In an era where data breaches or leaks seem inevitable, business disruptions too frequent and the press all too prone to run away with a salacious story, what can the board of directors do to protect sensitive corporate data? It is all too easy for information to be inadvertently exposed—whether as a result of hacking, a slip of the finger that results in an email being sent to the wrong person, or a disgruntled employee who decides to share confidential information via a text.
Aspects of business are so interconnected—from transportation to email to facilities management to data storage—that compromise or disruption of simply one aspect can affect the entire business. And such disruptions aren’t limited to a single industry—from power companies dealing with an unexpected power outage to an IT department responding to a ransomware attack to an enterprise having to handle a major blizzard that strands employees at home—every business needs to have a business continuity plan.
In the age of technology where screen shots and forwarding of information is done with a click – our over social economy can and will share almost anything. The question is -How can an organization control the narrative of their own business, stay in control of it and avoid a PR or financial nightmare
One of the greatest compliance risks businesses face today is the wild field of communication. Communication is still taking place with old technology, like email. We saw from this year’s election how easy it is to hack email and leak it, especially when the email is not under your control anymore.
It is no secret that we are living in a digitally evolving world. The use of personal mobile devices continues to increase as constant advancements bring more and more convenience to our busy lives. With today’s smart phones you can do almost anything you want with just the tap of your finger. It leaves me wondering – what’s next?
In this Age of the Internet, confidential information is more easily exposed than ever before. Real-time communication tools and social media give everyone with Internet access the ability to publicize information widely. Confidential information is always at risk of inadvertent or even intentional exposure. The current cultural emphasis on transparency and disclosure—punctuated by headline news of high-profile whistleblowers, and exacerbated in the corporate context by aggressive activist shareholders and their director nominees—has contributed to an atmosphere in which sensitive corporate information is increasingly difficult to protect.
A member of a board of directors has fiduciary responsibilities to the corporation he or she serves. One important responsibility is a duty of confidentiality. The duty of confidentiality is essentially a duty not to speak about board matters to non-board members or share board materials with non-board members unless authorized to do so. Open dialogue is crucial to board deliberations. If Board members do not feel that their conversations are private or that the confidentiality of their discussions will be respected, they may feel pressure to avoid certain topic areas or to hedge their comments in a way that doesn’t serve the organization’s best interests.
The Board of Directors’ legal obligations with respect to confidentiality are often not well articulated. Confidential board information includes material, non-public information, the disclosure of which is regulated by federal securities laws and by company-wide policies and procedures. It also includes sensitive boardroom discussions that have both personal and business elements, and implications. These discussions may be amongst board members outside of the formal board meeting settings. In order for boards to function effectively, directors must feel comfortable expressing their views with board members on corporate matters honestly and freely, without concern that their conversations will be made public or intercepted by competitors.
Increasingly board members and executives travel nationally and internationally. With increased exposure to mobile communications being intercepted and even mobile device loss or even confiscation, more and more executives are concerned about containing potential confidential business conversations private now that every type of conversation seems to have gone mobile.
Concerns about leaks often increase with the election of “constituent” directors. These directors, placed on public company boards through proxy access or a proxy fight, are typically perceived—rightly or wrongly—as representatives of those shareholders that nominated them and are considered likely to share details of board deliberations with their sponsors. When a director deliberately exposes sensitive board information, boards may struggle to respond effectively, as the remedies available to the board and the company are limited, particularly since directors cannot require another director to resign. In order to protect confidential and sensitive information, boards should, at a minimum, have robust director confidentiality policies. Companies may also want to review their crisis management plans to ensure that they cover breaches of confidentiality by directors in addition to executives and employees.
Confidential Board Information
Confidential, non-public corporate information falls generally into three categories: proprietary information that is of competitive, commercial value to the company; inside information about the company’s finances, operations, and strategy; and sensitive information regarding board proceedings and deliberations. Unauthorized disclosures of proprietary information could imperil a company’s competitive advantage or commercial success while unauthorized disclosures of inside information can lead to illegal insider trading and manipulation of the company’s stock price. Company insiders may disclose information in any category that is material and non-public only in specific ways prescribed by the federal securities laws. For these reasons, all companies should have comprehensive corporate confidentiality policies that apply to employees as well as directors. The authorized processes and channels for disclosure of confidential corporate information should be well defined and understood within the company, as improper disclosures can lead to criminal and civil liability in certain circumstances.
