By: Betsy S. Atkins
Veteran venture capitalist and corporate board member, Betsy Atkins advises that in a time when company management is under intense scrutiny, securing information takes on an added importance.
Over the past year, information security has become one of corporate America’s most serious challenges. The increasingly interconnected nature of conducting electronic business, including a massive rise in telecommunications, makes it harder to track who is doing what on company systems and networks. Layoffs may create disgruntled workers who may still have access to vital electronic information. In fact, attacks from both malicious hackers and insiders gone bad are on the rise.
To date, the immediate revenue impact of security lapses, mostly from downtime of critical systems, has been well documented. According to the 2002 FBI/Computer Security Institute’s Computer Crime and Security Survey, U.S. companies and government agencies reported an annual loss of $170.8 million due to theft of proprietary information — more than any other type of attack on their computer systems. PricewaterhouseCoopers reported that hacker attacks alone cost the world economy a staggering $1.6 trillion in 2001.
But corporate America hasn’t even begun to feel the effects of a new aftershock: legal liability. Businesses will have to prove they have “best practice” security measures in place in order to avoid paying out millions in damages. There are board governance and legal aspects of security breaches. I will suggest steps organizations can take to reduce legal liability. More than ever, boards (audit committees) are required to perform stringent due diligence and are accountable for the security measures they have in place.
Mistakes and Mischief Increase Liability
One of an organization’s most valuable and perhaps most dangerous assets are its employees. They have power. They can create, access and deploy extremely valuable information to customers, partners, one another. Using this power, they can also jeopardize security, expose company files intentionally or otherwise and thus open the company to lawsuits. With power should come accountability; there’s the rub. In addition to companies filing insurance claims seeking reimbursement for losses for data leaks and data theft, we’re now seeing lawsuits within and between organizations due to accusations of hacking. This has opened the litigation floodgates. As a result, companies need to manage end users to ensure everyone’s protection.
Every day we’re seeing news stories about a major loss of confidential information from well-known organizations such as Cisco, Genentech, Hewlett-Packard and Merrill Lynch. These breaches of confidence are not only extremely embarrassing but also jeopardize the very existence of the organization. Inadequate security procedures can lead to the public disclosure of proprietary information, financial loss to business partners and customers, the spread of harmful computer viruses, and distributed denial-of-service attacks. The 2002 FBI/Computer Security Institute survey results indicate that merely installing security products does not guarantee protection from attacks. Although 89 percent of respondents use firewalls and 60 percent use intrusion detection systems, 40 percent reported attacks coming from outside the organization. Then, there are the honest mistakes. Take for example:
- Cisco released its financial results in February due to the click of the mouse. An internal memo related to the quarterly earnings was inadvertently sent to more Cisco employees than intended, and company officials became concerned that so many people had seen the information that they could be in violation of Securities and Exchange Commission guidelines, according to a Cisco spokeswoman;
- Genentech didn’t have such a happy ending in April as its shares got hammered after research abstracts prepared for the upcoming annual meeting of the American Society of Clinical Oncology were leaked. This may or may not have been intentional, but it wasn’t due to a hacker or a virus;
- And what about Hewlett-Packard CEO Carly Fiorina’s memo to her employees in March about company status that made it into many, many more inboxes than those of her employees — such as those of the press? That employee was identified and immediately fired; and
- New York Attorney General Eliot Spitzer dropped a bombshell on Merrill Lynch in April when he publicly displayed a series of e-mail messages that had been sent among Merrill Lynch research staffers. Spitzer used them as proof that analysts were recommending stocks they didn’t believe in.
These events have forced a wave of internal legal personnel and external regulators to turn up the pressure on due diligence. Organizations take risks on their intellectual assets, so it’s crucial for them to know where information is going, to whom and why. Ironically, as senior executives become more accountable regarding their corporate digital assets, they will likely turn to their technologists to solve the problems.
The Buck Stops with the Employer
Are corporations vicariously liable for the conduct of their employees? Under many circumstances, the answer is “yes.” Employee misconduct may leave companies facing liability for sexual harassment, defamation, violations of intellectual property rights (including misappropriation of trade secrets), hacking and even violations of the securities laws.
While financial gain may be the most common motive for abusing confidential information, other reasons for leaking information include the desire to run up a deal’s price, scuttle a deal or even gain prestige. Take, for example, the situation in April in which Vivendi Universal agreed to sell its Italian pay-TV operations to Rupert Murdoch’s News Corp. The deal would benefit the companies in more ways than one. If completed, it would end litigation between the two firms, including a $1.1 billion lawsuit that saw a Murdoch firm accused of corporate-sponsored computer hacking.
