Corporate Governance: Privacy and Data Protection
With two billion users worldwide, WhatsApp experienced a rough start to 2021. Thanks to it, Signal and Telegram on the other hand have had a great start to the year. All because of data and privacy concerns.
While not all of us read user terms and conditions in detail, or at all, we know that Facebook (which happens to own WhatsApp, with its 1.5 billion users, and Instagram, with approximately one billion monthly active users) collects user data and metadata (data about data) from its 2.8 billion monthly active users. This data is then used to push advertisements based on conversations or search engine usage, and targeted advertising takes place based on demographics such as age and location, which most users freely volunteer.
Users scurried around to find alternative messaging services – and found them easily: Business Insider reported that Signal saw 7.5 million downloads in a single week in January (a 4,200 percent increase on the previous week) and Telegram saw 9 million downloads, a 91 percent increase.
Sharing of private information goes beyond social media channels though.
Scarily, CSO Online reports that all sorts of companies have been affected by data breaches. “About 3.5 billion people saw their personal data stolen in the top two of 15 biggest breaches of this century alone. The smallest incident on this list involved the data of a mere 134 million people.”
Why is this of significance to you as a board member? It is important because people (just like you) are scared of their information being leaked. They fear being exposed. They will do whatever they can to protect themselves. And they expect you to keep the information they share with your business in confidence confidential.
Kieron McRae, head of Sirdar Guide, shares, “As a director, you have the duty to act responsibly and in the best interests of the company. This means not taking risks that could see people’s private information being shared whether due to cybercrime or a system fault. It goes much further than just an email address or phone number being leaked – which is reasonably easy to track down anyways. It extends to information such as health records, bank account information or credit card details.”
Boards have the duty to ensure that cyber and physical risks are constantly assessed and managed, and must determine how a potential breach would be dealt with.
While privacy and data protection are responsibilities of the board, so is transparency.
Although being informed about a data breach is important to clients and investors alike, some businesses consider customer and financial impact when deciding whether or not to be open and upfront about it.
Just this past weekend, news broke of PPS encountering a cyber attack. Their clients seem to have been left in the dark for about three days after the hack which will no doubt be thoroughly investigated. On the other hand, Uber reportedly paid hackers a $100,000 ransom and then went on to hide the breach from the public for a year. Given that they are no stranger to scandal, this was just another nail in Uber’s coffin of reputation management.
McRae considers the consequences of non-disclosure, sharing, “Executives could face hostility from investors, clients and consumers if it comes to light that they have attempted to hide a data breach – whether to save face or to avoid paying fines. Imagine the reputational damage caused by covering the truth which can be much longer term than the impact of paying a fine. Warren Buffett’s wise words hold true here: ‘It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.’”
Do not let poor privacy and data management damage your bottom line and tarnish your reputation.
The Cost of Breaches
If a board is found to have neglected its fiduciary duty of acting in the best interests of the business by letting data protection slip, its members can be held liable in their personal capacity.
In South Africa specifically, contravention of the Protection of Personal Information Act could see directors face jail time of up to ten years and/or be liable to pay a fine. The amount of the fine depends on aspects such as the nature of the information, the duration and extent of the contravention, whether the contravention could have been prevented, and any failure to take reasonable steps to protect personal information.
There really is no place to hide. And while the threat cannot be removed, it can certainly be reduced.
Actions for directors and boards to take to mitigate risk include:
- Fully understanding relevant privacy acts including the implications of non-compliance – and asking reputable third parties for the right advice if there is any lack of clarity.
- Having the required corporate governance measures such as a risk and compliance matrix in place.
- Constantly reviewing business continuity and disaster recovery plans.
- Ensuring that contracts with customers and vendors refer to liability limitation and indemnity.
- Ensuring that you are covered by directors’ and officers’ liability insurance cover.