Is plausible deniability dead?
One strategy of corporate counsel that has been shown in various media reports is “plausible deniability”. Ethics rules for attorneys may require them to reveal compromising facts to the opposing side. If you can show you didn’t know that the plant could blow up, and it blew up, then it may not be your fault. There is a nice legal term for this: ‘legal causation’. No facts, no case. Sorry victims, it was an act of God, an accident.
This is really confusing. So, I went to the fount of jurisprudence – Wikipedia. OK, just kidding. There are a lot of better legal references, but Wikipedia is a good layperson’s reference. According to Wikipedia, plausible deniability refers to a lack of evidence proving an allegation. In civil cases, the standard of proof is “preponderance of the evidence”, whereas in a criminal matter the standard is “beyond a reasonable doubt.” If an opponent lacks incontrovertible proof (evidence) of their allegation, one can “plausibly deny” the allegation even though it may be true.
If the plant blows up, you may find yourself facing a negligence lawsuit. Negligence involves four things: duty, breach, causation, and damages. Duty involves a standard of care and attention.
REALM OF ERM
Now, in the realm of enterprise risk management (ERM), the whole point is to identify and know all your significant risks. There is an expectation of a higher standard of duty and due care. One would think that ‘the plant might blow’ would have had to be included in the enterprise risk assessment. If it were, and the plant did blow – due to lack of appropriate risk mitigation and/or risk management – now what? There are several possibilities. A negligence (lack of care, incompetence, or disregard) lawsuit? A requirement to disclose your risk assessment and ERM plan? Collateral damages? No easy answers!
This is not just idle speculation. In late 2011 the US SEC (Securities and Exchange Commission) Division of Corporation Finance issued “CF Disclosure Guidance: Topic No. 2 – Cybersecurity”. (See http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm)
DISCLOSURE OBLIGATIONS
This posting provided the SEC Division’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The gist of the guidance is this:
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”
If you are a publicly traded corporation and get hacked, and the effects are material (significant enough to affect your finances) to investors, you must disclose. There is no option, and there may be no claim of plausible deniability.
But there may be real pressure to keep things hidden. Disclosure may be embarrassing to management. Employees may also be fearful of making waves or of reporting things to managers that might get them fired. No incident report – no embarrassment, no bad PR, no hard questions to answer, no risk to you and your cronies’ jobs or bonuses.
BEWARE OF RISK FACTORS
Not just incidents are covered, but the risk factors themselves:
“Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”
Note that not only is a risk assessment required, but it must be evaluated against your peer group!
NEW STANDARD OF CARE
If you are not up to the industry standard – beware!
Further, the US Securities and Exchange Commission states that your disclosures may need to include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Further, “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.”
So the standard of care and duty has been raised. So, is plausible deniability dead?
NOTE: I am not a lawyer, nor do I pretend to be one on TV, the internet, or in life. So if you’re in doubt of anything or see yourself possibly being prosecuted, get hold of a barrister or lawyer ASAP. Otherwise, you may be doing the perp walk.
REFERENCE
Wikipedia: Plausible Deniability, http://en.wikipedia.org/wiki/Plausible_deniability
Wikipedia: Negligence, http://en.wikipedia.org/wiki/Negligence