The security and information governance issues that arise with
"bring your own device" or BYOD are not restricted to
employees of the corporation. These issues also affect information
governance practices when
communicating with the board of directors. In my
previous post in this series, I examined the duties that
directors have in safeguarding corporate information and the
questions that directors might ask themselves in assessing whether
they are being prudent and diligent.
This post examines the case for a board information governance
policy. The last post in this series will address the elements of a
board information governance policy.

The purposes of a board information governance policy

The fundamental reasons for developing a board information
governance policy are (1) to establish expectations regarding the
standard of care the directors are expected to bring to the
management of corporate information and (2) to assist directors
through corporate procedures and technology in fulfilling their
duties to protect that information.

The special position and risks of BYOD and directors

Directors occupy a special position within the corporation.
Except with respect to matters reserved to shareholders, the board
of directors is the ultimate decision-maker. Information that
they receive is likely to be highly sensitive corporate financial
and strategic information, which may not become publicly known
until authorized for disclosure by the board.
The board of directors of a public corporation will be comprised
of at least some non-management directors. Unlike senior officers
and management directors, these "independent directors"
are unlikely to be working on corporate-owned or
corporate-controlled devices. These directors may not even use
corporate-controlled email accounts. Instead, these directors may
be using personal email accounts or those of their employer.
Electronic communications with these directors
and among the directors as a group will, therefore, be
mediated through non-corporate-controlled information technology
systems, notwithstanding that the directors are likely to be
dealing with some of the most sensitive information of the
Independent directors are also more likely to have other
employment or sit on the boards of other corporations. This
introduces the possibility of the commingling of the
corporation's information with information of third parties in
a way that will complicate the application of the corporation's
records retention and security policies.
Consider, for example, the simple issue of a corporate
information security department being able to remotely control the
corporate director's mobile device to enforce security
protocols. If a director is also using the same device to receive
information from his or her employer and another corporation on
which he or she sits as a director, who, if anyone, should have
control over that mobile device? What are the consequences if the
device is remotely wiped by one corporation resulting in the loss
of information relevant to the other corporation?

The case for the board information governance policy

The utility of a board information governance policy is that it
provides the flexibility to recognize that the information
governance challenges at the board level and with senior officers
communicating with directors may be different from those relating
to other employees. It provides an opportunity for the directors to
establish guidelines to govern their information practices
and heightens attention to cybersecurity issues at the board level
at a time when security regulators are increasingly requiring
corporations to disclose material cybersecurity risks and
The next and last post in this series outlines the elements of a
board information governance policy.
About Fraser Milner Casgrain LLP (FMC)
FMC is one of Canada's leading business and litigation law
firms with more than 500 lawyers in six full-service offices
located in the country's key business centres. We focus on
providing outstanding service and value to our clients, and we
strive to excel as a workplace of choice for our people. Regardless
of where you choose to do business in Canada, our strong team of
professionals possess knowledge and expertise on regional, national
and cross-border matters. FMC's well-earned reputation for
consistently delivering the highest quality legal services and
counsel to our clients is complemented by an ongoing commitment to
diversity and inclusion to broaden our insight and perspective on
our clients' needs. Visit: