Copyright © 2024 Telesto Strategy, LLC
All rights reserved
Data privacy has become a critical boardroom issue, especially in the Industrial sector. While awareness varies, recent high-profile data breaches and privacy scandals have heightened board-level attention to these matters. The reputational and financial risks are significant, especially as these risks are becoming uninsurable. Accordingly, boards have begun recruiting directors with expertise in technology and data privacy and improving enterprise data governance and protection (as part of ESG practices). Notably, younger board members often bring a heightened sensitivity to digital and privacy risks, contributing to a more balanced and informed board composition.
Key takeaways:
- Industrial boards must stay informed about evolving data privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and the SEC (Securities and Exchange Commission) cybersecurity disclosure rules, and integrate compliance into their oversight and governance. They should do this by regularly conducting privacy audits, receiving ongoing training, implementing robust reporting systems, and recruiting members with data privacy expertise
- Boards should emphasize the importance of proactive data management, legal consultation, and transparent communication with stakeholders when privacy violations occur, learning from past cases of non-conformance and litigation
- To prepare for potential data breaches or non-conformance issues, boards should regularly engage in education and training, review industry best practices, conduct tabletop exercises, and ensure frequent updates from the Chief Information Security Officer or other security leaders
- Now that cyber risks are becoming uninsurable, boards should look to manage them as part of a governance framework in ESG reporting
The cost of a data breach continues to rise for industrial companies and is now estimated at $4.5M per incident. In 2022 alone, manufacturing and industrial companies suffered more than 130 data breaches, which exposed 38 million records. Simply put, Industrial companies are under threat, and board directors must be prepared to improve readiness and responsiveness.
Regulatory compliance landscape for data privacy
Industrial boards, given their companies' access to extensive consumer data, must remain attuned to privacy issues and to emerging technologies that may affect data security. Regulations such as GDPR, CCPA, and others are becoming increasingly central to board discussions, often within the context of ESG sub-committees. In July 2023, the SEC followed suit by adopting rules requiring U.S. public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to disclose annually (on Form 10-K) material information about their cybersecurity risk management, strategy, and governance, including the board's oversight of cybersecurity risk.
These discussions typically cover:
- Data Collection, Consent, Security, and Third-Party Risk Management
- Cross-Border Data Transfers and Ethical Use of AI
- Risks Associated with IoT and Smart Packaging
- Handling of Employee Personal Data and Data Integration Post-M&A
- Description of the company's process for identifying, assessing, and managing material risks from cybersecurity threats (now a required annual disclosure under the SEC rules)
Staying informed and proactive on these topics enables boards to provide effective oversight and guidance, which is crucial in today's digital environment, where regulatory frameworks like GDPR and CCPA extend beyond their geographical origins and affect global Industrial operations.
Governance learnings from non-conformance and litigation cases for Industrial companies
GDPR has significantly changed how companies manage and oversee employee and stakeholder data since it took effect in May 2018; CCPA came into force in January 2020. These are relatively new regulations, yet companies have already faced significant penalties and fines:
- In June 2022, vehicle manufacturer Nissan received a data breach notice from one of its third-party vendors. A poorly configured database allowed attackers to access customer data and exposed around 18,000 customer records
- Parker-Hannifin, which designs and manufactures aerospace components, was the victim of a ransomware attack that compromised its systems in 2022. The attack exposed data of current and former employees and their dependents, and the company agreed to pay the affected employees $1.75M in settlement
- In 2020, the UK Information Commissioner's Office (ICO) fined British Airways £20M (about $26M), reduced from the £183M proposed in 2019, over a 2018 data breach that exposed the personal data of more than 400,000 customers
- In 2020, the ICO fined Marriott International £18.4M (about $23.8M) over a breach of the Starwood guest reservation database that exposed personal information in up to 339 million guest records
- In 2020, the Irish Data Protection Commission fined Twitter €450,000 for failing to notify the regulator within the 72 hours GDPR requires and to properly document a reportable breach
- In 2021, Luxembourg's data protection authority fined Amazon €746M for alleged GDPR violations related to targeted advertising practices
- In 2020, H&M was fined €35 million by the Hamburg data protection authority for inappropriate surveillance and documentation of employee activities
- In 2022, Sephora agreed to pay $1.2M to settle allegations of CCPA violations brought by the California Attorney General
The California Attorney General (responsible for CCPA enforcement) has often issued notices giving companies an opportunity to cure violations rather than imposing fines. This approach has led to fewer public announcements of CCPA penalties, and some companies may have reached confidential settlements. Note that the CPRA amendments removed the mandatory 30-day cure period as of January 1, 2023, so boards should not count on that leniency going forward. These publicized cases highlight the importance of robust data management and security practices. Boards must ensure proactive assessment, documentation, and legal consultation. In cases of non-conformance, timely and transparent communication with stakeholders is crucial. The board's role in overseeing data privacy compliance and risk management cannot be overstated.
