In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance. It warned in stark terms:
Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i]
To say that information is an asset to business enterprises is to recognize the obvious. Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection. But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk. Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel. While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available to be of real value.
The proliferation of information assets in volume and type is unprecedented in history. Many of the management processes for creating, transmitting, storing and destroying paper records in a bygone era do not convert well into the digital information world – with retention of email being the most notorious example. Not surprisingly, today’s enterprises strain to cobble together legacy paper records management systems together with a variety of policies and SOPs governing digital information. These other policies were likely developed independently (in “silos”) and not in concert with an overall information governance strategy. The range of such policies is broad and involves ever-changing technical, legal, human resources and other expertise:
- Document retention policy
- Records retention schedules
- Code of Ethics
- Email retention policy
- Audit and compliance
- Employee use of technology
- Information Security
- Privacy
- Social Media
- eDiscovery and Legal Hold
- Bring Your Own Device
- Outsourcing to Cloud
- Home Computers
- Backup
- Disaster recovery
- Regulatory reporting
How does a business enterprise purport to comply with all of these non-integrated and inconsistent policies? When employees at all levels are the individuals who create, store and manage valuable records and information assets, what could possibly go wrong?
Many organizations attempt to cover their information assets by asserting in a written document retention policy or corporate code of ethics that employees are required to comply with all applicable policies and laws. Some examples of this practice are listed below:
Policy Mandate | Responsibility | Source |
“It is the Company’s policy to comply with all applicable laws, rules and regulations. ” | “It is the personal responsibility of each Netflix Party to adhere to the standards and restrictions imposed by those laws, rules and regulations, and in particular, those relating to accounting and auditing matters.” (Netflix Party includes all employees) | Netflix Code of Ethics |
“Employees, while acting on behalf of the company, must comply with laws, regulations, and our own policies and procedures even if conduct prohibited by our policies and procedures is otherwise legally permissible.”
| “Employees are required to read, review and understand the Code and to help ensure that others do so as well. Failure to comply with the Code may lead to discipline of up to termination of your employment, significant fines to you and Lowe’s, and criminal sanctions by regulatory authorities.” | Lowes
Code of Business Conduct and Ethics |
“Some laws affect everyone, such as those concerning equal employment opportunity and occupational health and safety. Other laws primarily affect employees and Contractors in particular roles, such as those concerning the operation of our transportation networks, financial reporting and customer service. The laws that govern our activities may be complex, but ignorance of the law does not excuse you from your obligation to comply.” | “The Code applies to every director, officer and employee of FedEx Corporation and its subsidiary companies throughout the world. You should read this Code together with any other FedEx policy, manual or handbook that applies to your job.” | FedEx
Code of Business Conduct and Ethics |
“The law requires us to maintain certain types of corporate records, usually for a specified period of time.”
| “We expect all employees to fully comply with any published records retention or destruction policies and schedules . . . “ | Midas
Document Retention Policy (2011) |
Realistically, is it reasonable to expect individual employees who create, transmit, modify and store information assets to be responsible for compliance with a combination of oftentimes inconsistent technical and legal standards? Will a lowly employee in a branch office really reach out to the General Counsel for guidance as some policies direct? What could possibly go wrong?
For many companies, a Code of Ethics is now a common policy fixture. In the wake of the Enron scandal, which also brought down one of the Big Five American accounting firms, Arthur Andersen, Congress enacted the Sarbanes-Oxley Act of 2002. While a discussion of the impact of Sarbanes-Oxley on good corporate governance is beyond the scope of this article, Section 406 of the Act required the SEC to formulate rules targeted at key employees of public companies (senior financial officers) to disclose whether the company had a written code of ethics containing standards reasonably designed to deter wrongdoing. While not a true mandate, Sarbanes-Oxley triggered the broad adoption of boilerplate codes of ethics, aimed at comforting regulators, investor relations and even the public.
Ironically, it should be noted that at the very same time it engaged in criminal wrongdoing, Enron itself had a 65 page Code of Ethics that applied not just to senior officers and managers but to all employees. It was printed in booklet form for employees to read and sign. What could possibly go wrong? Indeed, in the criminal trial of Ken Lay, Enron’s CEO, the Enron Code of Ethics was part of the prosecution’s evidence to demonstrate the difference between right and wrong.
Perhaps the lesson for Boards and their C-Level executives is that even a perfectly worded set of Information Governance policies, which attempts to place responsibility for management of information assets on every employee, is inadequate unless it is accompanied by vigilance, training and a business culture that harmonizes ethics with the bottom line. Without commitment and guidance from the top of an organization, policies are window dressing. In a 1988 interview commenting on the role of the chief executive on ethics in government, Governor Michael Dukakis immortalized the phrase: “A fish rots from the head first.”
Given the growing risks of financial, information security, legal and reputational harms resulting from poor management of information assets, directors and executives need to do more than “have” a policy to comply with their fiduciary duties. Responsible and cost-effective Information Governance (aka Data Governance) programs can be implemented in phases utilizing existing technologies. Legal, IT, security, compliance and Records & Information (RIM) policies can be harmonized through a cross-disciplinary effort. But without an unmistakable mandate from the Board and C-Level team, information governance initiatives will die the death of a thousand meetings, employees will resist necessary change management, the results will amount to more window dressing and those at the top will still be sailing in dangerous waters.
[i] Book published by Business Law Section of the American Bar Association: E. Michael Power & Ronald L. Trope, Sailing in Dangerous Waters: A Director’s Guide to Data Governance 1-2 (2005)