All articles in Volume 11 Issue 11

New laws make reporting of data breaches mandatory

Boardroom Report

Directors are advised to ensure their organisations start implementing robust systems ahead of proposed legislation that will require companies to notify the Privacy Commissioner of "serious" data breaches and which will give the Commissioner enhanced powers.

This follows the introduction into Parliament at the end of May of the Privacy Amendment (Privacy Alerts) Bill 2013, which aims to amend the Commonwealth Privacy Act 1988. If passed, the Bill will come into effect in March 2014, together with the extensive Privacy Act reforms passed in November last year.

At present, while there are obligations in the Commonwealth Privacy Act to keep personal information secure, notification of a breach is voluntary and companies are encouraged to follow the Office of the Australian Information Commissioner's (OAIC's) guide.

However, Minter Ellison special counsel Veronica Scott says the proposed changes will require the Privacy Commissioner and "significantly affected individuals" to be notified about serious data breaches when:

  • Personal, credit and/or tax file information "held" by an entity has been subject to unauthorised access or disclosure, including when the loss of such information could compromise its security, in breach of the data security obligations in the Commonwealth Privacy Act (which will from March 2014 be new Australian Privacy Principle 11.1); and
  • The entity believes on reasonable grounds that the breach is "serious" because it will result in a "real risk of serious harm" to the individual. A "real risk" is defined as a risk that is not a remote risk and "harm" includes psychological, physical, reputational, economic or financial harm. The OAIC guide applies a similar standard for assessing risk.

Scott says a notification statement must be prepared as soon as practicable after the entity decides there has been a serious data breach. A copy of the statement must be provided to the Privacy Commissioner and reasonable steps must be taken to notify each significantly affected individual. This will include using the communication channels the entity has previously used to contact them.

The Privacy Commissioner can, however, exempt an entity from notifying the significantly affected individuals of a serious data breach if he or she considers that the public interest in not notifying them outweighs the need to inform – for example, if notification would impede a law enforcement investigation or is concerned with matters of national security.

Failure to comply with the proposed changes may result in investigations and determinations that may require the entity to apologise, pay compensation or take (or refrain from taking) certain action. In the meantime, Scott says directors should note that the reputational damage arising from a serious data breach can be significant.

"High-profile data breaches by both the private and government sectors are a hot topic in the media and no doubt have contributed to the impetus to the proposed mandatory notification laws."

She adds: "In the lead up to March 2014, organisations and agencies (whether subject to the Privacy Act or not) exposed to a data breach should consult the OAIC guide and consider notifying the Privacy Commissioner in order to manage the breach and mitigate any reputational damage it may cause, and review their privacy practices and procedures to minimise the risk of data breaches."

Scott's advice to directors is: "Good privacy is good business. The best way to avoid having to report a data breach is to prevent them from happening in the first place. As March 2014 approaches and the new reforms kick in, directors should be asking their organisations how they are preparing to comply with the new regime."

She warns that the new civil penalty regime that will also take effect from March 2014 means that organisations and individuals could face significant financial penalties for repeated serious data breaches. "Staff training is essential, as the reports are that most data breaches are caused by simple human error."

Scott says privacy and data security should be key items on the agenda of risk committees, in particular the policies and procedures for responding to data breaches, taking into account the requirements in the proposed legislation and the nature of the personal information the organisation handles.

"The disclosure of credit information and more sensitive personal information is more likely to have a significant effect on affected individuals. And all new systems being developed, which involve the use or processing of personal information, should include privacy by design and privacy should be built in to the business case for new projects."

"The arrangements for overseas disclosure of personal information should be reviewed because of the ongoing responsibility for data breaches by the overseas recipient organisations," she adds.

"Transparency and clarity in how organisations manage data privacy issues is key to good customer service and building a good relationship so that in the event of a crisis there is goodwill and cooperation with key stakeholders."

Adding a risk expert to your board

An international group of directors and chief risk officers has drawn up a guide to help organisations better govern risk by recruiting qualified risk directors to their boards and risk committees.

