Because two of my clients – 360 Advanced and Adsero Security – provide IT data breach auditing and remediation services, I was especially interested when I learned of how a major corporation had been so easily hacked recently.
The hackers got inside the corporation’s accounts payable department and had a pretty hefty check sent to them, which was cashed and cleared. The corporation’s vice president for information technology (IT) and his team reported to the board at its monthly directors and management meeting that “everything’s OK now.”
Is it? Could the hackers still be inside, or worse, inside the company’s vendor and partner IT systems?
Statistics show that once data thieves are in, they can hide for months undiscovered until they strike again – this time at an even greater cost to the victim and their vendors and partners. Data thieves got inside Target through an air conditioning/heating vendor and loitered at their leisure, and Yahoo! and Equifax still aren’t certain who breached them or how.
Which brings me back to the corporate board of directors. The corporation victimized by the hackers in this instance has not had an outside, third-party audit of its IT systems and data security processes and protocols by a QSA – Qualified Security Assessor. Could that failure lead to a lawsuit against its officers and directors for failure to exercise the concept of duty of care when there is another future hack? With news of major hacks every day now, should boards be more diligent in ordering management to have such audits?
The number of U.S. data breach incidents tracked in 2017 hit a new record high of 1,579 breaches, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center® (ITRC) and CyberScout®. The Review indicates a drastic upturn: a 44.7 percent increase over the record high figures reported for 2016.
“The growing prominence of cybercrime underscores the significance of cybersecurity and planning as a management issue. Given the technical nature of cybersecurity, a question naturally arises about the role that directors and officers should play,” writes John E. Black Jr., Executive Principal at Skarzynski Black LLC. “There is scant case law explaining the duties of directors and officers for corporate cybersecurity, although the number of lawsuits against directors and officers as a result of cyber breaches is rapidly growing.”
After the huge data breach at Yahoo!, a group of Yahoo! Shareholders, led by the Oklahoma Firefighters Pension and Retirement System, sued the company, its CEO, co-founder and board alleging dereliction of their fiduciary duty.
So states the Delaware Chancery Court: “It should be apparent that many failures of oversight by directors sufficient to constitute a breach of duty implicate the duty of care. Directors breach the duty of care where they act with gross negligence. In other words, where the directors are informed of potential unlawful acts in a way that puts them on notice of systematic wrongdoing, and nonetheless they act in a manner that demonstrates a reckless indifference toward the interests of the company, they may be liable for breach of the duty of care.”
According to the Legal Information Institute, “The duty of care stands for the principle that directors and officers of a corporation in making all decisions in their capacities as corporate fiduciaries must act in the same manner as a reasonably prudent person in their position would.”
With north of a 44% increase in data breaches from 2016 to 2017, one can only imagine what will happen in 2018 and beyond. I could make a pretty strong argument that since virtually every business, corporation, academic institution, hospital and any other organization that manages consumer data has a high probability of being hacked, it would be well within their boards’ “duty of care” to take preemptive action and order a thorough IT/data security audit by a qualified security assessor.
Otherwise, directors surely are on the slippery slope described above by the Delaware Chancery Court when they “are informed of potential unlawful acts in a way that puts them on notice of systematic wrongdoing, and nonetheless they act in a manner that demonstrates a reckless indifference toward the interests of the company.”
With knowledge that a breach is almost a certainty today, a “reasonably prudent person” would take appropriate defensive action to mitigate the risks. Or, would they? Some boards of directors clearly have not, and they risk ending up in tomorrow’s headlines – and in court.
Need to create a Crisis Communication Plan? Contact Clearview Communications for a confidential consultation.
The corporate communications team at the New York City headquarters of one of the world’s largest publicly-traded corporations learned the hard way recently the importance of having a well-tested crisis communications plan in place before disaster strikes.
In this case, the mock disaster was only a very realistic drill designed by a leading crisis management firm to test the global conglomerate’s ability to continue to operate after one of its major manufacturing facilities was wiped out by a fake earthquake.
