Corporate governance: boardrooms fret over corporate espionage and federal guidance regimes
(Business Law Currents) – Dodd-Frank related governance issues such as say-on-pay and proxy access have been well known focal points for boardrooms during the 2012 proxy and annual meeting season, but another issue has topped headlines and is of increasing concern to boardrooms: business intelligence gathering activities. Faced with shareholder oversight, the risks posed by private intelligence gathering firms and governmental regulation in this area, companies must ensure that they abide by accepted best practices, the highest ethical standards and standards for compliance with laws.
Shareholders and governing bodies have enhanced scrutiny of corporate governance, with scandals such as MF Global highlighting abuses of corporate power and potential criminal activities by company officers. Effective corporate governance principles dictate that those who conduct unethical or, worse, illegal activities on behalf of a company must be brought to heel.The phrase “traditional intelligence gathering” has its roots corporate espionage. Popular targets include technology related industries such as software, hardware, aerospace, biotechnology, telecommunications and energy, among others. It is no surprise that Silicon Valley is the world’s most frequently targeted area for industrial espionage as any advantage gained in a rapidly evolving industry is multiplied in value. It is clear, however, that no specific industry or sector is immune to these issues.
In 2009, Starwood Hotels and Resorts accused Hilton Worldwide of espionage activities. After private equity shop Blackstone acquired Hilton, Starwood alleged that Hilton had hired former Starwood executives and employees to steal corporate information in connection with Hilton’s proposed luxury brand hotel chain, Denizen. This alleged theft included large quantities of sensitive documents taken via a personal computer and email account. Hilton was later banned from creating the chain as part of a settlement with Starwood.
Federal agencies were bound to take notice eventually, and boards should note that cyber-related issues represent a new and ever expanding area for corporate governance concerns. As the protection of trade secrets becomes an even more pressing issue for companies, broadly drafted SEC guidance could also give rise to an expanded regime that includes guidance related to corporate espionage.
Although cyber-security is the primary focus of the SEC guidance, the actual language included is very broad and encompasses a plethora of issues. In contemplating cyber-risks, the SEC’s Division of Corporation Finance (DoCF) stated that “cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.”
According to a report from the Office of the National Counterintelligence Executive (ONCE), Foreign Spies Stealing US Economic Secrets in Cyberspace (Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011), a significant problem for companies, and consequently shareholders, is the issue of how losses related to corporate espionage are calculated.
The losses issue relates directly to shareholder value concerns as underrepresented or incorrectly reported lost profits and royalties negatively impact investor returns. This is especially true in light of the ONCE’s estimates that losses suffered by American companies, the federal government and other organizations range from $2 billion to $400 billion. ONCE has already stated that companies have a fiduciary duty to account for effects on their financial conditions as a result of data breaches, economic espionage and loss or degradation of services.
Of equal concern to investors, shareholders and stakeholders is the problem of how companies actually deal with confirmed security breaches. In cases of industrial espionage involving foreign operatives, those caught are often just fired and simply sent on their way. Companies, by and large, are very reluctant to report any instances of theft for fear of damaging their reputations.
Historically, companies have been concerned that law enforcement agencies would make breaches public and create a firestorm of negative press. Another potential byproduct of publicizing breaches is the perception that a company has outdated or inadequate security measures in place, thus destroying commercial relationships based on trust. Corporate espionage cases are mostly either kept under wraps, or like the Hilton-Starwood suit settled out of court, and very few ever get prosecuted under the Economic Espionage Act of 1996.
There is a conflict of interest that exists in the current environment. Some CEOs want to keep the light off of security breaches, yet some of these breaches will have a material effect on the operations and financial conditions of companies and ultimately shareholder value. In the present regime, companies are required to account for and disclose risk factors so that shareholders can reach informed decisions on how companies are guided. The onus is on CEOs and executives to protect trade secrets under the overall umbrella of risk factors, and not merely consign such issues to IT or security departments.
The courts have also stipulated that there is a mandate for boards to ensure that corporate information is secure. The Delaware Court of Chancery ruled in In re Caremark International Inc. Derivative Litigation (698 A.2d 959 (Del.Ch. 1996)) that because of directors’ good faith duty, they must make efforts to ensure that information and reporting systems exist. Absent these efforts, directors could be liable for losses arising from illegal conduct on the part of company employees.
At the heart of the matter is the risk that illegal or unethical corporate espionage harms the strategic directions of companies and strips value from shareholders. Companies and executives may want to put in place monitoring systems to ensure protection of trade secrets, and ensure that defensive strategies are sufficient to meet threats. Aside from monitoring and protection issues, what oversight is in place for companies that engage in corporate intelligence gathering?
For years now, private business intelligence firms have provided their services to companies. These firms are often staffed with former officers from western intelligence agencies, and use “tradecraft” acquired from governmental service to collect business intelligence on matters ranging from employee activities, terrorist threats, market trends and the business dealings of rival companies.
Although these firms often dispense a valuable and legal service to companies, there is the serious underlying possibility that competitive intelligence gathering for a fee could stray into grey areas where legal issues may arise. Intelligence firms ply their craft in secrecy, and in corporate intelligence, relationships between service providers and clients are often as opaque as practicable.
Eamon Javers in Secrets and Lies – The Rise of Corporate Espionage in a Global Economy notes that firms are often hired as subcontractors for corporate law firms to argue that activities are covered by attorney-client privilege. Furthermore, intelligence firms will protect the secrecy of their operations by using a “series of cutouts and freelancers, each layer papered with strict non-disclosure agreements”.
The kinds of services provided by these intelligence firms can range greatly. Benign offerings can include BIA behavioral assessment techniques, whereby former intelligence employees with experience in areas such as polygraph analysis use their skills to evaluate quarterly corporate earnings calls. Financial institutions can use the results in conjunction with their own analyses to make decisions on whether or not to invest in a company’s shares.
On the other end of the spectrum lies Hakluyt, an ultra-secretive firm that is purported to spy on companies in order to gather intelligence in a more covert manner. It counts many FTSE 100 companies amongst its clients. In a known example where spying was authorized by companies, Hakluyt conducted intelligence gathering work on behalf of Shell and BP on Greenpeace and other environmental groups.
On the dodgier side of intelligence gathering, a jury found that Mattel Inc illegally acquired trade secrets from MGA Entertainment with respect to Bratz doll toys, and awarded MGA $88.5 million in damages. According to Reuters, the decision means that Mattel lost shareholders $400 million of their money with zero return. Mattel is alleged to have had an intelligence unit in which members travelled with fake identities, gaining entrance to rivals’ confidential product briefings and using spy cameras to film secret demonstration models of toys.
It is important that any intelligence gathering activities conducted comply with the strictest ethical standards. Corporate governance principles dictate that a board selectively endorses a company’s strategy and establishes directional policies. Companies must be protected against corporate espionage, but in order to stymie competitors they must sometimes resort to the services of the very firms that are entrenched in the intelligence industry. Board level oversight is very much a necessity.
Corporate espionage issues are a rapidly growing concern and business intelligence firm usage as a company issue cannot be kept in the closet forever. In a climate of shareholder activism and increased regulatory oversight, companies will need to ensure that protecting trade secrets is elevated to a higher standard. Potentially even more significant of a risk for boards is that companies must ensure that their intelligence gathering activities comply with laws and adhere to best practices standards.
(This article was first published by Thomson Reuters’ Business Law Currents, a leading provider of legal analysis and news on governance, transactions and legal risk. Visit Business Law Currents online at http://currents.westlawbusiness.com. )