The security and information governance issues that arise with “bring your own device” or BYOD are not restricted to employees of the corporation. These issues also affect information governance practices when communicating with the board of directors. In my previous post in this series, I examined the duties that directors have in safeguarding corporate information and the questions that directors might ask themselves in assessing whether they are being prudent and diligent.
This post examines the case for a board information governance policy. The last post in this series will address the elements of a board information governance policy.
The purposes of a board information governance policy
The fundamental reasons for developing a board information governance policy are (1) to establish expectations regarding the standard of care the directors are expected to bring to the management of corporate information and (2) to assist directors through corporate procedures and technology in fulfilling their duties to protect that information.
The special position of directors and the risks of BYOD
Directors occupy a special position within the corporation. Except with respect to matters reserved to shareholders, the board of directors is the ultimate decision-maker. The information directors receive is likely to be highly sensitive corporate financial and strategic information, which may not become publicly known until the board authorizes its disclosure.
The board of directors of a public corporation will include at least some non-management directors. Unlike senior officers and management directors, these “independent directors” are unlikely to be working on corporate-owned or corporate-controlled devices. They may not even use corporate-controlled email accounts; instead, they may be using personal email accounts or those of their employer. Electronic communications with these directors, and among the directors as a group, will therefore pass through information technology systems the corporation does not control, notwithstanding that the directors are likely to be dealing with some of the corporation’s most sensitive information.
Independent directors are also more likely to have other employment or sit on the boards of other corporations. This introduces the possibility of the commingling of the corporation’s information with information of third parties in a way that will complicate the application of the corporation’s records retention and security policies.
Consider, for example, the simple issue of whether a corporate information security department should be able to remotely control a director’s mobile device in order to enforce security protocols. If the director also uses the same device to receive information from his or her employer and from another corporation on whose board he or she sits, who, if anyone, should have control over that device? What are the consequences if the device is remotely wiped by one corporation, resulting in the loss of information relevant to the other?
The case for the board information governance policy
The utility of a board information governance policy is that it provides the flexibility to recognize that the information governance challenges at the board level, and for senior officers communicating with directors, may differ from those relating to other employees. It gives the directors an opportunity to set out guidelines governing their own information practices, and it heightens attention to cybersecurity issues at the board level at a time when securities regulators are increasingly requiring corporations to disclose material cybersecurity risks and breaches.