WikiLeaks, in releasing sensitive and embarrassing government information, and with the threat of a similar fate in store for a US-based bank, has highlighted the need for all businesses to consider the possibility of an employee releasing sensitive information about their company.
“Risks around security and privacy of sensitive data have been around for a long time but what the WikiLeaks phenomenon has done is create a new and highly damaging form of corporate data breach,” said Gary Anderson, managing director of global business and risk consulting firm, Protiviti.
“Organisations are reasonably aware of the need to protect information subject to tight privacy laws such as credit card data, personal financial information, health records and the like. WikiLeaks, however, has shown that a slew of other non-regulated data could also be very damaging to an organisation’s reputation if disclosed.”
Mr Anderson says businesses need to have a comprehensive data governance policy and process to manage the organisation’s information throughout its life cycle – from creation or acquisition, all the way through to disposal or destruction.
“Few organisations take a lifecycle view and therefore fail to do data governance effectively. Organisations are often also embarrassed when they find out the information they’ve kept unnecessarily for years is admissible in court proceedings. Not having a data governance program is expensive in the long run, complicates the management process and now, thanks to WikiLeaks, creates an extra layer of reputational risk and liability exposure”.
The recent promise by WikiLeaks founder Julian Assange to release information about a US bank, which he claims will shed light on a culture of unethical practices and corruption from the highest ranks down, shows just how easily internal information from within a business can be exposed externally. It has prompted a frantic scramble by the bank’s staff to stave off an imminent crisis.
“WikiLeaks has opened up the universe of anonymous leakers so that every hacker and disgruntled insider is a potential threat. With what’s at stake, directors, executives, general counsel and risk managers would be well-advised to investigate what type of data governance framework exists within their organisation and ensure they are absolutely satisfied it’s up to scratch”, said Mr Anderson.