Jake Frazier – Senior Managing Director, FTI Consulting & Sonia Cheng – Senior Director, FTI Consulting
As seen on ethicalboardroom.com
Information governance is often thought about in the context of IT efficiency, data security and regulatory compliance. While it is true that these are the most critical drivers for executing data governance programmes, there is an equally important factor that deeply resonates with a corporation’s board and C-suite: reputational risk.
Just as trust is a key and fragile pillar for relationships in our personal lives, it is essential – among shareholders, clients, customers and employees – for a business to thrive. Ultimately, top company leadership is responsible for managing reputational risk and ensuring that the overall direction of the company will uphold trust in the brand.
As we’ve seen countless times, failure to handle data properly often results in damaging data breaches, which, beyond legal and compliance violations, break trust and allow doubt to become part of a company’s image. Thus, it is critical that the board views information governance (IG) not only as being about compliance and legal risk, as it must be, but also as an effort to instil a high standard for ethics and privacy into the company’s culture. By embracing this mindset, a corporation’s leadership can set the correct tone from the top down, building advocacy for actionable programmes that ensure safe and responsible handling of sensitive data, as well as strong compliance and efficiency.
Because the general counsel (GC) has historically been the go-to stakeholder for dealing with highly sensitive issues – primarily for litigation and investigations – the corporate legal team is uniquely positioned to lead the charge towards proactive data governance. Given this fact, the issue of ethical obligation comes into play. In the US, federal and state laws require companies to implement reasonable security protections to safeguard personal data. There is a wide range of similar requirements around the world.
Beyond the duty to disclose, legal teams also have an ethical obligation to maintain a level of technical knowledge. In Day v. LSI Corp., in-house counsel was sanctioned for failing to document and supervise the discovery collection process and for allowing the company’s document retention policy to be ignored. In the context of IG, this is important, as legal teams must have a clear understanding of data sources and retention practices, the impact of how they choose to handle electronically stored information, and the accuracy of how facts are represented to regulators, opposing parties and the courts. Ultimately, these points illustrate that ethical obligations cannot be overlooked when considering the GC’s role in IG efforts.