Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s 2019 Global Risk Management Survey, it is one of the top risks of concern to companies. Deloitte surveyed companies as well and found that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.

Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.

The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at some of the crises that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have occurred, and many of them also involved reputational risks. Examples include:

- The financial and housing collapse and major recession of 2008
- Toyota implicated in recalls because of brake issues
- Major banks having their credit card customers’ names stolen by computer hackers
- Volkswagen implicated in a pollution emissions scandal
- Target’s customers had personal data stolen due to lax security systems; over 40 million credit and debit card customers were affected
- Sony Pictures: Sony as well as its employees had confidential information stolen

As you can see from the examples above, there are numerous kinds of crises that a company should be prepared to handle, especially in an international context. Among them are financial crises, natural disasters including pandemics, product failures, workplace violence, cyber-attacks or hacking, and, of course, terrorism. Most if not all of the examples above resulted in a serious reputational crisis, which in turn led to legal risk.

It is indisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand, which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.

The problem facing any risk manager or in-house counsel is that the media in today’s society has become very anti-business. As this anti-business culture of attack has gotten worse over the last twenty years, a crisis can no longer be handled by a simple PR or marketing statement. A full-fledged crisis management operation must be put in place. Damage control is now a very serious matter for any potential crisis, no matter how small. Today, more and more companies have to consider issues that negatively affect the company’s brand and how best to counteract them.

Key considerations when assessing potential brand or reputational risk caused by unethical or fraudulent behavior within the company or within the company’s supply chain:

- Compliance: does the Company have a compliance program and is it up to date?
- Compliance: do the compliance program and code of conduct promote an ethical culture within the company?
- Supply chain: have the Company’s vendors involved in the supply chain been vetted? Do they follow the Company’s code of conduct? Do they have compliance programs?
- Are there sound corporate governance and control processes in place?

Major considerations for handling brand risk once a crisis has started include:

- Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
- Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
- Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
- Does the Company have appropriate third-party consultants, including risk management companies and media crisis companies, in place to help mitigate reputational/brand risk once a crisis event takes place?
- Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?

Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.

Recent privacy concerns have caused many countries to beef up their data privacy laws and regulations. The EU, of course, is a case in point, as are Korea and others in the Asia Pacific region. However, the data privacy issues a company faces are really the tip of the proverbial iceberg. What about the electronically stored information (ESI) that companies hold? ESI exposes a company to a myriad of risks, data privacy being only one of them. Besides the multi-dimensional universe of data privacy, cybersecurity is also very important today as many companies and governments continue to get hacked; even cybersecurity insurance is getting popular. However, companies not only have to worry about getting hacked or running afoul of the latest data privacy laws and regulations. They must also consider what data to store at all, where to store it, how long to store it, and protocols for deciding how to analyze and review it, let alone where to find it if it gets lost. Failure to take the where, when and how into consideration can expose the company to unforeseen ESI issues, such as violating ESI discovery laws as well as the associated document retention risks.

Electronically Stored Information- Document Retention Risks and Concerns

If a company is involved with litigation in the United States, it has a duty to locate all relevant information, data, and documents—including ESI that are relevant to the case. This can be quite onerous, as it requires:

• Familiarity with document retention policies
• Involvement with IT personnel
• Communication to “key players” of the litigation hold
• Location and retrieval of all relevant information wherever that information might be

The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?

1. Plan of Action

A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located if possible. A document management plan should take the following steps into consideration:

• Assess the company’s current use of technology and documents.
• Locate all documents in the company’s possession.
• Use technology to help meet legal requirements.
• Retain experts or outside consultants to assist with the above or to help implement systems/processes.
• Implement policies and procedures addressing all legal risks posed by ESI.

2. Risk Assessment of ESI

To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:

• Seeking proposals from vendors (outside experts)
• Conducting a top-to-bottom analysis covering:
  • ESI and paper documents
  • Hardware and software
  • Management of data
  • Retention of data
  • Litigation holds
  • Disaster preparedness

3. ESI Implementation

The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that not only addresses a company’s business concerns but legal obligations as well can be disastrous. The development and implementation of a Legal Risk Management Program (LRM) addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.

For risk managers or in-house counsel, the development of a comprehensive ESI program is crucial. Talk to your IT folks. If necessary, enlist the help of outside ESI consultants. Get your hands around your company’s ESI. Implement an ESI document management program and implement processes to handle all associated risks.

Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law, the Personal Information Protection Act or “PIPA”. It first amended the PIPA in 2016 by adding additional regulations and requirements. Unlike some of its neighbors, however, South Korea has also enacted other laws over the last 2 years that place strict requirements on data privacy in other sectors such as IT networks, credit card information, cloud computing and online advertising. Recently, additional major amendments to PIPA were passed by the National Assembly of Korea because of Big Data/AI/IoT concerns.

The amendments to the PIPA that have been adopted include: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA. A short summary follows:

1. Key Provisions of the Amended PIPA

(1) Clarification of the definition of “personal information”

As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means, by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.”

(2) Introduction of “pseudonymized information”

The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.”
The amendment stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.

(3) Use of personal information within the scope reasonably related to the original purpose of the collection

The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject. The amended PIPA has relaxed the existing consent-oriented regulations which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection.

(4) Exclusion of anonymized information from the application of the PIPA

The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.
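To make the distinction between (2) pseudonymized information and (4) anonymized information concrete, here is an added example that is not part of the original post (and PIPA itself prescribes no particular method): a keyed hash (HMAC-SHA256) serves as one pseudonymization method, with the key and the token table as the separately held “additional information” needed to restore the original state, beside a simple anonymization that generalizes and suppresses quasi-identifiers. All records and the key are constructed.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people and resident numbers), each
# holding direct identifiers (name, resident_id) plus purchase data.
RECORDS = [
    {"name": "Kim Minjun", "resident_id": "900101-1234567", "age": 34, "city": "Seoul", "purchase": 120},
    {"name": "Kim Minjun", "resident_id": "900101-1234567", "age": 34, "city": "Seoul", "purchase": 80},
    {"name": "Lee Seoyeon", "resident_id": "850505-2345678", "age": 39, "city": "Busan", "purchase": 200},
    {"name": "Park Jihoon", "resident_id": "920202-1345678", "age": 32, "city": "Seoul", "purchase": 50},
]


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over resident_id).

    The key and the token->resident_id table are the "additional information"
    in the PIPA definition: whoever holds them can restore the original state;
    the pseudonymized rows alone do not identify anyone. Both must be stored
    apart from the dataset. Returns (pseudonymized_rows, reidentification_table).
    """
    rows, table = [], {}
    for r in records:
        token = hmac.new(key, r["resident_id"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = r["resident_id"]
        rows.append({"subject": token, "age": r["age"], "city": r["city"], "purchase": r["purchase"]})
    return rows, table


def spend_per_subject(pseudo_rows):
    """Statistical use of pseudonymized data: the same person always maps to
    the same token, so records still link without revealing who the person is."""
    totals = Counter()
    for r in pseudo_rows:
        totals[r["subject"]] += r["purchase"]
    return totals


def reidentify(token, table):
    """Restoring identity works only for the holder of the separately kept table."""
    return table.get(token)


def anonymize(records, k=2):
    """Anonymized information in the sense of (4): drop direct identifiers,
    generalize age to a 10-year band, and suppress any row whose (age_band, city)
    combination is shared by fewer than k rows, so that combining a row with
    other information does not single out one individual."""
    rows = [{"age_band": f"{r['age'] // 10 * 10}s", "city": r["city"], "purchase": r["purchase"]}
            for r in records]
    groups = Counter((r["age_band"], r["city"]) for r in rows)
    return [r for r in rows if groups[(r["age_band"], r["city"])] >= k]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated per run; keep it out of the dataset store
    pseudo, table = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo)
    print("spend per subject:", dict(spend_per_subject(pseudo)))
    print("re-identified with table:", reidentify(pseudo[0]["subject"], table))
    print("re-identified without table:", reidentify(pseudo[0]["subject"], {}))
    print("anonymized (k=2):", anonymize(RECORDS))
```

In the constructed data the Busan row is the only one in its (age band, city) group and is suppressed by `anonymize`, while the two Kim Minjun purchases still aggregate under one token after pseudonymization.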

(5) Transfer of the Network Act’s personal information-related provisions to the PIPA

The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party

Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing. Under the current PIPA, the data subject’s consent is not required for Outsourcing.

The new amendments to PIPA are meaningful in that they help provide clearer guidance to data handlers on what constitutes the lawful processing of personal information, as well as setting forth standards for the secure processing of personal information. The amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations shall take place in the upcoming months.

The other day I had lunch with a friend who was lamenting the fact that his company’s sales team continued to ink deals without any regard for risk. When he asked them why they continued to do so, the reply was “that’s the way we have always done things.” Unfortunately, many companies continue to plod along doing business without regard to risk. In fact, many companies fail to look at operational risk, which can lead to disaster down the road. In order for a company to succeed it not only has to have a sustainable business model but also has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? Maybe it’s time to re-examine your risk management processes. Do they really work?

When talking to your staff or to other departments, how often have you heard the phrase “That’s the way we have always done things”? Just because corporate processes have been done one way doesn’t mean that it is the best way or, in today’s fast-changing world, even the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if they have been set in stone. They are very hard to change, even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future.

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in-house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Maybe it did 5 years ago. But what about today?

Remember, if local or national laws have changed, maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed, maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? When reviewing your current product liability review processes, have you factored in the new risks created by the Internet of Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws?

It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that's the way things are done” your company should continue to operate as usual.

Equifax, Credit Agencies and Risk (Mis-)Management

Recently, one of the largest credit reporting agencies in the US, Equifax, joined the long list of companies that have been the victim of a major data breach. Equifax is now trying to explain how over 143 million Americans — effectively most of the U.S. adult population — had their personal data compromised.

The company tracks the detailed financial affairs of all Americans in order to gauge their creditworthiness. Along with TransUnion and Experian, it maintains personal data on millions of US citizens; once breached, that information can expose nearly every American adult to identity theft.

Why Tight Data Management is Crucial

Under the threat of massive litigation, which may cause its downfall, Equifax is finding out how important it is to protect the personal information of its users and why data privacy has become a growing area of concern around the world. There are five main reasons why data privacy has become a major area of extreme risk requiring the attention of a company’s management. They are:

Assessing Your Data Breach Risk

Managing the risks inherent in data privacy related issues can be quite a task. However, failure to adequately protect customers’ personal data will lead to great reputational harm and risk to a company’s brand.

In determining the risks a company faces, an organization must answer a series of painful questions, including but not limited to the following:

Only once these questions have been answered and the risks associated with personal data have been considered is a company in a position to create and implement a risk management process to handle its personal data. But remember: the tough questions must be answered first.
