Understanding the SEC’s Focus on Governance
“There is no such thing as bad publicity,” a notorious circus promoter allegedly once said.[1] And cybersecurity sure has had its fair share lately. Hardly a month, week or day goes by without another news flash that some company, government institution or law enforcement agency has been hacked. Just this morning I turned on my computer to the following Yahoo Finance headline: “The pillars of American finance are under attack.”[2] This was after falling asleep the night before to a television show my wife was watching in which a money manager arrives at his office to find his company has been hacked.[3] Even SEC Commissioner Luis A. Aguilar gave a shout out to cybersecurity in his address to the 12th Annual Boardroom Summit and Peer Exchange in New York last week. In his remarks regarding the principles critical to good corporate governance, he cited a “cyber-attack” as a “foreseeable man-made crisis” to illustrate the importance of a board’s oversight role in risk management.[4]
Certainly there is nothing wrong with all this publicity given the existential threat that cyber-attacks present. Unless, of course, the only take away is that company officials need only install the latest encryption software or draft a policy statement incentivizing employees to use complex passwords to fulfill their duties. After all, a cyber-attack is just one of numerous issues that threaten an organization’s information and ultimate survival.
Don’t get me wrong, encryption and complex passwords are cyber musts, not should(s). For in this perplexing and overwhelming landscape of the known and the unknown, encryption is a known, as are hackers. It is known that there are hackers holed up in foreign territories intent on stealing valuable financial information, and it is known that encryption neuters such efforts. Even Secretary of Defense Donald Rumsfeld would call this scenario a “known known.”[5] But to limit an organization’s information management to a handful of basic cyber-attack defenses would be irresponsible.
Information, or knowledge, is an organization’s most valuable asset. It is what makes it competitive in the modern marketplace. For some, the value may lie in intellectual property, such as patents, trademarks or trade secrets. For others, it may be a customer database built up over decades of sales. For still others, it may be a set of algorithms for assessing mega volumes of data and discerning what trades are most likely to succeed. But if the risks associated with information are not managed in accordance with the organization’s main objectives and strategies, it can also be the source of enormous liability, unnecessary costs, and damage to one’s reputation.
Eighty percent of a modern company’s value is based on the information or knowledge it possesses.[6] Protecting this knowledge from various risks involves a much more extensive game plan than simply securing computers, laptops and cell phones with registers, encryption and two-factor authentication. Instead, anyone accountable for an organization’s survival must arm it with a much more comprehensive and holistic effort. This effort must be crafted to protect various and numerous types of information from various and numerous types of risks. In short, to be reasonable, to be prudent, to live up to ones fiduciary duty, one must develop, implement, and maintain an all-inclusive information governance program.
To discuss all of what information governance entails is in itself ambitious, particularly in one blog. Therefore, I have broken the discussion into Three Parts. In Part 1, I will introduce the various and numerous types of information that must be managed and protected, as well as the equally varied and numerous attendant risks. In Part 2, I will proffer the position that establishing an information governance program is critical, especially since almost all information today is created electronically and the risks are therefore enormous. And lastly, in Part 3, I will address how a fiduciary can best build an effective information governance program.
But first, here is a list of the types of information and risks that an organization must manage. Compiled by Charles R. Ragan, this gives you an idea of what is at stake.[7]
- Proprietary information (e.g., intellectual property). Information that has a competitive value must be protected from unauthorized disclosure or misuse. For instance, a trade secret can lose its status as such if its owner does not take reasonable measures to keep it secret.
- Contractually protected information. When organizations consider new business arrangements or technologies, they usually receive information under the terms of non-disclosure agreements. This information must be protected from misuse or theft per the agreement.
- Challenges to sound record keeping. Information that has business value should be maintained in such a way as to ensure its accuracy, integrity and availability for later use. Retaining unnecessary and excessive volumes of such information undermines these objectives.
- Legal hold. Information that may be relevant to a pending suit or investigation must be identified quickly and preserved once an action (or inquiry) is reasonably anticipated.
- Retention policies. There are many challenges in developing and implementing retention policy schedules. Apart from any litigation requirements, an organization is required to retain different categories of information for various periods, depending upon the jurisdiction. Determining the retention schedule for an organization is a labor-intensive and expensive effort.
- Data protection and privacy. Jurisdictions all over the world, including the 50 states in the US, have adopted comprehensive regulations for data protection and privacy regarding “personally identifiable information” (“PII”). But these regulations are oftentimes as diverse as the jurisdictions themselves. PII, for instance, has been so broadly defined as to include information on an e-mail header. In the United States, not only is the definition of PII as varied as the jurisdictions, but the notification steps an organization must take in the event of a breach are also varied. In short, organizations face a web of conflicting and constantly changing privacy obligations that must be understood and followed.
- Conflict between data protection regulation and pretrial discovery. The privacy and data protection regulations of many jurisdictions do not allow for the transfer of personal information without the consent of the data subject. These regulations often conflict with the expectations of US courts that all information relevant to the claims and defenses of litigants in an action will be freely exchanged during discovery.
- Personal Identifiable Information (“PII”) and security breaches. The enhanced risk of security breaches and attendant release of personal information, including health and financial information.
