Director Nightmare #2: Cybersecurity

May 31, 2013

It’s no wonder cybersecurity is the #2 issue that keeps corporate directors up at night. The news abounds with stories about Chinese cyber espionage, overzealous Department of Justice probes, multi-million dollar ATM thefts, crippling denial of service attacks and leaks from social media and “rogue” employees. In some respects the public is numb to all this (unless that was your credit card number that was broadcast). But directors are and should be worried. The Internet can be a risky place.

The threats may seem overwhelming. How can a company avoid the global spread of malware? Don’t the Patriot Act and FISA allow the feds access to a company’s records without its knowledge anyway? Won’t overseas companies copy your products somehow no matter what? What is Twitter about?

The reality is that cyber risks can be thwarted and mitigated with good security risk management programs and IP protection programs. These programs aren’t just about having the latest technology. Proper use of technology and company data by people is the key. In fact, employees, not bad technology, are the source of 56% of data breaches, according to a hospital survey. Breathe: employees are trainable.

Changes in technology are a factor, however. The cloud, smartphones and social media are new avenues for company data delivery, access and storage. A company’s internal IT security protocols are important but becoming less relevant as more data moves to the cloud. Yet, another survey showed that only 50% of company IT security professionals reviewed the security practices of the cloud and SaaS providers that their company uses. Like employees, cloud providers have varying levels of sophistication and attention to data security. That’s a lot of unassessed risk.

Next, more employees use their own smartphones and tablets to access the company systems, creating zillions of copies of company data on uncontrolled devices. Well, uncontrolled at 76% of companies, since only 24% report having BYOD (bring your own device) policies. Even company-issued devices don’t necessarily come with security guidelines.

Social media, meaning Facebook, Twitter, Pinterest and the like, are the electronic versions of newspapers and press releases – except that they are used by lots of employees, reach many more people and are instantaneous. Directors who are used to all company statements being carefully crafted through the PR department may find their company’s use of social media frightening. And, if the company doesn’t have a policy for social media use, it may be at risk for leaks about company strategies or misinformation about products, not to mention embarrassments like photos of drunken staff parties. Social media is a very easy way for employees and customers to spread information that represents the company. It is a great marketing and advertising tool but needs management to avoid damaging a company’s brand or worse.

Net, if a company’s internet use or email policies were written in the nineties, it’s time to give them a fresh look. And policies alone don’t fix things. A full compliance program which includes education, auditing and enforcement is required.

Ultimately, not all cyberthreats can be prevented. Directors sleep better if they know the company is prepared to manage a data security breach. While 63% of the directors surveyed felt comfortable that their company could manage a data security breach, they weren’t so happy with their companies’ crisis management plans. Those plans encompass such catastrophes as cyberattacks and natural disasters that shut down operations and corporate disgraces like tainted products, oil spills or executive fraud. 57% of board members said that they had reviewed their company’s crisis management plan within the last year, but only 34% said that they were very comfortable with the plan. 30% said they were not at all comfortable with the plan, the company had no plan, or they didn’t know if the company had a plan.

Corporate boards aren’t responsible for the day-to-day risk management of the company. But, when they hear about the cyber theft and cyber crises around the globe, they must know their company is prepared. A modern data security program, IP protection program and crisis management plan can significantly reduce threats from lazy or malicious employees, unsafe devices and rogue cloud installations.

Directors should be leading the charge when it comes to acknowledging cybersecurity. Regardless of their technical backgrounds, directors should be asking the right questions of their leadership to ensure key company threats are addressed. If the company isn’t able to address these issues internally, then it needs to bring in resources to take an objective look and implement best practices in the industry. Proactive risk management should result in a boring outcome, meaning there are no cybersecurity crises. It definitely beats the alternative.

