This is the third post in a series on BYOD (bring-your-own-device) and the obligations of directors relating to the protection of corporate confidential information. The first post examined the issue from the perspective of the director’s statutory fiduciary duty and duty of care. The second post made the case for a board information governance policy. This post examines the content of a board information governance policy.
The elements of a board information governance policy will vary with the nature of the corporation, the sensitivity of the information, the importance of the information to the corporation, the technical skills of the directors, and the willingness and financial ability of the corporation to invest in technological solutions. The following is a non-exhaustive list of possible topics for inclusion in a policy.
Scope of the Policy
a. Scope of confidential information
A board information governance policy should define the scope of confidential information. At a minimum, this will include all material, non-public information about the corporation and all personal information collected or used by the corporation. However, the corporation may also owe express or implied duties of confidentiality to third parties, such as suppliers, business partners, shareholders and clients, among others. It is desirable to include this type of information under the policy as well.
b. Application of the policy
A board information governance policy should also describe the types of communications and records that are governed by the policy. Does the policy only apply to communications between corporate officers and the directors or to all records relating to the director’s duties or to specific classes of records? Although the focus of this post is on electronic communications, a board information governance policy may also address printed material.
Information Technology and Security
a. Security requirements on director-owned devices
A board information governance policy might define for directors the minimum security requirements for director-owned or third-party-owned devices. The policy could also provide directors with a point-person who can assist the director in implementing those requirements or assessing compliance with them.
The content of the security requirements should be determined in consultation with the corporation’s technology department. Consideration may be given to requiring that all devices be protected by strong passwords and remote wiping technology. The policy may require operating systems of a particular version or higher with anti-virus protection of a particular version or higher.
In situations where the board is expected to receive extremely sensitive information, the corporation may require the director to agree to permit the corporation to install software allowing the corporation to control the device and wipe the device remotely. A corporation may require that directors receiving or storing highly sensitive information or personal information of employees do so only on encrypted devices.
b. Use of personal or third-party email accounts
The board information governance policy might provide guidance on the use of personal or third-party (e.g. the director’s employer) email accounts. The corporation should consider whether the use of personal or third-party accounts is consistent with the corporation’s record retention and information security policies.
If personal or third-party email accounts are permitted by the corporation, consideration should be given to establishing clear guidelines regarding the terms of service for those accounts, back-up requirements and disaster recovery protocols.
If non-personal third-party accounts are being used, such as an account provided by the director’s employer or another organization in which the director is involved, special attention should be given to determining whether the policies related to those accounts are in conflict with the corporation’s interests. It is not uncommon for employers to claim the right of ownership and the right of inspection of all communications conducted through the employer-provided email account.
a. Commingling of information
A board information governance policy should establish the corporation’s expectations regarding the commingling of corporate information with the director’s personal information or information related to the director’s employment or duties in connection with other corporations.
In addition to assessing whether commingling presents problems relating to the corporation’s records retention programs, consideration might be given to whether commingling creates an unacceptable risk of inadvertent disclosure.
The corporation should also consider electronic discovery issues in the event that the corporation’s information must be extracted for litigation. This is not simply an inconvenience issue. Is the corporation prepared to have its records reviewed in the course of another company extracting information related to litigation involving that other company?
b. Records retention and destruction obligations
A board information governance policy may address special records retention and destruction obligations relating to board materials and communications.
For example, what is the corporation’s policy regarding corporate records in the possession or control of the director at the end of his or her service? Are all records to be destroyed? If the director will retain the records, is it necessary for the corporation to have an express agreement with the director to maintain those records for a minimum period of time and to provide the corporation with access to the records as may be required?
Another special issue may be records relating to committee work, including special committees appointed to review major transactions. Not infrequently the corporate secretary and management directors will be excluded from the work of these committees. Consideration should be given to whether and how those records will be retained without interfering with the independence of the work of those committees. If those records are to be retained, how will they be retained if the directors are using personal or third-party information technology and email accounts?
