Is there risk hiding in your digital policies?

When COVID-19 erupted into our lives, we had to adapt quickly, working from home despite what our digital policies might say about security and personal devices.

Kristina Podnar
June 30, 2020
· 10 min read

I’ve taken that opportunity to address other events that should trigger a close review of digital policies -- so far, natural disasters and changes in technology. This post will address the type of digital policies organizations should review when they’re facing significant business changes, such as looking for an investment of venture capital, seeking a buyer, making your first foray into the global market, or buying or merging with another company.

Big changes in business operations require a new risk/opportunity analysis

I’ve always presented digital policies in light of risk vs. opportunity. Some companies are more open to taking risks than others, and their digital policies reflect that. They may give individual employees more freedom when it comes to posting on social media, for example. Other risks run deeper, such as when companies focus on time-to-market, assuming they’ll go back later to properly document things like processes, product specs, coding, etc.

The bottom line, though, is that no one wants to invest in, buy, or merge with a company whose digital activities present a huge risk. Think of it in terms of the GDPR. The penalties for violations are so high that no company in their right mind would legally bind themselves to an organization that doesn’t have a good grasp on consumer privacy. And that’s just one example. A smart buyer or investor is going to be digging through every aspect of our business, looking for areas of risk. Hopefully, everyone involved in digital policies will be given a heads-up before the C-suite puts the wheels in motion, giving you time to comb through your own digital policies with the intent of moving toward a position of greater safety.

How to revisit your digital policies when you’re looking for an investor or buyer

Your mission in this scenario is to rein in risks -- whether calculated risks or things that slipped through the cracks. Let’s take a look at some of the things that should be on that list.

Social media policies

Review your social media policies and make sure they reflect your new “safety first” mode. You may need to rewrite some digital policies, retrain employees, or implement new work processes to reduce the possibility of someone posting something that damages the company.

Don’t be afraid to address the C-suite in your policies

It’s not just the front-line employees you need to worry about, as the recent headlines about Elon Musk’s social media misadventures -- including Tweeting that he thought the company’s stock was overpriced -- illustrate.

Not only can such ramblings cause employees, customers, and potential buyers or investors to question leadership abilities, there are legal issues as well. In 2018, for example, Musk Tweeted that he had “funding secured” for a private takeover of Tesla at $420 per share. The SEC filed a complaint, claiming that Musk had committed securities fraud.

Musk and Tesla made a settlement with the SEC -- a settlement that put a number of restrictions on Musk’s activities with the company, one of them being that Musk couldn’t Tweet about certain topics and that Tesla had to come up with a way to monitor any Tweets he did post (something that obviously wasn’t implemented very well).

As another example, think back to last October, when Daryl Morey, GM of the Houston Rockets, Tweeted his support of Hong Kong protestors pushing for more freedom from mainland China. It started quite the chain reaction, with China taking great offense to what they considered an internal political matter, and fans in the U.S. becoming upset at what they saw as a U.S. company “caving in” to pressure from China. (It’s worth noting that American basketball is big business in China.)

You can read more about the details in the link (and the story is resurfacing now that the NBA has announced that it’s considering plans for reopening after the coronavirus pandemic). The point is that, when an executive’s personal post could be perceived as the position of the company, it should be treated as such. And that’s almost always the case.

Coming up with digital policies that effectively govern what C-suite employees can and can’t do on social media can be difficult (especially when you have a CEO who thinks the rules don’t apply). One way to address that is through executive employment contracts. Otherwise, it will be up to the board and the rest of the executive leadership team to hold each other accountable, and your digital policies should specify that doing so is part of their fiduciary responsibilities.

And then there’s everybody else...

However, when it comes to offensive posts that go viral, it doesn’t matter much (in the public’s eyes, anyway) if it was an officer of the company or a front-line employee. Check your social media policies -- and your means of enforcement -- for things like this:

  • Who has access to your social media accounts? (The correct answer is “only employees authorized to conduct those tasks.” )
  • Are those employees properly trained, and do they have tools to help them (checklists, company-approved images and templates, etc.)?
  • Do termination protocols include eliminating their ability to access your social media accounts? And how long does it take? Your digital policies should address that issue as well as how it’s enforced. Ideally, termination of one of those employees would trigger an automated notification to the person responsible for governing access.
  • Are all employees with access to your accounts trained and repeatedly reminded to make sure they’re not posting to the business account when they intend to post to their personal account?
  • If you’ve tasked employees with being brand ambassadors, have you supported them with clear digital policies? Such policies should include both what employees should share -- press releases, positive mentions in the news, awards, or even a list of hashtags -- as well as what they shouldn’t post, such as information that hasn’t yet been made public, or comments on a PR crisis that could be mistaken as the company’s official position.

I could go on forever listing specific policies, but the bottom line is this: If you’ve had lax policies regarding who posts on your social media accounts, or what employees can post about the company on their personal accounts, it’s time to tighten them up. If you already have strict policies, it’s time to make sure they’re actually being enforced.

