Imagine innocently filling out an online subscription form for video streaming or purchasing merchandise for the latest World Wrestling Entertainment (WWE) event only to later find out that your private information was breached. All kinds of questions would run through your mind. What information did I provide? Did I tell them I had children? Could someone find out where I live? Do I need to alert my creditors? Those were likely the types of questions that ran through the minds of WWE subscribers who learned that their personal information could have been leaked.
Fortunately, WWE discovered and remediated the breach before any information was leaked to other sources. This incident should have boards of directors talking about ethical concerns within their own organizations.
Background on the WWE Cybersecurity Breach
Kromtech, a cybersecurity firm, discovered an IT error that left the personal information of over 2 million WWE subscribers open to anyone who had the correct Web address. The information was stored in easy-to-read plain text, and included addresses, educational background, email addresses, birthdates, gender, ethnicities and even age ranges of children.
Kromtech found the information on an Amazon server that was not username- or password-protected. WWE quickly took the exposed data offline and is now investigating the source of the issue and which branch of its marketing team was involved. The company suspects that either a WWE employee or an IT partner misconfigured the database on the server by mistake.
Kromtech security expert Bob Dyachenko also found another leak on Amazon’s hosting service that contained addresses, phone numbers and names of (primarily European) fans.
Fortunately, security checks uncovered the breach before any information was leaked to the public, but the incident does call into question the risks of using a third-party server.
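The error described above, a data store left readable by anyone who knows its address, is the class of misconfiguration a routine storage-access audit is meant to catch. The script below is an added example, not code from this article or from WWE or Kromtech; it assumes the "Amazon server" was S3-style object storage governed by a bucket policy and an ACL, and flags the policy statements and ACL grants that open a bucket to everyone.

```python
import json

# S3 ACL grantee URIs that mean "everyone" / "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard_principal(principal) -> bool:
    """True when a policy statement's Principal matches anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements open to any principal. Statements with a
    Condition are still reported: a reviewer should check the condition."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))]

def public_acl_grants(acl: dict) -> list:
    """Permissions a bucket ACL hands to the public grantee groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS)

# Constructed sample documents, not from the WWE incident.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-subscribers/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/marketing"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-subscribers/*"}
  ]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Run against policy and ACL documents exported from each bucket, an empty result for both functions is the condition a board can reasonably ask IT to attest to on a recurring schedule.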
Cybersecurity Breaches in the Personal and Political Realms
Another such breach occurred recently when a Republican Party marketing contractor left a database open to the public, exposing personal and voter information. Once again, the breach was due to storage on a third-party server. Experts discovered and remediated the breach before personal information leaked out to the public. The results could have been disastrous.
Owners of the affair website Ashley Madison did not move quickly to protect their site from hackers. The fallout from the scandal caused public humiliation for their members and multiple lawsuits.
Are Boards of Directors Overseeing IT Intensely Enough?
One of the main responsibilities of the board of directors is oversight. If the exposed WWE subscriber information had been made public, many questions would be directed at the board of directors, such as:
- Was the board aware of the types of information being collected?
- Did they write out and distribute privacy policies?
- Were they aware of how the company planned to use sensitive information about consumers?
- Were they aware that the company was using third-party servers?
- Did the board have discussions with IT about making sure data on third-party servers was username- and password-protected?
- Did the board require that third-party servers be checked and monitored periodically for security?
Regulatory investigators seeking information about a breach will have many questions about what board directors knew and should have known before the breach occurred. Board members will be held responsible and liable for not performing due diligence in overseeing cybersecurity.
Role of Board Directors in Ethics and Oversight
Hackers have various reasons for trying to steal personal information. Cyber breaches and leaks of personal information can damage a brand and its reputation almost instantly.
In addition to knowing exactly how their IT departments are protecting their consumers from a cyber breach, board directors also need to learn what kinds of data the company is collecting from their customers. Board directors should know how the company is using the data and support proper usage of data in their strategic planning.
Board members need to ask the right questions about whether only the employees who need access to data can access it, protecting it from others whose positions don’t require such access. Board members will also want to know how managers are monitoring their employees as they access personal information.
With more and more employees working at home or remotely from other locations, board members will want to know if employees can download sensitive customer information onto their own personal or mobile devices, which may have less cybersecurity protection than company-owned equipment.
Board members need to adopt clearly written policies and procedures about how their customers’ personal information can be accessed, transferred and used, as well as who is allowed to have access. They also need to establish procedures for how to communicate with their consumers via privacy notices about the types of information they collect, and how they use it and share it.
Boards should require an independent audit of controls on employee behavior and integrity. Board directors also need direct access to company information, without managers being able to filter or override that access.
Risk of cyber breach is one of many reasons that it’s a good idea for boards to have independent directors who are not afraid to speak up and who will set the tone for asking the hard questions.
Boards Have an Ethical Responsibility to Develop an Action Plan in the Event of a Potential Breach
Even the most highly qualified cybersecurity experts acknowledge that protecting systems is a continual work in progress, and that it’s impossible to block every potential entry point. Every corporation has some level of risk.
Board discussions should include setting up an action plan that can be put into effect immediately in the event of a cyber breach. The plan needs to identify the steps to take, including remediation, communicating information to consumers and the media, and conducting a post-breach investigation.
Ethical Questions Linked to Cyber Breach
The WWE incident was fairly harmless in the end, but board directors have much to learn from the breach about ethics. It gives them many questions to add to the boardroom agenda. This breach should get board directors talking more about how they can gain assurance from IT departments that system updates and reconfigurations include double checks on protective measures like usernames, passwords and encryption. They should be especially concerned about storing customer data on third-party servers, where the internal IT departments have less control. Board directors may learn that they don’t know as much about the type of data they have on their customers, or how they will allow the company to use it, as they should.