The Background: Technology has transformed the way that directors receive and review information and communicate with each other and with management.

The Issue: Although many modern board practices are more secure and efficient than those of decades past, directors must recognize and protect against the risks posed by board service in the digital age.

The Outcome: We encourage companies to communicate clear policies for the use of board portals and other technology by directors, as well as the importance of following company policies relating to communications and document retention. While sometimes considered ministerial, these topics are in fact critical aspects of risk management.

For many corporate boards, the summer months provide a brief governance respite between the proxy season and the demands of the fall board meetings. Many companies use this time for director "onboarding"—providing orientation and training for newly elected directors—and updates to incumbent directors. Director orientation programs typically cover the company's history, industry, management, and other key aspects of its business and strategy. While these topics are essential, companies should not overlook the opportunity to educate all directors, regardless of their tenure, about key policies for information management, security, and communications. These topics are sometimes treated as mere "corporate housekeeping," but their importance in the digital era—when inadvertent missteps can have highly embarrassing consequences, at the very least—cannot be overstated.

Board Portals

Although the pros and cons of board portals can be debated, they are here to stay. Of course, board portals are not perfect systems. In fact, portal providers have been the targets of high-profile cyberattacks resulting in serious data breaches for hundreds of public companies. The intrinsic risks of these systems cannot be eliminated completely, but their security features are ever improving, and in any event are far superior than delivery by paper envelope. Moreover, a director whose email account is hacked is easily blamed for any resulting damage, while the use of a board portal insulates individual directors from individual finger-pointing.

Some directors may be hesitant to give up their board books, but company-issued and mandated iPads or other devices may soften that loss, as long as directors have access to effective support on a real-time basis as needed. In fact, even the most reluctant directors may quickly recognize the benefits of these devices. Electronic information is, of course, instantly accessible and highly portable, key features for busy people. And, of course, the electronic transmission of lengthy board materials not only saves time and money but also is environmentally friendly, in keeping with critical corporate sustainability objectives.

Finally, we advise that companies not distribute any paper copies of meeting pre-reads, as a rule and without exception. Almost any board advisor can recount stories of highly confidential board decks that were delivered to the wrong address by couriers or left in hotel lobbies or on planes, trains, or automobiles. Board portals reduce the risk that paper copies of sensitive board materials end up in the wrong hands.

Document Retention

Even when board portals are used as the sole information access point for directors, however, companies and their directors should align on clear and consistent policies for document retention. Most importantly, corporate recordkeeping is for management, not the board. The corporate secretary should, of course, keep an electronic copy of every presentation, document, or other paper sent or presented to the board or any committee in an official file. This frees individual directors of the responsibility for keeping copies of anything themselves.

Corporate secretaries can facilitate this document retention policy by collecting all copies of materials furnished to directors at board or committee meetings as the directors exit the boardroom. Some companies also send an overnight courier envelope to directors a few times a year so that directors may easily return to the company any stale board materials or other documents instead of destroying them. In addition, the corporate secretary should delete dated material from the board portal on a continuous basis after a period determined to be appropriate by each company and its board.

Director Communications

Board portals also provide a secure and convenient email platform for director communications with management and other board members. Directors, like all other company representatives, should be reminded of good-sense guidelines for electronic communications, especially email, that may be sensitive in substance or tone or intended to be private. Private communications can quickly become front-page news, and deleted emails are never really gone. Further, email is not the proper venue for director debates with management or each other, and directors should always provide substantive comments by phone, not by email. And the "reply all" email function should rarely, if ever, be used.

In addition, directors should never use personal email accounts or devices for board business. Although most directors are cautioned to use only company email accounts and devices for company business, few may fully appreciate the potential consequences for failing to do so. Directors who use their personal email accounts or devices for board communications risk not only the security of confidential corporate information but also their own privacy; those accounts and devices—including home computers—may be subject to search in the event of litigation or an investigation. Although discovery rules vary among jurisdictions, discoverable items may include a wide range of electronically stored information, including email, texts and other instant messages, voicemail, postings on social networking sites, and information stored on personal computers, phones, or other electronic devices, if they are used for board business.

In addition, directors may have a duty to preserve electronic information that is relevant to pending or anticipated litigation. If a judge or jury finds that directors destroyed documents or deleted emails or other information, even from their personal accounts, the judge or jury may infer that the content of those deleted items would have been unfavorable to the directors or to the company. This type of "adverse inference" can of course be very damaging in litigation.

The No's of Note-Taking

Directors must also be aware of guidelines for note-taking. Almost all information recorded during a board meeting may be subject to discovery in the event of litigation or an investigation—including directors' notes. If they wish, directors should be permitted to take notes on the board portal or by hand. They should understand, however, that notes should be taken only to facilitate the director's review of materials and remind her to ask questions—not to memorialize discussions. Further, directors should be required to deliver all notes to the corporate secretary at the end of each board or committee meeting, and the secretary should erase all electronic notes from the board portal on a regular basis.

It has been said that directors might retain their notes until they have reviewed the draft minutes of the meeting. Absent truly extraordinary circumstances, this should be left to management—the directors' obligation is not to make or keep records, including records of board processes. This also is another reason for the corporate secretary to prepare and circulate draft minutes promptly after each meeting. Although minutes may not always be ready for review within days of a board meeting, they—like fish and guests—quickly become stale.

More importantly, however, corporate minutes are part of the permanent corporate record. Minutes should demonstrate that the meeting was properly called and that a quorum was present, and they should note the directors and other individuals who participated—including lawyers, in order to establish attorney-client privilege where appropriate. The corporate secretary should also establish guidelines for the content of minutes of board and committee meetings. Corporate minutes must be accurate, complete, and readable, but they are not intended to be a complete transcript of a meeting or a record of each question asked and comment made.

The board practices of the modern era are dramatically different from those of the pre-internet age. Directors and companies should embrace board portals and other new and more secure technologies, but they must be aware of the risks of the digital environment. These matters are not merely clerical or housekeeping issues—they are critical risk-management practices.

Three Key Takeaways

  1. All directors, regardless of tenure, should be reminded regularly of corporate guidelines for board communications and the use and management of company information, whether in tangible or digital form.
  2. Management, not the board, is responsible for corporate recordkeeping, and even the most well-intentioned directors may put sensitive company information at risk if they fail to follow corporate protocols.
  3. While many companies advise directors of their policies on email, note-taking, and document retention, directors should appreciate the full range of possible consequences if those policies are not followed—particularly if litigation or an investigation ensues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.