Colorado Secretary of State Throws a Bone

December 3, 2012

Colorado was one of the states that made a frantic search for illegal voters, turning up about ten, maybe, and scaring thousands (we went blue anyway). And our Secretary of State is now under investigation for spending state funds to go to the Republican National Convention. Now, whatever his motive, he has temporarily dropped the online filing fees for all state business filings to $1 (with a few minor exceptions). Can’t argue with that one. See more details here: A gift for business from the SOS.

Why Corporations Behave Badly

November 14, 2012

I once worked for a company whose slogan was “Working for Shareholders”. As an employee, I thought it was a callous motto but at least they didn’t pay us lip service with such platitudes as “Our employees are our greatest assets” or “Customer satisfaction is our number one goal.”

In fact, as a public company they were only restating their legal obligations. Any company’s foremost obligation is to its shareholders. The directors and managers are assigned the task of creating value for them by law. So, does this mean that companies have the obligation to cut corners, pollute and take advantage of their employees if it creates more “value” for the shareholders?

Of course, companies also have the obligation to comply with other laws which limit those bad acts. But these are the regulations that bring out the free market radicals. According to this philosophy, the free market will punish those companies that pollute, produce dangerous or shoddy products or abuse their employees. Unfortunately for them, history has not supported this approach. Unfettered corporate greed has no doubt created some bad consequences for some actors, thinking back (not so very far) to several market crashes. But workers, customers and society usually pay the price.

So it’s this requirement to create value for the owners that makes corporations resist new health care mandates, environmental regulation, safety precautions, employment rules and all those other “nanny state” traits – and which is exactly why we need them. Prior to the rise of unions and wage and hour laws, companies used to hire children, make them work 12-15 hour days under dangerous and unhealthy conditions and pay them pennies. Adults weren’t treated much better. Companies that did not take that approach had a hard time competing (and employees didn’t have better choices), so the market wasn’t going to correct them. It took laws to make them stop, despite the efforts of union-busting Pinkerton agents. Unions have lost relevance to most of us, but we should remember that they did us all a great service once upon a time – that is, unless you are only an investor and have never worked for a living.

The loudest corporate defiance since the election has been about Obamacare, where a few companies (e.g., Papa John’s Pizza and Applebee’s) have already announced that they will have to fire employees instead of providing them with the required health insurance (or paying the measly fine). If this is really what they need to do to create value for their shareholders, then this is what their corporate charter requires. So far, it doesn’t seem to be affecting Domino’s, Denny’s and other large restaurant chains. And for those of us who would rather frequent a locally-owned restaurant, the 50 employee threshold on the health insurance requirement will actually make them more competitive.

Environmental regulation is often cited as a reason that Democrats are bad for business. Making companies take expensive steps to keep waste from polluting the earth is in contradiction to creating the most wealth for shareholders. But, some companies have learned that creating less waste decreases production costs, thereby increasing net profits – too bad finding ways to decrease waste wasn’t important until waste disposal became a legal issue. And, it took a lot of damage to the earth before most people became aware that something needed to be done about stewardship of our planet.

The recent announcement by Murray Energy that the Obama administration’s “war on coal” is forcing that company to lay off employees misses the bigger picture – the market impact that cheaper, cleaner natural gas has had on the coal industry and the fact that the Clean Air Act was signed into law by Richard Nixon. The first rules regulating mercury emissions from coal-fired power plants were issued in the 1960s, which led to development of far more power stations fueled by alternatives to coal. This has been coming for fifty years. It appears Charles E. Murray was literally banking on Romney bailing out his already failing industry. Maybe we should appreciate that Murray Energy has hung on so long under these market conditions.

And the list goes on with other regulatory categories. The tension is built into our corporate code when “value” is only interpreted to mean monetary wealth. However, if shareholders accept that “value” includes social responsibility, corporations don’t have to behave badly to create value.

Cindy Wolf is a Colorado lawyer with more than 25 years’ experience representing large and small domestic and multinational companies. Her expertise is in corporate law and commercial contracting, with an emphasis on technology licensing and the Internet. She can be reached at

This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.