Context is key to security and risk management. Knowing what and where content is used by the business enables better security and risk management.
In March 2017 the nation’s first cybersecurity regulation became law, imposing strict cybersecurity measures on financial institutions operating in New York. The new rules specify everything from naming a Chief Information Security Officer to risk assessments, event notification, encryption, penetration and vulnerability testing, training and monitoring, and audit logs.
It seems that every day we have a slew of new sensational cases and revelations that make us stop and think “Is our privacy over? Does anyone even care? What are we to do to protect ourselves?” I say, relax, the situation is bad, but it is not as bad as you might think, and probably not for the reasons you might think.
Quick – when was the last time you used your smartphone to investigate a health issue? If you are like most people you are probably a “connected patient” using smart devices to take more ownership of your health. A 2015 Pew Research Center (PEW) report shows 62% of smartphone owners use their phone to look up information about a health condition. And many of us now also use our smartphones to correspond with providers.
Communication and effective collaboration within the healthcare industry is not always as easy as it should be. Care teams – from doctors and nurses to the patients and their caregivers – need the ability to communicate efficiently, effectively, privately and securely to ensure the highest level of service. Unfortunately, this is an ongoing challenge, particularly when it comes to long term and home based healthcare.
There is only one thing certain in today’s world, and that’s uncertainty. It was certainly driven home by the election results, where everyone was certain of the outcome, until they were not. It is disconcerting to live in this environment. From random terrorist attacks to unprecedented economic and geopolitical events, we need to almost block out the news cycle. In order to survive in this environment, it is important to make a list of things that are in your control and those that are not.
Welcome back from what we hope was a happy and relaxing July 4th. Happy Independence Day! For us, July 4th is a particularly meaningful holiday. It’s an opportunity to spend time with family and friends and to appreciate the freedoms and liberties we have living in the United States of America.
In this Age of the Internet, confidential information is more easily exposed than ever before. Real-time communication tools and social media give everyone with Internet access the ability to publicize information widely. Confidential information is always at risk of inadvertent or even intentional exposure. The current cultural emphasis on transparency and disclosure—punctuated by headline news of high-profile whistleblowers, and exacerbated in the corporate context by aggressive activist shareholders and their director nominees—has contributed to an atmosphere in which sensitive corporate information is increasingly difficult to protect.
A member of a board of directors has fiduciary responsibilities to the corporation he or she serves. One important responsibility is a duty of confidentiality. The duty of confidentiality is essentially a duty not to speak about board matters to non-board members or share board materials with non-board members unless authorized to do so. Open dialogue is crucial to board deliberations. If board members do not feel that their conversations are private or that the confidentiality of their discussions will be respected, they may feel pressure to avoid certain topic areas or to hedge their comments in a way that doesn’t serve the organization’s best interests.
The Board of Directors’ legal obligations with respect to confidentiality are often not well articulated. Confidential board information includes material, non-public information, the disclosure of which is regulated by federal securities laws and by company-wide policies and procedures. It also includes sensitive boardroom discussions that have both personal and business elements, and implications. These discussions may be amongst board members outside of the formal board meeting settings. In order for boards to function effectively, directors must feel comfortable expressing their views with board members on corporate matters honestly and freely, without concern that their conversations will be made public or intercepted by competitors.
Board members and executives increasingly travel nationally and internationally. With greater exposure to interception of mobile communications, and to loss or even confiscation of mobile devices, more and more executives are concerned about keeping potentially confidential business conversations private now that every type of conversation seems to have gone mobile.
Concerns about leaks often increase with the election of “constituent” directors. These directors, placed on public company boards through proxy access or a proxy fight, are typically perceived—rightly or wrongly—as representatives of those shareholders that nominated them and are considered likely to share details of board deliberations with their sponsors. When a director deliberately exposes sensitive board information, boards may struggle to respond effectively, as the remedies available to the board and the company are limited, particularly since directors cannot require another director to resign. In order to protect confidential and sensitive information, boards should, at a minimum, have robust director confidentiality policies. Companies may also want to review their crisis management plans to ensure that they cover breaches of confidentiality by directors in addition to executives and employees.
Confidential Board Information
Confidential, non-public corporate information falls generally into three categories: proprietary information that is of competitive, commercial value to the company; inside information about the company’s finances, operations, and strategy; and sensitive information regarding board proceedings and deliberations. Unauthorized disclosures of proprietary information could imperil a company’s competitive advantage or commercial success while unauthorized disclosures of inside information can lead to illegal insider trading and manipulation of the company’s stock price. Company insiders may disclose information in any category that is material and non-public only in specific ways prescribed by the federal securities laws. For these reasons, all companies should have comprehensive corporate confidentiality policies that apply to employees as well as directors. The authorized processes and channels for disclosure of confidential corporate information should be well defined and understood within the company, as improper disclosures can lead to criminal and civil liability in certain circumstances.
The third category, sensitive board information, includes information to which a director is privy by virtue of his or her membership on the board of directors. In the course of fulfilling their fiduciary duties and director responsibilities, directors are entrusted with significant amounts of material, non-public information of all types; however, they also become aware of the inside story: how this confidential corporate information is discussed, used, and understood within the board itself. Directors generally know how their fellow board members view corporate executives, strategic initiatives, potential mergers and acquisitions, competitive and legal threats, and even each other. They also understand how board deliberations have developed over time. Any element of this “meta-information” may be of particular importance, may be potentially disruptive or embarrassing if disclosed, or may simply have been shared within the boardroom with the expectation of privacy. Leaks of sensitive board information—as opposed to proprietary or valuable corporate information—also can be highly damaging to a company. Such leaks can be made publicly, to the media and the investor community at large, or privately, to a director’s sponsor or other influential shareholders.
Public and Private Disclosures
The most sensational type of leak happens when a disgruntled or dissatisfied director provides confidential information to the media in order to put pressure on the rest of the board. A less dramatic but likely more prevalent type of boardroom leak is the private communication of confidential information by constituent directors to their sponsoring shareholders. Activist shareholders and the investment community are increasingly pushing for shareholder-sponsored directors on public company boards, and indeed their numbers are growing as demonstrated in the following chart.
Inadvertent exposure can be limited through a corporate policy that allows board members' electronic discussions outside the boardroom only through encrypted, secure messaging applications. These applications capture a single copy of the conversation in a protected corporate archive but prevent interception, forwarding, storing and printing on board member devices and servers.
The Board of Directors may be required, by policy, to use this communication mechanism to discuss board business with each other or even in their constituent debriefings. This provides for complete transparency among board members and protects the confidentiality of the corporate information. Transparency is maintained by retaining a single copy of the conversations in a secure corporate archive and nowhere else. The corporate archive can be audited to ensure, for example, that company IP is not being leaked inadvertently or purposefully. These policies can easily be extended to private confidential conversations among the executive staff of the corporation.
Policies that enforce secure, ephemeral communications will assure the transparency of the communication and reinforce trust between board directors/members.
Internet and mobile technologies have enabled corporations to be more efficient and small and mid-size corporations to compete on a global scale. However, they have also increased the risk of losing confidential information that, when breached, can materially impact the performance of the company. With heightened risk of data breach and increased calls for transparency by shareholders, corporations need to set new policies and compliance standards for their board members and executives to responsibly manage these risks. Interestingly, technology solutions like secure, ephemeral, and compliant messaging may be a key element of such risk mitigation strategies.