Investments, from purchasing a home to leasing a building to acquiring a business, are routinely checked by independent third parties contracted to provide assurance on safety and compliance and to flag issues that could be red flags. When it comes to digital compliance, however, most businesses either have no independent inspection at all or rely on the service providers who did the work to self-certify it. Although digital interaction is now a significant part of business strategy, logistics and operations, the governing principles that apply elsewhere are not applied to it in any standardized way.

Corporate governance is a critical component of business management, and businesses need to recognize that it's time for a change in their governing principles to ensure that digital compliance becomes a regular part of business operations.

Where to start — assigning accountability

Before assessing a business's compliance with digital risk mandates and guidelines, first identify who will monitor compliance and how. Without accountability, a business may not have the requisite ownership of the risk to ensure it is properly addressed. The responsibility for digital risk varies by organization and is often fractured, with certain aspects being watched by different managers. Some duties have fallen to the information technology (IT) department within a business, while others may fall to marketing, public relations (PR) and sales.

While IT may report to a chief information officer (CIO), a chief technology officer (CTO), a chief security or chief information security officer (CSO or CISO), a director of technology, an IT manager, a general manager or an operations officer, those individuals are rarely supervised by a "risk manager," a director of risk management or legal counsel. The marketing, PR and sales staff rarely have the understanding of what is legally permissible and their interaction with the IT staff may be limited to ensuring that their desired content is reaching the target audience. The marketing, PR and sales staff likely will report to a national sales manager, a marketing executive or an operations manager. On occasion, those individuals may consult with an in-house or outside attorney. However, the compliance obligations are typically viewed as an operational function, rather than a risk mitigation function.

Ultimately, however, it is the owners' or C-suite executives' responsibility to ensure that a business is legally compliant and is not exposed to unnecessary financial risk. Accordingly, a business needs to determine who will be charged with the responsibilities for ensuring that the online exposure is kept to a minimum, and the owners and C-suite executives need to determine who at the upper ranks of the business will monitor the performance of such individual(s) and hold accountable those in charge of the various points of risk.

Identifying the risks

Once accountability for compliance is assigned, that individual or team must determine where the risks are and from what activities they emanate. Risks can be general, industry-specific, location specific or company-specific. At the very least, a business should recognize the following among other concerns:

  • Registration of Touch Points/Accounts — It is critical for an organization to have a clear understanding of who holds title to each account (domain names, hosting, DNS, social media and similar touch points). Title affects liability, reputational risk and legal control. For example, if a business owner or a related entity registers a domain name in his, her or its own name rather than the business's name, that individual or entity may bear responsibility for whatever appears at the website to which the domain resolves. A practical first step is an inventory of every such account that records the registrant or account holder of record, who holds the login credentials, and who is authorized to change them.

    If the business has numerous corporate entities, and the domain or account is in the name of an entity that becomes embroiled in a public relations mess, such title holding could risk the reputation for both the business involved and the business holding title to the account.

    If the account is registered or owned by an in-house IT professional or an outside IT services company, and the relationship sours, the business may face a difficult and costly fight to regain control of the account. While the business will typically prevail, the expense of lawyers is not the only cost: a scorned individual can take damaging actions in the interim. For example, a disgruntled former IT employee who still controls the domain could redirect it to a porn site or another highly toxic or divisive site.

  • Content Management Risks — Websites and social media are primarily focused on content — the information or impression a business wants to convey and how. There are numerous risks associated with content including, but not limited to the following:
    • Copyright
    • Trademark
    • Trade Dress
    • Trade Secrets
    • Rights of Privacy and Publicity
    • Web Accessibility
    • Content Collection
    • Content Trans
    • Language/Translation
    • Child Protection
    • Storage and Content Stability
    • Expandability and Technical Concerns
    • False Advertising, False Endorsement, False Affiliation
    • Defamation/Trade Libel
    • Brand Integrity
    • Government Concerns — Laws, Rules and Regulations.

It is critically important for a business to understand where the risks are present and how best to avoid exposure and mitigate the risk. For example, businesses are sued regularly for infringing uses of images and music, violations of rights of publicity, false advertising and lack of web accessibility, among other claims. The cost of defending these claims, the distraction from core business operations while doing so, and the reputational damage that may result all justify spending resources to avoid such claims in the first place.

  • Data Security and Privacy/Cyber Risks — It is critical for a business to ensure its systems are secure, and that internal actions (e.g., opening attachments to emails) or the introduction of third-party programs, code and functions do not adversely impact the control that a business has over its data. Exposures can include, but are not limited to:
    • Malware, including redistribution to clients, customers and others
    • Data Loss
    • Data Tampering
    • Ransomware
    • Phishing and Smishing
    • Credit Cards and Financial Data
    • C-Suite Fraud (e.g., targeting executives to authorize financial transfers)
    • Trade Secrets
    • Failure to Function
    • Denials of Service
    • Vandalism and Reputational Damage
    • Falsified User Identities
    • Right to Be Forgotten, Right to Correct Information, Limitation on Use of Data
    • Human Failures
    • Governmental Compliance — Laws, Rules and Regulations.

Over the past several years, cyber claims have grown despite greater awareness of such risks and greater spending to prepare for and prevent them. While businesses may be spending more money to secure their systems and avoid exposure, they often lack independent oversight of the person accountable for that work and of whether it is succeeding. It is not sufficient for an internal IT professional to self-certify the actions they are taking to secure the business's systems; someone outside that reporting line should verify them.

  • Functionality/Experience Failures, such as:
    • Accessibility (whether individuals with disabilities can actually use the site or service)
    • Code Compliance
    • Privacy, Cookies, Tracking Technologies
    • System Controls
    • Broken Links
    • Outdated

Every business will have unique risks and, depending on its geographic location and industry classification, there may be additional factors to consider (for example, privacy law compliance, minimum age for use, and disclosure of specified health or financial information). Businesses may also want to consider their social impact and the reputational issues that can arise from it (such as the carbon footprint of operating a website full of duplicative or outdated content, or content that touches political or sensitive societal preferences).

Each business owner, manager and C-suite executive with supervisory and accountability responsibilities will need to determine the issues that are particular to their business and how important compliance is in each area. Vendors and lawyers offer audit services, but, ultimately, the information the business itself provides is what determines compliance, so a business needs a resource that is educated on both the risks and the requirements for compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.