Legal, Risk & Compliance Practice
Regaining Control of Corporate Information
November 2, 2012
SCCE Southwest Regional Compliance & Ethics Conference

SCCE Official Site - Regaining Control of Corporate Information...Source: “ Perceptions About Network Security,” Ponemon Institute, June 2011; “Reputation Impact of a Data Breach,”


Page 2

© 2012 The Corporate Executive Board Company. All Rights Reserved. GCR3981712SYN

THE BUZZ BEHIND THE BUZZWORDS

Select Information- and Technology-Related Developments Affecting Companies (Size According to Number of Search Hits)

The recent introduction and acceleration of numerous information technology developments dramatically change the landscape of corporate information risk.

■ CEB research indicates that legal & compliance executives worry most about:
– Growth of unstructured data
– Cloud computing
– Remote access to information
– Employee negligence and misconduct
– Personal devices in the workplace

Source: Google.com, “Google Analytics,” 21 August 2012, http://www.google.com/analytics; GCR Information Risk Survey, 2012.

[Word cloud of search terms: Information security, Information governance, Records management, Security breach, Data security, Server vulnerabilities, Data breach, Data privacy, Social media, Unstructured data, SaaS, Cyber attack, Business intelligence, BYOD, E-discovery, Cloud computing, Privacy by Design, Advanced persistent threats, Hacktivism, GPS tracking, Mobile computing, Breach notification, Electronic records, Near field communication, IPv6, Corporate cloud, Collaboration tools.]

Page 3

SIGNIFICANT COSTS OF INFORMATION AND TECHNOLOGY INCIDENTS

Select Examples of Information and Technology Incidents and Their Impact

Failure to adequately control corporate information can lead to significant direct financial, regulatory, and reputational costs for companies.

■ According to a recent survey, 90% of organizations experienced at least one data breach in the past year.
■ In addition, depending on the type of information lost, damage to brand value can range from 12%–22%.
■ These costs do not account for any managerial opportunity costs or productivity loss arising from the incident.

Source: “Perceptions About Network Security,” Ponemon Institute, June 2011; “Reputation Impact of a Data Breach,” Ponemon Institute, October 2011.

Employee Theft—Prior to leaving Zynga, four employees took proprietary materials through USB storage devices and personal e-mail accounts. Zynga lost control of its business “playbook” and “secret sauce” to a direct competitor.

Hacktivism—In retaliation for a suit Sony filed against one of its customers, hacker group LulzSec released the account and credit card information of almost 100 million Sony customers, driving an estimated $1.5 billion in lost revenue.

Executive Officer Embarrassment—After the CEO of GoDaddy released a graphic video of himself shooting and killing an elephant, PETA launched a campaign to boycott GoDaddy’s services. Outraged customers shut down their accounts, resulting in more than 20,000 account closures and millions of dollars in lost revenue.

Customer Data Loss—In 2010, after Zurich Insurance lost the personal details of 46,000 customers, including, in some cases, their bank and credit card information, the UK’s Financial Services Authority fined the company more than $3.5 million for failing to maintain an adequate system of controls.

Selling Customer Data—In 2011, a Seoul court ordered SK Broadband, a high-speed internet provider, to pay its customers W 4 billion (US$3.35 million) for illegally collecting and selling customer information to a telemarketing company. Additionally, in the last few years, 23,000 customers have filed class-action lawsuits against the company.

Cyberhackers—In 2010, Honda Canada lost information for more than 4.9 million customers to cyberhackers, incurring significant financial costs, including a class-action lawsuit claiming $200+ million in damages.

Page 4

EFFECT OF DEVELOPMENTS ON RISK EXPOSURE

Perceived Influence on Risk: New Risks Adding to Existing Risks (Illustrative)

Many teams incorrectly consider the most commonly adopted technology developments as new risks.

■ Rather than create new risks, many technological developments (e.g., personal devices, social media, cloud computing) actually serve as channels that magnify existing risks.

Increased Impact and Likelihood of Existing Risks

“It’s difficult to stay on top of legal risks related to electronically-stored information. Now in addition to that risk, we have to worry about social media, privacy issues, mobile devices, etc.—this is particularly difficult to manage as a smaller company.”
General Counsel, Paper Manufacturing Company

“Companies need to break down and categorize assets and risks. Most companies start from scratch, which isn’t necessary. The trend itself may vary, but there’s a commonality between past experiences and current issues—there’s no need to re-invent the wheel.”
Chief Legal Officer, Semiconductor Industry

[Figure, left panel: Greater Number of Risks to Protect Against. Six items shown as separate risks: 1 Potential data breach; 2 Disclosure of company confidential information; 3 Violations of privacy regulations; 4 Personal devices in the workplace; 5 Social media; 6 Cloud computing.]

