When a data breach is discovered it’s natural the incident response team gets defensive: The company could be exposed to liability, bad press, loss of reputation, loss of customers and criticism by regulators, not to mention substantial costs of remediation.
Protect the company might be the first thought of many.
But Ula Ubani, the Bank of Montreal’s chief ethics officer, says there’s a better instinct: Act ethically in making all decisions.
“How we should act is important,” she told an audience of privacy professionals Tuesday at the Canadian Institute’s annual Privacy and Data Compliance Forum in Toronto., “because at the heart of it is you really need to subscribe to an ethical framework, in the sense of doing the right thing.
“That sound trite,” she admits. “When you’re in the middle of an issue, when there’s pressure, when you have to respond by tomorrow morning and it’s 4:15 [p.m.]now, things can go off the rails very, very quickly. So to the extent you’re able to remember all the various stakeholders and various people and issues you are beholden to, that is helpful. Its also predicated on values.”
Several years ago the bank shifted its code of conduct to what she called a “principles-based code,” rooted in BMO’s corporate values. This can be hard, she acknowledged, because employees are more comfortable with what she called “prescriptive information” that can be found in a how-to document. But, she said, if you are in the midst of a crisis, try to the extent you can ground yourself and try to think of what is the right thing — even if it might be different for the company, for employees for the shareholders or for victims – and how they might be impacted by decisions.
“It’s a form of stakeholder view,” she said.
“It’s not always easy,” she said, because on an incident response team the lawyers, the privacy officer, the customer advocate and others have opinions. And they don’t always agree. “How you bring them together is the ethical framework.”
The Information Accountability Foundation has a Unified Ethical Framework for big data projects, she noted, which suggests organizations ask questions like, ‘Is this really beneficial, or are we doing it because we can?’”
”Policies and procedures and rules and guidance don’t influence behavior,” she said. At BMO “we have decided it comes down to making sure people understand what the values are and the purpose is and what we are trying to achieve.”
And, Ubani admitted, sometimes decisions go against her opinion. “But the key is to speak up.”
Karen Burke, BMO’s enterprise chief privacy officer, who also spoke at the conference, put it in a different way. “I tell people, ‘Do the right thing, nine times out of 10 you’ll be following the regulation.’”
In her address Burke spoke a lot about the importance of awareness training to improve protection of customer data, particularly in making employees believe data protection and security is vital to the company – and not just to preserve their jobs. “If people don’t understand something they can’t action it,” she said.
In an interview Burke said what doesn’t work is messaging or experts that are too clever, or use jargon.
“What we found is that it needs to be frequent, consistent messaging… if you can help people understand the basic tenants of privacy and have messaging that’s consistent throughout their work” — such as giving as online access to to-do lists and other resources — “it creates a consistent just in time delivery, it creates an ability to access information in real-time.
Time training may have to be tailored for different business groups, she added.