Historically, this column has chronicled issues identified as “hot spots” that demand heightened attention from a board of directors. A review of these columns echoes the French axiom, “plus ça change, plus c’est la même chose” — “everything changes and everything remains the same.”
Boards are, always have been, and will remain responsible for strategy, “tone at the top,” election and removal of the CEO, and the “duty of care” to supervise significant elements of company performance.
Below are three current board “hot spots.”
GDPR
GDPR is the European Union’s new General Data Protection Regulation.
Generally, any organization with 250 or more employees, located anywhere in the world, is required to provide “usage notices” for data collection from data subjects (any person in the EU). Certain data cannot be used for any purpose without express permission of the data subject.
GDPR applies to your company if you deal in the EU, even only electronically, because the key is not your location but the location of the data subjects. Any company with a web presence will potentially be affected by GDPR.
What are the concerns of privacy professionals? I refer to the National Association of Corporate Directors’ spring 2018 “Director FAQ.”
Foremost is negative publicity from noncompliance. One example is the “hit” Facebook took this spring by reason of unauthorized disclosure of personal data.
But privacy professionals are almost equally as concerned about regulatory penalties. It is likely the EU will take a particularly egregious case and draw a line in the sand to make sure that everyone, worldwide, is paying attention.
Minimum fines are the greater of 10 million euros or 2 percent of annual worldwide revenue, and can run as high as 20 million euros or 4 percent of total annual worldwide revenue.
Over half of privacy professionals also are concerned with civil litigation. The GDPR provides that “any person who has suffered material or nonmaterial damage” through its violation has recourse through litigation. The reference to “nonmaterial damage” suggests use of class actions, creating economies of scale in pursuing numerous smaller claims.
Does your entity collect personal data from data subjects of the type that is subject to regulation? Regulated data is processed in an automated or semi-automated context, or is otherwise collected to be placed in some “filing system.” “Personal data” must relate to a person who is identified or identifiable. The identification can be indirect, by reference to a Social Security number, a street address, or a name used in social media, or to specific physical, psychological, genetic, economic or cultural indicators.
NACD recommends that management be asked about an entity’s connection to GDPR (whether through customers, operations or European partners); whether the legal team is fully up to speed; exactly what personal data the entity collects; how long the data is kept; and what the industry “best practices” are.
GDPR also contains general principles for companies processing personal data. Companies must collect data transparently and need consent in order to utilize it in many ways. Boards might ask for an understandable articulation of the process to obtain consent. Management should be asked whether data subjects are adequately advised as to how personal data will be utilized, and whether the company provides a clear mechanism by which a data subject can ask that personal data be “forgotten,” i.e., deleted.
There are certain totally prohibited categories of data collection. Racial demographics are banned without express consent, unless such data is collected to adhere to employment, Social Security or social protection laws. Personal data can be maintained only when necessary for a particular purpose; directors can ask about the company’s reasons for data retention. Boards can ask how accuracy of data is maintained.
Boards also should inquire granularly about cyber security with respect to data that is subject to GDPR; general cyber protections may be inadequate to comply with EU standards. Use of pseudonyms, encryption and regular testing are recommended.
NACD notes that complying with GDPR involves coordination of many entity functions: IT, legal, compliance, HR, audit, privacy, procurement, risk management, sales and marketing. Directors should inquire as to how these silos are monitored. Among other questions, they should ask: “Let’s say I am a data subject and I ask that my data be deleted. How exactly are you going to find my information within company records?”
If your company is in the business of processing and controlling the data (rather than, for example, being an end-user of data for marketing or sales), the board should make sure that a DPO (data protection officer) has been named to monitor GDPR compliance, with specific tasks contained in written policy. Establishment of a formal board committee specifically to oversee GDPR compliance also has been recommended.
The board should determine whether the company has clear protocols for notifying authorities within 72 hours of any data breach unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” That is a short period to be certain about the impact of a given breach, the scope of which may not be immediately apparent.
Finally, if GDPR is violated, boards should confirm the obligation of management to advise particular persons or committee members, and the point at which the entire board should be advised.
Institutional investors
Public company directors must consider the principles promulgated by the Investor Stewardship Group (ISG). Until recently, “activist investor” meant a corporate raider seeking changes to promptly increase share price. Recently, boards have been trained to take seriously an approach by activists, and to consider the merits of what is being proposed.
Enter institutional investors, which have historically eschewed association with activism, voting with management in all but rare circumstances. Fifty large institutional investors, with an aggregate investment of more than $22 trillion in U.S. equity markets, have banded together in forming ISG and have published corporate governance guidelines.
The ISG encourages directors to apply these guidelines to their boards, and the group will evaluate alignment with these principles in making institutional investments. The ISG encourages its member institutional investors to be transparent in how they vote their proxies, which will affect the extent to which boards pay attention to ISG principles.
What are the ISG principles?
- Boards are accountable to their shareholders (not management).
- Shareholders are entitled to voting rights in proportion to their economic interests (no weighted votes or nonvoting shares).
- Boards should reach out to shareholders to understand their perspectives.
- Boards should have an independent leadership structure (independent chair or independent lead director).
- Boards should develop management incentives that align with long-term strategy of the company.
ISG evinces a jaundiced eye for anti-takeover measures. Boards also are asked to explain reactions to significant shareholder proposals. Independent directors should be available to speak with shareholders, boards should look at governance gaps to make sure that each board contains a mix of “direct industry expertise and experience and skills,” and boards should “embody and encourage diversity, including diversity of thought and background.”
The majority of directors should be independent, and key committees (audit, executive compensation, nominating/governance) should be entirely independent.
Sexual harassment
Today, public boards remove CEOs, regardless of their business performance, if there is credible demonstration of sexual misconduct. Why is that?
First, boards need to understand what constitutes sexual harassment. There actually is a definition under federal law, under the Civil Rights Act of 1964. Among other things, perhaps counter-intuitively, a victim need not be the person who is being harassed, but any person who feels the effects of the offensive conduct. Economic injury need not be shown. The harassment need not be sexual; it is illegal, for example, to make an offensive comment about women in general. It is also unlawful to retaliate against somebody for filing a harassment complaint.
Boards must make sure that written policies are in place, and training is undertaken, to avoid sexual harassment, sexual discrimination, or the establishment of a discriminatory workplace. In certain states, the board should make sure that management avoids pay scale gender discrimination; Massachusetts has just adopted a statute specifically prohibiting such discrimination.
The board should make sure that a company’s non-harassment program contains the following elements: a clear reporting mechanism by which claims of harassment can be brought; establishment of an independent board with female and minority directors who presumably will have greater sensitivity to these issues; in larger companies, establishment of both a committee to monitor diversity and inclusion and an executive level position, such as a chief diversity and inclusion officer, with responsibility for behavior in the workplace; and most importantly, establishment of a “tone at the top” whereby management makes it clear that harassment and discrimination are unacceptable.
Because non-harassment is conceptualized as flowing from the top, transgressions by C-level executives take on paramount importance. Particularly in the case of a CEO who is talking the talk but not walking the walk, boards in today’s environment are perceived as having little choice but to terminate employment.
Boards also should consider whether executive employment agreements should contain penalties such as negative adjustments to stock options or bonus programs, or even claw-backs from prior earnings, in the event a firing is premised on sexual misconduct.
Stephen M. Honig is a partner at Duane Morris in Boston.