Companies increasingly boast to the public markets about their massive digital transformations and the value of their extraordinary customer insights. In this way, data is emerging as a crown jewel asset with unique corporate-governance implications under state and federal laws. For those firms touting data and other digital resources as among their most valuable assets, compliance with evolving cybersecurity and privacy laws, regulations, customer expectations, digital norms, and best practices will be the key to unlocking this value. By the same token, when compliance and policy gaps become pronounced, data and other digital assets can become toxic; not only will they fail to serve as drivers of corporate value, but they may generate significant liabilities. This category of “toxic” data can cause firms to incur massive litigation costs and regulatory fines and penalties, as well as major reputational damage that can destroy brand equity and erode market share. In light of recent signals by the U.S. Securities and Exchange Commission that it intends to focus on these risks, companies and their advisors must now anticipate that well-funded teams of regulators will aggressively monitor corporate disclosures and investigate compliance in an effort to carry out their mission to protect investors and maintain fair, orderly, and efficient markets. In response to this evolutionary enforcement moment, this Article provides the first comprehensive review of the corporate governance of data and other digital assets under state business-entities laws and the federal securities laws, paying special attention to evolving fiduciary responsibilities to monitor, oversee, and report on the risks associated with what we call toxic data.
