Directors make big-picture decisions that can mean success or failure for a company. If directors cannot share information and discuss options openly, corporate governance will suffer. Recent events, described below, show the threat posed to essential board-level dialogue. Companies should review their policies and procedures to ensure their directors? security and confidentiality in performing their critical duties.
Reuters reported on Oct, 20, 2011, ?Hackers who infiltrated the Nasdaq?s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies[.]? The report further asserted that the hackers ?attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things.?
The hackers thus gained access to ?confidential documents and the communications of board directors? for ?scores? of directors.
The Director?s Desk hack is not an isolated incident. Rather, this serious, public alleged compromise of executive communications just makes concrete a widespread problem that has deserved more attention than it has received. The picture painted by the 2011 Thomson Reuters Board Governance Survey was particularly bleak.
The global survey of corporate and company secretaries and general counsel revealed a ?broad lack of security measures in communicating with board members.? The survey showed that many directors communicated through channels not appropriate for secure communications.
For example, ?A substantial majority of boards send documents to board members via non-commercial email accounts (such as Yahoo, Gmail and Hotmail).? The survey showed that most boards do not encrypt communications to board members. Those surveyed also reported uncertainty as to which company or personal devices directors use to store communications and how those devices are secured when off-site. ?In terms of physical security, ten percent of responding corporations report that they have had board members? laptops, mobile devices or sensitive documents either lost, stolen or left in public places.?
First, companies cannot rely on their directors to adopt secure communications practices on their own. People tend to communicate using the most convenient method available, with limited thought to security. Directors are no exception to this rule. Unless directors are provided practical guidelines and technical and administrative support, sensitive communications may continue to be routed through insecure channels and stored on insecure devices.
Second, companies should maintain a healthy dose of pessimism about technological solutions to the secure communications problem. No technology is perfect, and none is immune from the prospect of intrusion.
For example, the Center for Information Technology Policy at Princeton University has consistently shown that electronic voting machines and online voting systems can be compromised and the results of elections fixed. As shown by the Director?s Desk incident, director communications platforms are subject to the same sort of vulnerabilities. While boards must employ a certain amount of technology in routine communication, for the most sensitive communications a paper only distribution may make sense.
Third, companies should consider providing security support for the home offices, personal computers, and personal mobile devices maintained by directors. Security support can include technical support to ensure proper virus protection and scanning on home laptops, assistance to directors in choosing appropriate security settings, information regarding minimum security standards for operating on home and public WiFi networks, the provision of software to enable cryptographically protected storage and proper ?shredding? of electronic files, a commercial virtual private network (VPN) for internal director-to-director communications, delivery and retrieval of paper communications, and/or provision of cross-cut shredding equipment for home office use.
Because directors tend to be older than the average employee, such technical assistance may, on average, be particularly needed and welcomed.
Fourth, companies should train directors in how to report the loss or theft of confidential documents or records, whether in hard copy or electronic form. How soon should a director report a loss when an important document may just be momentarily misplaced? Who specifically should a director contact with an issue? How? Once directors have proper training, compliance and legal departments must be prepared to respond should such a report be filed.
Lastly, companies must make the personal costs of compromise clear to directors. Stock prices rise and fall based upon decisions made by boards of directors. For most modern companies, information is its greatest asset. If persons with criminal intent intercept communications to or among the directors, those persons may inflict serious damage to the company. If that interception occurred because directors and officers acted recklessly in handling confidential data, a potential exists for shareholder derivative actions or for suits seeking to impose personal liability.
To some directors, communications security may seem to be an operational matter, something that the company can provide for boards without the directors? active assistance. That simply is not the case. Just as companies must provide their directors with information and support, directors must cooperate with reasonable guidelines intended to promote confidentiality. Together, directors and compliance and legal officers can substantially improve the security of sensitive corporate communications.
**********
About the Authors
Mark Melodia leads Reed Smith?s Global Data Security, Privacy and Management practice, regularly counsels on data breach incidents for health care, financial services and technology clients, and has defended privacy class actions brought by consumers and employees in more than sixty cases throughout the country.
As a partner in the Reed Smith team, Paul Bond provides privacy compliance advice for national and international companies in the finance, healthcare, retail, and telecommunications industries.
?
?
Tags: board of directors, information security
mariska hargitay gmcr ohio news caracal beef wellington beef wellington ronnie brown
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.