May is here and, like Y2K before it, this may be one of the more cautiously anticipated moments in business because of the oncoming wave of privacy and cybersecurity regulations coming into force in Europe. Europe’s far-reaching General Data Protection Regulation, more commonly known as GDPR, affects organizations with operations in the EU’s common market. The countdown to Y2K saw a cottage industry emerge promising Y2K readiness, as cyber Armageddon was deemed inevitable since computer clocks would allegedly not record the year 2000. GDPR readiness has evoked similar fervor and apprehension as consultants and privacy lawyers, armed with countdown clocks of their own, foretell grave consequences. Unlike Y2K, which proved to be a dud, GDPR will be truly consequential for business and the world. The wave of U.S. privacy and cybersecurity debacles suggests a Dodd-Frank-styled privacy overhaul may be in the making, lest the U.S. cede privacy and cybersecurity governance to the Europeans.
Organizations should generally be concerned about GDPR and their readiness for it, especially since its carrots-and-sticks regulatory approach is light on the carrots and heavy – and troublingly ambiguous – on the punitive side. Firms caught in GDPR breaches can be fined up to 4% of their global turnover or €20 million. This regulatory regime, coming into effect in an era of national retrenchment where the rules-based system of global trade and harmonization is frayed, will likely lead to greater tensions across the Atlantic. Indeed, the prospect of an information security and privacy arbitrage, where companies seek out data privacy havens, may yield a race to the bottom. This zero-sum approach will be harmful for people, markets and regulators, especially as they all grapple with complex cyber threats that respect neither board rooms nor borders. The Facebook privacy debacle, which felled Cambridge Analytica and handed Mark Zuckerberg a terse EU summons, offers a compelling post-mortem on the complexity of privacy regulation. Facebook’s Capitol Hill hearings revealed how ill-equipped policymakers are to get ahead of fast-moving systemic technology firms and the risks ubiquitous connectivity poses to the world.
Nevertheless, for the attempt at public good and for creating a global equilibrium on privacy and cybersecurity norms, it is reasonable to expect a wave of new regulations. A domino rally of failed privacy and cybersecurity hygiene offers some guidance on what we can expect of prudent policymakers, that is of course if we can find any. The Verizon-Yahoo merger, for example, on the heels of Yahoo’s massive 3 billion-record data breach, underscores the lack of adequate investor protection on cyber due diligence. Although this merger went through, the price correction of $350 million is a hefty price to pay, adding to market volatility and increasing the price of acquisitions, mergers and divestitures while lowering overall deal volume. The spike in the number of cross-border deals being killed on national security grounds by the Committee on Foreign Investment in the U.S. (CFIUS) is certainly not helping the case, and is making it harder than ever for international investors to read the temperament in the U.S.
Prospective investors who stop at legal and financial due diligence are doing their shareholders a disservice, which will yield acrimonious legal battles, in turn adding to the costs of investment flows and the heartache of buyer’s remorse. This is even more confounding when investments pursue intellectual property or intangible value that may be exiting through a cyber backdoor, as the latency of cyber threats goes undetected for years. Indeed, investors would be well advised to assume cyber vulnerabilities of the keyboard and chair variety, especially as nativist employees in a target company go rogue, to the more sophisticated technological breaches, which can lie dormant and undetected. Increasing the standards of practice for cyber pre-investment due diligence can provide reasonable assurance in the market and a seal of cyber hygiene protecting investors and deal integrity. No such measure exists today, and it should.
Sadly, most regulatory regimes, like Dodd-Frank, are backward-looking, regulating yesterday’s crisis to control for tomorrow’s risks. By this measure the Equifax breach, which exposed personal data on more than 150 million people – about the size of the U.S. workforce – was another example of privatizing gains while socializing losses. Nothing tempts policymakers to reach for their red pens and rolls of red tape more than a large-scale consumer debacle. On this score, the Equifax breach has echoes of the 2008 financial crisis that gave birth to Dodd-Frank. Indeed, the EU has recognized that in an age of rampant cyber threats protecting consumer privacy must be a central pillar of any regulatory regime. GDPR recognizes the primacy of individual data giving people the right to be forgotten, wherein firms must erase records they hold in their databases of EU citizens if prompted. Neither the enforceability nor the observance of this right to be forgotten will be easy as people’s digital breadcrumbs are spread far and wide across the dark recesses of the internet. All the more so, as basic standards of cybersecurity care are hardly observed in even the largest firms, let alone at the household level.
Like GDPR, a U.S. regulatory response to the Equifax breach should espouse the centrality of individual privacy, while at the same time querying the systemic nature of firms like Facebook, consumer credit bureaus like Equifax, and payroll providers like ADP, among other systemic institutions hiding in plain sight. These firms productize people’s data without rewarding them, yet insidiously expose them to financial risks, identity theft, cyber extortion and fraud – all matters far too complex for the average consumer to navigate, hence the regulatory spiral. Consumers, in turn, would be wise to remember that if you are not being paid to provide a service (or paying to access it), you are very likely the raw input for a product. In this world where all of our online behavior, like so many “digital tramp stamps,” may come back to haunt us, the right to be forgotten cannot rewind the clock if you are already exposed. This is the classic definition of a moral hazard, wherein companies externalize the consequences of their risky behavior, getting away with little more than a slap on the wrist, an executive golden parachute and the occasional Congressional hot seat.
Drawing a finer parallel to Dodd-Frank, which imposed more stringent risk-adjusted capital standards on banks along with greater degrees of disclosure, the lack of recognition of intrinsic cyber risks and their cumulative effect in publicly traded firms (and in the market writ large) is a massive blind spot imperiling global financial stability. Indeed, Equifax offers consumers, executives and policymakers a teachable moment. For the 5 years preceding the breach, Equifax barely recognized that cyber threats, privacy and security are board-level priorities. The firm’s annual reports during this period reveal as much, prioritizing growth and profits over risk management, prudence and governance. This low level of cyber risk governance would be damning of any publicly traded company, but all the more so for one that is nothing more than the central repository of millions of personally identifiable records and other data points. We can no longer accept a gap this big in risk disclosure while claiming businesses are being caught flat-footed by cyber threats, especially following the volley of wake-up calls like the WannaCry ransomware attack, which spread to 150 countries over a weekend.
Clearly, a regulatory regime for risks that evolve according to Moore’s Law – with a digitally indifferent generation of technophiles born with an iPhone in their hands and data being likened to the new oil – will be fraught with gaping holes. The biggest of these is the lack of a normalized (accounting or GAAP-conforming) way of recognizing the enterprise value of data (EvD), along with the risk contribution of and dependencies on informational assets. How this shows up on the balance sheets of the world’s largest firms, which can be brought to their knees by cyber threats, leaves trillions in risk exposure misunderstood and unhedged. If U.S. regulators are to have a riposte to the wave of privacy and cybersecurity debacles and an answer to GDPR, which will see escalating fines against U.S. firms, this last point will do more to ward off systemic threats than all the others.