The article in the url below is interesting because it argues that data and privacy breaches are today's major oil spills. That is, for firms concerned about their reputations, data breaches should be punished the way that oil spills have previously been punished. To emphasize the point, the article contrasts recent data breaches with the Exxon Valdez oil spill in 1989:
"In 1989 the thin-hulled Exxon Valdez supertanker ran aground in Prince William Sound, Alaska, pouring a quarter of a million barrels of oil into the surrounding waters. At the time, it was America's worst offshore spill, and a huge blow to the reputation of the ship's owner, Exxon."
What is interesting is the effect the Exxon Valdez spill had on public policy and on the internal controls at Exxon:
"The firm paid $3bn to clean up the area and settle legal claims, and to improve safety the American government ordered the phasing out of single-hull ships such as Exxon Valdez. All vessels used worldwide by Exxon's corporate descendant, ExxonMobil, are now double-hulled. But that is not all. The disaster gave rise to a cultlike culture of discipline within ExxonMobil that helped turn it into the profitmaking beast it is today."
The author argues that firms today should learn from this experience and do all they can to prevent a similar traumatic experience happening to them. It draws on the recent data breach from Capital One of "personal and financial details of 106m credit-card customers and applicants," which is described as the firm's "own Exxon Valdez moment," especially given the firm's prior reputation "as one of the most technologically adept in finance":
"The incident has two parallels with the oil industry. … Like Exxon Valdez, Capital One should have had more protection. Like the oil companies of old, the bank may have also lacked a culture of safety sufficiently strong to ensure that it relentlessly probed for new vulnerabilities. Both are a reminder that, if data are now more valuable than oil, data breaches bear an unhealthy resemblance to oil spills."
The idea is that firms today can learn by seeing how Exxon reacted to its 1989 defining event, in spite of the greater complexity of cybersecurity and the odds that are stacked against firms today (they have to be right 100% of the time; hackers only have to get it right once):
"Still, the oil industry's experience is instructive. First, the emphasis on ingraining safety in every employee can strengthen the weakest link in cyber-security: the individual. … Studies show that employees are often, by accident or intentionally, the main cause of successful cyber-attacks. … [Second] Oil firms' insistence on their supply chains speaking the same language, and loudly, on safety is also worth emulating. Hackers increasingly infiltrate large corporations by first penetrating the defences of smaller suppliers and piggybacking on the communications systems which link the two. … Third, the near-death experience suffered by BP after the Deepwater Horizon oil disaster in 2010 shows how data can turn from an asset into a crushing liability. It ended up costing the British firm more than $50bn. Its reputation has yet to recover fully."
For now, the article argues, data breaches are receiving relatively light punishments from regulators. If this changes (under growing public awareness and concern) and firms are not prepared, then they could suffer an existential threat.
Take care
David
David Chandler
© Sage Publications, 2020
Instructor Teaching and Student Study Site: https://study.sagepub.com/chandler5e
Strategic CSR Simulation: http://www.strategiccsrsim.com/
The library of CSR Newsletters are archived at: https://strategiccsr-sage.blogspot.com/
The Exxon Valdez of cyberspace
August 10, 2019
The Economist
Late Edition – Final
55
