The role of a chief financial officer continues to grow and shift, and it’s become obvious in this age of expanding technology and big data that a crucial component of a company’s financial health depends on its data privacy and data security programs, regardless of the nature of the business.

Jessica Franken

First, understand that data privacy is not the same as data security. The former is an individual’s ability to control the collection, use, and disclosure of his or her information. There are laws and regulations in just about every country that dictate how a company can use an individual’s information, which are more or less restrictive depending on the jurisdiction.

But data privacy is not just a consumer issue. Issues arise in the context of employee data as well, whether that of your own employees or those of your customers and vendors, which means these issues cut across every industry.

“Data security,” on the other hand, refers to the security measures that companies have in place to protect that data once they have it. Data security is what maintains the confidentiality, integrity, and availability of data within your possession, custody, or control. But the two terms are closely connected: if you do not have data security, you necessarily have a data privacy issue.

In the United States, failure to have adequate data privacy policies and data security regimes most typically leads to one of two consequences, or both: regulatory enforcement actions and consumer class-action lawsuits. These claims are based on a failure (or alleged failure) to either (1) meet contractual obligations or regulatory requirements to provide notice and choice to data subjects as to the collection and use of their data, or (2) maintain “reasonable and appropriate” data security measures. In either event, the company may end up with significant costs and, often more importantly, potentially huge losses in consumer confidence and brand value.

Heather Buchta

Investors and potential acquirers are catching on to this risk. Even five years ago, data privacy and security were not on the radar of most corporate transactions. Companies would perform due diligence on a target and look at all the standard risk factors: tax issues, environmental issues, employee arrangements, intellectual property issues, licenses and permits, debt, and other aspects of financial health among them. But as sensitivity to data and its value has risen over the recent years, a company’s data can become a significant asset, often to the point of being the critical one justifying a deal.

But it also can be the reason a deal gets killed. No one wants to invest in a company only to have it hacked due to poor data security and then become the target of a regulatory investigation for unfair and deceptive trade practices due to poor privacy disclosures. Add in the potential in that scenario for the company’s key data assets to be stolen and sold on the black market or posted online, and it becomes clear why investors are paying attention. A company’s data privacy and security practices are now often at the forefront of due diligence requests and are garnering their own representations and warranties in deal documents.

These issues are not specific to social media and e-commerce companies. Every company in today’s economy is collecting and using data in some respect. For example, manufacturing data resides in manufacturing systems, human resources data is often outsourced to a third-party data hosting environment, and more data and analytics are being collected via company websites than ever before. If you do happen to be in the consumer space, collecting credit cards, accessing health insurance and financial information, or selling products or providing services online, your risk necessarily increases proportionally.

So What Can You Do as CFO?

  1. Stay informed. The general rule is to stay informed as to the practices of your company. Where data is involved, the company’s financial profile and brand are always at risk. The time to ask whether you have a privacy policy, appropriate technical security measures in place, and a written information security plan is not when facing a due diligence request or trying to populate a data room.
  2. Plan ahead for investments. CFOs are usually in the best position to anticipate the need for an influx of capital. Requests for information on your data privacy and data security are only going to become more and more important to potential investors. Plan ahead to keep your data privacy programs, security measures, and written information security plans updated. Having them updated and ready to disclose as necessary will leave you poised to make a good impression on investors.
  3. Plan ahead for divestments. On the flip side, CFOs are also usually first to know if a business or portion of a business will be divested. As a result, you can prepare your internal data assets to help facilitate a divestment. Most companies keep all their data in the same systems, which creates some unique challenges when only part of a company is divested. Prepare data assets ahead of time to separate out the assets of business units that may be subject to divestment; this smooths the transition to the buyer and reduces the risk of exposing any of the retained data assets.
  4. Keep data risk at top of mind. When commercial deals cross your desk for spend approvals, ask questions about the data transfers involved and whether data privacy and security have been contemplated. If a vendor will have your data, what kind of security is in place? How will you get your data back from the vendor in the event the relationship goes south? And always remember that the dollar value of the deal does not equal the risk involved in this area. Often deals of relatively small dollar value present significant risk, such as outsourcing the hosting of employee human resources data.
  5. Compliance is your new best friend. Regulators understand that data breaches are going to happen; hackers are too good and technology is too susceptible to manipulation. But you can minimize the risk by implementing robust compliance programs ahead of any issue and in the handling of any issue after the fact. Invest time and resources in ensuring that active and well-maintained data privacy and security programs and plans are in place so that your business can respond quickly and appropriately to any data incident.
  6. Create a culture. Many companies are just now starting to pay attention to this issue and the associated risks. By visibly pushing an agenda from the top of sensitivity to data privacy and security, you create a culture that places value on the processes and procedures that can help minimize risk.

As a CFO, you can and should play a role in keeping your company focused on managing the data it collects, uses, and stores. As the value of data increases, particularly in conjunction with the potential risk associated with it, potential investors, buyers, and business partners are only going to increase their scrutiny of a company’s data practices.

Keeping abreast of changing data privacy and security requirements is necessary, but not enough. Understand your company’s business models and data practices and how they may be changing at any given time, as doing so will put you and your company in the optimal position to approach investors and potential buyers or business partners.

Jessica Franken and Heather Buchta are both partners and members of the data privacy and security team at the law firm Quarles & Brady.


One response to “Deals Demand Prior CFO Involvement in Data Security”

  1. What I like best about this article is the inference that the CFO should own data as an asset. Typically GCs have owned privacy and CIOs/IT Security have owned security, but the CFO is perfectly positioned to own Data, and strengthen the controls and improve the ROI on technology.
