Company data (and its misuse) has become both a hot news topic and an ethical quandary for today’s companies. From the Facebook-Cambridge Analytica scandal to the Equifax breach of 145 million sensitive customer profiles, the dangers of data today are evident. American identities and finances are increasingly put at risk whether endangered by organizations’ poor cybersecurity practices, deceptive user agreements, or opportunities to monetize.
In the latest exposé, the Wall Street Journal revealed that Google Mail (i.e., “Gmail”) messages are not as private as its users may think. Currently the world’s most popular email service with 1.4 billion users, Gmail confirmed that it allows human third parties to read private messages that were sent between Gmail users–something its users technically “agree to” by accepting the terms & conditions of third-party apps. (More information in this Diligent blog.) Given recent events, we draw two implications or discussion points for board members and corporate secretaries:
1. Is your board addressing the ethical and regulatory side of cyber risk?
We recently sat down with Spencer Stuart’s Jason Baumgarten to discuss the evolving demand for cybersecurity talent on today’s boards. (Access the interview with Jason here.) What he described was a shift in the cybersecurity landscape, which is requiring boards to think beyond just the technical side of cyber risk (i.e., NIST framework, threat reduction and response).
…people are recognizing that having a CISO on the board is not necessarily a clear path to shifting the discussion around cybersecurity. A lot of the cyber challenges that today’s companies are facing are not just the traditional cyber issues–rather, they’re regulatory, they’re business-model driven, and they involve broader ethical questions around how to interact with data.
— Jason Baumgarten, Partner, Spencer Stuart
We’ve recently launched a multi-part series on cyber risk oversight, which takes a closer look at the ethical, strategic and technical aspects that today’s board must consider. Board members should be using each news story as a dry run to examine their own company’s practices around data–and to pinpoint critical questions for discussion at the next board meeting.
2. Are you using personal email or devices to communicate or store sensitive board materials?
If nothing else, the news about Gmail’s privacy standards should spark an examination of your own board communication practices. A 2017 survey of 381 board members conducted by the New York Stock Exchange and Diligent revealed the following:
- 92% of directors indicate that “personal email accounts” are one of their preferred methods of communication, second only to “face-to-face meetings”.
- 74% of directors download board books or company documents to their personal computer at least occasionally.
While these practices may seem harmless, there are a few things today’s boards should keep in mind:
- Even when you’re sharing non-material information, personal email can provide an entry point. While most of the survey respondents said they only use personal email for non-confidential board communications, it’s important to recognize the dangers that lie beneath the surface. Personal email accounts–like any other unencrypted or ill-encrypted, digital gateway–can be used as a point of entry into a person’s computer, tablet or device.
- If used for board communication, personal email or devices may be “discoverable” in the case of litigation. The Delaware Courts have held that any electronically stored information relating to the business (or acquired during the course of conducting business) is the property of the employer and therefore discoverable during litigation. Thus, even if board members are using personal email, computers or text messaging for incidental board matters, it could all be subject to e-discovery.
- Board members are high-value targets. It’s important to remember that the vast majority of hacks or data breaches are economically motivated. This means that company executives and board members, who are often in possession of the most valuable and sensitive company information, provide the most “bang for your buck” to a bad actor.
Boards should undergo annual security training to ensure that each director understands the heightened risk associated with personal and board-related communication. For more information about secure communications–and to see how your board stacks up to other boards–download the report below.