Actual Influence on Risk: New Developments Multiplying Existing Risks (Illustrative)

[Figure, right panel: Social media, Cloud computing and Personal devices in the workplace shown as multipliers acting on the three existing risks: Potential data breach, Violations of privacy regulations, and Disclosure of company confidential information.]

Page 5

AMPLIFYING THE RISK CALCULUS

Effect of New Information Technology Developments

New technology developments magnify the impact and likelihood of risks companies already assess.

■ The increased volume and variety of interactions as a result of personal devices multiply existing records- and discovery-related risks.
■ Employee access to social media magnifies traditional risks by increasing the speed, audience, and scope of each risk.
■ As the vast majority of companies eventually shift to cloud computing services, third-party risks will increase.

Risk = Information Technology Multiplier x (Impact x Likelihood)

Source: www.internetworldstats.com, December 2011; CIO Executive Board research; Information Risk Executive Council research; General Counsel Roundtable research.

Information Technology Multiplier x (Impact x Likelihood)

Personal Devices: Computers, telephones, recorders, and other electronic devices owned and used by people to communicate, share, organize, and consume information.
■ Volume: Increase in the volume of person-to-person interactions creates more opportunities for data leakage.
■ Variety: Growing person-to-platform interactions cause greater security risks.

Social Media: Forms of electronic communication through which users create online communities to share information, ideas, personal messages, and other content.
■ Speed and Audience: 2.3 billion web users can instantly read anything employees or customers post, with viral transmissions magnifying small mistakes into globally visible ones.
■ Scope: Blurred lines between personal and professional worlds; employees communicate with contacts many times per month instead of an average of once per year.

Cloud Computing: Delivery of computing over a network (such as the Internet), whereby computers and other devices access shared resources, software, and information on demand.
■ Severity: Seventy-seven percent of IT leaders rate the risk of data leakage from a cloud very or extremely significant.
■ Third Parties: Information Security officers rank vendor staff misconduct as one of the top five potential cloud computing flaws.

Traditional View of Risks: Risk = Impact x Likelihood

Page 6

EVERYTHING OLD IS NEW AGAIN

Existing Risks Affected by New Information Technology Developments (Selected)

The risks of new technology developments surface as some of the most common information management risks already concerning legal and compliance teams.

■ The risk of disclosing sensitive information in social media is similar to that of e-mail but with a greater impact due to the unique characteristics of social media.
■ In 2012, 50% of CIOs plan to allow employees to use personal devices in the workplace; however, fewer than 20% of companies we surveyed have a process in place for retaining business records on employees’ personal mobile devices.
■ Most cloud service providers offer standard terms that include a general outline of services, limit warranties and indemnities, and shift risks to customers.

Source: CIO Executive Board research; Information Risk Executive Council research; General Counsel Roundtable research.

Existing risks affected by one or more of Personal Devices, Social Media, and Cloud Computing:
– Violation of records management policies and schedules
– Loss of availability of information
– Third-party vendor misconduct
– Violation of workplace rights
– Unauthorized access to or disclosure of personal information
– Violation of HR policies
– Storage of information on insecure sites or restricted locations
– Inability to produce data for discovery requests
– Loss of intellectual property or company confidential information
– Non-compliance with legal or regulatory requirements

Page 7

INCREASING RISK EXPOSURE

Effect of Technology Developments on Companies’ Exposure to Information-Related Risks (Illustrative)

Rapidly adopted technology developments increase the likelihood of and overall exposure to information-related risks.

■ Most companies identify acceptable levels of information risk exposure and appetite against which they currently manage (though Legal, Compliance and other assurance functions tend to disagree with the business on where to set it).
■ These technology developments collectively push companies’ risk exposure beyond acceptable (and manageable) levels.

[Chart: Degree of Information Risk Exposure (vertical axis, Low to High) against Sensitivity of Data and Intended Use (horizontal axis, Low to High). Plotted lines: LRC Risk Appetite, Business’s Risk Appetite, Previous Risk Exposure, and New Risk Exposure. Regions: Zone of Tolerance, Zone of Tension, Zone of Peril.]

Increased Exposure Due to New Developments
■ Personal devices in the workplace
■ Personal/employee use of social media
■ Corporate use of social media and collaboration tools
■ Cloud computing
■ Third-party/vendor access to information
■ Remote access to information

Page 8

REFINING OUR ROLE IN INFORMATION RISK

Legal and Compliance must refocus their efforts to address the risk-multiplying effects of new technologies and overcome the shortcomings of current approaches to risk management.

Traditional Approach to Managing Risks / Current State Failures (Percentage of Respondents Agreeing) / Key Opportunity for Legal

1. Traditional approach: Efforts focus on risk identification, tending to own controls-based and reactive activities.
   Current state failures:
   – Legal Owns Risk Identification; IT/IS Designs and Implements Mitigation: 66%
   – Lawyers in the Department Are Equipped to Diagnose and Understand Technology Risk: 30%
   Key opportunity for Legal: Gather realistic risk behavior inputs to better understand current and desired technology and information use.

