It sure is fun, and illuminating, to call Austin, Texas, home.
This week, I met with LRN CEO Dov Seidman (in town to speak about behavioral risks in the context of the social enterprise as part of the SXSW Interactive conference); bought and planted a slew of drought-busting perennials at The Natural Gardener (the world's second best nursery; Shakespeare's Gardens in Brookfield, Conn., reigns); and was wowed by two stories in today's Austin American Statesman that crystallize the upside-down nature of organizational data security risks and personal privacy risks.
Austin-based private intelligence firm Stratfor has experienced the downside of organizational data security risks -- and organizational privacy risks -- recently. Late last year, hackers pilfered a reported 5 million internal emails (which were shared with WikiLeaks) from the company as well as credit card information from tens of thousands of Stratfor customers. Since then, Stratfor and its CEO, George Friedman, have had to:
- Deny that the company was on the verge of shutting down (it's not);
- Defend its reputation (while also arguing that it should not have to do so) in response to the WikiLeaks claims that the company routinely relies on bribes in its intelligence-gathering activities;
- Spend an estimated $2 million to shore up its cyber security; and
- No doubt conduct a massive effort to manage its customer relationships.
Friedman even took to one of the many SXSW Interactive stages this week to dispute how his company has been portrayed by WikiLeaks, as this Statesman article reports. It's notable that the print article's headline, "Stratfor is victim, not villain, CEO says," will make Stratfor's PR folks cringe; PR 101 states that you never want to see your or your company's name in the same sentence as "crook," "villain," or "cheater."
It's also notable that this article was joined on the front page by a piece detailing a class-action lawsuit, filed in Austin this week, alleging that big-name mobile app makers "routinely steal address-book data such as names, phone numbers, email addresses, job titles and even birthdays from millions of users without their knowledge or consent."
What should be chilling for organizational risk managers is that Stratfor, the victim of a major cyber theft, needs to invest just as much time, if not more, defending its reputation as the mobile app makers charged with violating their customers' privacy. Imagine if a burglar breaks into your house, steals all of your flat screen TVs, computers and other gadgets, and then sells them to a pawn shop, which then publicly complains about their shoddy quality, which you then feel compelled to defend. (Granted, Stratfor is in a line of business where protecting customer information and managing its reputation are crucial activities.)
Stratfor and Friedman's understandably indignant response to the information theft will, and should, serve as a case study in responding to cyber-security breaches. There are plenty of lessons to learn from the response.
For example, in a late-February statement, Stratfor rightfully emphasizes that the stolen emails are stolen property. But the statement also indicates that these private emails "were written casually with no expectation [that] anyone other than the sender and recipient would ever see them. They should be read as such."
That's not a terribly risk-savvy approach, nor is it exactly breaking news that email conversations can have serious implications for companies -- and can easily be seen by regulators and federal prosecutors when warranted. Just ask Microsoft, whose email language weakened its defense in a U.S. Department of Justice antitrust case in 1998.
That case seems quaint compared to the topsy-turvy world of newly social enterprises in which victims must also prove they are not villains, and fundamentally sound and sufficiently comprehensive risk-management capabilities have never been more important.