"Every company of consequence has people who do detective-type work in order to ferret out the sources of nefarious activities."
So said ousted Hewlett-Packard Co. chairman, Patricia Dunn, in her testimony before a testy Congressional committee investigating the company's boardroom spying scandal. I hope she's wrong, as she seems to have been about most everything related to the company's wide-ranging investigation of media leaks, but I suspect she's probably right about this one. Companies increasingly recognize the value of information assets and, understandably, want to protect them from premature or unwanted disclosure.
But I doubt many companies go to the lengths H-P did to find out who on its board of directors was revealing what it considered confidential information. So far we have learned that H-P, in addition to the likely illegal acquisition of private phone records, secretly recorded instant messages, attached spyware to a fake e-mail message sent to a journalist from a supposedly disgruntled H-P employee, and sifted through garbage. Disclosure of the investigation into the leaks has done far more harm to the company than the leaks themselves.
Worse, there was no need for cloak-and-dagger. H-P could simply have sued the suspected leakers (board members and employees in this case) for breach of written and implied duties of confidentiality. Having done so, the company could then have used the courts to issue subpoenas for the phone records, and taken depositions under oath from everyone involved. In the end they could have gotten everything they wanted, legally.
Realistically, though, suing board members is distracting and destructive. H-P's covert operations, on the other hand, were quick and efficient, ruthlessly efficient. The "investigation team" assembled by H-P's legal department at Dunn's request was a kind of posse, following time-tested techniques of vigilante justice. Posses collapse the process of investigation, trial and sentencing into one step. The appeal of H-P's investigatory methods is as plain now as it was on the American frontier, and so is the danger.
There was another way for H-P to solve the problem, however. Management could have simply explained to the board how the leaks were damaging the company and its shareholders. Of course, this approach requires a board and an executive team who all have the best interests of the company at heart. It doesn't plug leaks so much as it repairs relationships.
The moral of the story here is that when a company has its own in-house legal department, it's important for senior management to resist the temptation to use it inappropriately. Much as a company's books must be certified by public accountants, internal reviews should be supervised by outside legal counsel, and conducted in a way that won't embarrass the company if they become public. Because they always do.
So maybe it's time for a candid conversation about what the shareholders (the owners, that is) expect of your company's officers and directors. You know, a conversation about shareholder values.
Larry Downes is a Fellow with the Stanford Law School Center for Internet and Society.