2. Traditional approach: Policies restrict access to or use of emerging technologies.
   Current state failures:
   – Company Policies Reflect How Employees Actually Consume and Use Technologies: 48%
   – Employees Regularly Violate Company Information Policies¹: 70%
   Key opportunity for Legal: Design practical employee programs that both encourage the productive use of new technology and ensure compliance.

3. Traditional approach: We rely upon the business to escalate questions or information related to new initiatives or projects.
   Current state failures:
   – The Business Does Not Consider Legal & Compliance Risks When Starting Information- or Technology-Related Projects: 26%
   – Legal Provides Formal Guidelines to Business Clients on Legal Risks of Information-Related Projects: 65%
   Key opportunity for Legal: Enable risk-informed business decision making by providing clearer guidance to the business.

n = 128–130, except see Note 1.

Source: GCR Information Risk Survey, 2012.

1 Unit of measurement is percentage of employees surveyed indicating the rate at which they violate company information policies (as opposed to percentage of respondents agreeing with the statement); n = 1,236; Source: Cisco’s 2011 Connected World Technology Report.

Page 9

ROADMAP FOR TODAY

Introductory Discussion: Governing Information Risk
– Define LRC Role¹: GCR Guidance: Allocating Responsibility for Information Risk Governance; Network-Based Governance Structure

Influencing Employee and Business Information Risk Behaviors
– Gather Realistic Risk Behavior Inputs¹: Power User-Led Policy Development; Mobile Device Pilot Program
– Design Practical Employee Programs: “Guiding Principles”-Based Policies; Empowering Employee Social Media Engagement
– Enable Risk-Informed Business Decision Making¹: “Conscious Choice” Decision Making; Principles-Based Decision Making

Risk Multiplier Discussion: Managing the Impact of Mobile Devices
Risk Multiplier Discussion: Exploring the Cloud
Risk Multiplier Discussion: Influencing Employee Social Media Activity

1 Pseudonym.

Page 10

EXISTING AND UPCOMING CEB RESOURCES TO HELP ON RELATED CHALLENGES

Additional Resources

Records Management
– Records Inventory Cataloging Tool
– Records Management and E-Discovery Forum
– Webinar Replay: New Approaches for Managing Electronic Records
– 10 Information Questions Every GC Should Ask the CIO
– Records Management Policies, Sample Schedules, Training, and Audit Plans

Data Privacy
– Data Privacy Program Benchmarking, Checklists, Risk Assessments, and Training Templates
– Updated Database of Data Privacy Regulations in More Than 25 Countries (Coming Soon)
– Webinar Replay: Understanding Proposed EU Data Protection Reforms Webinar

E-Discovery
– Sample Discovery Response Plans
– Cost-Effective Approaches for Electronic Discovery Webinar (Coming Soon)
– E-Discovery Management and Vendors Benchmarking Results (Coming Soon)
– Research Findings: The In-House Counsel’s Guide to Partnering for E-Discovery

Resource types: Decision and Diagnostic Tools; Executive Networking; Live and Online Learning Events; Peer Benchmarks; Research and Insights

Page 11

ROADMAP FOR TODAY (roadmap slide repeated; content as on Page 9)

Page 12

DISCUSSION: WHO SHOULD JOIN THE TEAM?

Key Information Risk Management Stakeholders

Whether in a virtual or formalized team structure, Legal should ensure appropriate representation and allocation of responsibilities to balance diverse technical and functional considerations with legal and regulatory oversight.

■ Collaborative information risk efforts typically include the following:
– General Counsel
– Chief Marketing Officer
– Chief Information Officer
– Head of Human Resources

■ Legal & Compliance typically work closely with IT to define necessary information risk protections, relying on input from other departments to tailor initiatives to business needs.

Invite additional functional or business unit heads to join in information risk oversight to provide robust and enterprise-wide input into development of the information risk management program, ensure the program meets organizational needs, and minimize department push-back.

Division of Information Risk Management Responsibilities

Legal
■ Identifies necessary legal and regulatory requirements for information management
■ Assesses corporate risk exposure from various information and technology uses
■ Cascades mitigation efforts to various departments and business units as necessary

Information Technology and Information Security
■ Oversee implementation of technical requirements for information security
■ Classify data types and ensure protection of the most sensitive information
■ Monitor systems for data breaches or vulnerabilities

Marketing and Human Resources
■ Help identify sensitive information used in high-value internal efforts
■ Serve as key sources of insight into how the organization uses information and technology
■ Assist with implementing information management training across the organization

Page 13

KEY TAKEAWAYS

Partner Across the Organization for Effective Information Risk Management
Identify the appropriate owner for essential information risk management tasks, and work with key functional partners to develop an effective governance structure and assign clear ownership and accountability.

