Board members receive sensitive information to perform their corporate governance and risk management oversight roles. They also generate and exchange information with other Board members and with company business executives. Additionally, Board-level information governance considerations often include an added layer of complexity: many or most Board members are not company employees, and transmittal of information to and among Board members may be through channels external to company email systems.
How are the company and its Board members managing Board-level information? What types of on-boarding, director education, and information governance practices are implemented at the Board level? Do Board members understand that Board-related information they receive or generate may be potentially discoverable in the litigation context—particularly in cases where Board member conduct is at issue or Board members are key players?
Whether information is transmitted by a board portal or hard copy, and whether communications among Board members and business executives occur through a shared board site, company-issued email addresses for Board members, or personal or other email accounts, connecting the dots between company information governance programs and Board-level information makes good business sense.
Practical Considerations - Getting Started
Following are several considerations in assessing and enhancing Board-level information governance practices and integrating Board-level and company information governance practices.
- Identify types of Board-level information and channels for Board member communications. Determine what types of information Board members receive from the company and the channels used to disseminate and share information. Assess whether company information governance policies address this information and how company expectations are communicated to the Board. Questions to consider include:
- What types of information do Board members receive and generate (e.g., Board books, Board minutes, company business briefings or legal or risk reports, audit committee hotline information, email communications regarding company and Board business, etc.)?
- Are these information types addressed in company records retention policies or schedules? Are retention expectations communicated to Board members?
- How are Board books and materials distributed to the Board? Are materials that are distributed electronically encrypted?
- How does the company communicate with Board members (e.g., via email, Board portal, etc.)?
- How do Board members communicate with each other about Board business?
- Does the company provide a company-issued email address for Board members?
- Do communication channels include personal email accounts or corporate email accounts that may belong to the Board member's employer such that company information is commingled with information on personal computers or computers that belong to another company? If information is commingled, do Board members understand the potential privacy and confidentiality considerations that may come into play? What types of information security measures are in place?
- Determine where Board-level information resides. Official Board records are likely maintained by the company's corporate secretary and identified as record types within the company's records management programs. Also consider where information sent to Board members outside of company walls may reside and how the company would execute any legal hold procedures or collection efforts, as appropriate. In addition, consider possible practices to help avoid having unique Board-related business information stored on personal or non-company issued devices. Questions to consider include:
- What group/who within the company maintains the company's Board-related documents?
- Are Board-related document types included in company records management or retention schedules?
- Does the company use a Board portal or e-books and what types of retention or preservation practices are in place?
- May Board members download Board information or materials to their personal computers or devices or annotate Board materials received electronically? Does the company define how email attachments and any Board-related business notes taken on devices should be handled?
- Do Board members commingle Board-related information with other information on personal mobile or computing devices and do they understand potential consequences of commingling such information?
- Consider company information governance policies and how they address Board-level information. Identify company policies that may apply to Board-level information and determine whether and how they may address Board-level information management and preservation practices. Questions to consider include:
- Does the company have specific Board-level information governance policies geared toward specific information types for the Board?
- Do company information governance policies address or extend to Board-level information and how are expectations communicated? Types of company information governance policies to consider include the following:
- Electronic communications policies (e.g., email, social media, mobile or personal device, etc.);
- Records retention policies (and whether Board-level record types are identified);
- Service level agreement provisions with any cloud or software providers for Board portal services;
- Legal hold policies; and
- Policies and procedures with regard to exiting or retiring Board members.
- Assess company preservation and collection practices and how they may apply to Board members and Board-related information and communications. As part of these assessment efforts, some questions to consider include:
- Do company processes for preserving and collecting electronically stored information ("ESI") extend to information within the possession of your company's Board members?
- Are any adjustments needed to help ensure that Board members receive any relevant notifications and preservation communications?
- Does the company have a plan to collect Board member information if necessary?
- What role do attorneys play in assessing whether any Board-level information should be collected?
- Do company personnel responsible for preservation and collection have processes in place to include and address Board members and their information if necessary?
- Communicate company expectations with regard to company business information. Determine how company expectations regarding information security and information governance are communicated to the Board and whether these communications might be enhanced or refreshed. Questions to consider include:
- How does the company communicate expectations with regard to maintaining and safeguarding company business records and information?
- Are Board members provided with copies of company information governance policies that apply to them?
- Do policies address potential privacy and confidentiality considerations in the event that Board members receive and/or communicate company-related matters on personal computer systems or devices or otherwise commingle Board information with other information? What types of communications or measures are in place to help avoid having unique Board-related business information stored exclusively on any such devices or systems?
- Determine how information lifecycle governance practices apply to Board-level information. Assess how company information lifecycle governance policies and practices apply to Board information. Questions to consider include:
- Do company policies address Board-related information that is no longer needed for business or legal purposes?
- How do Board member agreements or arrangements address these issues?
- What happens to company information when Board members resign or rotate off the Board?
Board Member On-Boarding and Training Opportunities
Consider how information security and information governance issues are addressed in Board-level on-boarding and training programs and whether there may be opportunities to enhance these programs. Topics to consider addressing include:
- Information security and maintaining Board-related information as secure and confidential;
- Company information governance policy expectations and requirements for ESI and other Board records and information;
- Company legal hold and preservation policies and how they may apply;
- Potential discoverability of Board member information and communications; and
- Potential privacy implications and risks of commingling any Board-related ESI with personal or work-related ESI.
In today's electronic information age, information types, channels, and networks are increasingly complex. Board members perform important oversight functions and are privy to sensitive company information. As companies consider their internal information governance practices, consider taking steps to determine how those practices apply to Board-level information. One size does not fit all, but taking an integrated approach with regard to people, policies, and practices can help bridge gaps and advance company efforts to appropriately and defensibly manage its information. Consider connecting the dots on information security and information governance to help enhance enterprise risk management and e-readiness practices—at the company level, the Board level, and vis-à-vis the company and the Board.