Big data presents a range of central corporate governance challenges – how do we protect the growing body of data? To what extent do we need to digest and understand this data? What can we, and often more importantly, what should we, be doing to exploit it? These have been seen as business questions, but they are also profoundly important governance questions that companies and boards are facing at a time when Australia’s corporate governance framework itself is being transformed.
Corporate governance framework
The corporate governance landscape in Australia is undergoing fundamental change right now. On one level, the prescriptive requirements have been dialled up (eg, the new Banking Executive Accountability Regime (BEAR)), but more importantly, the overall scrutiny on governance is at extreme levels. The Hayne Royal Commission, APRA’s report into the Commonwealth Bank of Australia, proposed changes to the ASX Corporate Governance Principles and Recommendations, increased penalties for breaches of the Corporations Act, embedding ASIC officers in the four major banks and AMP – each of these is evidence of the growing focus on the leadership of companies.
Regulators (such as ASIC, APRA and the ACCC) have recently begun displaying a willingness to adopt a more interventionist approach, with a desire to identify and prosecute more breaches of the legislation they administer. This renewed emphasis on enforcement further increases the pressure on companies, boards and management teams.
As a result of this shift in the climate, the articulation of the role of the director is also changing. Previously it was accepted that directors had an oversight role in the company; now there is a growing expectation that directors have a granular understanding of the business and its material risks.
There is a profoundly important intersection between this alteration of our corporate governance regime and future practices around a company’s collection, use and protection of data.
Realistically, for all the opportunities data as an asset presents for businesses, data has created three entirely new categories of risk for boards to manage:
- risks around failing to protect data;
- risks around failing to digest the data they have; and
- risks that flow from misusing data they have access to.
1. Failing to protect your data
This risk is the most obvious and well understood at this stage of the development of the data economy. Given the growing value we place on data, it comes as no surprise that cyber security is fast becoming a primary risk area for companies. The ASX in mid-2017 found that 80% of companies expect an increase in cyber risk over the next year while 50% of company boards are only somewhat confident their company is secure against cyber attacks. Five years ago, cybersecurity as a risk for businesses was not listed in the top 10 risks by Australian boards. Today, it is largely considered to be number one. The question that naturally follows is: what must directors do to secure company data in order to discharge their duties? ASIC Commissioner Cathie Armour has noted that directors should “be actively thinking about whether cyber security should be assessed more regularly than other risks” and should “think about lifting their capability” in the area.
In the US, shareholders have already brought an action against directors (Target Corporation in 2013) for a perceived disregard of their duties in relation to a data breach affecting 40 million Target customers. In Australia, we are yet to see directors’ liability in relation to data breaches be tested. Nevertheless, the prospect of such litigation may not be too far away. The idea of ‘stepping stone’ litigation becomes relevant here. First, an action will most likely be brought against the corporation for an alleged breach of data-related legislation or terms (for example, of the Notifiable Data Breaches provisions). Then, once corporate fault is established, it becomes open for a regulator to allege that there has also been a breach of directors' duties (most commonly under section 180 of the Corporations Act, in respect of a breach of the duty of care and diligence). Of course the ‘steps’ between the ‘stones’ are not always simple. It must be established that the director has not exercised due care and diligence, but ASIC has been assertive in prosecuting the ‘stepping stone’ line, as recently seen in action against the directors of AWB and the ultimately unsuccessful action against Mariner’s directors (for a breach of the takeover bluffing prohibition). It is not yet clear what ‘due care and diligence’ means in relation to data security but given ASIC’s approach to ‘stepping stone’ litigation, it is not hard to imagine this being tested.
The APRA Report is seen by many as capturing the current atmospherics in corporate governance and contains several lessons for boards. APRA stressed the need to adopt ‘chronic unease’, with the board (and staff at all levels) looking out for current and emerging risks. This recommendation is particularly relevant for data risks, which APRA highlighted as one of the key risk areas where preparation, management and implementation of appropriate systems significantly mitigates the risk.
A helpful piece of guidance on this front in trying to understand what is expected of a board is ASIC's 2015 Report 429. In that report, ASIC encourages a review of board-level oversight of cyber risks and cyber resilience as part of a company's systems managing the material business risks. It also underlines the need to plan ahead for cyber risks in any governance and risk management policies/practices. Without amounting to a concrete statement of the burden on directors to consider data security, this does shed some light on what might be required of directors in the future in discharging their duties of care and diligence.
We’ve seen in the US with Yahoo and Wendy’s that directors can be held accountable for data breaches. In 2016 Yahoo announced two incidents: one in September and one in December. After the September disclosure, Yahoo’s share price dropped 3.06%. After the December disclosure, Yahoo’s share price dropped 6.11%. Shareholders of Yahoo filed a securities class action, claiming that the share price drop was foreseeable, given the lack of security imposed on Yahoo’s users’ personal information.
Similarly, the fast-food franchise Wendy's experienced a data breach, and the disclosure of the breach caused Wendy's share price to decline. A few months after disclosure of the breach, Wendy's shareholders filed a shareholder derivative action against Wendy's and 19 of its current and former directors. The pleadings included claims for breach of fiduciary duty, waste of corporate assets, unjust enrichment and gross mismanagement.
The suits against Yahoo and Wendy's were eventually settled. In the Wendy's case, as part of the settlement, Wendy's agreed to adopt remedial and prophylactic technology and cyber security measures. These included the creation of stronger data security protocols and the establishment of a board-level committee to oversee Wendy's technology and cybersecurity. These cases not only demonstrate that directors can be held accountable for data breaches, but also show the importance of establishing data protections before breaches occur – highly relevant for Australian directors obligated to exercise an increasingly scrutinised level of care and diligence.
