U.S. embassies are still reeling from the massive leak of confidential documents revealed by WikiLeaks last November, containing embarrassing and sensitive details on dealings with world leaders and governments. So why should corporate compliance officers be concerned? Because Julian Assange, the man at the center of the controversial Website, says that the next target is Corporate America.   

In numerous interviews Assange has hinted that the site has reams of documents that could be devastating to BP, an unnamed large U.S. bank, and hundreds of other companies. And he says they could be released to the public en masse this spring or summer.

If compliance officers find the Securities and Exchange Commission's plans to pay a bounty to corporate whistleblowers disconcerting, then the threat from WikiLeaks is downright terrifying. If a whistleblower goes to the SEC, the first notice of a problem will be when a government investigator comes knocking. If a whistleblower turns to WikiLeaks, the first indication of a problem is likely to be splashed across the pages of The New York Times or The Wall Street Journal.

“We need to recognize that this is, in fact, an age of revolution,” says Keith Darcy, executive director of the Ethics Compliance and Officer Association. “There is no stopping what is becoming an increasingly transparent world.”

More than anything, WikiLeaks underscores the ease with which employees can anonymously expose massive amounts of internal documents to the public, with a simple click of the mouse. Instead of stealing boxes of paper documents, employees today need only a thumb drive, which they can easily slip into a pocket and walk out the door. Worse still, they can upload several gigabytes of sensitive data to online storage sites or cloud computing servers without ever leaving their desks.

As companies try to come to grips with the reality that information can leak so easily from their offices, many are still in the stage of assessing how, if at all, it will change what they're doing. Some are reassessing their policies on Internet use and curtailing use of social media sites that can also be an outlet for sensitive information. Asks Darcy: Do you try and ban or control social media, like China did, or try to manage it and embrace it?

As younger employees enter the workforce, it may become harder to take the former approach. Younger employees live on these social media platforms, notes Darcy. If you try and control the use of social media, “good luck trying to enforce it,” he says.

“I do think we need to train and inform employees in our organizations about the risks of these systems, the risks to the organization, and risks to them personally by exposing information or saying things that they would not want to see the light of day,” Darcy adds.

Another concern over WikiLeaks is that companies have little recourse to tell the full story, correct errors, or dispute things that are mischaracterized. Bill Prachar, a partner with the law firm Compliance Systems Legal Group, says he worries that sites like WikiLeaks will start to dictate the way companies operate for fear that the public may perceive certain decisions the wrong way. “One hopes that companies can operate without the paranoia of how it may appear on WikiLeaks,” says Prachar. But there's always the risk that something will be taken out of context, he says.

Once a leak is out, companies need to do two things: get in front of the story to set the record straight, and learn from the mistake. If it is a leak that creates embarrassment to the company, “what you have is a great learning opportunity,” adds Darcy. It's an occasion to say, “‘How can we avoid having this happen again?’”

Proactive Measures

While companies may feel helpless to avoid a leak of sensitive information onto WikiLeaks or similar sites, there are measures they can take to protect themselves from a reputation standpoint and a business standpoint.

First, the chief ethics officer or chief compliance officer position must be a senior-level position, says Darcy. “Where the role has been pushed down or subordinated, it needs to be raised up to higher levels of the organization,” he says.

Secondly, organizations need to reinforce a culture of trust. “The single biggest determinant of organizational behavior is culture,” says Darcy. “The more we can create a culture of trust, one in which employees feel a sense of shared ownership in the reputation and the brand of the organization, the better off we are.”

Companies should also communicate that whistleblowers will be protected and treated with respect. Whistleblowers will often report a problem internally before they go to authorities if they feel like the company won't retaliate against them. “The burden is on us to make sure when people speak to us internally that we act as quickly as possible to resolve and settle those investigations,” Darcy says.

Also, a centralized process should be put in place to handle all complaints. Most complaints do not go to the helpline, but to supervisors and managers, who may feel the need to conduct their own investigations. “That's a risk,” says Darcy. “We need [whistleblowers] to go to other internal channels that can better handle investigations.”

Employees also need to know about the results of the process, how calls are handled, and the consequences that resulted, “so people begin to see that there is a process and it does work,” says Prachar.

Technically Speaking

Roy Hadley, a partner with law firm Barnes & Thornburg, says that recent WikiLeaks incidents are a “wake up call” from an information security standpoint. Nothing is safe from a breach. All data, whether within e-mails, databases, internal Websites, etc., is potentially at risk. “It's just a question of what is more sensitive, and then trying to get your hands around that,” says Hadley.

DATA LOSS TIPS

Below, Mitratech provides some insights on what to do in case of a data loss:

In the Event of a Data Loss

When data loss occurs, litigation or regulatory action is possible. Therefore, all team members (legal, IT, internal auditors, compliance) must have the ability to:

Track a suspected or actual loss as an independent matter from the time the incident occurred to the time when the statute of limitations for legal action relating to the incident has expired or a time prescribed by a regulatory body;

Generate reports that summarize pending loss responses by type, regulation, geography, responsible party or other desired criteria;

Determine what actions particular employees, such as security response teams, took and when they took them;

Allow parties from other departments and business units to access the matter and add pertinent data and analysis;

Allow outside counsel, outside experts and service providers to access the matter and add pertinent data and analysis;

Allow the electronic submission of invoices in a way that prevents duplicative billing or billing for items that are contrary to the retainer agreement;

Issue, maintain and modify “holds” on data about the incident issued by the legal department, such as documentary data or communications; and

Track handling of data preserved as part of a particular legal hold.

Source: Mitratech Holdings: Data Loss Prevention, 2010.

Once you have a handle on what sensitive data you have, that's the time to assess which employees have access to what data, and whether they should have access to that data.

Choosing a software solution should always be the last step, says Scott Giordano, an attorney at Mitratech, a legal and compliance solutions provider. “A lot of times, companies will talk to technology vendors first before they even understand what their own business needs are,” he says. Instead, he advises companies to review the roles of employees and their information needs, and then build a technology platform—complete with security measures—that supports them.

To further prevent a breach, companies should have a crisis plan in place. “A lot of companies from a compliance and governance perspective don't do that, and when something does happen, they become very reactionary,” says Hadley. That crisis plan should be multi-dimensional, involving the compliance department, legal, IT, and internal audit, “so that everybody understands what's going on and can help craft those strategies.”

An ounce of prevention is also warranted. Companies want to make sure they are not doing things that could embarrass them in the first place. Compliance officers, corporate counsel, directors, and officers have the ethical duty to protect organizations from wrongdoing and to protect trade secrets, agrees Giordano. “That's something that has to be very thought out, systematic, enterprise-wide,” he says. “It has to be infused throughout the entire organization.”

Plenty of companies are embracing the new era of greater transparency rather than fighting against it. “There are no more secrets,” says Darcy. “So we must deal with that and build the kind of organizational structures and cultures that can withstand the full impact of greater transparency.”