The third category, sensitive board information, includes information to which a director is privy by virtue of his or her membership on the board of directors. In the course of fulfilling their fiduciary duties and director responsibilities, directors are entrusted with significant amounts of material, non-public information of all types; however, they also become aware of the inside story: how this confidential corporate information is discussed, used, and understood within the board itself. Directors generally know how their fellow board members view corporate executives, strategic initiatives, potential mergers and acquisitions, competitive and legal threats, and even each other. They also understand how board deliberations have developed over time. Any element of this “meta-information” may be of particular importance, may be potentially disruptive or embarrassing if disclosed, or may simply have been shared within the boardroom with the expectation of privacy. Leaks of sensitive board information—as opposed to proprietary or valuable corporate information—also can be highly damaging to a company. Such leaks can be made publicly, to the media and the investor community at large, or privately, to a director’s sponsor or other influential shareholders.
Public and Private Disclosures
The most sensational type of leak happens when a disgruntled or dissatisfied director provides confidential information to the media in order to put pressure on the rest of the board. A less dramatic but likely more prevalent type of boardroom leak is the private communication of confidential information by constituent directors to their sponsoring shareholders. Activist shareholders and the investment community are increasingly pushing for shareholder-sponsored directors on public company boards, and indeed their numbers are growing as demonstrated in the following chart.
Inadvertent exposure can be limited through corporate policy to ensure board member electronic discussions outside the boardroom are only allowed through encrypted, secure messaging applications . These applications capture a single copy of the conversation in a protected corporate archive but prevent interception, forwarding, storing and printing on board member devices and servers.
The Board of Directors may be, by policy, required to use this communication mechanism to discuss board business amongst each other or even with their constituent debriefings. This provides for complete transparency among board members and protects the confidentiality of the corporate information. Transparency is maintained by retaining a single corporate archive of the conversations in a secure corporate archive and nowhere else. The Corporate Archive can be audited; to ensure company IP as an example is not inadvertently or purposefully being leaked. These policies can easily be extended to private confidential conversations amongst executive staff of the Corporation.
Having policies that ensure that secure, ephemeral communications are enforced will assure the transparency of the communication and re-enforce trust between board directors / members.
Internet and Mobile Technologies have enabled corporations to be more efficient and for small and mid-size corporations to compete on a global scale. However, they have also increased the risk of loss of confidential information that when breached can materially impact the performance of the company. With heightened risk of data breach and increased calls for transparency by shareholders, corporations need to set new policies and compliance standards for their board members and executives to responsibly manage these risks. Interestingly technology solutions like secure, ephemeral, and compliant messaging may be a key element of such risk mitigation strategies.
For more information on how secure messaging can enable executives and the board of directors to communicate in a more confidential manner via their mobile devices, contact us.
Over 350 Billion text messages are sent each month, many of which contain sensitive personal and corporate information. Secure, encrypted messaging options are the best way to ensure security and compliance with regulations such as HIPAA, FINRA and Sarbanes-Oxley. IBM MobileFirst Protect formally known as MaaS360 has come together with Vaporstream® to address offering secure messaging.
On December 8th at 2PM EST Vaporstream and IBM MaaS360 will jointly present integrated solutions for enterprise mobility management. MaaS360 and Vaporstream provide a unique combination that enables organizations to easily deploy a secure and compliant messaging platform. Vaporstream has incorporated the MaaS360 API’s into our solution to enable an easy to deploy, utilize and maintain solution for mobile device management and policies that can be managed at the device and application level. These include features like pin code controls and single sign-on. By utilizing this integrated approach organizations can ensure that data is not left on insecure mobile devices. They can even extend that protection beyond the devices controlled by the organization to protecting and wiping messages sent to recipients outside the organization.
Ephemeral messaging technology allows users to send a mobile message with complete control and assurance that no residual information is saved on their mobile device. IBM MobileFirst is hosting Vaporstream, the creators of this new way to look at the old SMS, to learn best practices on taking secure messaging to the next level:
- Thwart hackers with encrypted messages at rest and in transit
- Sender distribution controls to disable copy, forward and sharing of managed messages
- Recipient guards against screenshots with image obfuscation
- Any time message shredding from the user or system level
- PIN code protection to secure lost or stolen devices
Date: Tuesday, December 08, 2015
Time: 02:00 PM Eastern Standard Time
Duration: 1 hour
Register at the following link.
About the Speakers
Galina Datskovsky, Ph.D., CRM
Galina Datskovsky is currently the CEO of Vaporstream. She has also served on the board of multiple startups, assisting with strategy. Formerly Vice President of Information Governance at Autonomy an HP Company. She served as Chair, President, President Elect and Director of ARMA International (2007-2013) as well as fellow in 2014. She also served as Senior Vice President of Architecture at CA Technologies, responsible for corporate-wide architecture and design initiatives, General Manager of the Information Governance Business Unit and a Distinguished Engineer. She joined CA in 2006 with the acquisition of MDY Group International, where she served as founder and CEO. Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in information governance and associated technologies.