"An understanding of risk and its proper governance is not just about protecting organisations from large, unexpected losses, although that is very valuable," says David R Koenig, CEO of The Governance Fund Advisors and executive chairman of the Qualified Risk Director Governance Council. "Risk governance is equally about how organisations can pursue the goals they have established with more success. Qualified risk directors make those goals more achievable."

The Qualified Risk Director Guidelines were designed by the Directors and Chief Risk Officers group (DCRO), which consists of more than 1,600 directors, chief risk officers and other C-level executives from over 100 countries whose work involves the governance of risk.

In keeping with the spirit of the "audit committee financial expert", as defined by the US Securities and Exchange Commission in response to the Sarbanes-Oxley Act of 2002, the group's task was to define the attributes and experiences that would be optimal for a qualified risk director to be successful.

They found that any board member designated as a qualified risk director is likely to require personal, business, and educational experiences that are somewhat unique to the role. These are detailed in the guide. The guidelines, designed for voluntary adoption, are being distributed to companies around the world and to regulators that have shown an interest in advancing the governance of risk at the board level.

However, the guidelines note: "It is not sufficient that organisations simply adopt the Qualified Risk Director Guidelines in their selection of board candidates. Successful governance of risk requires that the proper corporate environment be established by the board and then developed by the executive." In many cases, such success may be predicated on positive answers to the following five critical questions:

  1. Does the organisation have the appropriate risk governance policies for its business?
  2. Does the organisation have sufficient and robust risk management processes along with timely and actionable risk reporting?
  3. Does the management culture around risk foster an open discussion of decision-making that includes and affirms risk explicitly?
  4. Does the organisation have appropriate talent in place to identify and manage risk?
  5. Does the board properly oversee (govern) the organisation's risk?

Saying no to workplace bullies

Bullies are not just confined to school playgrounds. They are also found in the workplace. But come 1 January 2014, new measures are expected to apply to make it harder for them to flex their muscles.

Gadens partner John-Anthony Hodgen warns: "Ignore bullying claims at your peril. It's the repetitive-strain injury claim of the 21st century and will be the weapon of choice for disgruntled employees."

Hodgen is referring to changes to the Fair Work Act 2009, which includes new powers for the Fair Work Commission (FWC) to stop workplace bullying while also expanding the entitlements of employees. They will affect the right to request flexible work arrangements, union right of entry, hours of work, award penalty rates and parental leave.

On 21 March 2013, the federal government introduced the Fair Work Amendment Bill 2013 into Parliament in its further response to the recommendations of the Fair Work Act Review Panel from 2012 and the House of Representatives Standing Committee on Education and Employment's report, Workplace Bullying: We just want it to stop.

On the issue of workplace bullying, Hodgen says: "Directors have an obligation to ensure as far as is reasonably practicable the work health and safety (WHS), including the mental well-being, of workers, which is widely defined. These changes definitely up the ante in terms of general WHS compliance and potential for liability more generally where systems are found wanting or directors are involved in aiding or abetting a contravention."

He explains: "A worker who is being bullied at work will now be entitled to apply to the FWC for an order to stop the bullying. If a 'stop bullying order' is breached, the worker, a Fair Work inspector or a union can apply to the Federal Court, Federal Magistrates Court or an eligible state or territory court for relief.

"The practical implications for employers and workplaces are wide-reaching and will, if implemented, require employers to more proactively train staff, investigate, manage and mediate claims of such nature."

Hodgen says directors must be satisfied that:

  • They have an adequate complaints handling system which can be escalated internally for quick intervention.
  • Their organisation has clear, well-defined examples of unacceptable behaviour in their workplace bullying and harassment policy.
  • They make non-compliance penalties clear and are prepared to enforce them through the use of just and fair disciplinary processes.
  • The anti-bullying policy is disseminated to all staff through suitable training programs.
  • The employee relations and human relations functions are resourced and trained to deal with bullying.
  • Where practical, suitable employee assistance programs are accessible to staff.
  • A suitable risk assessment is undertaken quickly when a complaint is raised to determine the level of its seriousness, its risk and what can be practically implemented to manage the situation.
  • Their organisations seek advice or assistance where necessary.
  • Their organisations look at Safe Work Australia's draft Preventing and Responding to Workplace Bullying code of practice.

