Whither Confidentiality? WikiLeaks and Business
Don't spend time worrying if your firm will suffer a data leak; instead, assume it will happen and ensure you're prepared to minimize the damage
This post was written jointly with Joey Borson, a corporate controls expert.
The recent “leak” of more than 90,000 pages of classified military and intelligence documents released by WikiLeaks is yet another reminder of corporations’ vulnerability to data leakage. Governments and corporations face the harsh reality that they no longer live in a world where confidentiality is assured, much less assumed. The costs of such unexpected disclosures – in terms of liability and reputation – are very difficult to anticipate and may be impossible to prevent in the traditional sense. And without the ability to seal off confidential data with any confidence, companies need to move from a mindset of prevention to a mindset of contextualization – explaining the company’s position to a sound bite-hungry public.
We’re not saying that thorough data management efforts aren’t important, but one of the lessons of the WikiLeaks incident is that even the most sophisticated technology won’t mitigate the risk. In practical terms, the way forward requires closer integration of corporate communication teams into enterprise risk management.
Don’t Worry About Closing The Barn Door; The Barn Door Isn’t Even There Anymore
The classic image of data theft is straight from Mission Impossible: a man crawling through a conveniently sized ventilation shaft in the ceiling, descending on an awkwardly connected climbing harness, and then surreptitiously accessing a magical computer that holds all of the world’s secrets. The reality is far more mundane.
Employees save data to flash drives, e-mail it to personal accounts, print out extra copies, take photos with smart phones, post suggestive comments on social media sites, or bring home work computers. The end result is vast amounts of unsecured data vulnerable to intentional or unintentional leakage.
Contextualizing the Message
So if companies can no longer assume perfect data security, what should they do to manage reputation risk when potentially embarrassing data does leak out – as it inevitably will? Two things: first, identify which areas of the business have the greatest reputation exposure; and, second, work with communications staff to determine how data leaks can be explained in the right context. Data management practices shouldn’t stop, but companies should not see them as silver bullets, or even as the most important reputation management tools.
- Assess Reputation Risk Potential: The most difficult part of reputation risk management is to assess the external perception of company operations. In most cases, executives “know” what company policies and projects are, have a positive image of them, and mentally downplay negative data or viewpoints. Sometimes this is an appropriate response, especially if the negative data is not particularly compelling, but many times companies won’t admit (especially to themselves) when information may be truly damning. This makes it difficult to predict how outsiders will respond and can make executives condescending and defensive when they do, feeling that third parties “just don’t get it.”
This attitude unfortunately hobbles any effective response at just the time it’s most needed. Instead, companies should look at their data and – whenever possible – get a sense of what isolated pieces might look like if leaked without context. Then they should work through an exercise of how they would put that data back into its proper context. In most cases, this exercise will be good preparation for future data leaks. And the cases where an explanation can’t be easily provided could be a signal that certain processes need changing, which is useful intelligence too.
- Work With Communications Staff: Ultimately, reputational risk isn’t something that can be mitigated just by ERM teams. Involve corporate communications staff as early as possible to determine the best way to frame and respond to data leaks. “Wargaming” may not be required, but companies need a plan for how they will identify the scope of a data leak, frame the relevant issues, escalate decisions through the organization, and share that frame with the general public.
Going forward, prepare for the inevitability of information disclosure, and change your risk management activities from a focus on prevention to a focus on communication and contextualization.