She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April 2010. Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University. She earned doctoral and master’s and bachelor’s degrees in Computer Science from Columbia University.
Kaushik Srinivas is a Product Manager for IBM MobileFirst Protect, formerly MaaS360. In this role, he is responsible for Mobile App Security, including the WorkPlace Partner Program and MaaS360 SDK & App Wrapping.
IBM MobileFirst Protect and Vaporstream experts will be on hand to discuss how you can integrate secure messaging into your overall Enterprise Mobility Management strategy.
Join us for an informative discussion.
Register today at the following link!
The days of working at a company and receiving a new cell phone on your first day have started to fade away. Market researcher Gartner Inc. predicts that almost four in 10 organizations will rely exclusively on a policy of Bring Your Own Device (BYOD) — meaning they will no longer provide devices to employees– by 2016, and 85 percent of businesses will have some kind of BYOD program in place by 2020.
Why is BYOD a Hot Trend?
The BYOD trend is popular amongst employees who bring their personal smartphones, tablets and laptops to the office, or use them offsite as they take their work home. Businesses benefit from BYOD programs shifting costs to the user – including costs for the hardware, taxes, voice and/or data services, and other associated expenses.
The Good Technology State of BYOD Report states that 50 percent of companies with BYOD models are requiring employees to cover all costs — and they are happy to do so. Why? Many employees don’t want to carry two cell phones to work.
Users prefer their own devices and they’d rather use the devices they love rather than being stuck with laptops and mobile devices that are selected and issued by the IT department. BYOD devices tend to be more cutting edge, and users also upgrade to the latest hardware more frequently than the painfully slow refresh cycles at most organizations.
Risks to Company Privacy
So the switch to mobility is in full swing and must be embraced by most organizations. But the risks to company privacy are high as employee’s access email and other potentially proprietary data on their own devices.
- Small and medium-sized businesses have been at the forefront of the BYOD trend, with almost 62 percent of American SMBs having an official BYOD policy in place as of 2013, according to research conducted by iGR, a wireless and mobile communications consulting firm.
- At least another 10 percent lack an official policy but allow employees to use their personal devices to perform work-related tasks.
- Data security and regulatory compliance are big issues with BYOD environments. SMBs often must absorb more risk than larger enterprises out of necessity. They can’t afford a security team, a chief information security officer, and all that this entails. SMB’s and Enterprise companies need to approach device and data management in a manner that secures corporate and their customer’s data, but doesn’t hinder productivity. Furthermore, when a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem.
Solutions to Consider
- For both SMB and Enterprise customers, Mobility Device Management (MDM) Solutions, like IBM Maas360, VMWare Airwatch, Good Technologies and Mobile Iron, do a good job of managing the segregation of the data on the mobile device and protecting it with encryption and pin codes. They also enable clearing this business data if the phone is lost or employee is terminated. However, when it comes to mobile communications, the text messages, emails and chats are sent to recipient devices that are out of the control of the sender’s organization and devices, beyond the reach of the MDM policies.
- Ephemeral messaging applications such as Vaporstream are designed for the BYOD world. They have the power and ease of use of email and text messaging without the liability of it. Ephemeral messages cannot be shared or stored and disappear after use. Regardless of the device, users can exchange messages securely across the enterprise, yet those messages do not remain on any devices and cannot be shared by any device, even those beyond the control of your MDM solution.
- Compliance is important in heavily regulated industries like Healthcare, Insurance, Legal, and Finance just to name a few. Keep that in mind as you shop around for an ephemeral messaging solution that will address your needs. Consider vendors that uniquely allow companies to opt for a Governance Module where they can archive messages, in a secure on premise store. These can be tagged as transient messages with a short term retention or for as long as required in regulated industries, while leaving nothing on the BYOD devices. The only copy is in your secured archive for e-discovery, no exposure on BYOD devices or copies on unintended recipient devices and servers. Vaporstream covers these requirements and helps customers meet their regulatory requirements.
As companies embrace BYOD programs, they can also meet the unique privacy challenges by taking one simple step, in addition to implementing MDM – adopting a secure, ephemeral, compliant messaging platform. Enable efficient communication without sacrificing control over confidential information. If you currently do not have a solution that addresses privacy, security and compliance for mobile messaging download a FREE trial of the Vaporstream® App today (available in the APP Store and Google Play).