The fallout surrounding recent board leaks at Hewlett-Packard ("HP") has raised many questions about "board leakage" (see sidebar: What Happened at HP). While it must be left to the American judicial system and the Securities & Exchange Commission to assess how the HP board handled the investigation of its own members, it is clear that companies should take a hard look at how they handle materials such as the board book, agendas, attendance, minutes, committee materials and other corporate governance-related documents.
Let's face it, board members are usually very busy people - running successful businesses and juggling many business interests. With so much on the go, it is easy to see how accidental disclosure might occur. By handing sensitive material over to be copied or by leaving confidential material on the corner of one's desk, controls begin to erode and the risks of leakage begin to materialize. Though disclosure can be accidental, reducing the risk is critical in protecting your company's information and reputation.
What Happened at HP
Hewlett-Packard's board of directors is under fire for conducting an investigation of its own members — as well as members of the press — to find out who leaked confidential information to the media.
Using a technique known as "pretexting," investigators for the board obtained portions of directors' and journalists' Social Security numbers and then misrepresented themselves to phone companies to obtain phone records.
Hewlett-Packard has received a notice of formal investigation from the Securities and Exchange Commission. HP's former board chair Patricia Dunn, who ordered the investigation, and four others who conducted it have been charged with four felony counts for using deception to obtain the personal phone records of board members, HP executives and nine reporters.
Go Electronic (but not electronic mail)
Traditional methods of distributing information are fraught with risk. Paper is too easily copied, scanned, re-distributed and left lying around, and documents e-mailed to board members often end up lost in in-boxes or immediately printed to paper. Either way, with these traditional methods of distribution the risk is high that documents will be misplaced and/or improperly discarded. The solution is to disseminate information electronically in a much more controlled manner – one that minimizes the possibility that documents are left lying around to be discovered by prying eyes.
The Extranet Solution
One of the best ways to disseminate sensitive information is not new. In fact, the technology has been around for years and is used every day by companies worldwide to provide secure access to documents and confidential data over the Internet. The solution is to use a website secured using encryption, known as Secure Sockets Layer or SSL. Every day, SSL protects millions of consumers and businesses as they perform e-business transactions such as online banking and online purchasing. But SSL in itself may not sufficiently reduce the risk. Companies must also consider how board members will interact with the secure website and determine just how the posted information will be handled.
Add Tight Controls for Paper
When board members securely access material online, companies should consider tight restrictions on printing and copying. While the intent is not to hamstring members, tight controls are a sure way to reduce risk. One approach that is gaining popularity is to allow board members only to view documents online ahead of meetings, and not to print them. While companies that have Extranets can go paperless, they can also opt to give directors hard copies of sensitive materials at meetings and ensure that they leave the hard copies to be destroyed (because everything will be available electronically). In the end, the online solution will be readily adopted if it is simple and easy to use. But be prepared for some initial "hand-holding" to ensure that directors who are not tech-savvy are able to quickly access information.
Hosting Options – Consider your Law Firm
Many companies can set up (or have set up) their own facilities to meet this challenge. Third-party software providers can also fit the bill. However, these options can themselves raise concerns for some. For instance, the director who calls a third-party provider for technical support will often move quickly from a technical question to a more substantive question about posted material (e.g., "Why can't I find the document outlining our merger proposal with ABC company?").
For some, the solution is to ask outside counsel to host their Board Extranet. There are some obvious reasons why. There is a high level of trust that already exists between a company and its outside counsel. Furthermore, outside counsel acts on behalf of the company, often maintains corporate minute books, may have a partner sitting on the board and may act as corporate secretary. That said, there are a few things to keep in mind. Firstly, not all law firms have invested in the appropriate technology to securely host such Extranets. Secondly, some offer third-party solutions branded as their own, so you may in fact be engaging other third parties. Before you change your traditional methods and move online, be sure to fully understand the proposed solution and be sure that you are sufficiently reducing the risk of accidental disclosure.
How can Gowlings assist you?
We can work with you in reviewing your hosting options and even set up and host your Company Board Extranet. Please contact Jason Mervyn of Gowlings for any further information you may need on Extranet Solutions for your Corporation.
The foregoing overview is intended to provide general information only and is not intended as legal advice.