In handling the changes, Hodgen advises boards to ensure their organisations do not:

  • Try to hide or dismiss complaints.
  • React hastily or without advice.
  • Discount training and education as effective tools to assist in the management of the risk.

"Well-designed and well-implemented training and education supported by a well-defined and fair disciplinary process can and do work."

In addition, Hodgen says boards should be:

  • Looking at complaints reporting and seeking to analyse bullying trend patterns.
  • Enquiring about staff satisfaction surveys and considering what they are really telling the board and whether they are designed properly to help manage this risk.
  • When using contractors, asking what training, policies and procedures they have in place and whether they are at the same level as their organisation's.

Is your board dysfunctional?

Does your board have directors who trust each other, are committed, are comfortable with conflict, hold each other to account and are focused on results?

If not, David Doughty, CEO of UK-based Excellencia, believes your board is likely to have some degree of dysfunctionality and is possibly in need of an intervention.

"I have been working with boards of organisations of all sizes in all sectors for a number of years and most of them exhibit some degree of dysfunctionality," says Doughty, who uses a board evaluation and diagnostic tool based on the book by Patrick Lencioni, The Five Dysfunctions of a Team.

He notes if there is no trust on the board, directors will:

  • Conceal their weaknesses and mistakes from one another.
  • Hesitate to ask for help or provide constructive feedback.
  • Hesitate to offer help outside their own areas of responsibilities.
  • Jump to conclusions about the intentions and aptitudes of others without attempting to clarify them.
  • Fail to recognise and tap into one another's skills and experiences.
  • Waste time and energy managing their behaviours for effect.
  • Hold grudges.
  • Focus time and energy on politics, not important issues.
  • Dread meetings and find reasons to avoid spending time together.

Similarly, Doughty says that if directors fear conflict, they will have boring meetings, create environments where back-channel politics and personal attacks thrive and ignore controversial topics that are critical to board success. They will also fail to tap into all the opinions and perspectives of board members and waste time and energy on posturing and interpersonal risk management.

In addition, a board that fails to commit to being a team:

  • Creates ambiguity among the board about direction and priorities.
  • Misses opportunities due to excessive analysis and unnecessary delay.
  • Breeds a lack of confidence and fear of failure.
  • Revisits discussions and decisions again and again.
  • Encourages second-guessing among directors.

Dysfunctional boards are unable to create clarity around their direction and priorities and cannot align directors around common objectives. They move forward with hesitation and are unable to learn from mistakes.

Further, a board that avoids accountability:

  • Creates resentment among directors who have different standards of performance.
  • Encourages mediocrity.
  • Misses deadlines and key deliverables.
  • Places an undue burden on the chairman as the sole source of discipline.
  • Does not ensure poor performers feel the pressure to improve.
  • Does not identify potential problems quickly by questioning one another's approaches without hesitation.

Doughty adds that if a board is not focused on results, the organisation will stagnate or fail to grow, rarely defeat competitors, lose achievement-oriented employees, be easily distracted and encourage individualistic behaviour where board members focus on their own careers and individual goals.

So what should boards be doing? According to Doughty, directors who can agree with most of the following are likely to be sitting on more effective boards:

  • Board members are clear on what is expected of them.
  • Board meeting agendas are well planned so that the board is able to get through all necessary board business.
  • Most board members come to meetings prepared.
  • Written reports to the board are received well in advance of meetings.
  • All directors participate in important board discussions.
  • Different points of view are encouraged and discussed.
  • All directors support the decisions reached.
  • The board has a plan for the further development of directors.
  • Board meetings are always interesting and frequently fun.

Doughty asks: "How many of the above statements were you able to agree with? If you disagreed with a number of them, the likelihood is that you are a member of a dysfunctional board ... If your business has a dysfunctional board, it is also likely to be a dysfunctional business."

Giving marketing a seat in the boardroom

A new paper makes a case for marketing's seat around the boardroom table in the new customer-centric world.

The paper, Marketing's Role in the Boardroom – An Evaluation Framework for Boards and Directors, notes that Australian boards have been asking the wrong questions of their marketers.

Issued jointly by the Australian Marketing Institute (AMI) and Deloitte, it also suggests that directors would benefit from a better understanding of the marketer's critical role in contributing to business strategy as well as to its development and execution.

"In an era of major digital disruption, where many Australian businesses are responding too slowly to challenges posed by new, internet-based business models, boards need to respond to the increasing power of the connected customer and focus their business strategy and operations on the customer's needs," says Deloitte partner and chief marketing officer David Redhill.

"Our recent Board Effectiveness research with chairmen and CEOs of the ASX 200 indicates that many Australian businesses in all sectors are reacting slowly to digitally disruptive change, and that those adapting their models are generally doing so because a competitor has already beaten them to it.

"It appears that the businesses being most profoundly disrupted are those that know the least about their customers, while the ones succeeding are the ones building their knowledge of their customers, deriving insights from their markets, and improving their marketing effectiveness and audience engagement through a continuous data feedback loop."

The report notes: "For many organisations, marketing is the fuel that powers business strategy. It is intrinsic to how organisations develop and position their services and offerings, approach and deliver customer service and satisfaction, and to how they connect and communicate with other businesses and the community. Ultimately, marketing is critical to how organisations find and keep customers, make money and grow.

"Yet despite its importance, few organisations have granted marketing a seat at the boardroom table; directors have tended to regard it as a curious mix of art and science, less manageable than other functions that boards discuss and monitor.

"Directors may recognise that non-financial measures, such as customer loyalty and brand recognition, are lead indicators of their organisation's financial health. And, indeed, academic research demonstrates this quite clearly. Yet, the absence of clear, embedded formulae for marketing effects on business strategy success makes it difficult to factor into board governance and oversight.

"Recent research indicates that board directors cite growth, strategy and talent management as the most critical issues Australian boards are facing. It follows then that a board's oversight of marketing as a driver of growth, a central thread of corporate strategy and a major factor in talent attraction and retention, is critical. It is time to revisit marketing's role on the board agenda and how to harness it effectively."

According to the paper, the role of the board with regards to marketing is to:

  • Assess the alignment of marketing strategy with overall corporate planning and financial objectives.
  • Ascertain that marketing planning has comprehensively identified all major marketing potential and environmental threats, and optimised this within the opportunity set.
  • Ensure the chosen strategy is executable and appropriately resourced and supported.
  • Review results and outcomes on a regular basis.

However, key marketing activities and programs such as market research and promotional campaigns should be understood by the board without a requirement for direct, day-to-day oversight or management.

The paper suggests eight steps a board can take to assess current and future marketing performance:

  1. Identify marketing assets. Understand the potential sources of value that can be leveraged from the company's brand, customer base and collaborative relationships.
  2. Identify the metrics being used to measure the health and performance of each marketing asset. Understand the commercial rationale behind the metrics used.
  3. Identify changes to these existing metrics and the factors influencing these changes – for example, evolving market dynamics, ongoing competitor actions and shifts in business strategy and operations – relative to the previous period and strategic plan.
  4. Assess the value added by marketing in the previous period. Investigate the implications that changes in marketing assets have had on business value, relative to strategic plan and other possible past actions.
  5. Identify significant market issues, opportunities and risks and how they can be managed.
  6. Assess whether the current marketing plan adequately takes advantage of opportunities available, relative to other feasible alternatives.
  7. Evaluate period performance forecast based on planned marketing investment. Establish projected targets for marketing assets at the end of the period.
  8. Assess whether the proposed level of investment in marketing assets is appropriate to realising strategic plans.