10 Questions Board Members Should Ask Management to Mitigate Their Company’s Risk of the Next WikiLeaks Scandal
by Heather Egan Sussman and Obiamaka P. Madubuko, McDermott Will & Emery LLP (source: www.boardmember.com)
By now, nearly everyone has heard of WikiLeaks and its reported plans to release damaging information about U.S. corporations and their executives in 2011. To add to this chilling forecast, copy-cat websites like OpenLeaks, RadioLeaks and LocalLeaks, are now popping up around the globe offering their own online platforms for whistleblowers to release damaging information about their employers. The net effect will be to make anonymous publication of sensitive corporate information easier, safer and, thus, more widespread. To respond to this emerging threat, board members should ask management these 10 simple questions to gauge whether their company is taking the right precautionary steps to mitigate risk in advance of the next public disclosure scandal.
1. What kinds of sensitive data do we use in our business?
Before a company can adequately protect its sensitive information from public disclosure, it first needs to know what types of data are used in its business processes and who has access to this information. Assessing how data flows throughout the organization is the first necessary step toward building effective protections around that information. If management has not yet performed this critical analysis, the risk of a damaging leak may be greater than they think.
2. Do we have an effective privacy and data security program in place?
The most effective privacy and data security programs take a holistic approach to protecting information. After all, a business can have the best firewall protection in the world, but this does not prevent an employee from walking out the door with trade secrets in his backpack. Effective privacy and data security programs integrate technical security measures (e.g., network protection) with non-technical measures like physical safeguards (e.g., restricting building access) and personnel controls (e.g., training to avoid “social engineering” traps).
3. Who is in charge of privacy and data security at our company?
Companies should consider appointing one or more trained privacy professionals to serve as the company’s Chief Privacy Officer. Many companies simply rely on the IT department to handle the complete privacy and security program. This can be a critical mistake, however, if the department fails to implement necessary non-technical security measures that can be equally important in preventing theft and loss of data.
4. What is the state of our internal reporting system?
Another way to mitigate the risk of external leaks is by having in place a strong internal reporting system. Companies should encourage employees to report concerns through a whistleblower program or other anonymous reporting method, promptly investigate complaints received and adopt strong anti-retaliation policies to protect those who make internal reports. Encouraging internal reporting is a hallmark of any effective compliance program, which can be a first line of defense against unwanted leaks.
5. How do we incentivize internal reporting?
Companies should recognize and reward compliance-driven individuals and include compliance-related goals in performance reviews and compensation decisions. Rewards may be monetary or they can include recognitions, intangible benefits, or additional perks like days off. If an employee feels like their report will be taken seriously or can be made without fear of retribution or penalty, internal reporting becomes the more desirable option.
6. Who runs our whistleblower compliance program?
To create a robust compliance program, companies must set the tone from the top down. This includes having a strong code of ethics endorsed by senior management, establishing clear rules and enforcing them fairly and consistently. In addition, the company should appoint someone to oversee the program, like a Chief Compliance Officer who will be accountable and keep the Board informed about the program’s effectiveness.
7. What hiring practices do we use to protect against bad actors?
Even the best infrastructure can be vulnerable when bad actors infiltrate the ranks. To mitigate this risk, companies should conduct thorough background checks of candidates in accordance with state and federal laws. Companies should also require their employees, contractors and vendors to enter into confidentiality agreements and then consistently enforce these agreements so the message is clear that the company will vigorously protect its assets.
8. Are we prepared with a litigation strategy?
Companies can prepare a litigation strategy in advance of a leak scenario to avoid being caught unprepared. Knowing what legal options may be available, including possible injunctive relief and monetary sanctions against those behind the leak, then assembling the right legal team to litigate these matters, can save precious time in the event of a public leak.
9. Do we have a media plan in place to control the impact of a leak?
Equally important is having a media plan in place for communicating with key stakeholders, including employees, customers and investors, in the event of a public disclosure scandal. Preparing in advance a messaging strategy and determining who will deliver the message can also help control the impact of an unwanted leak.
10. Have we performed a risk assessment to analyze our areas of greatest exposure?
Finally, companies need to stay ahead of the curve by conducting periodic risk assessments to make sure they are protected against possible leaks. Privacy and data security protection questions should be part of routine audits undertaken at the company and any identified weaknesses should be promptly addressed.