Data Security & Privacy

Google’s Threats to Leave China Highlight the Need for Better Data Governance Controls

 
Google, Inc., announced today that it will stop censoring its search results in China, and possibly pull out of the country completely, after it was discovered that Chinese hackers had tricked human rights activists into exposing their e-mail accounts to outsiders.  According to The New York Times, the hackers were trying to break "into the computers of at least 20 major U.S. companies, and gathering personal information about dozens of human rights activists trying to shine a light on China’s alleged abuses."  The article went on to state that "[o]nly two e-mail accounts were infiltrated in these attacks[…] and the intruders were only able to see subject lines and the dates that the individual accounts were created. None of the content written within the body of the e-mails leaked out[…] As part of its investigation into that incident, Google stumbled onto another scam that was more successful. Google said dozens of activists fighting the Chinese government’s policies fell prey to ruses commonly known as “phishing” or malware. The victims live in the United States, Europe and China, Google said."
 
From an Enterprise Risk Management ("ERM") perspective, it could be argued that the lion’s share of the blame lies not with Chinese hackers, but with the Board of Directors of Google, Inc., and the human rights organizations that were illegally accessed (after all, based on what is being reported, the hacking had little to do with technology, and more to do with people and processes).  The goal of any ERM is not to eliminate the risk, but rather to develop a tolerance for the risk.  This happens in other aspects of corporate governance (e.g., finance, audit, etc.), but attention is rarely given to data governance.  The legal standard with regard to the Board of Directors’ role in ERM continues to be In re Caremark International Inc., Derivative Litigation (the "Caremark Duty").
 
The Delaware Court of Chancery held that legal liability will attach only for “a sustained or systematic failure of the board to exercise oversight” or “an utter failure to attempt to assure a reasonable information and reporting system exists.” The same Court restated the Caremark duty in the case Stone ex rel. AmSouth Bancorporation v. Ritter.  There, the Court states that (1) there is a director’s initial duty to address compliance and ethics.  The director breaches this branch of the Caremark duty by failing to take any action directed toward establishing a compliance and ethics program; then (2) there is an ongoing duty to address compliance and ethics.  The director breaches this branch of the Caremark duty if she learns of a specific gap or weakness in the organization’s compliance and ethics program, but takes no action to address that failing.
 
Google, Inc., might argue that, by threatening to leave China, it is addressing its duties outlined in Caremark, but leaving the world’s most populous country might have a detrimental effect on the valuation of the Company (which could lead to the destruction of shareholder value).  It’s time for all organizations in the U.S. to recognize the threats to their internal and external controls, as they relate to information protection, and remedy those significant deficiencies.
 
To read more about the article, please click here:  E-Mail Breach Has Google Threatening to Leave China
 
 
