The U.S. government so far has been WikiLeaks’ target of choice when it comes to dumping reams of confidential information out into the open. But that’s about to change. In an interview with Forbes published Monday, WikiLeaks mischief-maker-in-chief Julian Assange said at least half the treasure trove of documents the organization is sitting on belong to private corporations, and sometime early next year, it plans to do a megadump of materials belonging to one of the country’s leading banks. (Rumors are swirling that it’s Bank of America.)
All of which begs the question: Are American companies prepared for the hits coming their way? WikiLeaks’ revelations won’t stop with the yet unnamed bank. Assange told Forbes that not only does the organization have similar piles from pharmaceutical, financial, and tech companies, but that the number of documents being leaked to them is exploding “exponentially." That means private companies can no longer regard leaks on this scale as occasional aberrations happening to a handful of unlucky targets. In an age when any employee can walk out the door with gigabytes’ worth of data on a thumb drive, the likelihood that your company get hit one day just got that much larger.
Surveys, however, suggest that most companies are woefully unprepared for this new environment. According to a Harris Interactive poll, only 9% of companies have crisis protocols in place. Fast Company talked to several crisis communications experts to find out how corporations should get their houses in order before the onslaught begins. Here’s what they said:
WikiLeaks’ revelations will probably hit at companies’ reputations, rather than expose their confidential corporate information.
In the past, companies have focused on guarding competitive information, like strategy documents, and confidential customer information, like banking customers’ Social Security numbers. But those probably aren’t the kind of documents WikiLeaks will release, say experts who talked to Fast Company. The organization will more likely be focused on publishing embarrassing information than revealing trade secrets: “Baudy conversations that go on every day at companies all over the world,” for example, says Edelman Executive Vice President and U.S. Director of Issues, Crisis, and Risk Management Harlan Loeb, like “those that involve trashing a competitor, saying in pretty graphic terms what they’re going to do.” In other words, information that creates an “enormous reputational risk.”
Assange himself has suggested as much. In the Forbes interview, Assange pointed to the notorious Enron emails that were released as part of an official probe as representative of what they planned to dispatch. “Yes, there will be some flagrant violations, unethical practices that will be revealed,” he said, but "it’s also all the regular decision making that turns a blind eye to and supports unethical practices: the oversight that’s not done, the priorities of executives, how they think they’re fulfilling their own self-interest. The way they talk about it.”
...but that’s just as dangerous.
Bank of America’s stock dropped 3% yesterday on the rumors that WikiLeaks had the company in its sights. Reputations have bottom-line impact. And in a world where leaking and publishing those documents is increasingly easy, reputations are all the more vulnerable. That means companies need to think more expansively about where their reputational threats lie. Specifically, you should…
Identify your areas of risk.
Do employees regularly talk trash on internal emails? Do they describe in unsavory terms how they plan to destroy competitors or take advantage of customers? Do communications show executives encouraging bad behavior, or not taking strong action to dissuade it? And if those emails got out, would you be embarrassed? If so, you need to develop a plan for how you would explain that behavior—to the public, as well as to your customers, partners, and other stakeholders. Better yet, consider re-examining your corporate culture so that internal behavior is more aligned with your public image. What “happens in Vegas” (or in your corporate email system) no longer “stays in Vegas.” It winds up on YouTube. Or worse. “Your values need not only be what you talk about but what you live out through your fingertips,” said David Chamberlin, Senior Vice President and Director of Issues & Crisis Management, MSL New York.
And this applies to all companies, not just large ones that seem like they’d make tempting targets for WikiLeaks. “No matter what you make, sell or serve, your organization is a potential target for data theft that can place all your valuable relationships at risk,” Chamberlin said.
Think apologies and reforms rather than blame and prosecution.
In the wake of the military and State Department leaks, some officials have talked about prosecuting Assange on national security grounds. But going on offense like that won’t work for a company if all the leaked documents do is reveal shady behavior. The public at large will be more focused on the wrongdoing than the manner in which the documents were obtained. Don’t blame, and don’t point fingers, said one expert who spoke on background. Be accountable and take action that demonstrates you’re addressing the problematic issues. Said Chamberlin: “Consumers will forgive mistakes, but they will rarely absolve an organization that doesn’t behave responsibly.”
Monitor employee sentiment—they’re your most likely leakers.
Data security at corporations has historically focused on external threats—corporate espionage or hackers. But the folks at WikiLeaks aren't stealing the documents they're publishing. Other people have provided them to the organization. And many of those digital “whistleblowers” could be employees. Bradley Manning, who is suspected of leaking military documents, was a U.S. soldier, for example. Happy employees don’t leak documents, Loeb said. “WikiLeaks is the cathartic outlet for a disgruntled employee.” Companies should make a point to periodically assess employee sentiment, Loeb said, and make genuine efforts to address points of concern.
Prepare, prepare, prepare.
The advent of WikiLeaks is going to force companies to “think about 'what if we’re next?',” Chamberlin said, and prepare for the worse. That means scenario planning, risk assessment, and developing action plans, just as you would for any other disaster. And that means making it a core operational function, not just an afterthought left to the PR department. “Managing your reputation is not about spin and is not a job to be left to public relations professionals,” Chamberlin said. “It is a management function that must begin at the top.”
Follow E.B. Boyd on Twitter.
[Image: Flickr user R_SH]