WikiLeaks Leader Signals That Private Industry Disclosures from Corporate Whistleblowers Will Be Next
With Julian Assange safely in British custody for sexual assault charges in Sweden, and with calls for the U.S. to charge the WikiLeaks founder and leader with espionage for publishing hundreds of thousands of classified Defense and State Department records, how concerned should private industry be about WikiLeaks or other similar, decentralized cyber organizations? Plenty – at least, according to Assange and others who have been involved in, or who have been following, the so-called cyber “transparency” movement. According to a Forbes magazine interview of Assange in November, WikiLeaks routinely receives thousands of daily leaks and is currently sitting on a trove of leaked records from banks and financial services, pharmaceutical, health care, tech, energy and other private companies. Plans to make “mega-leak” disclosures of such documents are in the works, according to Assange. Such mega-leaks, even if targeted at one entity, may contain sensitive information about other organizations, creating a “multiplier” leak effect. (The very recent disclosure, reported by the Guardian, relating to Pfizer’s Trovan clinical trials in Nigeria in the mid-1990s is one such example.)
Capturing and prosecuting Assange is one thing. Shutting down WikiLeaks is another thing altogether. So far, at least, the U.S. government has been unable to stop WikiLeaks from publishing even the most sensitive U.S. records. Moreover, Assange has taken steps that make shutting down the organization an exceedingly difficult, if not impossible, task, including ensuring that WikiLeaks personnel and servers are located throughout the world and providing his cohorts with copies of critical data. However, even if WikiLeaks’ operations could be shut down, the problem of government, company, and agency leaks won’t be going away. Established online message boards, such as “Cafepharma.com” for the pharmaceutical industry, WikiLeaks copycats, and successor organizations make clear that the age of “involuntary transparency” is here to stay.
Particularly troubling for private companies is what can happen when a disgruntled employee decides to leak hundreds or thousands of sensitive documents to an organization like WikiLeaks. Corporate whistleblowers will have the ability not only to complain anonymously about their employer, but to download as many documents, sensitive or otherwise, as they can access. Such “leaks” will no doubt capture the attention of the qui tam bar and the U.S. government.
As we discuss in more detail below, it will be more important than ever for a company worried about protecting its sensitive records to enhance its internal risk assessment programs to account for “leaking” and to develop the kind of policies, processes, and internal controls necessary to guard against the reputational and legal consequences that come from having the company’s most confidential records highlighted in newspaper or electronic print.
How We Got Here
Although most Americans hadn’t heard of WikiLeaks before recent events catapulted the organization and its founder into the limelight, cyber-transparency has been around since the turn of the century and has grown exponentially ever since. In its first decade, the Internet went from email accounts and BlackBerrys to message boards and “chat rooms” (hosted by Microsoft, Yahoo, AOL, CompuServe, etc.). These were followed by social networking sites (like MySpace and Facebook), personal blogs and sites related to job-seeking (e.g., Monster.com), professional networking (e.g., LinkedIn.com), industry gossip (e.g., Cafepharma.com), and broad-based message boards that foster anonymous employee comments and complaints about all companies (e.g., Glassdoor.com, Vault.com, and Jobvent.com).
When WikiLeaks began publishing information in 2006, it capitalized on two developments: (1) the nearly complete digitization of modern records and (2) an underground movement for “radical transparency.” Unlike Glassdoor.com and Cafepharma.com, which can foster whistleblowing in the form of isolated complaints and thread discussions, WikiLeaks has raised the whistleblowing stakes to an entirely different level through its ability to receive not only the complaint, but voluminous records in support of the complaint. Such records provide far more disclosure than an isolated message board posting or thread, and may also serve to establish the authenticity of the complaint. By establishing relationships with mainstream media providers, WikiLeaks can provide the information it receives to a mass audience. And, given WikiLeaks’ extraterritorial presence, limiting disclosure becomes nearly impossible.
The Best Defense: Go on the Offensive
So, what can a company with a high volume of sensitive records do to protect itself from embarrassing revelations and reputational harm; from becoming another high-profile story in the media; or worse, from being named a defendant in a government investigation or whistleblower lawsuit? While it is impossible to ensure that a motivated, skilled, and disgruntled employee will never be able to export sensitive records to a WikiLeaks-type organization, there are several steps senior management can take to minimize the threat and to assure the company’s investors and stakeholders that senior management has acted responsibly in safeguarding the company’s assets. We recommend the following actions:
- Conduct a well-designed risk assessment to identify any weaknesses in IT security, including identification of those employees with access to sensitive records. If necessary, retain a firm with technical expertise in conducting such a risk assessment, and if management suspects that the findings may be troubling, consider using qualified outside counsel.
- Design a Risk Mitigation, Remediation, and Audit Plan to address risk assessment findings and submit the plan to the company’s Audit Committee for approval. Although each company’s plan is unique, all good plans should address and/or enhance the following:
  - The company’s policies and procedures related to privacy, confidentiality, IP, social networking, internal reporting (i.e., the company’s “open door” policy and “hotline”), and records management and retention.
  - Training on such policies and the company’s code of conduct.
  - Processes and internal controls related to, among other things, the classification of sensitive records, employee access to such records, and data transfer.
While not part of the Risk Assessment and Remediation Plan, another thing a company can do to minimize damage is to avoid having disgruntled employees in the first place. For example, when a company finds more negative posts about itself on a message board like Cafepharma.com than on its own hotline, the company may wish to consider creating its own internal and anonymous message board where employees feel free to post anonymous comments that they know will be viewed by colleagues and management. As with any effective compliance program, employees who feel that they can be heard without fear of retaliation are less likely to want to air the company’s laundry on a message board or toss it into a WikiLeaks hamper.
Fish & Richardson’s Government Investigations and False Claims Act/Qui Tam Practice Groups are experienced in all aspects of federal and state investigations, whistleblower lawsuits, and risk management and compliance matters. Please visit our web site for more information.