Oscar Wilde’s famous definition of a cynic as someone who “knows the price/cost of everything and the value of nothing” resonates just as much today as it did 127 years ago.
If we look at the value of a brand or indeed the value we place on our personal privacy and data, then it should be glaringly obvious that CEOs need to take an ethical rather than a cynical approach to legislation governing data protection and cybersecurity regulation.
We are living in a world with an increasingly complex, global regulatory landscape. It’s also a world in which cyber security attacks compromising personal data seem to occur on a near daily basis.
Dido Harding, the former Chief Executive of TalkTalk, a $2 billion UK telecommunications company, was forced to leave her post only 18 months after the company was hit by a cyber-attack affecting tens of thousands of customers.
The same is true of Richard Smith, CEO of Equifax, who “retired” abruptly following a data breach. Target’s Chairman, President, and CEO, meanwhile, all resigned following a data breach in 2013.
According to multinational cybersecurity and anti-virus provider Kaspersky, the average cost of an enterprise data breach is $1.41 million. And that doesn’t even include the cost of fines and other penalties. Marriott, for example, is facing a $123 million fine for a data breach. UK regulators have announced their intention to fine British Airways a record £183 million ($230 million). And Uber has been fined in the United States, the UK, France, the Netherlands, and Colombia.
Quite frankly, if data protection, cyber threats, and increased security regulation aren’t keeping CEOs awake at night, then I don’t know what is.
Although the U.S. doesn’t yet have a unified federal privacy law, Silicon Valley and indeed businesses throughout the entire state of California are learning to adapt to the new California Consumer Privacy Act (CCPA), which comes into force in January 2020. Moreover, the CCPA might well apply to an organization even if that organization doesn’t have a physical presence in California.
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations meeting these thresholds will be required to implement and maintain reasonable security procedures and practices to protect consumer data, to place a “Do Not Sell My Personal Information” link on the organization’s home page, and to offer designated methods for submitting data access requests, including, at minimum, a toll-free telephone number. Failure to comply brings with it a host of sanctions and remedies, including fines of up to $7,500 for each intentional violation and statutory damages of up to $750 per California resident and incident.
Without a doubt, this is a landmark consumer privacy law and other states are already following California’s lead – all of which should lead CEOs to ask whether they will be affected by the CCPA; when the EU’s General Data Protection Regulation (GDPR) applies to U.S. companies; and whether they are prepared to comply with Brazil’s new General Data Protection Law, slated to come into effect on August 15, 2020.
Obviously, stiff penalties and enforcement actions are areas of great concern, as is the damage to brand reputation and loss of trust that can occur in the wake of a data breach. But perhaps the most costly impact of such breaches will be private litigation and class action lawsuits.
Given that, what can CEOs do to avoid the headlines, heavy fines, and the possibility of having to appear before Congress?
The bad news is that checking the boxes to pass compliance requirements is just not enough – and perhaps could be classed as taking a “cynical” approach. Sure, the boxes need to be checked. More importantly, though, CEOs need to:
- Ensure that a culture of privacy runs throughout their organization by consistently focusing on awareness, education and engagement;
- Break down any organizational silos that still exist so that privacy (data protection) and security teams are working closely together;
- Recognize that compliance is a journey not a destination;
- Understand where their data is held;
- Make certain that data security is a top-tier, board-level priority;
- Confirm that an incident response plan is in place;
- Determine whether appropriate back-up procedures are in place in order to minimize downtime; and perhaps most importantly
- Become a privacy evangelist.
All of these new laws are an attempt to bring regulation up-to-date with the reality of the digital world. Responsible CEOs need to respond to them by taking a proactive approach to privacy and security.
Yes, there are hefty fines for non-compliance, but these shouldn’t be regarded as a “cost” of doing business. Rather, the CEO should be looking instead at the importance of instituting a companywide culture of data privacy, security, and ethics, and the value that doing so can add to the overall business.