If anything should be made clear to corporate executives by the events over the past months, it is that the concept of putting up a wall isn’t enough. Gaining an understanding about intellectual property, where it resides and how it is moving throughout the network gives the company some chance of protecting it.
Regulatory Activity Helping to Drive the Legal Boundaries
Regulations implementing the privacy and security provisions of the Gramm-Leach-Bliley Act of 1999 and the proposed security regulations implementing the Health Insurance Portability and Accountability Act of 1996 put a framework and some elbow grease around legal issues. The GLB regulations require board and management involvement in the development and implementation of an information security program. For example, the board must, among other things, approve a financial institution’s written information security program and oversee the development, implementation and maintenance of a financial institution’s information security program.
The Health Insurance Portability and Accountability Act mandated regulations governing privacy, security and electronic transactions standards for health care information. HIPAA touches virtually all health care organizations, requiring them to reassess their computer systems and internal procedures for compliance. Breaches of medical privacy such as press disclosures of individuals’ records, network hacking incidents, patient consent issues and misdirected patient e-mails fueled this concern.
What we’re seeing is a way for a regulatory authority to force organizations to take security seriously by mandating that companies protect their intellectual assets from threats, hazards and unauthorized access.
Boards Set Policies, Management Enforces Them
After carefully assessing potential enterprise liability, including potential liability for sexual harassment, copyright infringement and defamation arising out of the misconduct of employees, companies should consider ways to reduce their legal exposure. The key for management is to develop, implement and enforce an e-mail/Internet use policy, making sure that the employer acts promptly when it learns of employee misconduct. Organizations should have defined policies on incident response. The monitoring of user behavior is legal and does not violate employees’ constitutional rights.
One approach to enforcement of an e-mail/Internet use policy is to engage in monitoring of employee e-mail/Internet usage. Generally speaking, in the United States an employer’s legitimate business justification for monitoring (e.g., guarding against improper use of a company’s e-mail system, or keeping tabs on employee productivity) will be sufficient to override an employee’s privacy expectations so long as the employer properly implements its monitoring program. Proper implementation may require companies to take policy measures and set appropriate expectations to try to prevent information leakage, such as the following:
- Include in the company’s acceptable policy notice to employees that the company owns the computer system, that all e-mails, computer files, etc. are the property of the employer, that systems are primarily for business purposes, and that the company reserves the right to review and disclose matters sent over the system and stored on the system;
- Specify in the acceptable use policy that the computer system must not be used for distribution of certain content (g., acceptable use policies often prohibit defamatory e-mail, distribution of copyrighted material, etc.);
- Be careful not to limit the basis on which the company is permitted to monitor employees’ computer use. Doing so enables workers to argue that the scope of employee consent to monitoring was restricted by company policy; and
- Require employees to sign a form stating that they have read and understand the corporate e-mail policy and agree to its terms as a condition of access to, and use of, the computer system. The form should state that a breach of confidentiality is not only a violation of company policy, but also a violation of the law if a person acts on his or her own behalf, and uses that information for financial gain and/or shares that information with others who then might act on the information.
A court is highly unlikely to conclude that an employee has a reasonable expectation of privacy in his e-mail communications when the employer has a policy clearly stating that such communications are subject to monitoring. As such, employers are free to monitor their employees’ use of their networks so long as the company does not violate labor and anti-discrimination laws, for example, by targeting union organizers or minorities.
Conclusion: Monitoring User Behavior and Assets Doesn’t Violate Any Constitutional Rights
Gaining an understanding about your intellectual property, where it resides and how it is moving throughout the network gives you some chance of protecting it. Measured use of monitoring technology can contribute to a company’s efforts to identify objectionable employee conduct before it rises to an actionable level. On the other hand, companies should be aware that pervasive monitoring could lead to employees being overly sensitive and perhaps critical about the scrutiny.
Toward this end, companies should consider various strategies to protect themselves. Simply reserving the right to monitor e-mail in the future while actually monitoring only in limited circumstances such as when monitoring is necessary to investigate reports of misuse; other steps might include establishing documentation requirements to ensure management awareness of employee behavior that may pose a risk to the company. With emerging technology evolving rapidly, only high-end analytical tools will enable organizations to keep up with the massive amounts of data they will need to analyze.