Veta T. Richardson is President and Chief Executive Officer of the Association of Corporate Counsel (ACC), and sets the strategy for the world’s largest network of in-house counsel. With more than 40,000 members employed by over 10,000 organizations in 85 countries, ACC connects its members to each other and to the people and resources necessary for personal and professional growth. With more than 57 chapter operations around the world, Richardson’s top priorities as CEO involve continuing to increase ACC’s global footprint and charting the organization through a strategic plan and vision designed to strengthen its position as the global voice for in-house counsel.
In the increasingly complex realm of digital security, strong moral leadership, sound policies and effective communication are of paramount importance.
As consumer needs continue to define and drive the digital age, businesses have more access to personal information than ever before. From social security numbers to bank account digits, customers constantly share personal information and companies are entrusted with valuable data.
The digital exchange of information drives business and helps sustain the economy. But at the same time, it is incredibly powerful—and even dangerous—when used in the wrong way or when it falls into the wrong hands.
Organizations have an ethical responsibility to ensure they are safeguarding customer information and taking steps to protect the data entrusted to them. This necessitates analyzing and understanding where the organization’s chain of access and control of data is most vulnerable and proactively taking steps to reduce the level of exposure.
Tone at the Top Regarding Cybersecurity
Setting the tone from the top is key. A strong corporate culture of ethics and compliance must extend to issues of cybersecurity and data protection with the same level of diligence, oversight and internal reporting as applied to any other area of highly regulated, high-stakes exposure. This necessitates boards of directors asking the right questions and receiving regular reports regarding the company’s preparedness.
For C-Suite leaders, adopting corporate policies and training procedures to encompass responsibility for cybersecurity and ethical handling of data helps companies mitigate the risk of potential failures and breakdowns.
Within organizations, raising overall employee awareness and developing a shared sense of responsibility for data protection is invaluable to safeguard against cyber-threats. This is best achieved when everyone in the organization understands that the corporation’s leadership has set the issue as a top priority.
Addressing the Leading Cause of Data Breaches: Employee Error
Employee error is the leading cause of data breaches across all industries. With cyber-threats becoming more and more sophisticated each day, all businesses should establish protocols and policies to safeguard against both internal and external threats.
According to the “ACC Foundation: The State of Cybersecurity Report,” employees are the biggest source of data vulnerability for companies. The report, which includes responses from more than 1,000 in-house counsel in 30 countries, revealed that employee error is the leading cause of data breaches across all industries. While outside factors like phishing attacks and hacking by third parties are also a threat, employee error is twice as likely to be the cause of a breach. As a result, companies are examining how to avert employee mistakes and strengthen internal training and preventative measures.
Increasingly, corporations are looking to their general counsel to play a key role in development of these protocols, policies and practices. Fortunately, general counsel are well positioned to offer value in this area and to borrow from their experiences analyzing and mitigating risk in other operational areas. Cybersecurity and data protection are fast-evolving issues that are addressed on an ongoing basis by ACC’s Information Governance Committee, a network of in-house counsel who created a forum to discuss the issues, exchange best practices and share preventive measures.
According to The State of Cybersecurity Report, companies are taking steps to help employees avoid the pitfalls created by hackers, with 65 percent of the report’s respondents adopting employee manual acceptance policies on cybersecurity practices. In addition, 44 percent are mandating cybersecurity training for all employees. Further, a third of organizations test employee knowledge and preparedness at least once a year. These training efforts should remind employees about basic cyber-safety missteps to avoid, such as inappropriately forwarding internal emails or placing sensitive data in written communications.
Although data security training is most often the responsibility of corporate IT departments, in-house lawyers do advise their companies on precautions to protect sensitive information as well as the applicable laws and regulations. Their contributions assure that the training offered to employees is sufficiently comprehensive and appropriately targeted.
More Companies Being Held Accountable
Globally, regulators and legislators are holding more companies accountable for lapses in data protection. Regulators are also looking at employee actions as they consider changes to international privacy laws. In Europe, the EU Data Protection Reform adopts a single, pan-European law for data protection. The new rules require companies to obtain individual permission before sharing data consumers provide. Singapore and Malaysia are also looking to implement similar privacy laws.
Within the last two years, the US Securities and Exchange Commission (SEC) has brought more than 70 cases against chief compliance officers for multiple violations, including data security. The agency has even gone as far as publicly calling attention to actions against “gatekeepers” to hold them accountable for the roles they play in privacy issues. The SEC is not the only government agency shining a spotlight on data security enforcement measures. The US Federal Trade Commission recently released a report on its concerns about the commercial use of “big data” and provided businesses with recommendations to limit potential harm to consumers.
Depending upon the circumstances of a data breach, scrutiny can quickly shift to the public sector and carry the potential for criminal charges. This increased regulatory focus extends to investigating allegations of corporate espionage. The US Department of Justice (DOJ) is investigating activities at Lyft, a private on-demand transportation company and primary Uber competitor. Specifically, the DOJ is reviewing Lyft’s alleged role in a massive hack into Uber’s driver list.
Sports teams have been implicated—the former scouting director for the St. Louis Cardinals recently pled guilty to hacking the computers and e-mails of Houston Astros employees. Even the 2016 US presidential political campaigns have been fraught with data security issues of questionable ethical nature, from data mining to allegations of inappropriately obtained voter data. These examples of proven and alleged wrongdoing shed light on the breadth and depth of ethics and compliance issues across all industries and sectors of society.
Corporate Responsibility is More Important than Ever
In a world where 943 records are lost or stolen every minute, according to the 2015 Breach Level Index, data security issues are here to stay. The business community continues to embrace the changing roles of corporate leaders, especially in the areas of cybersecurity and data protection, which present complex ethical and compliance challenges along with risks to corporate reputations and brands. In the context of cybersecurity, corporate ethical responsibility is more important than ever.