What can Industrial boards of directors and ESG sub-committees do?
Given the evolving nature of privacy regulations, Industrial boards should adopt the following measures to enhance their preparedness. In the event of non-conformance, the board needs to:
- Assess the span and cause of non-conformance
- Engage external experts if necessary to ensure an impartial evaluation
- Ensure adequate resource allocation to address issues quickly
- Consider self-reporting to relevant authorities if required and advisable
- Ensure legal transparency and manage reputational risks through a robust communication strategy for employees, customers, and shareholders
- Implement necessary changes to prevent future non-conformance
- Determine if oversight failures occurred and take appropriate action accordingly
- Ensure all actions taken are well-documented for potential regulatory inquiries
- Require frequent updates on the progress of remediation efforts
- Evaluate insurability of cyber risk and manage cyber risk as part of governance and controls within an ESG framework
To prepare for such events, boards need:
- Regular board education and training including benchmarking exercises
- ESG Committee reports on data privacy
- Briefings from the Chief Information Security Officer or equivalent roles
- Review industry best practices
- Tabletop exercises simulating data breaches to identify gaps in preparedness
- Regulatory updates and board visits to company data centers or security operations centers
- Third-party audits and recommendations for improvement
- Annual review of the company’s overall posture regarding privacy and protection
Actions boards can take:
To further support management and the company, boards can consider the following steps:
- Require external training for the board or ESG sub-committee on privacy-related matters
- Employ a third-party specialized company to do a competitive benchmarking exercise for the board
- Require legal update regarding regulatory compliance landscape
- Employ third-party audits on data privacy governance
- Ensure data privacy is a topic for regular updates through enterprise risk management framework for the board
- Recruit board members with sufficient data management and cyber credentials and standardize a minimum requirement for future directors
- Audit the insurability of data breaches and cyber risk to determine full operational and financial exposure to the most critical risks
Questions for the boardroom:
- How effectively is our board overseeing data privacy and compliance with regulations like GDPR and CCPA, especially in managing consumer data and third-party risks?
- How do data management strategies intersect with cyber risk and good governance (as part of ESG)?
- Now that most cyber risks are no longer insurable, what new processes and systems will we need to better manage our data?
- What steps are we taking to ensure our board stays informed about the latest developments in data privacy, cybersecurity, and the ethical use of emerging technologies like AI and IoT?
- In the event of a data breach or non-conformance, do we have a clear, actionable plan for addressing the issue, engaging external experts, and maintaining transparency with regulators, customers, and shareholders?
Additional Telesto resources:
Telesto Strategy supports Corporate Directors in the Industrial sector to mitigate ESG and climate risks, stay ahead of changing regulatory regimes, and enhance disclosures and reporting in increasingly complex environments. See additional resources to equip Corporate Directors for improved CSRD implementation:
- Six Reasons Why Board Members Should Manage Cyber Risk as an ESG Issue
- What Should Boards Consider as Voluntary versus Non-Voluntary Disclosures for ESG?
- Trump 2.0 tariffs and preparedness for Industrial companies
- Atlas, our sustainability and ESG training for boards, equips corporate directors and leaders with the insights and knowledge necessary to stay up to date, mitigate risks, and seize business opportunities associated with sustainability, climate, and ESG