Thomson Reuters recently published its 2012 Board Governance Survey Report, Meeting Expectations of Board Governance: Board Oversight, Communications and Technology in a Global Landscape. The report notes the increased workload for the Corporate Secretary. On average, among responding corporations, 92 board books are created annually – each an average of 116 pages. That’s over 10,000 pages of board materials per year! Much of that material is sent to outside directors and advisors electronically. A disturbing aspect of the report is "a surprising absence of security measures taken in board communications." This includes:
Unsecured email risk - A majority of survey respondents said they regularly use unsecured personal email addresses, such as Gmail or Hotmail accounts, to send confidential board material to their directors.
•The report says "47% of respondents indicated that they never encrypt their board materials, and 18% indicated that they only occasionally encrypt their information. This is of concern, considering the risk for both the Directors and the company in terms of reputation, monetary fines, potential for discovery and negative publicity associated with board materials getting into the wrong hands."
Bring-Your-Own-Device (BYOD) risk - Directors using their own, unsecured mobile devices (laptops, tablets and smartphones) to download and transport confidential board materials.
•63% of respondents said their Board members keep confidential board documents on their private mobile computing devices.
•9% of respondents reported their directors had their mobile devices lost or stolen, thereby putting confidential information at risk.
Most companies’ efforts to manage these risks apparently are limited to making these confidential electronic records subject to a document retention policy. Only 30% of survey respondents were confident that directors destroy all copies of board-related emails and documents, potentially making those records subject to electronic discovery in investigations or litigation. Many companies do not routinely include in litigation holds their outside directors’ personal devices and personal email accounts.
A better approach to managing these risks is to:
•Transmit confidential information using encrypted email or a secure board or email portal
•Ensure personal devices are encrypted and device access is secured by a reasonably strong password (not a 4-digit PIN) or by biometric authentication, such as on the new iPhone 5S
•Require two-factor authentication for access from mobile devices to online email accounts
•Enable BYOD security solutions that keep confidential data off of portable devices entirely through streaming (a method of accessing data stored in the Cloud and viewing it on the mobile device without actually downloading it to the mobile device); if data does need to go to the device, use remote wiping solutions
For information about ZixCorp’s industry-leading email encryption or its innovative BYOD solution ZixOne, please visit zixcorp.com.