Insights From The Inevitable: The Board’s Evolving View on Data Privacy

The Inevitable 2020 is a series of virtual discussions featuring Fortune 500 executives and thought leaders with a perspective on Artificial Intelligence's inevitable impact on the way we live and work. 

Our Panel

As the privacy and security landscape continues to change, it’s important that board members know their roles, and that those reporting to the board know what information they need to provide. In our recent virtual discussion on the corporate board members’ view of data privacy, we invited a veritable who’s-who in the privacy space; they’re a cyber-attacker’s worst nightmare, and a corporate board’s best friend. 

Board’s role should be active

Miriam Wugmeister, one of the most experienced lawyers in data privacy and security, shared some of the advice with us that she regularly gives multinational corporations when called on to assist with some of the world’s most difficult privacy challenges. 

“The role of the board and the expectation of the board is changing in the context of cyber and data security. It's become apparent that the board has to do more than just take a high level interest before cybersecurity incidents. The board has a specific role before, during, and after the incident.”

“For many companies, cyber and privacy is core to their mission. And so the expectation is that boards are supposed to be asking those basic questions, like, do we have a cyber security program? How are we protecting personal information? And it's really not going to be okay for boards to simply do nothing and do not understand that this is part of their purview.” 

Miriam Wugmeister outlines the board’s key responsibilities throughout the course of a cybersecurity incident:

Before: Before an incident, boards need to make sure that they're asking the right questions regarding governance, processes, and basic incident preparedness. Boards should be demonstrating that they're interested and ask the core questions.

During: During an incident it's really important that board members understand that they are not part of management. They of course should give their expertise. They should help. They should ask the right questions, but they are not part of management.

After: After an incident, boards need to be informed about what happened, what was the cause, what's being done to fulfill any gaps. So we're going to talk about how you help your board to fill those roles and what executives can do to prevent future incidents.

The role of a CPO has changed

The role of CPOs is evolving: "Now with GDPR, privacy officers have to have visibility into the process around security." - Peter Lefkowitz

"There are three domains - cyber, privacy, and data protection. Companies tend to conflate all three into one bucket, which leads to problems." - Orrie Dinstein

Orrie Dinstein’s list of need-to-knows for board members: 

  1. Strategically relevant changes that are going to fundamentally change the way we work, e.g. GDPR & CCPA
  2. Internal events that might become public events and end up in the Wall Street Journal, e.g. data breaches
  3. External developments and trends that are likely to be of relevance to an organization that the board would like to understand, e.g. Schrems II

Should board members have technical expertise or should there be an expert on cyber / privacy issues? 

Our panelists had slightly differing views on this point:

Expert consultant: “I think that it really depends on the dynamic of the board, and of the chairman of the board, and the leadership of the company. And, I think that if you can manage it right, then on balance, the board will be better off with having a subject matter expert, as long as it's clear that that's not a handoff to that person, and the rest of the board members can take a nap.” - Orrie Dinstein

Well-versed board: “So I think the better approach is that every member of the board should be educated and have enough knowledge to ask tough questions. And, sometimes that's what I do. I go to boards and I teach them what questions should you, as the board, be asking?” - Miriam Wugmeister

Technical expertise: “You need to have somebody in the upper ranks of the company, whether that's a board member or an executive leadership member, who has the ability to really perform oversight on the technical functions and on the regulatory functions.” - Peter Lefkowitz

Join us next time for, “Prove It - What It Takes For A Successful AI POC,” on Friday, October 30th at 2 PM EST with our POC “dream team”:

They’ll share their playbook on how to execute a successful POC at your organization. 
