], the possibility that such a leak may occur in the near future has cost the bank considerable money. It has been reported by the New York Times that Bank of America hired the consulting firm Booz Allen Hamilton to conduct an internal investigation. The bank is looking for a needle in a haystack as employees in the finance, technology, legal and communications departments try to determine what, if any, computers or hard drives are missing or have been compromised. All this because the director of Wikileaks, Julian Assange, said in an interview last year that a major bank would be the next big target of his non-profit organization.
While such a threat couldn’t have been contemplated only 10 years ago, the digitization of our world has made it possible. That doesn’t mean that all leaks of classified or secret information are bad (e.g., the Pentagon Papers during the Vietnam War, WorldCom whistleblower Cynthia Cooper’s testimony). But the potential downside from such a release of corporate information definitely should keep the C-suite and directors up at night.
So what can boards and management do to prepare for such a risk? While there hasn’t been a lot written about this take on the Wikileaks crisis (curiously there has been a dearth of client memos from law firms), I did stumble upon a Gartner news analysis from November 2010 on data privacy and security around the time Wikileaks released the first 220 of 250,000 confidential cables from U.S. embassies.
In their analysis, Stephen Prentice, vice president and Gartner fellow, and Steve Bittinger, a research director with Gartner in Australia, wrote the following:
“In a digital age, governments or private enterprises cannot count on privacy. Any digital information is discoverable whether by the deliberate action of people inside the enterprise, the hacking of people outside, or simple human error or system failure. Disclosure is almost inevitable because:
- Material published on the Internet instantly reaches audiences around the globe.
- It can't be deleted.
- The sources who provided the information can be hidden.
Additional technical or procedural measures may reduce future disclosures but cannot prevent them entirely. Conventional computer systems connected to the Internet will always be vulnerable to external attack. And the recent Stuxnet virus demonstrated that a determined and expert hacker can penetrate any computer system, even when it is supposedly protected by an "air gap" between it and the outside world.
Government officials who take heavy-handed steps to prevent further embarrassment may fuel the public's suspicions and motivate more leaks. Private enterprises that do not prepare for leaks may suffer significant commercial damage.”
Their recommendations for private enterprises are:
- “Understand the risks associated with any assumption of privacy related to information and move toward an expectation that every action or decision will be recorded and could be made public.
- Use this WikiLeaks event as an opportunity to war-game with your business colleagues the impact that might be created by similar leaks from your own enterprise.
- Extend risk management strategies to include issues arising from the unplanned release of information. Take into account the extent to which such a release will affect the trust in, and reputation of, your enterprise.
- Consider pre-empting leaks by releasing more information yourself to increase your enterprise's transparency.
- If a leak of what you are discussing could cripple your enterprise, prevent any recording of it, including minutes typed on a computer.
- Train users on how to spot inflammatory content in e-mails and other documents.”
I’d be remiss if I didn’t draw your attention to our Sept. 20 guest blog post by Kevin F. Brady, chair of the Business Law Group and the Information Security, Electronic Discovery and Records Management Group of the Wilmington, Del., office of Connolly Bove Lodge & Hutz LLP, and Francis G.X. Pileggi, the founding partner of the Wilmington office of Fox Rothschild LLP. That post pointed out that managing electronic data, especially data privacy and data security concerns, has been elevated to C-level attention and a regular slot on the board’s agenda due to the substantial increase in costs and risks arising from these issues.
Brady and Pileggi also emphasized the impact of cloud computing and social media networking sites and software.
If you are a director of a U.S. public company, you probably had a queasy feeling in your stomach when you heard about Wikileaks’ potential next target: corporate America.
Let’s face it. If there were to be a data dump of corporate e-mails, documents and other secret information that was the size of the classified U.S. government cables released by the rogue Wikileaks Web site last year, the ramifications for that particular company could be severe. And that’s not so much because the information being leaked was confidential or top secret. It’s how the information is portrayed by the leaker and how key stakeholders and the markets react to that portrayal.
The information itself could be as minor as some embarrassing e-mails or as major as documents that could be discoverable in criminal or civil litigation. But since most IT teams, CIOs, CEOs and directors can’t predict what information might be leaked by an organization like Wikileaks or a whistleblower, for that matter, preparing for such a breach of data security becomes an exercise in crisis risk management.
The types of risks at play here run the gamut from strategic and operational risks to business model and financial reporting risks, especially if you are talking about the release of documents that might intimate a fraud has been perpetrated.
In the case of Bank of America, which happens to be the alleged target of Wikileaks [Read Forbes blog post