of the organization's compliance position and the related risk decisions, for both current and future data collections and uses.
As a partner at Baker & McKenzie LLP, Michael Egan advises clients across a range of industries regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. Joan Meyer chairs the North America Compliance, Investigations & Government Enforcement Practice Group at the firm.
The NACD Atlanta Chapter recently hosted an expert panel to discuss what directors should know and, more importantly, what they should be asking of management about the impact of Brexit on their corporations. The panel was moderated by Ambassador Charles Shapiro—former US ambassador to Venezuela and current president of the World Affairs Council of Atlanta—and featured Jeremy Pilmore-Bedford, consul general from the British Consulate-General in Atlanta; Mary Shelton Rose, PwC East Region advisory leader and leader of PwC’s US Brexit Response Office; and Lynn Clarke, CEO of MetroKitchen.com and director for ABARTA, Inc., Kahiki Foods, Inc., Visii.com, and the NACD Atlanta Chapter.
The takeaways from the event fell into three categories.
Takeaway 1: The Brexit outcome is uncertain, but a more moderate outcome is likely to prevail in the European Union.
To assist directors as they consider how to approach discussions about Brexit, the panel highlighted possible outcomes of the Brexit vote. Clearly, the path that would leave the least uncertainty is the one under which Britain retains access to the European single market through a series of bilateral agreements. However, a model where Britain does not continue to benefit from any part of the single market is also possible. Since the panel met, a UK court ruled that the British government requires parliamentary approval to trigger the process of exiting the European Union (EU), which adds additional complexity and uncertainty to the situation, and could give pro-EU lawmakers more opportunity to influence the direction of the exit.
While some may believe that other EU countries may want to punish the UK for Brexit by offering unfavorable trading terms, the panel seemed to agree that cooler heads will likely prevail as EU member countries focus on Britain’s role as a significant trading partner for the EU. According to Pilmore-Bedford, an upside of Brexit that is often overlooked is that Britain could begin to negotiate its own free-trade deals beyond Europe with growing countries like India.
Takeaway 2: The UK is trying to mitigate uncertainty.
Britain is attempting to mitigate some of the uncertainty about possible outcomes through outreach to companies. For example, British Prime Minister Theresa May recently met with top executives from such companies as Amazon, Goldman Sachs, IBM, and Morgan Stanley in an attempt to reassure investors.
UK officials like Pilmore-Bedford are quick to remind companies that the free movement of labor between Britain and the EU will continue until 2019 at a minimum. Also, the British government is working to enact laws that enhance legal stability for businesses. Still, with no crystal ball in hand and uncertainty even among those closest to the situation, the panel made clear that directors and management must remain vigilant.
Takeaway 3: Directors must exercise due diligence now.
Panelist Lynn Clarke showed the audience a jar of Marmite, a much-loved Unilever product in the UK. She cited an example of how, in the current climate in the UK, otherwise routine operational decisions can have significant impacts on a company’s reputation and bottom line. In the case of Marmite, Unilever decided to raise the price of Marmite in the UK, ostensibly to compensate for the sharp drop in the pound’s value following the Brexit vote. Behemoth grocery chain Tesco reacted by removing the product from its website. Analysts and consumers criticized the price hike, particularly since Marmite does not contain ingredients from outside of the UK. Clarke suggested that companies must exercise additional caution in how business is approached in the UK during this tumultuous time.
In addition, directors may pose a number of questions to management to prepare for Brexit’s impact, depending on the type of operations the company has in Europe:
Strategic Planning: Have we included flexibility in our planning to allow the company to react to scenarios as they unfold?
Investment: Do we want to consider either moving forward with investments or holding off on investments related to UK operations or acquisitions?
Clarke, on the board of a UK tech start-up, noted that start-ups in the UK may move to the EU to access existing seed-funding programs.
Pricing and Margins: Will we be affected by margin compression from goods sold to/from the UK? Should we modify our prices?
Talent: Have we assessed the likely impact of Brexit on talent sourcing to and from the UK should migration be restricted?
Supply Chain: How well do we understand our suppliers’ financial positions? Do we know which of our critical suppliers are most vulnerable to price fluctuations?
Investors: How will we communicate the financial and strategic effects of Brexit and how we plan to mitigate them to investors?
Pension Plans: Will there be concern about pension plans (underfunding, for example, due to asset devaluation)?
Technology: How will all of the above affect technology/systems as changes are needed to HR systems, VAT systems, regulatory systems, etc.?
PwC expert Mary Shelton Rose emphasized that preparing for Brexit will give directors the opportunity to explore less emphasized areas of the company, such as the supply chain, human resources outside of the US, and European and other overseas operations. Given that the greatest certainty at this point is that uncertainty will reign for some time to come, smart directors will begin asking the right questions now, helping their companies adapt to conditions as they evolve. Please reference NACD's recent publication The Board's Role in Brexit Oversight for additional questions boards can consider in response to Brexit.
Kimberly Simpson is NACD’s first regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.
In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target's point-of-sale payment systems and lifted the payment card data of roughly 40 million shoppers, along with names, addresses, and other personal information of up to 70 million customers. That 70 million is almost 30 percent of the adult population in the U.S.
Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.
And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.
The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.
On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.
Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs are permitted to second-guess the SLC members' conclusions so long as the committee's members are independent and the SLC's investigative process is "adequate, appropriate and pursued in good faith." By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the "non-objection" of the shareholders, subject to their lawyers' right to petition the court for legal fees.
Target isn't the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.'s leadership faced derivative claims relating to three separate data breaches at the company's resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham's board had been fully engaged on data security issues and was already at work bolstering the company's cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.
Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.
Treat data security as more than "just an IT issue." Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don't know what they can't see. The objective isn't for directors to develop expertise in data security; rather, it's for them to be able to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO), or the chief information security officer (CISO) where the organization has one, to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
Prepare for cyberattacks in advance. Boards should ask tough questions about their organization's state of preparedness to respond to all aspects of a cyberattack, from reputational risk to regulatory implications. Get your house in order now, not during or after an attack. Not surprisingly, multiple studies, including the Ponemon Institute's 2016 Cost of Data Breach Study, suggest that up-front investment in cybersecurity preparation (for example, a standing incident response team) is associated with lower downstream costs of responding to a breach.
Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when they would proactively investigate a breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company's relationship with customers, shareholders, law enforcement, regulators, and the press.
Develop a flexible cyber-risk management framework. Cyber-risk oversight isn't a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company's sector, profile, and the type of information it collects and stores. While cyber-criminals swiped payment card data in the Target and Wyndham cases, the threat environment has since escalated to ransomware that holds an organization's data hostage for payment, and to the theft of industrial secrets.
Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.
Craig A. Newman is a litigation partner at Patterson Belknap Webb & Tyler LLP and chair of the firm's Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofit institutions, and their boards in litigation, governance, and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and a private equity firm.