Foster Strong Working Relationships with Information Technology and Information Security
Partner closely with the Chief Information Officer and Chief Information Security Officer to understand the organization’s technological capabilities and incorporate legal considerations into new technology projects.

Consider the Composition of Cross-Functional Committees
Rather than solely rely on functional experts, select highly networked members responsible for discrete areas of information risk to ensure better coordination with existing risk management efforts.

Page 14

ROADMAP FOR TODAY (roadmap slide repeated; content as on Page 9)

Page 15

INCREASING MOBILITY AND PRODUCTIVITY THROUGH TECHNOLOGY USE

Consumer Technologies Used on a Regular Basis for Work¹ (Percentage of Respondents by Attitudinal Profile²)

Employees increasingly use a variety of tools and platforms in their day-to-day workflows, including employees who describe themselves as “skeptical” or “wary” of new technology.

■ Many of these social networking platforms and collaboration tools, while effective for productivity, do not yet have organizational approval.

Percentage of respondents by profile (Early Adopters / Open to New Technology / Skeptics, Wary or Uninterested in New Technology):
– Personally owned devices: 78% / 65% / 51%
– Collaboration/productivity tools: 59% / 45% / 32%
– Social networking technologies: 39% / 26% / 15%
– Communication tools: 51% / 44% / 40%

n = 9,990 global employees.

1 Percentage of respondents answering “Which Personal/Consumer Technologies Do You Use on a Regular Basis for Getting Work Done?”
2 Multiple responses allowed.

Source: Infrastructure Executive Council Employee Technology Value Survey, 2011.

Page 16

PERVASIVE AND PERNICIOUS

With distinct preferences for the use of personal technology and social media at work, employees act in their perceived own best interests, unintentionally placing their organizations at greater risk.

■ Research from the Information Risk Executive Council shows that the average end-user displays insecure behavior 22% of the time.

Average Secure Behavior by Organization (Ranked by Companies’ Average Secure Index¹)

[Chart: user compliance rate (60% to 90%) for each participating organization, from Lagging Organization to Best in Class; average user compliance rate 78%.]

n = 57,000 employees at 60 companies.

Insecure Employee Technology Behaviors (Based on Questions from the Secure Behavior Index¹)

1. Leaving sensitive information unattended on desks or in other accessible locations
2. Sharing passwords with trusted co-workers to get a task done better or more easily
3. Writing down one or more work-related passwords so as not to forget them
4. Copying or e-mailing files containing sensitive information to enable work at home or on the road
5. Inconsistently securing a laptop physically with a cable or by locking it in a safe place while unattended
6. Opening e-mail attachments or links that do not seem business-relevant

1 The Secure Behavior Index is calculated from employees’ responses to six questions about the frequency of insecure behavior.

Source: Information Risk Executive Council research.

Page 17

GATHER REALISTIC RISK BEHAVIOR INPUTS

Consider the permanency of and employee preferences for new technology uses to help design programs that minimize risk while delivering desired benefits.

Challenges
■ Understanding Employee Technology and Information Use
■ Gaining Visibility into Future Technology Trends

Key Member Questions
■ How do we gain insight into employee technology and information use and identify the risks posed to the organization?
■ How do we ensure that policies accurately reflect employee behaviors and technology preferences to increase policy relevance and effectiveness?

Approaches for Discussion
■ Power User-Led Policy Development: Tapping into Key Technology Users in the Business
■ Mobile Device Pilot Program¹

1 Pseudonym.

Page 18

QUESTIONS TO HELP IDENTIFY POWER USERS

Sample Questions on Employee Attitudes and Preferences for Technology

Identify “power users” to advise on policies that mitigate risks while still enabling preferred and productive use of technology.

Preferences for Using Technology to Complete Work
■ Is technology important for the employee to complete his/her work?
■ Does the employee frequently use services and products as part of his/her job?
■ Does the employee identify technology offerings that would make him/her more successful in his/her job?

Interest in Using Technology to Collaborate with Peers
■ Does the employee like to share knowledge with peers?
■ Does the employee seek ways to collaborate and share work through technology?

Willingness to Use Technology to Learn
■ Does the employee use or look for opportunities to use technology to learn something new?
■ Does the employee prefer technology delivery methods for work-related education?

Desire to Use Technology to Work Remotely
■ Does the employee spend a large percentage of his/her time away from his/her desk?
■ Is the employee comfortable with working remotely?

Curiosity in Using More Technology Solutions
■ Does the employee seek to independently solve technology constraints?
■ Is the employee comfortable expressing opinions on technology needs?
■ Is the employee comfortable with using new tools implemented by IT?
■ Does the employee hold a track record of recommending new technologies to IT?

