Boards need to ensure that, for instance, data is managed through the whole lifecycle, from creation or collection through destruction.
The last few years have witnessed truly astounding developments in the area of information management. We've become masters at creating, storing, analyzing and uncovering the hidden value of massive volumes of information.
It seems that, every day, we're hearing about how all this big data has been used for amazing purposes, such as to improve customer service, uncover fraud, develop pharmaceutical products, predict diseases, improve airline travel and so on.
Unfortunately, it also seems that, every day, we're hearing about how big data is causing big headaches arising out of improper management and security breaches.
Recent headlines about cyber incidents have forced companies to analyze their risk of incurring information-related liability and to take steps to mitigate those risks. Concern over these issues, however, shouldn't stop with the IT department or even the C-suite. As Target and other companies have recently experienced, legal claims arising from data-related events are now being asserted against corporate boards in the form of shareholder derivative actions.
Although the legal liability of board members for information-related mishaps is an emerging area of the law, longstanding principles make clear that board members have a fiduciary duty to act on an informed basis, in good faith, for the best interests of the company. The emerging area of information governance, including privacy and data security, is no exception to this rule.
Checklist of Issues to Consider
Every organization is different and presents its own unique information risk profile. Corporate boards should be informed of and take steps to address the potential sources of information risk applicable to their specific organization. Those areas may include the following:
- What types of information is the entity managing, and do they include sensitive data such as health information, credit card data or intellectual property?
- How is enterprise data being managed throughout its entire life cycle, from creation or collection through final disposition or destruction?
- Are policies and procedures in place to ensure that information with no business value or compliance/legal restrictions is destroyed in a legally defensible manner?
- Have policies been implemented relating to the company's use of information, including privacy concerns and social media usage?
- Are there policies in place to manage IT assets, including mixed-use devices (those used for both personal and business purposes), both while in use and at the time of disposition?
- Have reasonable data and network security policies, protocols and procedures been created, and are they regularly updated?
- Are all information-related policies actually in effect, enforced and updated, or are they just sitting on a shelf?
- If the company engages in big data projects, are the collection, storage, use and resale of data consistent with customer consents and with applicable laws and regulations?
- Is there effective vetting and management of third parties that handle the company's data or have access to the company's computer network?
- Does the enterprise have up-to-date plans to address information-related incidents, such as a data breach, and are those plans vetted and practiced, before a breach ever happens?
Responsibility for the management of enterprise information and mitigation of information-related liability has now reached the board level of many corporations. Active oversight by engaged and informed board members can reduce those risks to the corporation as well as to the members of the corporate board themselves.