Many Corporate Boards Are Pretty Much Waiting to Get Hacked, Report Says

At this point, the lengths companies go to in order to protect data, keep it secure, and prepare for e-discovery is old news. Data breaches — and the news coverage that usually follows — have frightened many companies into at least attempting to ratchet up data security policies. Likewise with retention practices. There have been enough e-discovery horror stories that most companies, and especially their lawyers, know they need to start prioritizing this stuff.

Strangely though, you don’t often hear much about data security within corporate boards. But it turns out that the boards of many multinational corporations with hundreds of millions of dollars in revenue are way, way behind the curve on data security.

Company boards are doing everything from printing out physical copies of thousands of pages of sensitive material, to sending unencrypted information to personal e-mail accounts, unsecured iPhones, and home computers. The Thomson Reuters report, released Wednesday, gives a harrowing account of disasters waiting to happen….

The survey, “Better Board Governance: Communications, Security And Technology In A Global Landscape Of Change” [PDF], reported results from 70 international companies in a variety of industries. Half had a revenue of more than $500 million.

The report paints a picture that would make most corporate lawyers start grinding their teeth compulsively. From the official press release:

Most major corporations surveyed have significant security gaps that leave sensitive board-level information open to information theft and hacking…

The survey found that information provided to members of corporate boards of directors is often in unencrypted email accounts and computers, or otherwise provided in forms that are easily lost, misplaced or stolen. The Thomson Reuters Governance, Risk & Compliance survey polled general counsel and board members at leading global corporations across a wide variety of industries.

Sponsored

According to the report, standard precautions that companies take with normal employees are frequently ignored when it comes to the board. The report, which features mostly corporations based in the UK, is worth looking at. It’s fairly short and full of easy-to-read charts and graphs. But here are some of the highlights:

“Most companies do not set up email accounts for their board members for the distribution of board documents; only 10% [elect] to do this. Indeed, the majority (73%) of respondees would send documents to their boards using private, non-commercial e-mail addresses.”

“Given that companies today often go to great security measures to protect sensitive information shared with executives and employees, it is highly surprising to find that most respondees (61%) still deliver their board documents physically, in paper format, by courier.”

“Despite the fact that there was a high dependence on distribution of documents to boards via personal email channels, most companies included board emails within their organisation’s document retention policies (63%). Yet only 30% were confident that board members destroy all copies of board related emails and materials in line with these policies.…

Should they be presented with a scenario where they would they be required to conduct a discovery process, this would then require the majority (58%) to canvass computers, files and other data storage maintained by board members at their homes or businesses.”

From an e-discovery perspective, that last point is the most bloodcurdling. At the Legal Technology Leadership Summit a few weeks ago, several panels discussed the utmost importance of organized, consistent retention policies. If those aren’t in place when legal holds arise, things get really expensive and time-consuming really quickly. (It can also get ugly for outside counsel.)

Sponsored

The last thing the company wants to do is ransack board members’ homes, especially when many of them don’t live nearby (or God forbid, live in a different country) and, as the report claims, belong to the boards at several companies. What if they have sensitive information about the other companies they work with on the same computer? They will not take kindly to lawyers copying or confiscating their data.

It’s also unnerving that this stuff is floating around on unprotected iPhones and home Wi-Fi networks. (Here’s a reminder of what can happen if somebody illegally accesses your home Internet network.) The Thomson Reuters report says 4 percent of companies even admit they have had to deal with board members with lost or stolen mobile devices.

“While most corporations take extraordinary measures to protect information shared with executives and employees, board members — often being outside directors — operate largely outside of a corporation’s secure computer networks and many of their strict internal security policies,” said David Craig, president of Thomson Reuters Governance, Risk & Compliance, in a statement. “The survey found that information given to the board is treated with inadequate levels of care and security with alarming frequency, placing information at risk of loss, theft and exposure.”

Yikes. Let’s hope the report spurs some progress.

Better Board Governance: Communications, Security And Technology In A Global Landscape Of Change
[Thomson Reuters Governance, Risk & Compliance]


Christopher Danzig is a writer in Oakland, California. He previously covered legal technology for InsideCounsel magazine. Follow Chris on Twitter @chrisdanzig or email him at cdanzig@gmail.com. You can read more of his work at chrisdanzig.com..

CRM Banner