- Ever-changing landscape of technologies. Modern technologies, including social media and smart devices, allow for the immediate transfer of data or images to unlimited people with just a few clicks or swipes of a finger. These advancements pose obvious risks to sensitive information, including trade secrets and other intellectual property.
- Trend to allow employees to BYOD. In an effort to attract the best and the brightest, many organizations are succumbing to pressures to allow workers to Bring Your Own Devices (“BYOD”) to work. The introduction of these devices into the workspace opens a plethora of issues, starting with the most dangerous, mixing company life information with home life information. The proliferation of smart devices also introduces the need for conversancy with different operating systems (e.g., Apple vs. Android) as well as new security protocols. And to the extent information on such devices may be sought for litigation or an investigation, the organization (or its vendors) will have to become familiar with an array of harvesting techniques, a costly endeavor since collection techniques vary amongst devices and operating systems.
- Movement to the cloud. To capitalize on economies of scale, many organizations have considered moving data “into the cloud.” While incredibly attractive from a business perspective, cloud operations come with risk since data will be commingled with the data of others and will no longer be under the immediate control or possession of the organization, which may impair the ability to respond to discovery requests or evaluate claims of internal malfeasance.
- Third Party Vendors. An organization must perform due diligence on all third party vendors who have access to any of its information to make sure they have commensurate data security. You are only as good as your weakest link.
- Legacy data. Also referred to as “debris” data, legacy data has neither an owner nor any continuing value. If the organization does not dispose of such information after its useful life, and when it is no longer subject to a duty of preservation, but instead allows it to linger, the organization will find itself spending money to store and manage information with no business value, and potentially great legal liability and/or costly discovery requests.
- Big Data. Taking the opposite position from the one above regarding legacy data, some organizations are grappling with the issue of “Big Data” and whether or not to keep lots of data and subject it to algorithms and new searching techniques that can produce significant business opportunities.
As one can surmise after a quick review of this list, some subjects are highly technical, some relate to legal obligations, and some relate to business strategies. Even so, senior managers often proclaim that their employees shall and do comply with all of the above. Is it reasonable to expect employee’s to be versant with such a diverse and expansive set of requirements? Keep in mind, when it comes to retaining electronic employment related information, this would require that your average employee navigate twenty different federally mandated retention periods. I suspect that regulators will be very circumspect if you try to pass this one on them.
Likewise, simply designating a single individual to be your Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is also not going to keep regulatory water from sinking your vessel. The courts have noted that information-related issues touch numerous different disciplines, and no matter how talented your CIO/CISO, she cannot be solely responsible for governing all information issues. You need help and input from a team of experts from various disciplines to tackle these complex matters.
Commissioner Aguilar’s remarks last week echoed these same sentiments when he instructed company leaders to “strive for a deeper level of insight, broader subject matter expertise” and to populate their boards with a diverse group of individuals possessing “the appropriate skills, experience, and judgment to govern effectively.”[8] He went so far as to call it their “fiduciary duty” to do so.[9] The Commissioner’s words coupled with the current trend by the courts to expand the fiduciary duty of loyalty of company officers to include enterprise “risk oversight” should persuade all organizations to pull their generals together to address information governance seriously, very seriously.[10]
Though these information issues are faced by all companies, the responding governance of one organization may differ from the next, depending upon each organization’s business objectives, specific legal obligations, and risk tolerance. Regardless, company leaders have a responsibility to ensure that the organization considers these diverse information-related issues and optional approaches so that the organization’s program is aligned with its overall goals and strategies, rather than a hodgepodge scheme driven by individual disciplinary biases. In the end, an organization should generate a multi-disciplined and comprehensive information governance program with legal, records, IT, and business all playing a role. I will argue why in Part 2.
Endnotes:
[1] Phineas Taylor “P.T.” Barnum.
[2] Crowe, Portia. “The pillars of American finance are under attack.” Business Insider. Yahoo Finance, 18 Oct. 2015. Web. 18 October 2015.
[3] “…Through Partnership.” Sean Jablonski, et al. Satisfaction. USA Network, Season 1, Episode 5, 14 Aug. 2014. itunes. Web 18 Sept. 2014.
[4] The Important Work Of Boards Of Directors, SEC Commissioner Luis A. Aguilar, 12th Annual Boardroom Summit And Peer Exchange, New York, NY, Oct. 14, 2015.
[5] “There are known knowns” is a phrase from a response United States Secretary of Defense Donald Rumsfeld gave to a question at a U.S. Department of Defense (DoD) news briefing on February 12, 2002 about the lack of evidence linking the government of Iraq and the supply of weapons of mass destruction to terrorist groups.
[6] Jay Ranade, renowned governance professor at ISACA NY Chapter, adjunct professor at N.Y.U and St. Johns, and World Power Breaking Champion.
[7] Charles R. Ragan, Information Governance: It’s a Duty and It’s Smart Business, 19 RICH. J.L. & TECH. 12, at 4-6.
[8] Commissioner Luis A. Aguilar, supra note 3.
[9] Id.
[10] In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) and its progeny.