It is impossible to ignore the trend towards increased use by boards, in Australia and elsewhere, of cloud-based information technology services to create paperless board rooms, reducing the need for traditional email and paper-based communications. These services allow board papers and other information to be securely uploaded by management and then accessed remotely by directors through dedicated applications and the use of mobile devices, such as laptops and iPads.
Evolving concepts of communications
Efficient and effective communication has become an increasingly difficult task at the board level, where companies and their directors are expected to manage complex and voluminous quantities of information.
Recent Australian cases, such as Centro1, have demonstrated the need for directors to have continual access to company information and be able to analyse the information presented to them. In Centro, the Court provided little comfort to the company's directors, who relied on the quantity and complexity of the information supplied to them as a defence to allegations of negligence, reasoning that the board could control the amount and format of information received. Consequently, the standard of information oversight now expected can create problems for companies and their directors, and highlights the growing importance placed on managing the manner in which information is provided to directors, not only in terms of content but also in terms of presentation and accessibility.
Cloud-based information technology services will potentially revolutionise the manner in which management communicate with directors and directors communicate with each other. Depending on the services provided, there are many advantages associated with using the more popular devices, such as iPads, to distribute board papers to directors. For example, there are cost savings and efficiencies associated with reduced paper consumption, courier fees and time spent on document preparation. Directors have immediate access to current documents, regardless of their location. Further, with documents being stored in a central document repository (ie, the cloud), there is a corresponding reduction of physical storage space.
These services can vary substantially from a customised service developed to meet the needs of a particular company, to an 'off-the-shelf' service where a company has no control over the hardware or software that provides the service. Accordingly, given these technologies are relatively new and continuously evolving, it is important for companies to remain vigilant, to:
- ensure that any chosen cloud service is compatible with their corporate governance and operational policies; and
- take all appropriate actions to minimise risks associated with a variety of new legal and regulatory challenges arising from the use of cloud services.
Some of the more apparent legal and regulatory issues are discussed in detail below.
Confidentiality and security
When talking about confidentiality and security, there are a number of questions that must be asked of service providers. First, is your confidential information more secure by being hosted online with other companies or offline on the company's own local network? What harm would it cause your company if confidential information fell into the wrong hands? Consider what type of, and how much, information you want to upload to these services – this is sensitive information and it is important to ensure that you have control over, and can restrict access to, that information.
Ownership concerns also need to be considered and appropriately addressed. In Kriewaldt2, the Court considered whether board papers become the property of a director when provided to that director. Justice de Jersey held that when the company provided board papers to directors it was to be taken as surrendering its right to them. His Honour reached this decision because the company had not reserved its rights to recall the papers when sending them to the directors, the papers had never been recalled by the company, the directors had been free to mark and annotate the papers, and the papers had been sent without any conditions attached to their disposal. However, importantly, his Honour stated that "this is apparently not a case, I would add, where at the end of meetings, the papers are recalled." Consequently, you should consider whether you wish to implement policies to ensure that board papers are recalled at the end of meetings – discuss these options with your information technology service provider before rolling out the services at a board level.
You also need to consider whether it is appropriate to place restrictions on whether board papers may be printed or saved locally (ie, to the memory of the device), or annotated with notes. While personal notes made by directors on board papers can serve as useful reminders to busy directors, directors' notes can be requisitioned as evidence in court. This may be helpful if the notes show that the directors adequately informed themselves, appropriately questioned and considered issues, and used proper care and diligence; however, this practice can also create risk if the notes are ambiguous, incomplete or inconsistent with other records, such as the formal minutes of meetings.
These issues can lead to tensions between a company and its directors. While a company will naturally be concerned with confidentiality and security issues, directors will be motivated to ensure that their access to board papers, as well as their ability to annotate the board papers with notes, will enable them to satisfy their duties as directors, particularly their duty of care and diligence.
For a start, the board papers must be presented in a manner which allows the directors to review them to a level required to discharge their duties. From a practical perspective, it may be difficult for directors to view lengthy documents (such as financial reports) on a mobile device (where, for example, they cannot have multiple pages in front of them, as they could with hard copies). Further, those directors who are not very computer literate may find using a mobile device difficult, and until they become comfortable with the technology, it may be more time consuming and less efficient for them to review board papers using mobile devices.
Australian privacy laws generally require personal information (or other sensitive information such as health information) collected by certain organisations to remain within Australian borders unless, among other exceptions, the individual consents to the transfer or the organisation believes the recipient of the information is subject to laws that are substantially similar to the National Privacy Principles. Therefore, it is important to be aware of the types of information which directors will have access to online, as well as to consider whether or not that information will be held or accessed overseas by either the service provider or directors.
The company should also consider the risk that their data may be disclosed to the government of the jurisdiction in which their data is held by the service provider, possibly without their knowledge or consent. For example, the United States government is permitted under the USA Patriot Act3 to seek a court order for disclosure of electronic records, often without permitting notice to the user.
Reliability of access
Timely access to information is vital for directors. It is important to remember that directors have both general law and statutory rights of access, and may also have contractual rights of access, to certain company documents, including board papers, which may be primarily accessible through your chosen technology.
At common law, directors have rights of access to company documents in order to facilitate the performance of their duties, together with corresponding rights to make copies.4 Directors also have a statutory right of access to certain documents (including board papers) in the circumstances afforded under sections 198F and 290 of the Corporations Act 2001. A contractual right of access may also have been granted to directors under a Deed of Access, Indemnity and Insurance with the company, together with a corresponding right to make copies.
Technology isn't always reliable. Accordingly, it is important to not only ensure that you meet the general law, statutory and contractual rights of access, but that you also implement appropriate standards of data protection, security, back-up, redundancy and disaster recovery processes – these standards should be documented both internally within the company as well as by agreement with the relevant information technology service provider.
Subject to individual company document retention policies, some cloud services also offer the ability to permanently purge documents upon deletion. This includes the ability to irrevocably purge email messages uploaded on cloud servers, or electronic notes made by directors on uploaded documents, such as board papers.
Take the time to ensure that your document retention policies are up to date. If documents are held online by service providers, consider adopting and maintaining a robust records management policy to ensure that you are aware of what and where documents are located.
While most people engaged in business activities understand the need to keep proper records, many are unaware of the plethora of Federal and State laws that impose document retention and production obligations. This is particularly important given the emerging trend, in Australia and elsewhere, to criminalise poor document management practices. Organisations which destroy documents relevant to a Court hearing may be prosecuted for obstructing justice or be held in contempt of Court. Potential penalties include fines for the company and the individual, and in extreme cases, gaol for the individual.
There is no doubt that the use of paperless board rooms by Australian companies is increasing – numerous services are being marketed which provide better ways to manage board processes in an environment where a company's compliance responsibilities are continually evolving.
The issues raised in this update are not intended to be exhaustive, although companies must ensure that they stay alert to critical issues, such as confidentiality, security, directors' duties, privacy, access to information and document retention. This means that, before making the decision to move towards a paperless board room, you should take a few moments to consider your company's risk profile as well as its corporate governance and operational policies, so that you continue to protect your company's information and are well prepared to incorporate these technological changes into your business practices.
1 ASIC v Healey & Ors  FCA 717.
2 Kriewaldt & Ors v Independent Direction Ltd (1995) 14 ACLC 73.
3 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001.
4 Edman v Ross (1922) 22 SR (NSW) 351.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.