Source: Infrastructure Executive Council research; General Counsel Roundtable research.

Page 19

KEY TAKEAWAYS

Rely on Demonstrated Employee and Business Technology Use for Policy and Program Development
Understand how employees use and access technology and information and build these considerations into program development to enhance compliance and minimize risk.

Incorporate the Input of Technology “Early Adopters”
Create and access a network of key power users in the business, tapping into their knowledge about the role of technology in day-to-day employee activities to design programs that realistically account for and impact employee actions and behaviors.

Test New Technologies and Information Sources in the Business
Create programs to pilot new or proposed technologies before widespread employee use to understand how employees use such tools to access and distribute information and to surface the concomitant legal and compliance risks and business benefits.

Page 20

ROADMAP FOR TODAY (roadmap slide repeated; content as on Page 9)

Page 21

AN UNDERPERFORMING CONTROL ENVIRONMENT

LRC teams often use a “policy-first” approach to manage and reduce risks created by employee technology and information use.

■ While 50% of survey respondents prefer a restrictive approach to managing information risk, no correlation exists between restrictive approaches and the number of data disclosures experienced per year.
■ Employees regularly violate company information policies and lack accountability for protecting information, exacerbating existing legal, regulatory, and reputational risks.
■ CEB research indicates that the majority of legal departments are neutral in their assessment of whether their policies and training programs effectively mitigate employee-created risks.

Top 10 Information Policies Currently in Place at Member Organizations (Ranked by Percentage of Respondents)
– Employee Data Privacy: 79%
– Bring Your Own Device/Mobile Computing: 75%
– E-Mail Communication: 74%
– Social Media Acceptable Use: 71%
– General Information Security: 70%
– Website or Internet Privacy: 68%
– Customer Data: 67%
– Policies Related to Specific Regulations (e.g., HIPAA): 41%
– Third-Party Due Diligence and Compliance: 37%
– Information Classification: 30%

n = 125.

Source: GCR Information Risk Survey, 2012.

Top Five Employee Reasons for Non-Compliance with Corporate IT Policy (Percentage of Employees¹)
– I’m Not Doing Anything Wrong: 33%
– I Need Access to Programs Not Sanctioned by the IT Policy: 22%
– My Company’s IT Policy Isn’t Enforced: 19%
– I’m Too Busy to Think About My Company’s IT Policy: 18%
– It Is Not Convenient: 16%

n = 245.

1 Multiple responses allowed.

Source: Cisco’s 2012 Connected World Technology Report.

Nearly 70% of employees admit to violating company information policies at least some of the time.

SUBVERTING SOCIAL MEDIA CONTROLS

[Charts: Facebook Use by Device (Percentage of Facebook Users, n = 8,544) and Twitter Use by Device (Percentage of Twitter Users, n = 978). Each chart compares use on an Office Computer with use on a Mobile Device, split by whether the site is Not Blocked or Blocked on the office computer. Values shown on the charts: 38%, 2%, 33%, 35%, 27%, 12%, 52%, 55% (bar assignments not recoverable).]

Source: Information Risk Executive Council research.

“HARMLESS” BEHAVIORS?

■ Insecure or thoughtless actions by employees, compounded by increased access to company information and methods for distribution, intensify risks for companies.
■ Employees’ autonomy and ability to acquire and share information likewise increase the possibility, danger, and volatility of traditional legal and compliance risks.

Impact of Employee Behaviors on Traditional Risks (Selected)

Employee behaviors:
■ Unsanctioned Internet Browsing
■ Portable Storage Devices (e.g., USB Drives)
■ Discussing Confidential or Proprietary Information on Social Media
■ Insufficient Passwords and Poor Password Protection
■ Transferring Company Data on an Unsecure Network
■ Downloading Unauthorized Software or Attachments
■ Sharing a Company Computer, Smartphone, or Tablet
■ Sending Confidential Information or Data Through Personal E-Mail
■ Using Unsanctioned Collaboration Tools
■ Storing Sensitive Information in a Personal Cloud

Traditional risks affected:
■ Insider Trading
■ Unauthorized Access
■ Discovery and Litigation
■ Harassment and Discrimination
■ IP/Trade Secret Violations
■ Breached or Lost Data
■ Regulatory and Legal Consequences

[The slide maps each behavior to the traditional risks it affects; the cell markings of that matrix are not recoverable.]

DESIGN PRACTICAL EMPLOYEE PROGRAMS

Shift focus toward creating practical policies and providing general guidance that enable employees to make sound and compliant decisions, while still benefitting from technology use.

