"I'm sorry, it appears the information was inadvertently released."
"He was acting in a rogue manner. How were we to know?"
With those words, the security crisis management team red lines are identified as having been crossed.
Data which was expected to be protected is discovered to not have been afforded that appropriate protection. Or an employee is actively breaking internal processes and procedures and placing the enterprise at risk.
In either case, the subsequent damage assessment will either evolve into a productive introspective review or the age-old cover-your-backside exercise. Do these types of events really happen? You bet they do, and with great frequency. Let's take a walk through some recent instances.
On 10 April 2013, the US Department of Defense was afforded a surprise during a hearing on 10 April 2013 of the House Armed Service Committee when Representative Doug Lamborn (Republican-CO) began quoting from an "unclassified" Defense Intelligence Agency (DIA) report on the nuclear capabilities of North Korea. Chairman of the Joint Chiefs of Staff, General Martin Dempsey appeared to be surprised and even though Lamborn read from the document, and asked Dempsey if he agreed with the assessment, Dempsey demurred with "I can't touch that one" and they sparred over the "unclassified" findings of a classified DIA analysis and whether or not it can be made public. The DIA apparently neglected to place appropriate classifications on the North Korea assessment (Lamborn/Dempsey exchange).
What are the ramifications? This inadvertent disclosure put in the hands of a potential adversary (North Korea) the findings of the US Department of Defense re: their nuclear capabilities. If this happened to the DIA, could it happen to entities which fall under the National Industrial Security Programs of the DOD? Absolutely, the annual training requirement contained in NISPOM section 3 requires a minimum of one annual training event for each cleared individual is important to know what you have in your NISPOM security training deck.
Over the course of the last several years, the US Department of Justice has been collecting some very notable fines from companies which from any optic should have had controls and processes in place to detect the inadvertent disclosure, illegal business practices, Foreign Corrupt Practices Act (FCPA) violations, Security and Exchange Commissions (SEC) violations,Export Administration Regulation (EAR),International Arms Control Act (ITAR) and Arms Export Control Act (AECA) violations, all of which constitute a violation of various US federal laws and regulations.
Add to the mix the number of times which employees compromise their employer's business ethics, be it motivated by greed, ego or simply inattentiveness, the size of the issue becomes staggering.
Examples of the fallout:
- US$800 million fine to Siemens AG under the FCPA and Ã'Â¬395 million fine from the Munich Public Prosecutors Office was levied against Siemens AG for activity which occurred from 1997-2007. What was the end result following admissions of guilt, wholesale clearing of the C-suite at Siemens.
- US$400 million to BAE PLC for attempting to defraud the United States; US$79 million for violating the AECA and ITAR and 30 million to the United Kingdom's Serious Fraud Office.
- US$75 million to United Technologies Corporation for ITAR and AECA violations.
Sign up for CIO Asia eNewsletters.