Data security

When it comes to financial risks, data security ranks near the top. Here are some things to think about:

  • If you have physical servers, who has access to them? Access should be on a “business critical” basis, and those with access should be trained (and reminded) not to let anyone else use their credentials.
  • Is there a policy and process in place for deleting the credentials of employees who leave the company? Having a process in place is especially important during mass layoffs, when things tend to be rather chaotic.
  • Are your current login credential requirements set at the highest possible level? Your security protocols should meet the latest industry-approved safety requirements for passwords (at least eight characters, no common words, no reused passwords, etc.).
  • Are all of your employees registered for two-step verification (at least for access to your most sensitive information) and using a password management tool to ensure additional protection (e.g., LastPass).
  • Do you have a firewall and VPN? Do you require a VPN for anyone logging in from outside of your physical building?
  • If employees use mobile devices (whether their own or devices supplied by the company), is the data encrypted (both while on the devices and during transmission)?
  • How often do you back up your data? Is your back-up data stored in a place that will be accessible during a national disaster, a terrorist attack, etc.? Do you have detailed plans for accessing and restoring your data
  • Do essential employees know how to access data to continue operations during the situations described above?
  • Do you conduct regular, multi-factor penetration testing (including phishing) to identify weaknesses in your system? Do you document both the weaknesses and the steps you take to correct them?
  • Do you have a breach identification and mitigation plan, and does everyone understand what their roles are?
  • If you work with outside agencies or vendor partners (such as a content agency that manages your digital marketing), or have a fully integrated supply chain, how often do you review their digital policies to make sure they’re at least as strong as yours?

Again, I’m not trying to cover everything related to data security -- just to give you some food for thought!


Compliance is another area where the risks pack a punch. Lack of compliance with the GDPR, for example, can result in fines of almost $25 million or 4% of the organization’s worldwide revenue from the previous year, whichever is higher -- so you can be sure that any company considering investing in or buying your organization will take a close look at your compliance with privacy laws.

Another potentially expensive compliance problem often shows up when a company is involved in litigation. During one wrongful termination suit, for example, employees deleted emails relevant to the case even after the company had been instructed not to. When the case went to trial, the judge allowed the jurors to infer that the deleted emails supported the plaintiff’s claims. They ended up awarding her $29 million!

Today, though, the word “compliance” usually refers to regulatory requirements, such as:

  • Privacy laws, like the GDPR or CCPA
  • SEC regulations (like those that prevent an executive from Tweeting about his expectations for the company’s stock!)
  • Accessibility regulations that require businesses to make every effort to make sure their website is accessible to everyone, including those with disabilities.
  • FDA regulations, like those that require pharmaceutical companies advertising drugs to consumers to include all reported side effects

And, if you’re in an industry that has regulations with digital implications, make sure you’re in complete compliance.

Going global

Taking your company global is a big step for any company, full of both risks and opportunities. The most important advice I can give you is to make sure you know and follow all laws pertaining to your digital activities. Here are a few examples:

  • In the EU, it’s illegal to advertise pharmaceuticals directly to consumers.
  • Israel and some other countries have had accessibility requirements in place for nearly a decade, so make sure yours are up to par.
  • China prohibits information on Chinese citizens from being transferred outside of national borders,meaning that organizations have to establish servers in China.
  • Sweden prohibits advertising aimed at children under the age of 12.
  • The marketing of alcohol is regulated in many countries and completely prohibited in others. In Indonesia, for example, it used to be legal to market alcohol, but it’s been banned since 1995.

And that barely scratches the surface. So the main takeaway here is to do your homework and develop both your digital policies and your means of enforcing them before beginning to do business in another country -- even one you think you know well.

When the shoe is on the other foot

Things are a little different when you’re the one considering an investment in or partnership with another company. In that case, you want to examine their digital policies just as closely as you’d examine your own if the situation were reversed. (And if your executive team doesn’t realize the magnitude of risk involved, give them a heads-up and request permission to examine the target company’s digital policies.)

Here are a few additional things to consider:

  • How experienced are they in your industry? Could a lack of experience lead to regulatory risks?
  • Are your digital policies in alignment? If not, how will you go about reconciling them? Change management in a situation like that can be tough, especially if you and the other organization have vastly different cultures -- like a charge-full-steam-ahead start-up and a blue chip company that changes course about as quickly as an aircraft carrier does -- but it’s got to be done.
  • What does their IT architecture look like? Do you use the same CRM and other cloud services, for example? If not, is there an opportunity to develop an integration? If not, will you attempt a migration, or will you continue operating two completely different systems? What additional costs and risks will that incur?
  • The same is true for cybersecurity, privacy, and other compliance issues. Keep in mind that, if your target acquisition is weak in those areas, it’s important to include those potential risks in the overall cost assessment. If their security is so bad that they’re in imminent danger of a major breach, that completely changes the math -- and it’s up to you to make sure that information gets to the right people.

It’s really all about safety

Reading through all of those examples can make your head spin, no matter how long you’ve been involved in digital governance. But the important thing to remember is that, if you’re facing a major change in your business, it’s time to batten down the hatches and play it safe, whether that means changing policies that intentionally embraced risks or making sure existing policies are being followed. After all, risk is money, regardless of which side of the table you’re on. That’s why it’s so important to examine digital policies for risks and to eliminate them as soon as possible.

Want more practical advice on digital policies? Read other articles in “Shifts in Technology” series:

Part 1: Do your digital policies address natural disasters?

Part 2: Digital policies are no good if they’re static

Part 4: How to set your digital policies up for continuous improvement

Need a hand getting your policies in order? Get in touch to schedule a workshop or discuss a consulting engagement.

Photo by Danting Zhu

Related industries:
Related functions: