Information Technology Navigator

Tips, Advice & Insights from Technology Pros

Why Boards and C-Level Executives Are Sailing in Dangerous Waters

Posted by Steve O'Neill, Esq.

Fri, Oct 30, 2015

C-level guide to Data Governance

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance. It warned in stark terms:

Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i]

As enterprises have shifted to digital systems where workflows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk. Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel. While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available to be of real value. 

"The value and integrity of these systems has become ever more fraught with risk"

The proliferation of information assets in volume and type is unprecedented in history. Many of the management processes for creating, transmitting, storing and destroying paper records in a bygone era do not convert well into the digital information world – with retention of email being the most notorious example. Not surprisingly, today’s enterprises strain to cobble together legacy paper records management systems together with a variety of policies and SOPs governing digital information. These other policies were likely developed independently (in “silos”) and not in concert with an overall information governance strategy. The range of such policies is broad and involves ever-changing technical, legal, human resources and other expertise:

  • Document retention policy
  • Records retention schedules
  • Code of Ethics
  • Email retention policy
  • Audit and compliance
  • Employee use of technology
  • Information Security
  • Privacy
  • Social Media
  • eDiscovery and Legal Hold
  • Bring Your Own Device
  • Outsourcing to Cloud
  • Home Computers
  • Backup
  • Disaster recovery
  • Regulatory reporting

How does a business enterprise purport to comply with all of these non-integrated and inconsistent policies? When employees at all levels are the individuals who create, store and manage valuable records and information assets, what could possibly go wrong?

"Is it reasonable to expect individual employees who create, transmit, modify and store information assets to reach out to the General Counsel for guidance as some policies direct?"

Many organizations attempt to cover their information assets by asserting in a written document retention policy or corporate code of ethics that employees are required to comply with all applicable policies and laws. Some examples of this practice are listed below:

Policy Mandate Responsibility Source
“It is the Company's policy to comply with all applicable laws, rules and regulations." “It is the personal responsibility of each Netflix Party to adhere to the standards and restrictions imposed by those laws, rules and regulations, and in particular, those relating to accounting and auditing matters.” (Netflix Party includes all employees)
Netflix Code of Ethics
“Employees, while acting on behalf of the company, must comply with laws, regulations, and our own policies and procedures even if conduct prohibited by our policies and procedures is otherwise legally permissible.”   “Employees are required to read, review and understand the Code and to help ensure that others do so as well. Failure to comply with the Code may lead to discipline of up to termination of your employment, significant fines to you and Lowe’s, and criminal sanctions by regulatory authorities.”
Lowes Code of Business
Conduct and Ethics
“Some laws affect everyone, such as those concerning equal employment opportunity and occupational health and safety. Other laws primarily affect employees and Contractors in particular roles, such as those concerning the operation of our transportation networks, financial reporting and customer service. The laws that govern our activities may be complex, but ignorance of the law does not excuse you from your obligation to comply.” “The Code applies to every director, officer and employee of FedEx Corporation and its subsidiary companies throughout the world. You should read this Code together with any other FedEx policy, manual or handbook that applies to your job.” 
FedExCode of
Business Conduct and Ethics
“The law requires us to maintain certain types of corporate records, usually for a specified period of time.”   “We expect all employees to fully comply with any published records retention or destruction policies and schedules . . . “ MidasDocument RetentionPolicy (2011)

Realistically, is it reasonable to expect individual employees who create, transmit, modify and store information assets to reach out to the General Counsel for guidance as some policies direct? 

Perhaps the lesson for Boards and their C-Level executives is that even a perfectly worded set of Information Governance policies, which attempts to place responsibility for management of information assets on every employee, is inadequate unless it is accompanied by vigilance, training and a business culture that harmonizes ethics with the bottom line. Without commitment and guidance from the top of an organization, policies are window dressing. In a 1988 interview commenting on the role of the chief executive on ethics in government, Governor Michael Dukakis immortalized the phrase: “A fish rots from the head first.”

"Without commitment and guidance from the top of an organization, policies are window dressing."

Given the growing risks of financial, information security, legal and reputational harms resulting from poor management of information assets, directors and executives need to do more than “have” a policy to comply with their fiduciary duties. Responsible and cost-effective Information Governance (aka Data Governance) programs can be implemented in phases utilizing existing technologies. Legal, IT, security, compliance and Records & Information (RIM) policies can be harmonized through a cross-disciplinary effort. But without an unmistakable mandate from the Board and C-Level team, information governance initiatives will die the death of a thousand meetings, employees will resist necessary change management, the results will amount to more window dressing and those at the top will still be sailing in dangerous waters.



[i] Book published by Business Law Section of the American Bar Association: E. Michael Power & Ronald L. Trope, Sailing in Dangerous Waters: A Director’s Guide to Data Governance 1-2 (2005)