Managing Sensitive Information

Effective governance relies upon free and open deliberations among board members to reach a conclusion. Privacy is obviously essential for this process, and therefore, utilizing an electronic board portal can help in a number of ways. Designed with confidentiality as a primary objective, board portal access is restricted only to board members and select executives. All sensitive information is held within this protective envelope. This eliminates any risk of unauthorized viewing by IT or support staff. Portals provide a closed-loop email system subject to document retention policies, permitting a full and complete purge of individual messages. This allows boards to hold unfettered, private discussions without having to worry about how their deliberations might sound taken out of context.

Clearly, though, the board’s final decisions and supporting materials must be preserved, and here is where a board portal’s document retention capabilities can help. The general counsel can determine a preferred policy for the retention period and set up rules that will stand up to external scrutiny. This supports any requirement for discovery in a professional and time-sensitive manner. Further, the most recent portals are able to extend their document retention policies to locally stored documents on board members’ laptops, an essential but sometimes ignored part of the process. This is particularly relevant for boards whose directors annotate their board books prior to meetings.

Privacy versus transparency

At first glance, the requirements for privacy and transparency seem to clash. Most of the corporate governance scandals over the last few years have hinged upon companies shielding the true nature of their finances from public disclosure. It’s not unreasonable for shareholders to question whether this emphasis on privacy is just more of the same. Surely the owners of the company have a right to know exactly what is going on in the boardroom?

Transparency is only effective if the information shared is accurate. Too often, attempts at examining every piece of information can create an atmosphere where people spend their time manipulating the information for external presentation, rather than focusing on debating a difficult decision. This effect is already well understood in areas such as medical records and attorney-client privilege. In both these areas, the benefits of privacy in encouraging honest disclosure among a restricted set of parties outweigh the benefits of uncovering fraud.

Boards need to address difficult decisions, many of which exist within an uncertain legal framework. For a large global company, decisions may need to take into account different national jurisdictions, particularly with regard to competition and cartel laws, which can vary greatly. What is legal in one country may not be in another.

Consider also the threat of lawsuits. A significant amount of board time may be spent deliberating legal matters arising from shareholder class-action suits, patent infringements, and HR-related claims. Surely the intraboard deliberations should be subject to the same privilege, whether or not an attorney is present. Difficult decisions often require the evaluation of unpalatable options. Taken out of context, these could cause real harm.

If directors are constantly looking over their shoulders, knowing that everything written will be recorded for future review, their response will be simple and predictable—they won’t write it down. They will go back to voice-based and face-to-face collaboration. This will slow down and harm the process of deliberation, with no increase in transparency.

It is self-evident that transparency is critical for effective corporate governance. But this also means accuracy and fairness, if it is to have any meaning. Supporting privacy of deliberation ensures that boards can arrive at the best possible decisions that can then be held up to public scrutiny.

It would be wrong to imply any of this is easy and that choosing the right balance is straightforward. Different industries, companies, and boards will choose different policies, and these may change over time. Ultimately, the role of technology is to implement what that policy is, not to dictate it purely on the grounds of what is technically feasible.

Technical requirements

While keeping Web-based content secure is a fairly mature and understood area, extending that security perimeter to include laptops is much harder. But the need is pressing. All one has to do is turn on the news to be reminded how often large files of sensitive information are lost because of laptop theft. Leaked board content such as M&A proposals and financial forecasts can have substantial fiscal consequences. Premature disclosure of restructuring or HR issues can have a devastating impact on employee morale.

Also, discoverability can be a major source of anxiety for directors. Private laptop content can include e-mails and casual annotations that, taken out of context, could be misleading and damaging.

General disk encryption and password-protected documents alone do not support any form of centralized document retention. Other approaches often require a user to sacrifice ease of use to improve security. This compromise is frequently unpalatable to the user or unacceptable to the IT department. On one end of the spectrum this might include draconian measures such as prohibiting downloading of data or even a ban on the physical movement of computers. On the other end of the spectrum, and certainly more common, are those situations where security standards are gradually but significantly lowered, or even blatantly circumvented until no more standards exist and data is regularly exposed, sometimes resulting in serious information leaks.

However, the latest generation of board portals employs sophisticated functionality to support the twin requirements of privacy and discoverability for both centrally stored and locally stored content. This functionality includes six key features:

  • A closed messaging system in lieu of regular e-mail—Regular e-mail is copied in several third-party servers as it travels across the Internet. Even encrypted content would still disclose the existence of communications between named parties.
  • A guaranteed deletion program—Too often, IT systems maintain backup copies of content with no regard for retention policies.
  • The ability to support document retention policies—This is important both for central repositories and for locally downloaded content.
  • The ability to manage rights access across disparate groups—These groups may include individual directors, committees, executive staff, inside counsel, and the corporate secretary’s office.
  • Having no audit trails of director deliberations.
  • A full encryption of content—This must be maintained at all times, both at rest and in transit, as well as both centrally and locally.

Conclusion

For boards that operate in an increasingly fast-moving corporate environment, systems must assure the privacy of deliberation, which is essential to effective governance. For the corporate secretary, automated syncing and content push gives organizations a rapid-response capability to ensure that directors always have the latest updates at their fingertips. For the general counsel, remote purging allows enforcement of the preferred retention policy and gives a firm handle on discoverability.
