5 steps companies can take now to improve their data privacy and security | Environmental, Social and Governance (ESG) Best Practices | Orrick, Herrington & Sutcliffe LLP


Environmental, social and governance (ESG) factors are increasingly at the center of investor and stakeholder concerns. Companies today are expected to have policies and strategies that focus on long-term value creation and provide greater visibility on a wide range of topics outside of traditional financial metrics, allowing stakeholders to better understand the ESG risks and a company’s growth opportunities.

The focus on ESG includes holding companies accountable for how they manage cybersecurity risks and protect consumer data. Cyberattacks and data theft are among the top threats to businesses, risking long-term damage to a company’s finances, legal standing and reputation. The impact these threats can have on customer privacy makes privacy and data security a human rights issue that falls squarely within the “Social” category. Additionally, existing regulatory requirements and security guidelines that focus on how a company manages these risks, and on its disclosures about them, also make privacy and data security a very topical “Governance” factor.

Shareholders and consumers must be able to evaluate the controls and processes a company maintains over a variety of privacy and cybersecurity topics in order to assess the company’s ESG risk. Below we explain five best practices that shareholders, clients and ESG rating agencies focus on when assessing a company’s ESG fitness with respect to data privacy and security, and the steps companies can take now to improve their compliance posture in this important area.

  1. Consider additional disclosures
  2. Establish information security policies and standards
  3. Identify, manage and continually mitigate risks
  4. Ensure buy-in from C-Suite and board members
  5. Report Data Breaches

1. Consider additional disclosures

Transparency in how companies collect, protect and use data can help address ESG concerns. To meet the expectations of shareholders and other stakeholders, companies must assess the quantity and quality of their disclosures regarding data privacy, security risks and governance. This includes providing shareholders with more information about a company’s privacy and data security governance mechanisms, policies and processes. For example, proxy advisor Institutional Shareholder Services (“ISS”) rates a company’s ESG programs, in part, on whether the company discloses such things as net expenses incurred as a result of information security breaches, time elapsed since the last information security breach, the use of insurance, certification to certain information security standards, and the prevalence of information security training. It also takes into account governance factors such as the frequency with which the board is informed of information security issues and the number of directors with information security experience who serve on the board.

Given this interest in information security disclosure, companies need to consider whether it is appropriate to communicate more about how privacy and data security issues are handled by management and to disclose more about the extent and nature of board oversight of cybersecurity risk. In addition to the types of topics of interest to ISS, ESG disclosures may also include topics such as the nature and extent of law enforcement access to consumer information, if any, and a description of the company’s approach to behavioral advertising and user privacy.

However, companies must also balance the benefits of disclosure with other concerns, including protecting their trade secrets and maintaining the necessary flexibility in business processes. Given the heightened interest of the Securities and Exchange Commission and other agencies in the accuracy and completeness of disclosed information, companies must also be careful to create and follow strong disclosure controls and procedures. The appropriate information will be different for each company, depending on its risk profile and internal needs.

How to start:

Assess your current level of communication with stakeholders and customers regarding privacy and cyber topics and determine if there is more that could be appropriately disclosed in line with ESG best practices.

2. Establish information security policies and standards

To the extent that they are not already doing so, companies should implement deliberate monitoring processes and policies that address every phase of the data lifecycle, including data collection, data processing, data storage, data aggregation and analysis, and data usage, and that may themselves be the subject of additional disclosures.

As the international patchwork of data privacy and security laws and regulations continues to emerge and evolve, organizations need to stay abreast of new compliance requirements and adapt their policies accordingly.

Companies should also consider using third-party cybersecurity standards, such as the ISO/IEC 27000 series or the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework). The use of these standards can not only help manage information security risks, but also present opportunities for additional disclosure to meet shareholder and stakeholder expectations.

How to start:

On the privacy side, at a minimum, make sure you have a public privacy policy that covers all of your data usage. On the security side, establish a comprehensive written information security program and incident management plan (including disaster recovery and business continuity). Reconsider your use of third-party cybersecurity standards.

3. Identify, manage and continually mitigate risks

Actions to mitigate information security risks should include regular inspections and audits of privacy and cybersecurity policies and systems, both internally and with business partners, vendors and suppliers. Data breaches are not limited to company systems; they can also result from weak security in the systems of business partners, vendors and suppliers. For this reason, companies must conduct data security audits throughout their value chain.

It is important that companies provide training on privacy and cybersecurity requirements to all employees and ensure that attendance is documented. By educating employees about security threats and training them on the procedures to follow when a threat is identified, companies strengthen their protection against cybersecurity threats.

Audits and trainings can also form the basis of ESG disclosures that address the interests of shareholders and other stakeholders.

How to start:

Create a regular schedule to perform audits on your privacy and data security policies and systems. Continuously monitor the information security policies of your business partners, vendors and suppliers. Assess your employees’ understanding of company data security processes and policies. Determine if there are any gaps in their understanding and start developing ways to improve current trainings and mitigate risks internally.

4. Ensure buy-in from C-Suite and board members

A company’s board of directors should be informed and oversee the company’s privacy and data security strategy. There are many methods boards can use to provide this oversight. Many companies delegate information security oversight to the audit committee or other committees tasked more specifically with ESG or technology oversight. Charters should clearly reflect this responsibility.

All companies should consider whether, in addition to committee oversight, there should be a regular cadence for full-board review of information security matters, or whether the current cadence of board review is appropriate to the risk and opportunity profile of the business. Companies should also ensure that the relevant committee and the board receive the information they need to effectively oversee information security issues, and then make any necessary adjustments.

Additionally, boards should consider whether there is a need for directors with information security experience (e.g., CTOs) on the board, and whether this skill set should be a focus of future board recruitment and/or disclosed as part of the director skills matrix.

How to start:

Discuss your board’s involvement in the company’s data security strategy, assess whether there are broader organizational opportunities to improve board and committee oversight of corporate information and data security issues, and increase the board’s expertise in privacy and data security.

5. Report Data Breaches

Data and security breaches can happen to even the best-prepared and most hardened companies. If and when breaches occur, companies should follow a well-thought-out and documented process to determine when and how to disclose information about these incidents. Key business decision makers should be involved in determining whether and how to disclose significant incidents. Disclosures may include information such as the total number of substantiated complaints received regarding breaches and the total number of customer data leaks, thefts or losses identified. Consider disclosing the existence of this process, and some of its high-level features, to meet the interests of shareholders and other stakeholders.

How to start:

Create a thoughtful and well-documented disclosure control process dealing with both emergency incidents and non-emergency complaints that includes leaders with an appropriate level of seniority. Consider what disclosure may be appropriate about the business process.