2. Failing to digest the data you have
Less well understood at the moment is the intersection between the change in Australia’s corporate governance landscape and data that may be available to boards to assist with better decision-making or detecting wrongdoing earlier. The paradigm shift in the corporate governance landscape can be distilled as a change in the question that is being asked of directors: no longer “What did you know about this issue?” but instead “Why didn’t you know about this issue?”
The potential impact of this attitude shift is magnified when layered with the growing volume of data available to companies and boards. Directors will need to answer the question, “Why didn’t you know about this issue?”, in the context of having large quantities of data that, despite having been unstructured and unused at the relevant time, may, after the fact, evidence the very issue in question.
Recently, in the Supreme Court of Western Australia, the Westgem case exemplified the importance of understanding the underlying data potentially available to directors. Broadly, in the Westgem case, a dispute arose over the admissibility of a data file. Westgem’s liquidator sought to admit as evidence of Westgem’s finances a ‘Quickbooks’ data file, which was generated by Westgem using an electronic accounting system. The Court considered that the data file was prima facie evidence of the matters stated or recorded in it (ie, the data file was admissible). That is, it was found that the data file was a ‘book’ of the company, and that a report that the company did not actually have, but that was necessary to create to make sense of the underlying data the company did keep, was also a ‘book’ of the company.
The possible implications of this case for directors are considerable. If underlying data files and their possible extrapolations are considered ‘books’ of the company, it follows that directors might be found to fail their duty of care and diligence when making a decision if information contained in data files could have been distilled and used to make a better decision.
If it can be shown after the fact that the right information was available somewhere in the company, even though it never percolated up to the board, it is going to become increasingly hard for directors to say they did the right thing at the time.
The importance of properly understanding underlying data was a focal point of APRA’s CBA Report. APRA noted the importance of establishing processes and mechanisms in order to analyse data to identify trends that are indicative of systemic problems. This approach to data analysis has also been utilised throughout the Royal Commission. Data sets have been tendered throughout the hearings which evidence a series of smaller alleged breaches, and it has been submitted to the Royal Commission that this is indicative of a broader systemic problem, reflecting failures of governance from board-level down.
The BEAR legislation is another example of where data will become important in proving compliance or failures. The Explanatory Memorandum accompanying BEAR makes clear that the regime is designed to apply to poor conduct or behaviour “that is systemic and prudential in nature”. Data will be front and centre in contemplating the reasonable steps required of accountable persons under the BEAR legislation (including directors).
Expectations that unstructured data can and should be understood may very well make compliance with these types of obligations extremely difficult.
3. Misusing data
APRA’s CBA Report highlighted the ethical questions that boards face today:
At its simplest, conduct risk management goes beyond what is strictly allowed under law and regulation (‘can we do it?’) to consider whether an action is appropriate or ethical (‘should we do it?’). The ‘can we/should we’ distinction is a recurring theme in the Inquiry.
This concept is permeating most corporate governance discussions today. The proposed revision of the ASX Corporate Governance Principles and Recommendations (edition 4) articulates the “should we do it?” question as preserving and maintaining a listed entity’s ‘social licence to operate’ (which requires an entity’s board and management to have regard to “the views and interests of a broader range of stakeholders than just the entity’s security holders”). Similarly, ASIC Commissioner John Price, quoting a Deloitte report, recently stressed that organisations today are “increasingly judged on the basis of their relationships with their workers, their customers, and their communities, as well as their impact on society at large—transforming them from business enterprises into social enterprises”.
The consideration of potential misuse of data has recently extended into this territory, beyond an analysis of what is legal to an analysis of what is ethical – with community expectations front of mind. Often consumer data available to companies and boards contains personal and sensitive information, and just as importantly, can be utilised or exploited in ways which are confronting to the average data user.
With the prevalence of rich data sets, this poses difficult ethical questions for companies and boards: “What should we do with this data that we have at our disposal?” Or, often more importantly, “What shouldn’t we do with the data we have at our disposal?” You have to remember that boards are also charged with driving shareholder value, and the majority of the targeting options available are legal.
Many of the largest and most successful businesses today centre around the collection and utilisation of consumer data. In these cases, the ethical questions are even more pressing and difficult for directors to answer. One example at the extreme end of the spectrum is Facebook’s reported ability to identify the emotional state of a user by monitoring posts and photos in real time to determine when people feel ‘stressed’, ‘defeated’, ‘anxious’ etc. With such a powerful analytics tool at its disposal, the ethical question facing Facebook’s board is whether it should exploit this data to maximise advertising revenue.
As it stands, the price that boards and companies pay for misusing the data at their disposal is, for the most part, a reputational price for non-compliance with community standards – culminating at its worst in a loss of office for board members who oversee unethical decision-making. However, as the corporate governance landscape shifts, so too will this outcome. The two cannot be seen in isolation. The role of the corporation (and, as a consequence, the idea of corporate governance) may be redefined to extend beyond simply maximising the interests of the company within the confines of the law, and the misuse of data is nudging things in this direction. The time is coming in Australia where companies and directors are expected to consider a broader range of stakeholders.
Reflections on the Royal Commission, the APRA Report and all the other corporate governance fireworks of the past 12 months are front and centre for all Australian directors. Considering how those sit with the possible implications of data misuse will be fundamental.
Avoiding the consequences of getting that type of “should we?” question wrong (or failing to ask it at all) needs to be a major focus for Australian boards right now.