Cybersecurity: Is the Internet a Legal Issue for Cooperative Boards?
This article summarizes a presentation given before the Coordinating Council of Cooperatives on April 13, 2019.
Introduction
As more and more of the activities of cooperatives are intertwined with the Internet, the legal issues arising from that relationship continue to evolve and become more complex. It is important for Boards of Directors to consider the effects and put in place policies governing numerous issues related to the Internet, such as Board of Directors communications, building webpages, building, infrastructure, and even something as simple as the use of cell phones.
It is important for Boards of Directors to consider policies governing the use of Internet communications among themselves, shareholders, and outside third parties.
Recommendations
As a starting point, we recommend that individuals serving as directors create a separate and dedicated email address for their cooperative communications. It is preferable that the cooperative set up its own secure Internet group with restricted access so that email communications between directors is controlled and protected from distribution. In addition, by using their personal email addresses directors open those accounts to electronic discovery in some litigation circumstances.
IT Security
Another issue for boards to consider is security; a great deal of proprietary information including information about individual shareholders and their finances is transmitted between the management and the Board of Directors. This creates a serious security concern both of the IT system being used and the more serious issue of carelessness or misuse by directors. It is important that the cooperative has a reasonable IT security system in place, and the board should consult with its manager as to whose and what system is being utilized. More important is that the board has a clear policy about control and security of information provided to board members so that they are forewarned of this issue; and should there be a breach, that there is a defense that the cooperative took reasonable efforts to protect the information. This type of protocol is extremely important, as evidenced by the case of Biondi v. Beekman Hill House, where a board member’s discriminatory intent was evidenced by an email and resulted in a substantial cash award, which the individual board member had to pay. His disclosure was not covered by the insurance company because it was intentionally discriminatory.
Employee Policies
Cooperatives should also consider having written policies for building staff and personnel related to the Internet. This will protect the cooperative from liability arising from an employee’s misuse of the Internet, illegal activity, pornography, etc. It also is beneficial in managing day-to-day employee issues. It is easier to write up an employee for misusing the Internet if there is a policy clearly outlining what is and is not allowed, i.e., the employee who watches Netflix all day.
Internal Communications
If a cooperative has a webpage or has a building-wide Internet system for communicating between shareholders and employees and in some cases the entire shareholder community, it is important that the board formulate a policy governing this as well. Cooperatives that have an open webpage or Facebook pages are painfully aware of how quickly dialogue between shareholders can spin out of control. This is especially true for directors, who often are the victims of horrendous personal attacks from shareholders. The general perception has been that the cooperative or Board of Directors had no recourse against these allegations; however, a series of recent cases has indicated that individuals engaging in abusive behavior may be subject to slander and libel laws for their behavior. (Trump Four v. Bezvoleva and Harway Terrace v Shlivko)
Conclusion
In considering the numerous security and personal issues involved with the board’s use of the Internet and emails, it is important that boards consider both how best to utilize the Internet and how to protect themselves from it and from misuse by directors and shareholders. Boards may also wish to consider a review of their insurance policies to see if cyber and Internet issues are covered under their current policies, and if not, whether a specific Internet policy could be beneficial.