I am currently teaching two fully-online graduate courses in Marist College's master's program in integrated marketing communication. One of the courses is COMI 610 Social Media Strategies and Tactics. This week, COMI 610 students and I have been reading about and discussing a variety of topics related to privacy and security in social media and other forms of Internet or computer-mediated communication.
We have been having a fascinating exchange of information and ideas about this topic on Facebook, Twitter, Pinterest, and our own course Web site. Here is the latest issue in this interesting series of news and feature stories: the question of whether or not organizations (especially publicly-traded companies) have a legal, or at least moral, obligation to report cyberattacks (e.g., hacking) against them.
According to The New York Times, "Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users’ e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems" ("An Eerie Silence on Cybersecurity," Editorial, February 26, 2013).
Apparently, there is a silent majority of organizations in this country and elsewhere that remain mum about the constant cyberattacks (hacking) against them. The rationale seems to be "fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government" ("An Eerie Silence on Cybersecurity," para. 1).
Protecting information about cyberattacks might be sensible if you are investigating the crimes and want to avoid tipping your hand to the bad guys that you might be on their trail. On the other hand, witholding information from shareholders could be a crime itself. In the United States, state and federal agencies mandate the reporting of breaches in personal information security.
For instance, the U.S. Securities and Exchange Commission has reminded organizations registered with the SEC of their obligations to provide the public with information about cybersecurity risks and cyberattacks:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. (Division of Corporate Finance, U.S. SEC, CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 18, 2011, para. 7).
Furthermore, U.S. private and public institutions have over our nation's history assumed a social responsibility to provide audiences with accurate and timely information on matters of public interest. Ivy Ledbetter Lee, often called "the father of public relations" in the United States, stated at the turn of the 20th century his concept of public relations:
In brief, our plan is frankly, and openly, on behalf of business concerns and public institutions, to supply the press and public of the United States prompt and accurate information concerning subjects which it is of value and interest to the public to know about. (Ivy Lee, Declaration of Principles, 1906, para. 5)
The U.S. Department of Defense, like many other federal agencies, also advocates a free flow of information, constrained only by the need to protect operational security and the safety of DoD personnel and their families. According to DoD principles of information, like the principles of Ivy Lee, the defense department has an obligation to
Ensure a free flow of news and information to the news media, the general public, the
internal audiences of the Department of Defense, and the other applicable forums, limited only by the security restraints. (DoD Directive 5122.05, 2008, Responsibilities and Functions, para. d.)
In fact, the U.S. Department of Defense strictly prohibits the witholding of information solely for purposes of avoiding embarrassment or criticism. The DoD information principles state clearly, "Information will be withheld only when disclosure would adversely affect national security, threaten the safety or privacy of the men and women of the Armed Forces, or if otherwise authorized by statute or regulation. (DoD Directive 5122.05, 2008, Enclosure 2, para. d.)
I support The New York Times' position that withholding public (versus legitimately classified) information about cyberattacks undermines the public trust in our nation's institutions and weakens our security. By disclosing information about cyber attacks, organizations can keep publics informed while also sharing valuable information with other organizations who might be under attack. Such information sharing and collaboration might actually strengthen security and prevent against future attacks.
And in a profession that acknowledges "perceptions are reality," public relations officials for organizations should remind their executives that protecting the public trust is every bit as important as protecting against cyberattacks. Even if a company succeeds in fending off a cyberattack and withholding this information from its publics, in the end the organization will lose valuable trust if it tries to avoid embarrassment or criticism by creating a false perception of security.
True security comes in the form of trust -- or perceptions that are based on reality. Trust is based in part on our confidence that an organization will do what it says it will do when a) it safeguards our interests and b) tells us when our interests are threatened.
It's time for organizations to heed Ivy Ledbetter Lee's century-old advice and provide their publics with prompt and accurate information on matters that are of "value and interest" to us. Draw a sharp line between matters that are truly security threats and other matters that are simply risks of embarrassment or criticism.
ADM Leighton W. Smith, Jr. |
Given the severe penalties that the SEC can levy on organizations regarding the release (or not releasing) information I wouldn't say that organizations are 'eerily' silent. Rather, I think they are 'not surprisingly' silent. Generally speaking, organizations are weighing every cost associated with the release/don't release decision and taking the road that would cost them less. Often times the path chosen is the one where the less said, the better. That doesn't bode well in the eye of a suspicious public. But, in a lawsuit happy society the goal becomes mitigating any and all exposure. At the end of the day, follow the money.
ReplyDeleteThanks for the comment, George. You make some good points about the tightrope that publicly-traded companies have to walk in terms of SEC information guidelines. And I agree with your assessment of the need to weigh the legal pros and cons of releasing or withholding information.
ReplyDeleteHowever, keep in mind that lawyers and public relations (or IMC) counselors need to work together on such decisions. A decision that could be deemed "legal" according to the rules might not be ethical or even sensible. In addition to legal considerations, leadership must also consider factors like public trust and organizational reputation when making decisions about releasing information.
For instance, consider the hypothetical risks involved with a decision to not inform me, a loyal customer or shareholder in Company XYZ about a cyberattack that could threaten the security of my personal data. The company has an ethical, if not legal, obligation to warn me.
What happens if it don't warn me and my identity is stolen, or someone starts withdrawing funds from my account. I might consider suing, along XYZ, with everyone else that was affected, in a class-action suit that could be costly to XYZ. So yes, I will follow the money, but if I win the money flows from XYZ to me.
Best case, I don't lose my identity or any of my money but, the situation was a wake up call ... so I lose confidence in Company XYZ and I withdraw my investments, business, stop buying its products, etc. ... and its stock value declines, sales drop off, etc.
XYZ needs to mitigate that risk by having a plan to inform me of a cyberattack.
There is another problem with "rules," as well. Do they have "teeth," or are they enforceable? The SEC guidelines I referenced in my post come from SEC's Division of Corporate Finance. So, the guidelines fall well short of enforceable federal laws. They are not even "guidelines" in SEC vernacular, which provide strong incentives to comply, but are not enforceable either. So, Company XYZ would not be compelled to follow these suggestions about releasing information. Consider the following "supplemental information" provided in the SEC document that I referred to:
"The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content."
Talk about a "paper tiger" ....
Mark
Hi Mark. I agree with your argument that companies have an obligation to disclose cyberattacks to shareholders. Trust and transparency are vital parts of maintaining relationships. If I were a shareholder and my private information were compromised, I would want to know. And know what is being done about it.
ReplyDeleteI understand that companies worry about negative public reactions, but taking responsibility and explaining how you will prevent attacks in the future help build credibility and trust as well. How a company deals with crisis says a lot about them.
You mention that disclosing information could tip off the bad guys. These situations can be dealt with like other crimes, where only important information is initially released. Other information could be temporarily withheld pending an investigation. I do think shareholders may be relatively understanding.
Cybercrime is not something new, and it is going away any time soon. There needs to be a standardized way to deal with it, and shareholders need to know what they can expect from companies.