Challenge: Creating Flexible Policies from Static Guiding Principles
Key Member Question: How do we create policies that provide consistent feedback but that can also adapt easily to changing technology needs or uses?
Approach for Discussion: “Guiding Principles”-Based Policies

Challenge: Training Employees on Appropriate Behaviors
Key Member Question: How do we allow employees to use new technologies while minimizing the potential risk impact of these uses?
Approach for Discussion: Social Media Ninjas Training Program

HOW TO TRAIN AND ARM A NINJA

To prepare Ninjas for their role and provide ongoing support for success, Sprint equips Ninjas with a varied arsenal of tools and training.

■ Social Media Ninjas go through several phases of training and receive ongoing support from Sprint, which provides consistent messaging, reinforces Sprint policy, and reduces the risk of unauthorized disclosures or unacceptable behaviors.

Ninja Tools

■ Existing Sprint Policies: Sprint’s Social Media Ninjas program is informed by foundational Sprint policies such as its code of conduct, disclosure policy, information security policy, privacy policy, and non-harassment policy.
■ Initial Workshop: Every Ninja goes through a 90-minute initial training workshop that covers Sprint’s social media policy and key social media platforms.
■ Follow-Up Training: Every six weeks, Sprint offers more advanced workshops addressing either platform-specific topics or detailed information about products and services for discussion in social media. Business units with unique training or support needs can also receive customized training.
■ Sprint Space: Sprint Space, a discussion board for employees, provides Ninjas with additional material and opportunities to communicate with each other about social media issues, concerns, or experiences.
■ Widgets: When providing Ninjas with suggested content, Sprint also provides widgets that allow the Ninjas to link directly to their profiles on three main social media platforms—Facebook, LinkedIn, and Twitter—and post the content quickly and easily.
■ Approved Content: In response to participants’ requests for clear guidance on approved content, Sprint provides Ninjas with approved “copy and paste” ready material for use in posts and advice on strategic use of the provided content.

KEY TAKEAWAYS

Provide Realistic Guidance to Employees on Appropriate Behavior
Account for employee technology needs and desires and create policies that enable continued use while providing clear guidelines on acceptable behaviors.

Use Principles to Guide Policy Creation
Avoid lawyers’ traditional “rules-based” policy approach by balancing policy development and awareness with broadly applicable and memorable principles. Clarify the connections between specific and adaptable (as necessary, especially to respond to fast-moving technological developments and demand) rules and longer-term principles based in company values.

Empower Employees to Safely Engage with Desired Technologies
Provide staggered and directed training sessions to educate employees on their responsibilities when representing the company in the public sphere, and provide them with the opportunity and encouragement to defend the brand.


MORE DATA, MORE DEMAND

The amount of business information continues to grow, leading to higher business demand for technology to access this information.

■ “Big data” grows exponentially bigger as information volumes increase by 60% annually.
■ As technology evolves, corporate use of data grows in popularity, increasing the risks associated with its use.
■ Approximately 60% of companies report a measurable decrease in communication costs as a benefit of social technology adoption.

Estimated Rise in Global Data Volumes, 2010–2015 (Indexed to 100)
2010: 100
2011: 160
2012: 260
2013: 410
2014: 660
2015: 1,050
60% CAGR¹

Changes in Technology Project Portfolios, 2009–2010, Percentage of Respondents Indicating Demand Changes²
The types of technology projects being considered focus on the business’s desire for more analysis of corporate information and greater accessibility and sharing.
Business Intelligence/Analytics: 94% increased, 6% flat
Social Media: 87% increased, 13% flat
Mobile Applications: 81% increased, 13% flat, 6% decreased
Software as a Service (Concur, Basecamp, NetSuite, Salesforce.com): 71% increased, 26% flat, 3% decreased
Customer Interface Applications (Web): 68% increased, 23% flat, 9% decreased
Collaboration (SharePoint, Lotus Notes): 67% increased, 33% flat
n = 34 Applications Executive Council member institutions.

1 Compound Annual Growth Rate.
2 Numbers may not equal 100% due to rounding.

Source: “All Too Much,” The Economist, 27 February 2010; Insight IQ Diagnostic, 2011, IT Practice, Corporate Executive Board; AEC Peer Perspectives, Survey of Applications Executives, June 2011; “How Social Technologies are Extending the Organization,” McKinsey Quarterly, May 2012.

LIGHTING THE PATH

Most general counsel worry that the business does not consider the risks associated with new projects, yet few provide the business with guidance.

■ More than 60% of respondents believe the business does not consider legal risks when starting an information- or technology-related project.
■ Only 26% of legal departments provide guidance to their business clients on the legal and regulatory risks to consider when starting a new project.
■ As a result, Legal cannot preempt the need for or recommend mid-course corrections due to its limited visibility into and influence on business needs and planned uses of technology or information assets.

Agreement That “Business Clients Consider Legal, Regulatory, and Records-Related Risks When Starting a New Information-Related Project,” Percentage of Respondents
Strongly Agree: 1%
Agree: 8%
Neither Agree Nor Disagree: 27%
Disagree: 49%
Strongly Disagree: 16%
n = 130.
Note: Graph numbers may not total 100% due to rounding.

