The Inevitable 2020 is a series of virtual discussions featuring Fortune 500 executives and thought leaders with a perspective on Artificial Intelligence's inevitable impact on the way we live and work.
Data privacy, along with cybersecurity, has quickly evolved from a regulatory or compliance issue to become a critical barometer of how effectively companies implement core controls and protect the corporate brand. As such, how the board evaluates the state of data privacy and security, and how executives help boards understand what steps they are taking to ensure accountability, are evolving as well.
On October 14, Text IQ’s The Inevitable 2020 Series hosted leading luminaries in the field of data privacy and security to discuss why data privacy and sound information security practices should be concerns for corporate boards - and how chief privacy officers can play a role in making sure the board is getting the right information about those concerns.
Our panel of privacy experts included:
- Morrison & Foerster Partner Miriam Wugmeister. Miriam is Co-chair of the firm’s Global Privacy and Data Security Group.
- Peter Lefkowitz, Chief Privacy & Digital Risk Officer at Citrix Systems. Peter was the 2018 Chairman of the board of the International Association of Privacy Professionals.
- Marsh & McLennan Companies Global Chief Privacy Officer Orrie Dinstein.
- Randal Milch, NYU Faculty Director, MSc in Cybersecurity Risk and Strategy. He was Senior Vice President and General Counsel of Verizon Business from 2006 to 2008 and then CEO and Chairman until June 2015.
The dynamic and wide-ranging conversation, moderated by Randal Milch, covers topics including how to better manage the interaction of boards and operational executives in the context of privacy and security, the impact of privacy legislation in establishing new accountability for board oversight, and how to ensure that the right steps are taken to minimize brand impact from incidents like data breaches.
"Boards should now be asking these basic questions: do we have a cyber security program; how are we protecting personal information? It's really not going to be OK anymore to simply do nothing and not understand that this is really part of their purview..."
Kicking off the conversation, Morrison & Foerster (MoFo) Partner Miriam Wugmeister notes how the role of the board and the expectation of the board are changing. “There are some very specific cases where it's become apparent that the board has to do more than just take a high-level interest and just wait until management comes and brings a subject that they think is important when it comes to privacy and cybersecurity.”
What emerges from this conversation is that members of the board not only need to engage before, during, and after a data breach, but will need a level of familiarity with data privacy and security – and cybersecurity specifically – so they can ask the right questions and engage appropriately.
Citrix Systems’ Peter Lefkowitz argues that, given the impact that data privacy breaches can have on the brand, today’s boards need to understand not only how companies are adhering to longstanding regulatory controls defined under mandates such as Sarbanes-Oxley, but also what programs are in place for cyber security. “If you have a fundamentally solid well-thought-out cyber program and privacy program, you are not going to wind up in the realm of what are considered to be bad actors because of a failure to think about these things,” notes Peter.
"Fundamentally, the board needs to know that you are protecting the brand. And today, cyber and data privacy are key accountability and brand topics just like keeping clean books."
Once the board is asking those questions, the next issues are how to communicate the right level of information to the board and ensure productive engagement. The specifics of engagement, who should engage the board of directors or its committees, and the frequency requirements led to much interesting discussion, some of which turned on clarifications concerning the terms privacy, cybersecurity, and data protection. Marsh & McLennan’s Orrie Dinstein notes that these are three quite different concepts and that they are also used differently by different jurisdictions globally.
"I think that sometimes there's a jargon issue that gets in the way... it's always important to understand exactly what it is that the board is really interested in hearing about."
Where much of this has led, notes MoFo Partner Miriam Wugmeister, is the establishment of separate “specialist committees” to manage privacy, cybersecurity, and data privacy, not only because “we are starting to see more expertise on boards in that area, but also because the organizations realize the fundamental risk” to the business.
This is just a small sample of a remarkably insightful and candid conversation among industry leaders, each with a unique vantage point.