Tuesday, July 12, 2011

The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming

In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."

In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.

Consider anyone who owned stock in BSkB. I documented their bad news yesterday. And consider any innocent employees of the News of the World who are suddenly without a job. If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.

I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what the Guardian wrote on the subject around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:
Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:

"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. "Corruption was assumed as a hypothesis for purposes of the decision"."
Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded. "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration."

So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN number being guessed or social engineered.

Monday, July 11, 2011

Hacking Costs Billons in Stock Losses: 2.88 billion more reasons to enforce security policies

The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline BSkyB shares fall £1.8bn. For American readers:
  • BSkyB is British Sky Broadcasting, a satellite TV company 
  • BSkyB is like DirecTV only bigger (based on Market Cap), 
  • the Guardian is a very reputable British newspaper,
  • one British pound is worth about $1.6,
  • that share drop erased $2.88 billion from the company's value.
What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.

The owner of NOTW is Rupert Murdoch's News International (NASDAQ:NWS) which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:

Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.

So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention the victims of the hacking, like the parents of deceased soldiers and at least one murder victim.

And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been closed for good, may sue for loss of reputation by association. Victims of the hacking may sue.

All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. (If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.) 

There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.

BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this Wikipedia article is a good source. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.