Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Round-up on compliance issues with online platforms: Snapchat

This is the fifth in a series of six posts on compliance issues with various online platforms.  The first post was about YouTube.  The second post was about Facebook.  The fourth post discussed Instagram.  Last week’s post was about Twitter.  Today’s post will cover Snapchat.  The sixth and final post in the series, on April 12, will be about Reddit.

Snapchat is an app-based photo and video messaging service.  Upon its initial release in 2011, Snapchat grew quickly in popularity due to its novel feature which allowed users to share messages that then disappeared.  This concept evolved from a person-to-person design to also include a chronological timeline of stories and content sponsored by brands, media groups, and influencers.


Compliance in Black Mirror Series 4

Black Mirror’s fourth season continues the themes of the previous three series of the show.  As discussed in this post, the show draws often uncanny connections between human life and technology, frequently covering the ways in which social media, AI, biometric devices, and other advanced technological systems and devices affect and change society.  What makes Black Mirror so effective, and often so disturbing, is that each of the anthologized stories contains not only a vision of the future but also a warning about the disruptions that would happen to people along the way.  The reality depicted in Black Mirror is an amped-up version of a world that already seems nearly within reach, full of technological advancements meant to make life easier or more entertaining.  However, the point of view in the show is markedly dystopian, forcing viewers to consider the addictive or even dangerous influence that immersive technologies could have.


Compliance in Black Mirror

Black Mirror is a very popular US-UK television science fiction series. It originally aired on Channel 4 in the UK and is now released and broadcast by the subscription video streaming service Netflix. The series is anthology-style, with short seasons of stand-alone episodes which are like mini films. Most of the episodes touch upon the dominance of technology over, and its overreach into, human life, through social media, AI, and other advanced, immersive systems and devices. The take offered is quite dramatic, often delving deeply into adverse psychological and sociological effects on modern society from a dark and even dystopian perspective.

While all the episodes of Black Mirror do depict a future reality, it is an immediate and accessible reality impacted by technology exceeding that which is currently possible but not so much as to be unthinkable. Indeed, the title of the show, Black Mirror, refers to current technology which is increasingly ubiquitous and addictive – television screens, computer monitors, and smartphone displays. The show both entices with the idea that many of these technological advancements could be convenient or novel or life-enhancing, while also warning that the obsessive and addictive aspects of technology could cause great harm and disruption if not developed and managed thoughtfully and carefully with the risks well in mind.

  • “The Entire History of You” (Series 1, Episode 3): In this episode, a couple struggling with mistrust and insinuations of infidelity make disastrous use of a common biometric – a “grain” implant that everyone has and that records everything they see, hear, and do. The recordings on the implants can be replayed via “re-dos.” This is used for surveillance purposes by security and management, as the memories can be played to an external video monitor for third parties to watch. Individuals can also watch the re-dos from their implants directly in their eyes, which allows them to replay moments repeatedly, often leading them to question and analyse the sincerity and credibility of the people with whom they interact. People can also erase records from their implants, undermining the truthfulness of the recordings as a whole. This troubles the status of trust and honesty in a society where both have already been eroded by the influence of the internet.

  • “Be Right Back” (Series 2, Episode 1): In this episode, Martha is mourning her boyfriend, Ash, who died in a car accident. As she struggles to deal with his loss, her friend, who has also lost a partner, recommends an online service that allows people to stay in touch with dead loved ones. The service crawls the departed person’s e-mail and social media profiles to create a virtual version of the person. Once the model has consumed enough of his written communications, it is fed videos and photos as well, graduating from chatting via instant message to replicating the deceased’s voice and talking on the phone. At its most advanced, the service even allows a user to create an android version of the deceased that resembles him or her in every physical aspect and imitates the elements of the dead person’s personality that can be discovered from the online record. However, in all this there is no consideration given to the data privacy of the deceased person or to his or her consent to be exposed to machine learning and replicated in this manner, including even in physical android form.

  • “Nosedive” (Series 3, Episode 1): This is one of the most popular, critically-acclaimed episodes of the series, and one of the obvious reasons for this is that it focuses on social media and how it impacts friendships and interactions. The addictive aspects of social media in current times are already a hot topic in design ethics, driving people to question whether social media networks like Facebook or Twitter are good for the people who use them, and where to locate the line between entertainment and a fun way to connect and share, versus a platform with a potentially dark and abusive impact on users. In this episode, everyone is on social media and is subject to receiving ratings from virtually everyone they encounter. These ratings determine people’s standing both on social media and in the real world as well – controlling access to jobs, customer service, housing, and much more. Anxieties and aspirations about ratings drive everything people do and all the choices they make. “Addictive” has been met and surpassed, with social media having an absolutely pervasive impact in everyone’s lives.

  • “San Junipero” (Series 3, Episode 4): One of the most universally loved episodes of Black Mirror, San Junipero depicts the titular beach town which mysteriously appears to shift in time throughout the decades. Kelly and Yorkie both visit the town and have a romance. San Junipero turns out to be a simulated reality which exists only “on the cloud,” where people who are at the end of their lives or who have already died can visit to live in their prime again, forever if they so choose. In the real world, Kelly is elderly and in hospice care, while Yorkie is a comatose quadriplegic. Both eventually choose to be euthanized and uploaded to San Junipero to be together forever, after getting married first so that Kelly can give legal authorization for Yorkie to pass over. The bioethical considerations of such a reality are clear – in this society, assisted suicide is a legal normalcy, and part of patient care is planning one’s method of death and treatment path after death, with digitalization being a real option. All of the San Junipero simulations exist on huge servers, and judging by how many lights are flickering in the racks this seems to be a popular practice – but what about the cybersecurity and information security of the simulations? The integrity and availability of every uploaded life would depend entirely on those servers; what if they were hacked, corrupted, or physically damaged? This gives a new meaning to humanity and places an entirely different type of pressure on making sure that technology is used safely and the data stored on it is protected.

  • “Men Against Fire” (Series 3, Episode 5): This episode concerns the future of warfare in a post-apocalyptic world. Soldiers all have a biometric implant called MASS that augments reality, enhances their senses, and provides virtual reality experiences. One soldier’s implant begins to malfunction and he soon learns that the MASS is in fact altering his senses so that he will not see the individuals he is told are enemy combatants as people. It turns out that the soldier is part of a eugenics program practicing worldwide genocide, and the MASS is being used to deceive the soldiers and turn them into autonomous weapons who murder on command because of the augmentations and alterations to reality imposed by the implant. This storyline falls uncannily close to many current concerns about the adoption of autonomous weapons that are not directed or monitored by humans, which are nearly within technological capability to be created and are the subject of international calls for appropriate supervision of and restraint in their development.

Black Mirror offers many interesting scenarios for analysis of and study by compliance and ethics professionals considering risk management related to the use of technology in organizations and society. As described above, surveillance, data privacy, consent, design ethics, autonomous weapons and other AI, bioethics, and cybersecurity are just a sampling of the issues invoked by episodes of the series.


Round-up on compliance issues with blockchain technology

One of the hottest topics of 2017 is blockchain. This advancing technology is being pitched as a possible solution to nearly every business problem conceivable. Companies across all industries – as diverse as banking and food production and seemingly everywhere in between – are experimenting with how they might be able to use blockchain to make their reporting and related processes more reliable or efficient. Many are even contemplating how they may take advantage of blockchain to market software applications to other companies, hoping to enter the profitable fintech (financial technology), regtech (regulatory technology), or suptech (supervisory technology) markets.

But what is blockchain? Most famously, it is the core technological component of the well-known cryptocurrencies, such as Bitcoin or Ethereum. Simply put, a blockchain is an append-only list of records (grouped into “blocks”) which are linked together with cryptography: each block carries a cryptographic hash of the block before it, so altering any earlier record changes its hash and breaks the link to every block that follows. This makes the data tamper-evident – manipulation of a single record is detectable by anyone holding a copy of the chain – rather than literally impossible to alter, which is why such systems are typically distributed across many independent participants who each check the chain. Note also that hash-linking protects the integrity of records, not their confidentiality; anything written to an open ledger is readable by everyone who holds it. This decentralized design is appealing for recordkeeping and records management activities where integrity is especially important, such as identity management and medical records.
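To make the “linked with cryptography” idea above concrete, here is a minimal hash chain with a verification routine. It is an added example written for this page, not code from the original post or from any real blockchain project: the sample shipment records are constructed, there is no network, mining or consensus, and the genesis block simply points at a fixed all-zero hash.

```python
"""Minimal hash chain showing why a blockchain is tamper-evident.

Added example for this page, not code from the original post or any real
blockchain project. Each block stores the SHA-256 hash of the previous
block, so changing any record breaks every link that follows it. The
records are constructed sample data; there is no network or consensus.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV_HASH = "0" * 64  # assumed convention for the first block's back-link


@dataclass
class Block:
    index: int
    data: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, in a canonical JSON encoding
        # so that the same content always yields the same digest.
        payload = json.dumps(
            {"index": self.index, "data": self.data, "prev_hash": self.prev_hash},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Link records into a chain; each block's prev_hash is the prior block's hash."""
    chain: List[Block] = []
    prev = GENESIS_PREV_HASH
    for i, rec in enumerate(records):
        blk = Block(index=i, data=rec, prev_hash=prev)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Return the index of the first block whose hash or back-link is wrong, or None."""
    expected_prev = GENESIS_PREV_HASH
    for blk in chain:
        if blk.prev_hash != expected_prev or blk.hash != blk.compute_hash():
            return blk.index
        expected_prev = blk.hash
    return None


def demo() -> dict:
    """Walk through an untampered chain and two tampering attempts."""
    records = ["shipment 1: 500 units", "shipment 2: 200 units", "shipment 3: 50 units"]
    chain = build_chain(records)
    clean = first_invalid_block(chain)  # None: the untouched chain verifies

    # Naive tampering: change a record without recomputing anything.
    chain[1].data = "shipment 2: 2000 units"
    tampered = first_invalid_block(chain)  # 1: block 1's stored hash no longer matches

    # A more careful attacker recomputes the altered block's own hash, but block 2
    # still carries the old prev_hash, so the break simply moves one block later.
    chain[1].hash = chain[1].compute_hash()
    rehashed = first_invalid_block(chain)  # 2

    return {"clean": clean, "tampered": tampered, "rehashed": rehashed}


if __name__ == "__main__":
    print(demo())
```

The last step in `demo()` is the important one: to hide an edit, an attacker has to recompute every hash from the altered block to the end of the chain, and then get every other holder of the chain to accept the rewritten copy. That is what a distributed ledger's many independent verifiers (and, in public networks, the cost of producing valid blocks) are there to prevent. Nothing here encrypts the records, so the privacy benefits claimed for blockchain below have to come from what is put on the chain, not from the chain itself.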

Due to the broad desirability of a secure and adaptable record maintenance technology, blockchain, which was first deployed less than a decade ago, has already been a disruptive influence in many industries. Across all business areas, companies are looking to blockchain for possible benefits to their reporting processes, all of them relevant to compliance.

  • Transparency for pension fund reporting is one major potential use of blockchain. Following the Madoff scandal and other highly-publicized frauds in the investment management industry, there has been more pressure than ever in expectations for investor protection and reporting disclosures. Many pension funds have balked at public and supervisory demands for increased transparency due to the cost of implementing additional reporting mechanisms against very low profit margins. This reaction does not help to enhance trust between investor clients and this fraud-vulnerable industry. Therefore the decentralized, tamper-evident nature of blockchain offers appealing opportunities for filling this confidence vacuum. Blockchain-based platforms can give investors access to their own pension information without fears of data manipulation or increased cost burden on firms: How Blockchain is revolutionizing fraud prone industries
  • On a related note, banks and other financial institutions have borne much of the competitive pressure blockchain has created with the advent of cryptocurrencies – but they also stand to benefit from this, if they can make the best of it. Cryptocurrencies such as Bitcoin are a compelling alternative to the centralized, traditional banking system for customers who desire extra security or anonymity. While cryptocurrencies have traditionally been depicted as a safe haven for illegitimate or even illegal payment activities, the mainstream attention on them has created a broader appeal and audience for them. As a response to the interest their customers have shown in cryptocurrencies, banks have started to delve into the potential of blockchain technology. Some have invested in tech start-up companies concentrating on various blockchain applications while others have delved more deeply into relationships with fintech partners. At this point banks’ proprietary efforts have mostly been restricted to in-house research on potential uses of blockchain, but inevitably competitive momentum will start to drive larger institutions toward developing their own projects in this space. These developments are likely to encourage efficiency, inspire leaner and more innovative business models, and serve the regtech and suptech goals of increasing cooperation with regulatory authorities. Ultimately this could help to modernize the persistently staid and legacy-driven banking industry into a bolder and more transparent business model:  How banks and financial institutions are implementing blockchain technology
  • The advertising industry is newly subject to regulatory scrutiny with the upcoming EU privacy regulation, the General Data Protection Regulation (GDPR). This law will apply to any organization doing business in, using technology in, or targeting the citizens of, any EU country, so it has a broad global reach. The GDPR will impose new requirements for handling and controlling personal data, including protective and disclosure obligations. Blockchain-based solutions are therefore attractive because they can be both secure against manipulation and distributed with open access, so that users making disclosure requests can see the information directly for themselves. One caveat a practitioner should keep in mind: records on a shared ledger cannot be erased or hidden after the fact, which sits uneasily with the GDPR’s erasure and minimization obligations, so such designs generally keep personal data itself off-chain and record only hashes or pointers on the ledger. Done that way, this could help to reduce the burden of this reporting and improve cost margins, rather than building expensive and vulnerable in-house solutions or outsourcing the reporting to third parties with their own attendant risks: How Blockchains Can Help the Ad Industry Comply With the GDPR
  • Commercial aviation is another industry looking to blockchain systems to help with its risks – this time in cybersecurity management. Airlines and support companies rely heavily on IT systems to do everything from fly and direct aircraft to book and manage passenger travel. These systems are highly imperfect, as the system outages and computer crashes that lead to flight cancellations and stranded passengers show in the news each year. They are also vulnerable to cybersecurity risks where intruders could breach personal data, disrupt airline operations, or corrupt and steal client and aircraft information. Storing and protecting this data within vulnerable or legacy systems poses many cybersecurity challenges. The concept of tamper-evident blockchain technology is therefore compelling to the aviation industry for these obvious reasons. Blockchain could help to keep operational data verifiably intact, although a ledger only guarantees the integrity of what is written to it and does not by itself secure the systems that feed it. More importantly, pressure to adopt it could drive aviation companies to make the difficult yet very important technological updates and improvements to their systems which will serve safety and regulatory concerns alike: How Blockchain, Cloud Can Reinforce Cybersecurity in Commercial Aviation
  • The pharmaceutical industry has long been vexed by inaccurate and unreliable supply chain tracking. It is especially vulnerable to stolen and counterfeit medication entering the supply chain untracked and finding its way to patients, putting their safety at risk. Tracking medicine with blockchain could change all this. A consortium of pharmaceutical companies, including major firms Genentech and Pfizer, is already collaborating on a tool called the MediLedger Project, which seeks to manage the pharmaceutical supply chain and track medicines within it to ensure that drug deliveries are recorded accurately and transparently. This would take the current complicated and inefficient network of software management in the supply chain to the next level, securing the supply chain with an integrated and decentralized blockchain system. It could also enable sharing of essential information from companies to partners and customers without exposing sensitive business information, a challenge in the industry so far: Big Pharma Turns to Blockchain to Track Meds

There are many potential advantages to blockchain from a compliance perspective; it has the potential to enhance transparency, protect privacy, address various process-driven risks, and strengthen cybersecurity controls, among other benefits. As the technology advances, time will tell how broad the applications of blockchain may be across these diverse industries with similar needs for compliance risk management.


Compliance lessons to learn from the 2017 Equifax cybersecurity breach

Equifax is one of the major US-based consumer credit reporting agencies. It operates globally and, due to the nature of its business, maintains sensitive and personal information on more than 800 million individuals and more than 80 million organizations.

In September 2017, Equifax announced that it had discovered, on July 29, 2017, a cybersecurity intrusion which impacted the data of roughly 143 million US consumers, along with some residents of Canada and the UK. The handling of this breach by Equifax was widely criticized and questioned. Among the controversial aspects of it were the delay of more than a month in publicizing it, the lack of specific information about the data compromised, the inadequate and possibly even unsafe system and support provided for impacted consumers, and the perception of possible insider trading by company executives in the days after the breach was discovered but before it was public.

As the problematic response to this cybersecurity incident unfolded, Equifax’s various blunders and missteps in the public handling of the situation formed a guide to worst practices in such a scenario. As the dialog around Equifax’s response has shown, poor crisis management in the public eye only compounds the consumer protection problems.

  • Companies do often have legitimate reasons for delaying notifying consumers, regulators, and the public at large about data breaches. Sometimes companies do not even know they have been breached right away. Even once they are aware, sometimes law enforcement will request that they do not disclose the breach. Different types of data may be subject to different disclosure requirements, so companies also sometimes have to take time to determine what data was involved. However, these delays can still be very problematic for consumers, who can be unknowingly at risk and make assumptions about the seriousness with which their data is stored and maintained which might be very far from reality.  Why it can take so long for companies to reveal their data breaches 
  • While Equifax was taking its time notifying consumers and regulators of the data breach, questions abound about when – and what – people on the inside knew about it. This is because only a few days after the intrusion was discovered on July 29, on August 1 and August 2, several executives at Equifax sold shares. These transactions were not part of scheduled trading plans, though they were not total liquidations of the executives’ positions, and the company says that the executives were unaware of the breach at the time of the trades. However, the perception of possible insider trading is hard to avoid once the timing of this activity is revealed. If they truly did not know about the cybersecurity problem, it would have been wise for the company at least to inform key senior management of the breach promptly and advise them to avoid trading in the stock while in possession of inside information.  Three Equifax Managers Sold Stock Before Cyber Hack Revealed
  • Despite how sensitive most people in the US consider their financial data to be – especially social security numbers and bank account or credit card information – current privacy laws are lacking in many key areas when compared to those in other parts of the world such as the EU. Top of mind among privacy concerns, including the need for consumers to input personal data to check whether their other personal data has been compromised, is that over a month went by before Equifax notified the public of the cybersecurity incident at all. In the 40 days that went past, the data could have been used for many illicit purposes without consumers even being aware they were at risk. Laws in the US currently differ between states with regards to breach notification requirements. There is no unifying standard in the US for breaches involving personal data, such as there will be next year in the EU under the General Data Protection Regulation, which requires notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible. Perhaps a higher standard in the US such as this one would reinforce the seriousness of these events to organizations and improve consumer protection and communication processes when they occur.  Equifax breach disclosure would have failed Europe’s tough new rules
  • While these data breaches are unfortunately becoming so common that the public is often less alarmed by them now than in the past, irresponsible or insufficient responses by organizations to these breaches still provoke justifiable outrage and calls for change. Consumers being desensitized to the exposure of their personal data just shows how widespread the problem is and how insufficiently the interests of consumers are guarded. However exhausted the public may seem to be with the ongoing leaks and hacks of their private data, this is no excuse for organizations affected by them to respond with the same passive, indifferent attitude. Equifax’s lack of detail and inadequate communication displayed to the public that it did not care about the invasion consumers were suffering, which is quite a different message from one of fatigue by victims who have had this experience too many times to excuse. The reputational risk suffered by such corporate carelessness is extreme, and hopefully it will drive consumers to advocate for a higher standard of responsibility and responsiveness from keepers of consumer data.  The Banality of the Equifax Breach
  • As the public contends with the reality of the Equifax data breach – that subsequent fraud and hacking attempts stemming from this breach are inevitable and that companies like Equifax do not meet the standard of care for protecting the private information in their possession – what can anyone do in the future? Holding companies accountable for their poor service by taking their business elsewhere is often the only choice consumers have to voice their displeasure. In the current system individuals aren’t really able to avoid the consumer credit reporting agencies, but organizations could opt to create and use independent systems with more secure infrastructures. These corporate users could drive a technological shift that would also benefit individual consumers. Blockchain and related technologies could provide solutions to these vexing and chronic security concerns that the existing system seems unable to address.  It’s time to build our own Equifax with blackjack and crypto

Given the ever-increasing risks surrounding cybersecurity, compliance professionals and individuals interested in cybersecurity risk management can take many cues from Equifax’s handling of this breach on what not to do in such a situation. Hopefully, as organizations continue to live with the risk of such intrusions and improve their control frameworks to prevent and mitigate them, they also pay attention to their public responses in such situations, to make sure that the statements made and guidance provided are adequate and accurate.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing the threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon the engagement of employees to accomplish this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like misdirected e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks arising from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs.  Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Round-up on the ethics of the Internet of Things

The Internet of Things refers to physical devices which are inter-networked and can share and store data among themselves. This includes things such as televisions, cars, buildings, and other objects that have network-connected technology inside that allows them to be accessed and controlled remotely via computer-based networks. It also includes systems that operate in this way, such as smart homes, grids, and cities. These things can be identified and operated individually but are also part of an interconnected system and can have co-dependencies.

There are obvious ethical issues with a highly connected and complex system such as the Internet of Things, where tremendous amounts of data are stored and shared and ultimately used in often mysterious or unclear ways – certainly to improve the intelligence of the Internet of Things and make it operate more efficiently, but also potentially for malicious or dishonest purposes.  Security vulnerabilities in a system which is remotely accessible are also an alarming risk, as unauthorized intrusions or destructive attacks could render everyday items such as cars or door locks inoperable or turn items such as smart houses or transportation networks against their users.

  • The technology that drives the Internet of Things has grown explosively, and legal and compliance frameworks have not been able to keep pace. Questions of liability that arise from cyberattacks on the Internet of Things and rules of responsibility governing companies working within this space are largely undefined. The Internet of Things may bring change to society similar to that of the Industrial Revolution. A thoughtful view on regulations and ethical guidance to protect privacy and security from the earliest design point in the industry is crucial: The Internet of Things Needs a Code of Ethics
  • Among all the fears of artificial intelligence and sentient, unfriendly robots with autonomous weapons, the real risk of the Internet of Things will still lie in the hands of humans. Hackers are a big threat to the system’s security and this risk must be taken seriously, with organizations investing in controls to prevent and mitigate attacks, intrusions, and disruptions that could damage devices, harm people, and interrupt business operations: Why Hackers Will Become a Significant Threat to the Internet of Things
  • The data produced in the Internet of Things is a major security and privacy consideration. Users of these interconnected devices may not realize how much information the devices have about them and their activities. The Roomba, a small robot home vacuum, was an early-comer to this market. The company that makes it, iRobot, has said it hopes to make money from selling maps of users’ living rooms to other companies. Using customer data for profit from a third-party is nothing new in the internet company world, but there are many questions of privacy, notice, and consent which remain to be answered: The Internet of Things is a data farm, Roomba won’t be its only profiteer
  • Cybersecurity fears about the Internet of Things extend to the U.S. government as well, where legislators have proposed requiring that smart devices be able to receive security updates, as traditional computers do. Lawmakers also seek to prevent manufacturers from hard-coding passwords into their devices: a hard-coded credential cannot be changed by the owner and is typically shared by every unit shipped, so once it becomes known, attackers can use it to take control of the related devices. The U.S. government is just as interested in the objects of the Internet of Things as consumers are, and safeguarding against present and future risks from them is top of mind: Two U.S. lawmakers think the government has a new cybersecurity problem: The Internet of Things
  • So what does all this mean for the future of the Internet of Things? Will its risks slow its growth, or will it continue to advance in both complexity and connectivity, its risks unchecked or outpacing the frameworks created to control them? It appears likely that the value and appeal of connection, and the fear of not being able to function and communicate, will outweigh any desire to withdraw from it for safety and privacy purposes: The Internet of Things Connectivity Binge: What Are the Implications?

The intelligence and complexity of the Internet of Things will continue to grow as consumer applications become more in demand and commonplace. The need for strong security standards and clear customer protections will expand in kind. Privacy, safety, and control are all ethical concerns which compliance programs at the companies working on the Internet of Things will have to consider prominently in future risk assessments and strategic plans.

Cybersecurity and the hacking of Hollywood

Cybersecurity appears near the top of any compliance officer’s risk assessment, and addressing the ever-evolving concerns around it is a priority on the strategic annual plan for any compliance program. Modern society’s reliance on technology and the internet continues to increase. Along with the many benefits of technology’s interconnectedness and conveniences come risks to data privacy, along with information theft, unauthorized intrusions, and security breaches.

While all businesses are vulnerable to these threats, recently the spotlight has been on Hollywood and some high-profile hacking campaigns that have seriously impacted the entertainment industry. Damaging emails have been published, produced shows and scripts have been ransomed, and private photos have been leaked due to storage and server facilities being breached.

  • In November 2014, Sony Pictures was hacked by a group calling itself Guardians of Peace. The attackers used wiper malware to steal data and then overwrite and delete it on roughly half of Sony’s computer network worldwide. Not only did Sony have to deal with a major technology infrastructure crisis, but shortly afterwards the leaks began. The stolen data that was subsequently published ranged from embarrassing personal emails of executives and celebrities to unreleased movies to sensitive employee information. The hack was eventually attributed to North Korea and its effort to suppress the film The Interview, an attribution that some still dispute today. The fallout from the cyberattack and the insufficiency of the company’s preparations against it offer many difficult lessons in cybersecurity and corporate defenses: Inside the Hack
  • Netflix was targeted by a hacker going by the name thedarkoverlord, who posted ten unreleased episodes of the service’s hit show Orange is the New Black to a torrent site. The leak followed unmet ransom demands, made first to a production vendor affiliated with Netflix and then to Netflix itself, demonstrating that cybersecurity at third-party vendors is also a business risk: A Group Of Hackers Is Holding Hollywood Captive — & Here’s What It Wants
  • In another ransom case, Disney was hit by a hack involving the latest movie in the Pirates of the Caribbean franchise, which was compromised while on the servers of a post-production facility. Work in the industry is often sent out to the vendor offering the lowest cost, who may not provide the most robust network security to keep intruders from accessing the content and ransoming it to its owners. This phenomenon is becoming increasingly common and expensive: Cyberattacks once again roil Hollywood, but can anything be done about it?
  • HBO sustained a major cyberattack on its servers, possibly from multiple sources, which demonstrated how vulnerable even major organizations can be to leaks, hacks, and social media hijackings. The event showed that HBO, and organizations like it, face cybersecurity threats from a variety of directions: suppliers, insiders, intruders, and more. Ransom demands were involved here too, but other actions seemed designed simply to test security protocols or to intimidate and embarrass: Breaking Down HBO’s Brutal Month of Hacks
  • Beyond content owners such as networks and studios, Hollywood talent agencies including UTA, ICM, and WME have also been the targets of cyberattacks. In the case of UTA, the intrusion came through the phone system and spread from there to the computer network, with a ransom demand following. Many of these hackers openly acknowledge that they are motivated purely by financial gain from ransom payments, so some companies are being advised to pay up to avoid having damaging or embarrassing information and valuable content leaked online. Paying is no guarantee, however: a payment buys only the attacker’s promise, and nothing prevents copies of the stolen data from being kept or leaked later anyway: FBI Gives Hollywood Hacking Victims Surprising Advice: “Pay the Ransom”

The increasing frequency and visibility with which the technological systems of Hollywood companies are being targeted indicates that cyberattacks will remain a top risk for some time to come. The threats to the individuals and organizations involved, both economic and reputational, require that the lessons learned from the situations above be turned into practical and technological improvements to cybersecurity programs.

Round-up on emerging compliance disciplines in diverse industries

Compliance programs of the last 20 years have taken the firmest roots in industries that are by definition highly-regulated or in those which have most potential for widespread damage from wrongdoing.  These range from pharmaceutical companies in the former group to financial services firms in the latter group.  Current trends indicate, however, that many other industries’ practices are being assertively investigated by the media, concerned citizens, and filmmakers. These investigations bring to light processes and practices that are governed by insufficient controls and often unethical cultures.

  • Doping in professional sport is under increased public scrutiny in the aftermath of scandals such as state-sponsored cheating by Russian athletes in the Olympics and the dramatic fall from grace of Lance Armstrong, who cheated without detection for years; as society deals with the fallout of these discoveries, far-reaching change in anti-doping programs is necessary:  Icarus: A Doping House of Cards Tumbles Down
  • Evolving tech company organizational culture is under fire again, this time at Google, with an employee-authored document questioning diversity initiatives going viral and suggesting that gender inequality and treatment of people of color remain systemic problems in Silicon Valley that current corporate governance systems are insufficient to address.  The employee in question was dismissed immediately, and Google leadership quickly began disclaiming the statements and apologizing, but it remains to be seen what substantive steps might be taken to actually address the root causes of this conduct and openly analyze the culture of compliance at Google.  Hopefully a self-appraising, progressive conversation can take place in Silicon Valley rather than denial of the systemic issues that lead to these events time after time: Google Employee’s Anti-Diversity Manifesto Goes ‘Internally Viral’
  • Cybersecurity grows all the time as a risk factor to businesses, with hackers constantly outpacing efforts to prevent their intrusions; moving beyond breaking into office e-mail servers or holding the files on compromised computers to ransom, these cyber-thieves are now exploiting differences in national laws and vulnerable devices to rig slot machines in casinos around the world:  Meet Alex, the Russian Casino Hacker Who Makes Millions Targeting Slot
  • Campaign finance laws are a perennial hot issue in US politics; these laws are often intended to avoid corruption and increase transparency, but with the number of committees, groups, and shell companies participating in election fundraising constantly growing, following the money is becoming harder, complicating along with it efforts to establish accountability:  Soft Money Is Back — And Both Parties Are Cashing In
  • Fascinating intersection of business and politics, with all the risks inherent in both, as consumer technology giant Samsung struggles against an increasingly complicated government relationship, intense corporate work culture, legal dramas, and public protests, despite an impressive commercial rebound:  Summer of Samsung: A Corruption Scandal, a Political Firestorm—and a Record Profit

All the foregoing represents many growth areas for the welcome expertise of compliance practitioners and a possibility to drive change toward a society that places a higher value on accountability and integrity.