Even the basic application of a corporate records retention policy may involve special adaptation to the board. For example, if a director is using an email system controlled by a third party, such as the director’s employer, is the records retention policy applied to that email system in conflict with the corporation’s records retention schedule? Will directors during and subsequent to their service be asked to destroy records in accordance with a records retention schedule? Should any special consideration be given to records relating to the board’s conduct during major corporate transactions, such as mergers and acquisitions or dispositions?
c. Litigation hold obligations
A board information governance policy might clarify the director’s obligations with respect to the preservation of electronic records in the event of litigation. The policy may require directors using their own devices and personal email accounts to provide access to those devices and accounts for the purposes of preserving and gathering information that is relevant to the litigation. A board information governance policy will also describe the limits on that access. For example, it may be unreasonable to demand access if the director has been sued by the corporation or in situations where the corporation refuses to provide a defence to the director or is otherwise adverse in interest to the director.
Additional issues should be addressed if directors are permitted to use email accounts and information systems that are not controlled by the directors, such as those controlled by the director’s employer. Will the director be responsible for ensuring that the third party will provide access to those systems for the purpose of preserving and gathering relevant electronic information?
a. Special Classes of Communications
A board information governance policy may also set out protocols for handling particular types of communications. Prior to developing these protocols, the corporation may wish to employ a risk analysis of the likelihood and consequences of a breach of confidence relating to particular classes of communications.
A protocol for quarterly financial information might require password protected or encrypted formats. Directors may be prohibited from communicating about undisclosed financial results by email unless password protected or encrypted. Similarly, information relating to proposed executive compensation may be sufficiently sensitive to warrant special procedures. Communications and documents relating to a merger, a major acquisition or disposition, or litigation might be restricted to secure portals through which directors could access information and communicate with one another.
Protocols may also restrict communications to certain electronic addresses. For example, the board information governance policy may require directors to use designated email addresses for communication and not resort to text messages, instant messaging services or PIN messages or forwarding email from a work account to a personal account at the cottage. These alternative methods of communication may be convenient when dealing with a major, urgent event, but may also create security, record retention and litigation management problems precisely when those issues matter most to the corporation.
Informational Conflicts of Interest
a. Sharing information with corporate parents or subsidiaries
A board information governance policy could also address potential conflicts of interest relating to information. For example, in the case of cross-appointments between parents and subsidiaries, what are the duties of directors regarding corporate information? Appellate courts in Canada have yet to wrestle to the ground the problems created by information sharing in a corporate group, although one appellate court has commented in a judicial aside that it seemed impractical to say that the directors of a subsidiary can never tell its secrets to the parent company. Nevertheless, should there be official, documented channels of communication in order to manage issues where there may be emerging conflicts of interest or where sharing of information might result in a loss of privilege?
b. Sharing information with nominating or appointing shareholders
There is significant potential for informational conflicts of interest in the relationship between a director and his or her nominating or appointing shareholder. Leaving aside securities laws issues relating to selective disclosure, the basic corporate rule appears to be that the director is required to maintain confidentiality. This may, of course, lead to a conflict between the director’s duties to the corporation and the director’s duties to his or her nominating shareholder.
A board information governance policy may address this situation directly for the mutual protection of the director, the corporation and the shareholder. The policy may require official, documented channels of communication. The policy may also address whether in these circumstances it is appropriate for the director to use email accounts, devices or information systems owned or controlled by the shareholder, in order to avoid the perception of impropriety.
Building Board Capacity and Compliance
a. Assistance and Education
Although directors may have a statutory duty to supervise the management of the corporation, non-management directors may not know who within the organization to call to get assistance or how to obtain information on technological issues associated with complying with their duties to protect the corporation’s information.
Consideration might be given to providing directors with direct access to a knowledgeable information technology and security professional who can assist the director in securing his or her devices and home networks and troubleshoot issues that the director has. The simple act of setting up a separate email folder on a smartphone or assisting the director in installing personal, remote wiping software may greatly enhance the security of the corporation’s information.
Depending on the technical sophistication of the directors and the technology and security complexity of the corporation’s information governance and records retention standards, corporations may also wish to consider providing education to directors upon first appointment and periodically thereafter.
b. Breach Disclosure
Directors should also have a clear understanding of what the corporation considers to be a breach of confidentiality, as well as of the director’s duty to report a breach. Directors should understand the protocol to follow if a tablet, laptop or smartphone containing corporate confidential information is lost.
c. Self-Audit and Review
Board self-evaluation might include consideration of whether directors and the corporation are complying with the board information governance policy. Periodic review of the board’s actual practices against the information governance policy is advisable not only to enhance compliance but also to ensure that the information governance policy is practical and does not become an unintended liability in litigation as a result of not being followed.