The information security concerns relating to employees using their own devices for work (such as smart phones, netbooks and laptops) are a hot topic. Although “bring your own device” or BYOD is here to stay, the practice of employees using their own devices for employment duties creates information governance challenges.
What about the role of BYOD at the level of the board of directors? Corporate officers, including the corporate secretary, frequently communicate with board members through electronic means. Directors are also likely to communicate with one another between meetings through electronic means. It is not uncommon that these electronic communications may include preliminary evaluation of strategic matters, legal advice, draft employee compensation arrangements, material contracts and draft financial reports.
This post examines some of the duties of directors with respect to the use of their own devices and email accounts. Subsequent posts will set out the case for a board information governance policy and examine some of the elements of such a policy.
Is it really a problem?
Before dismissing the information governance challenges related to electronic board communications, consider the following questions:
- How often is information sent to directors at personal email addresses or to email addresses belonging to other companies that may employ the director?
- Does the corporation have a good handle on the device and security standards being used by directors when they are handling some of the most sensitive material non-public information of the corporation?
- What assurance is there that third-party technology policies do not create rights in the information sent to those third-party accounts, such as, for example, when a director is employed by another company?
- What happens if confidential information is retrieved and stored on a director’s personal device and the device is lost or stolen or lacks security protection? Is the device capable of being wiped?
A director’s duty to protect corporate information
A director has a duty to bring the care, diligence and skill of a reasonably prudent person to the protection of confidential corporate information.
Directors owe a statutory duty of care in fulfilling their obligations to the corporation. Paragraph 122(b) of the Canada Business Corporations Act, RSC 1985, c C-44 (CBCA), for example, provides that directors and officers must “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances”.
In addition to the duty of care, directors of Canadian business corporations owe a duty of loyalty to the corporation. The duty of loyalty is a common law duty that has been incorporated into most corporate legislation in Canada. For example, paragraph 122(a) of the CBCA provides that every director must act honestly and in good faith with a view to the best interests of the corporation.
The Supreme Court of Canada has described this “statutory fiduciary duty” as including a duty to maintain the confidentiality of information acquired by being a director. This statutory duty also typically prohibits directors from using information acquired by virtue of their position for personal gain.
Even leaving aside the fiduciary duties of a director, a duty of confidence may arise anytime a person receives information that has a quality of confidence about it in circumstances in which there is an express or implied obligation of confidentiality.
Issues for directors to consider
The care, diligence and skill to be exercised by a reasonably prudent director depend on the circumstances. There is, therefore, no single prescriptive information governance practice that will fulfil a director’s statutory duty of care. The types of controls that a director may wish to consider deploying depend on the sensitivity of the information and its importance to the corporation.
Below is a checklist of questions that a director may wish to review as part of determining whether the director’s information governance practices are consistent with, and capable of, fulfilling the director’s duties of confidentiality to the corporation.
Device and Network Security
- Is the device only used by the director or is it shared with other people, such as family members?
- Are all devices on which the director views electronic communications and material secured by a strong password (at least 8 characters containing at least one number, one capitalized letter and one symbol) and protected by anti-virus software that is frequently updated?
- Are all devices on which the director stores corporate information encrypted? If not, are there particular types of information that should not be stored on those devices, such as personal information of employees and officers or material non-public information relating to merger discussions or financial results?
- Is the device enabled with a remote wiping technology in the event that it is lost or stolen?
- Is the director using the device while connected to wifi? If so, does the director use only secure wifi connections? Is the director’s home network protected by a firewall?
Account and Information Security
- Does the director access information through a secure portal? If not, are there particular types of sensitive information that should only be available in this way?
- Is the director receiving information through an email address to which others have access, such as an administrative assistant? Should those third parties be bound by a confidentiality agreement?
- Is the email account protected by a strong password? Is email encrypted when transmitted? Are email and other electronic records encrypted when stored?
- Is the email address provided as part of a cloud-based service? If so, does the director understand what limitations there are on that service?
- Does the director have the technical skills to understand whether information retained on the device is being collected, used or stored by other applications without the director’s knowledge?
- Is the director storing electronic records on a third-party’s system? If so, are the records password protected or logically separated from records that can be viewed by others? For example, are records received by the director stored on his or her employer’s systems in a manner that would permit others to view or otherwise inspect those records?
- Does the director print material? Is that material stored in a secure location? Who else has access to the information?
- Does the director have the technical and administrative capability to comply with the corporation’s records retention policy? For example, does the corporation’s records retention policy require retention of emails between directors about the corporation’s business for a defined period of time? Is the director able to ensure compliance?
- If the director is using the email or electronic storage services of another corporation in which he or she serves as an employee, will the director have access to that email if he or she is no longer employed by that corporation? If not, has provision been made to migrate those records in the event of retirement or dismissal?
- Does the director have the technical and administrative capability to comply with a litigation hold in the event that litigation arises and records created, retained or received by the director are responsive to the issues in the litigation?
- Has the director mixed personal and business uses on the device in a way that will make it more likely that the director’s personal records or records relating to his or her duties to another corporation will need to be inspected in the event the device must be produced for litigation purposes?
These issues may be daunting for directors. However, there are technological solutions. Directors may wish to consider more structured ways to receive board information, such as through secure portals or third-party cloud-based board communication service providers.
In subsequent posts on this topic, I’ll look at these issues from the perspective of the corporation embarking on creating information governance policies for the board.