As the conference room monitor/facilitator for my colleagues managing corporate communications during the drill, I watched the squirming begin with the simplest of challenges: the room’s main speaker phone wouldn’t work. Luckily, there was a wall-phone with a speaker that quickly became the go-to device for outside verbal communications. But then, the team discovered that many of the extensions they were using to coordinate communications with other members of the executive team weren’t correct.
It gets worse. The VP for corporate communications who was managing her team in my room realized there were no multi-lingual holding statements ready for the global firm’s numerous stakeholder groups worldwide. And, to her amazement, there had been no provisions made for translations.
Meanwhile, the God of Chaos entered uninvited. Members of the team began initiating individual calls and texts to their corporate and outside contacts on their mobile phones, and the chatter in the conference room became intense. Each was scribbling notes, drawing conclusions, making assumptions and giving each other and the team leader advice on next steps. It became obvious to me that the calm, disciplined teamwork required for effective crisis communications was unraveling.
Over the course of the three-hour exercise, however, the corporate communications team leader took charge and provided the necessary group focus. All realized and agreed they had to simply settle down and shoulder the responsibility of effectively informing numerous stakeholder groups of the situation for each. They eventually were able to craft initial statements for key audiences, including:
The painful lessons learned in this exercise made the team realize that trying to effectively manage internal and external communications during a corporate crisis without a well-rehearsed plan is a lot like trying to learn how to fly a plane once it’s in the air. And, the outcomes can be tragically similar.
Legal counsel and public relations counsel: oil and water? Not necessarily. We both are often required to collaborate to provide our professional points of view and expert advice to chief executive officers facing or managing a corporate crisis.
August legal counsel will often argue in favor of “no comment.” I’ll counter that polls show people view that retort as evasive, stonewalling, covering up, hiding something and, at the least, disingenuous. Further, I will argue, if you don’t comment, others will (competitors, perhaps, or critics, regulators, plaintiffs?).
As a public relations practitioner with more than two decades of senior level experience helping to guide CEOs and other top executives through crises or knotty public relations challenges, I often enjoy having corporate legal counsel on my team of advisors. Some of my best friends are attorneys.
Corporate public relations counselors and legal counsel can work especially well together when the CEO we are advising understands that he or she must receive and analyze advice from public relations and legal experts with equal weight, and then reach their decision.
One of the strongest arguments for a client to ascribe equal weight to advice from PR counsel and legal counsel is, of course, that while legal counsel may eventually be called upon to manage the outcome of a crisis in a court of law, public relations practitioners operate in real time in the very unruly court of public opinion. It has been proven time and again that what the client says and does before, during and after a crisis can often eliminate the prospect of legal action altogether. “No comment” won’t.
One of our most significant successes was achieved in a landlord/tenant dispute we kept out of court by applying a policy of open communications with homeowners after legal counsel had urged a strategy of silence. Angry about substandard construction on outdoor patio decks that made them dangerous to use, the homeowners association (HOA) leadership was threatening to sue the condominium ownership company (our client). The ownership’s legal counsel was fearful that opening lines of personal communication with individual homeowners, which we recommended, risked “saying the wrong thing” that could then be used against the company in court.
We countered that by going around the HOA and opening a dialogue with individual homeowners about the damage a lawsuit could do to their property values, salability and the property’s brand, we would be able to generate popular opposition against the pending suit.
It worked. The HOA was overruled by concerned (informed) homeowners and backed down. The suit was averted, and the condominium owners proceeded with repairs, to everyone’s satisfaction. (I recall how upset the local media was because they had been alerted to the pending suit by officers of the HOA, and when the settlement was reached, the media was left without a story.)
Here are some well-established, albeit quirky, differences between the court of law and the court of public opinion that keep seasoned public relations practitioners awake at night. We know these unrules very well, and consider them thoroughly as we provide advice to clients in crisis (and their legal counsel):