The security and information governance issues that arise with "bring your own device" or BYOD are not restricted to employees of the corporation. These issues also affect information governance practices when communicating with the board of directors. In my previous post in this series, I examined the duties that directors have in safeguarding corporate information and the questions that directors might ask themselves in assessing whether they are being prudent and diligent.

This post examines the case for a board information governance policy. The last post in this series will address the elements of a board information governance policy.

The purposes of a board information governance policy

The fundamental reasons for developing a board information governance policy are (1) to establish expectations regarding the standard of care the directors are expected to bring to the management of corporate information and (2) to assist directors through corporate procedures and technology in fulfilling their duties to protect that information.

The special position and risks of BYOD and directors

Directors occupy a special position within the corporation. Except with respect to matters reserved to shareholders, the board of directors is the ultimate decision-maker. Information that directors receive is likely to be highly sensitive corporate financial and strategic information, which may not become publicly known until authorized for disclosure by the board.

The board of directors of a public corporation will be comprised of at least some non-management directors. Unlike senior officers and management directors, these "independent directors" are unlikely to be working on corporate-owned or corporate-controlled devices. These directors may not even use corporate-controlled email accounts. Instead, these directors may be using personal email accounts or those of their employer. Electronic communications with these directors and among the directors as a group will, therefore, be mediated through non-corporate-controlled information technology systems, notwithstanding that the directors are likely to be dealing with some of the most sensitive information of the corporation.

Independent directors are also more likely to have other employment or sit on the boards of other corporations. This introduces the possibility of the commingling of the corporation's information with information of third parties in a way that will complicate the application of the corporation's records retention and security policies.

Consider, for example, the simple issue of a corporate information security department being able to remotely control the corporate director's mobile device to enforce security protocols. If a director is also using the same device to receive information from his or her employer and another corporation on which he or she sits as a director, who, if anyone, should have control over that mobile device? What are the consequences if the device is remotely wiped by one corporation resulting in the loss of information relevant to the other corporation?

The case for the board information governance policy

The utility of a board information governance policy is that it provides the flexibility to recognize that the information governance challenges at the board level, and for senior officers communicating with directors, may be different from those relating to other employees. It gives the directors an opportunity to set out guidelines to govern their information practices, and it heightens attention to cybersecurity issues at the board level at a time when security regulators are increasingly requiring corporations to disclose material cybersecurity risks and breaches.

The next and last post in this series outlines the elements of a board information governance policy.