Impact of Legal’s Guidance on Information Risk Management Satisfaction¹, Legal Satisfaction Rating from Strongly Disagree (1) to Strongly Agree (5)
Legal Departments Providing Information and Technology Project Risk Guidelines: 3.28
Legal Departments Not Providing Information and Technology Project Risk Guidelines: 2.75
∆ = 18%
n = 120.
1 Legal’s level of agreement with the statement “I am satisfied with the extent to which the company understands and manages the legal and compliance risks associated with different information channels and platforms.”

Source: GCR Information Risk Survey, 2012.

“Traditional technology projects were capital projects that had to be vetted through capital investment processes. Now, most licensing and sub-contracting agreements currently hit individual expense budgets, which don’t follow the same process (and frankly, don’t always involve Legal or IT). As a result, we’re spending a lot of time with individual business managers to educate them on the legal risks and implications.”
Chief Privacy Officer, Hospitality Industry

ENABLE RISK-INFORMED BUSINESS DECISION MAKING

Provide clear, concise guidelines to the business to enable risk-based decisions regarding technology and information uses.

Challenge: Providing Opportunities for Open Discussions on Information Risks
Key Member Question: How do we encourage the business to raise concerns about information risks prior to implementing new programs or initiatives?
Approach for Discussion: “Conscious Choice” Decision Making

Challenge: Embedding Risk Considerations into Business Routines
Key Member Question: How do we guide the business to consider legal and compliance risks when determining to pursue new opportunities?
Approach for Discussion: Principles-Based Decision Making

1 Pseudonym.

INTEGRATING FORMALIZED DECISION MAKING

Allstate formalizes discussions of the risks of particular information uses by implementing Conscious Choice Decision Making to ensure decision makers mitigate risks and remain aware of risks that cannot be mitigated.

■ Allstate’s legal department condenses critical questions and decision factors onto portable cards employees can carry for quick reference during meetings.
■ Employees with risk-related concerns about particular uses of information can reach out to stakeholders and subject-matter experts, almost always including a lawyer, to meet and discuss all potential risks of the proposed initiative.

Conscious Choice Decision Making: A simple, repeatable method for informed risk-taking that helps avoid unanticipated, negative consequences by ensuring that decisions are made based on a full consideration of options and the implications of actions.

Five Key Conscious Choice Questions to Aid Decision Making

1. What is the business objective and who is the business decision maker?
2. What risks does this strategy present in the following areas?
   ■ Regulatory/Legal?
   ■ Reputation?
   ■ Customer?
3. What strategies have you developed to mitigate the identified risks?
4. What are your contingency plans (if risks occur or circumstances change)?
5. What processes have you established to monitor implementation and reassess, as necessary, to ensure the planned strategy continues to be the best means to achieve the business objective?

Communicating the Concept to the Business

Training Sessions
■ Allstate creates temporary, standalone training to instill the Conscious Choice Decision Making concept in business managers and employees simultaneously.
■ Allstate incorporates the training into its strongly encouraged management course: Leading with Integrity and Ethical Decision Making.

Laminated Cards
■ Allstate prints the principles on laminated, 5” x 7” cards to emphasize the importance and permanent nature of the Conscious Choice Decision Making concept to the employee.

Leadership Outreach
■ Allstate reaches out to thought leaders from the different functions and champions within the business units to promote the use of the meetings and provide assistance, and introduces the concept to new officers within 90 days of hire or appointment through onboarding sessions and pre-packets.

GUIDING INFORMATION USE DECISIONS

Recognizing how the perceived misuse of information can affect its brand, Alvarez’s¹ legal team develops principles-based questions that the business can use to guide its decision making on initiatives that involve consumer information.

■ The legal department also uses the questions to inform business clients of the context of its decisions to pursue a particular use of information.
■ Alvarez embeds the principles-based questions into both live privacy training and in-person meetings.

Principles-Based Guiding Questions

Is the proposed use of information legal?
Alvarez asks a foundational question to establish that the desired business use of customer information does not violate any legal or contractual requirement. If the use does violate any legal or regulatory considerations, Alvarez will not pursue the opportunity.

If yes or uncertain:

Notice—Have we notified customers that we will be using their data in this manner?
■ What forms of notice would customers deem sufficient for this particular use?
■ Is this practical?

Consent—Did the customer consent to our use of their data in this manner?
■ Is it possible for the customer to make an informed choice allowing this particular use?

Risks—Have we evaluated all the potential unintended consequences that may stem from using the customer’s data in this manner?
■ Will this use surprise the customer?
■ What types of risks will be increased through this use and what mitigation tactics will alleviate them?

