Whether due to poor data privacy protections, weak cybersecurity controls and oversight, or anticompetitive behavior, the financial and reputational costs for noncompliance with regulations continue to rise, with governments more determined than ever to make violating the law as painful as possible to companies’ bottom lines. This aggressive enforcement approach is particularly acute in the technology, media and telecommunications (TMT) industry, where there’s an intensification of legislative and regulatory efforts globally to rein in companies that are perceived to have unfettered power and influence.
TMT companies are fighting to balance the pull of current and future regulations with the need to constantly push innovation. How does a responsible technology firm behave in this environment? In the white paper “Finding Equilibrium in an Era of Heightened Regulation,” Protiviti tackles these tough questions and provides some guidance, starting with a framework of how companies can increase their understanding of the changing expectations of today’s consumers, governments and other key stakeholders in order to make better business decisions.
In a tweet last month, U.S. Representative David Cicilline, chair of the House’s Subcommittee on Antitrust, Commercial and Administrative Law, wrote that “the American people want us to #ReinInBigTech, and that’s exactly what we’re going to do.” Cicilline is one of the chief sponsors of the American Innovation and Choice Online Act, a legislative measure designed to block tech giants from favoring their own products and services. A Washington Post article described this bill as “the epicenter of a massive power struggle between Washington and Silicon Valley.”
In addition to an increase in active legislation, enforcement actions have become more common. In the United States, the Federal Communications Commission, the Federal Trade Commission and the Department of Justice are among the agencies leading this effort.
Given this dynamic, TMT companies with U.S. operations, as a first step, should be clear-eyed about the current state of their compliance program and how the program stacks up against trends in enforcement and regulation. Having this enhanced understanding would allow them to improve or scale their program, including remediating issues, as needed.
Across the Atlantic, there are also growing pains. In late April, the European Union passed the Digital Services Act (DSA), which aims to protect the digital space against the spread of illegal content (e.g., hate speech, child sexual abuse) and protect the fundamental rights of users (e.g., restrict advertising targeting children). The DSA, which contains very broad language, requires large digital platforms and services to analyze systemic risks they create and to carry out risk-reduction analysis. It is yet to be determined, however, how the EU plans on enforcing the new law, which comes with hefty fines and a potential outright ban for repeat offenders.
In the absence of a DSA-like federal law in the United States, a number of states (at least 11 as of the date of this blog’s publication) are conducting investigations into how social media platforms use algorithms that promote violence and cause mental health issues in children. States are leading the effort to regulate internet content because they see the federal government moving too slowly.
As one example of U.S. federal government inertia, state legislators point to the federal government’s inaction on the Child Online Protection Act (COPA), which was passed in 1998 to restrict access to material defined as harmful to minors. The law never took effect, and after several rounds of litigation, a permanent injunction against it was entered in 2009. In recent weeks, following the mass shooting incident in Buffalo, New York, which was livestreamed by the shooter, the issue of regulating online content has flared up again, and New York Governor Kathy Hochul has blamed social media platforms for not doing enough to stop the spread of this violent recording.
Meanwhile, the war between Russia and Ukraine has also affected the relationship between governments and major tech firms. For example, the threat of cyberattacks from Russia or from state-sponsored actors, and the fear that some tech companies might knowingly or unknowingly allow their products and platforms to be misused by Russia or its proxies, are inviting regulatory scrutiny around the world. Given these concerns, TMT organizations need to reevaluate the risk of using software or hardware that is made in Russia (or China) or owned by entities there, so that supply chain integrity is a priority within their overall cyber resilience management. Read our recent blog “Geopolitical Tensions Exacerbate TMT Industry’s Top Risk Concerns” for more on the war’s impact on the industry.
But it is not just Russia that’s driving concerns about supply chain integrity. The U.S. Justice Department has made it clear it will pursue companies that violate Section 889 of the National Defense Act (which targets companies doing business with five Chinese companies) and Executive Order 14028 (which requires companies to conduct full risk assessments of their cyber supply chain network). Under the order, companies seeking to do business with the U.S. government are required to vet third-party providers and continuously assess their vulnerabilities and the consequences of those vulnerabilities.
To achieve this objective, companies should put together a baseline of security standards by developing a framework for a software or hardware bill of materials that supports the government’s required attestation form. Clearly, this is an issue that is getting bigger and will impact more companies in the coming years. According to one estimate, 45% of organizations worldwide will have experienced an attack on their software supply chain by 2025.
Last year, the Justice Department created the Civil Cyber-Fraud Initiative, a task force utilizing the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The goal is to hold entities and individuals accountable if they knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or neglect to monitor and report cybersecurity incidents and breaches.
Data privacy remains the most consequential issue for TMT companies. In the United States, states like California have taken the lead on data privacy regulation, with many more expected to follow.
As discussed in this blog post, there’s also been a steady increase in enforcement by the FTC against alleged privacy violators. Last year, the agency banned a spyware maker and its chief executive officer from operating in the surveillance industry, accusing them of secretly harvesting and sharing mobile data on people’s physical movements, phone use and online activities, and leaving the information exposed on the open internet. And in the EU, there are growing calls for additional privacy regulations around the use of artificial intelligence and machine learning, efforts that will only increase with the rollout of more Internet of Things devices.
What Companies Can Do Now
As a whole, the TMT industry faces significant challenges developing a culture of compliance, as the industry has not been heavily regulated in the past, with companies focusing instead on a culture of innovation and a first-to-market attitude to drive success. Those days are gone.
Established and emerging companies will need to focus on building capabilities, including staffing up on compliance, risk management, legal, privacy and legislative expertise, with clearly assigned roles and responsibilities. As part of this effort, companies should consider hiring an independent consultant to ensure that they are operating within policy, regulatory and ethical standards. Additionally, it may be prudent for some to create a chief trust officer role that will ensure the company acts with integrity and the highest ethical standards when it comes to corporate behavior in a digital environment.
Companies should also implement a comprehensive risk management framework that will enable them to break down risk silos throughout the organization and conduct regular risk assessments. Assessing and reacting to the impact of evolving regulations and enforcement on their business model should be a key part of this process. Also, many companies will need help developing a data-driven, transformative risk framework model that can evolve at the same pace as innovation.
As an example, companies should seriously consider creating a comprehensive data privacy program, if they haven’t already, and making it an embedded process. Check out this blog post on four actionable steps that technology companies can take to bolster their data privacy programs. And finally, there has never been a more appropriate time to leverage new and emerging technologies that will enable compliance with data-intensive and time-sensitive regulatory requirements.
Read Finding Equilibrium in an Era of Heightened Regulation for more recommendations on how technology companies can act responsibly and take strategic actions during these uncertain times.
Protiviti Managing Directors Matthew Moore and Kaitlin Kirkham-Cooper, as well as Associate Director Roxanne Miller, contributed to this blog post.