From the AEGIS e-Journal, Volume 8 Number 10, October 2005
Coming soon to your company: A class action lawsuit We have recently had conversations with attorneys interested in class action lawsuits against corporations that suffered losses through competitive intelligence, espionage, and theft, and have not disclosed lack of an OPSEC program in their financials. This may indicate that the issue of dealing with information loss is about to become mainstream and front-page. We are neither attorneys nor accountants, nor do we play them on television, but their theory seems sound: The SEC now requires internal controls in this area, and FASB would seem to indicate that their lack needs to be disclosed. So if a corporation suffers a loss and has neither an OPSEC program nor a disclosure of the risk this causes for shareholders, the directors and senior management – certainly anyone who has Sarbanes-Oxley responsibility – are now fair game for securities litigators. Dancing away from this is a trifle more difficult now than it was before Sarbanes-Oxley. In the old days you could make the claim that intellectual assets developed in-house have no book value, and that the loss of un- booked assets is not a matter of public record or concern. However, loss of assets that have no book value, but underlie current profits and future earnings, can lead to significant financial losses. Even if you believe that the loss of $50 million or $100 million is not material to your $35 billion dollar company – a claim that we have heard made – this probably won’t hold up in the post-Sarbanes-Oxley world. And, as a manager, it may end up being personally painful to take that approach, because insurance companies seem to be indicating that failure to comply with SEC requirements in this area would be an uncovered deliberate action, not a covered negligent action. There are three ways for a manager to deal with this issue. The easiest is to do nothing and hope that you will neither have a problem nor get caught. The second easiest is to make a disclosure of risk in your financials, though you may be opening yourself up to additional problems. The third easiest is to simply implement an OPSEC program. An OPSEC program is the least expensive SOX internal control you implement, and will not only remove the liability, but will go far in eliminating your share of the country’s $300 billion annual loss to competitive intelligence, economic espionage, and theft. Prudence suggests that an OPSEC program should be implemented – and disclosed – before a loss, and before you are hit with a class action suit. ÆGIS, October 2005 6