Opt-Out—Can the customer opt out of our using their data in this manner?
■ If a technology barrier exists, do we need to increase the level of consent and notification?

Impact—Have we considered the implications these data will have on our data security and records retention efforts?
■ How and where will these data be captured and stored? Is there a technical solution available?
■ Has IT Security been included in these conversations?

If answers are “no” or “uncertain,” Legal typically evaluates with the business whether to disallow the use or request additional information or mitigation efforts.

1 Pseudonym.

ALTERNATIVE DECISION CRITERIA

Build a set of decision criteria based on your organization’s risk profile and tolerance to guide business decision making on the potential use of information or technology.

Additional Information Use Decision Criteria (Selected from Member Conversations)

Regulatory/Statutory Requirements
■ Does this use of information violate regulatory requirements that dictate how we may use or store this information?
■ What are the potential penalties for violating regulatory or statutory requirements regarding information use in this way?
■ Do we face scrutiny from a regulatory agency or a regulatory investigation if we use information in this manner?

Industry Requirements
■ Are there industry standards that prevent such information use?

Customer Expectations
■ Do our customers expect we will use information in this manner?
■ Do our obligations to customers allow us to use information in this manner?
■ What are the consequences of violating customer expectations by using information this way?

Reputational Harm
■ Is the use of information in this manner consistent with our brand philosophy?
■ If our customers discovered we used/treated information this way, would they stop doing business with us?
■ What impact could reputational damage related to our use of information this way have on our stock price, market share, or revenue?

Criminal Liability
■ Does this practice or use of information open us up to criminal liability?
■ What are the criminal penalties for such information use?

Civil Liability
■ Does this practice or use of information pose potential civil liability?
■ What are the civil penalties for such information use?
■ Could we face class action lawsuits over such activities?

KEY TAKEAWAYS

Provide Business-Level Guidance
Enable the business to make risk-informed decisions about information and technology use through principles that take into consideration company values, reputational risks, and legal requirements.

Keep Guidance Simple and Replicable
Avoid overly cumbersome risk assessment processes or decision criteria that make it difficult for the business to achieve its objectives and instead focus on simple, practical, and easy-to-apply principles to aid decision making.

Encourage Business Risk Self-Assessments
Provide the business with a set of standard risk questions (including guidance on acceptable risk thresholds or escalation criteria) to facilitate self-assessments of the risks involved with new technology or information uses.

KEY TAKEAWAYS FOR THE DAY

Technology Developments Magnify Existing Risks, Not Create New Ones
Rather than introduce new-to-world risks, many information- and technology-related developments are actually the channels by which existing risks are magnified, accelerated, and dispersed. While actual impact will depend on a company’s industry, type and complexity of information handled, and geographic footprint, these developments collectively push companies’ risk exposure beyond acceptable (and manageable) levels.

Legal’s Cautious Approach Is Ineffective in This Environment
To manage information risks, legal departments often create controls and requirements that are too restrictive and impractical, tending to overlook the business opportunities and unstoppable employee behavior associated with these challenges. Rather than manage down companies’ risk exposure to more acceptable levels, these overly restrictive policies and controls can instead hide risks and, in turn, increase risk exposure.

Leading legal departments focus instead on the following actions to appropriately manage the risks and opportunities associated with these technology developments:

1. Establish Clear, Effective Information Risk Governance Structures. Legal may be tempted, on the one hand, to control information risk initiatives or, on the other, to abdicate and defer ownership entirely. However, the inter-disciplinary nature of information risk management requires effective collaboration by LRC with other functional partners. With varying degrees of formality and administrative effort, LRC must choose the model appropriate to its organization that ensures a balance among key stakeholders and internal experts. Assign key task ownership carefully and deliberately—the most “obvious” function responsible for an activity may not, in fact, be the most effective.

2. Create Practical, Realistic Employee-Facing Policies and Programs. On average, employees demonstrate a propensity for insecure behavior 22% of the time; however, Legal often bases its responses on a limited understanding of employee demand and preferences for new technology tools and platforms. Recognizing that typical tools fail to address the risks associated with employee behavior, leading LRC teams assess both the opportunity costs of prohibition and realistic means of enforcement, in addition to considering employee preferences, when developing policies and programs.

3. Ensure Deliberate Decision Making. As technology evolves, the business use of data grows in both popularity and complexity, amplifying the associated risks. In this ambiguous, rapidly changing environment, most business units do not consider legal and regulatory risks in their decision making, while their legal advisors rarely provide appropriate and sufficient guidance on how to do so and have limited visibility into the organization’s use of and desire for emerging information technologies. Leading companies enable the business to make risk-informed decisions about information and technology use through principles that take into consideration company values, reputational risks, and legal requirements, while keeping themselves informed of the business’s technology uses and needs by actively tracking and assessing technology developments.