Threats to reveal a company’s confidential information or to contaminate its products need to be analysed carefully to decide on the best response. DLA Piper’s Stuart Ponting considers the steps that should be taken.
Increasingly, businesses are facing attacks from their own employees or third parties attempting to extort financial or other advantage by making malicious threats against the company. Extortion attempts are far from unusual, but the details of surprisingly few ever make it into the public domain.
At the heart of an attempt is usually a threat to reveal an organisation’s confidential or sensitive data into the public domain, an attack on the supply chain or, perhaps more concerning, a threat to contaminate a product or foodstuff either before or after it is offered for sale. Threats can come from any direction, but are often from within a business.
This article looks at how extortion or blackmail attempts often occur and what options are available to successfully manage them without detriment to the organisation.
The first key step to successfully resolve an extortion attempt is to carefully analyse the nature of the threat; only by understanding the nature of the threat can an appropriate and effective response strategy be delivered.
Threats may be made by individuals, so called “lone wolves”, or they can be made by groups of individuals; the latter poses very different types of challenges for any organisation.
Having identified “who” is making the threat it is then necessary to try and identify “why”. Motives for attacks can vary significantly and understanding the motive may offer a clear resolution for the organisation.
For example, an employee who feels disgruntled following recent demotion or overlooked in a recent promotion may not be making a genuine attempt at extortion, it may simply be a (very) misguided way of expressing their unhappiness. Distinguishing genuine threats from irate grumblings is vital.
The next stage of the threat analysis is to examine the potential worst-case scenario if the threat is actually executed.
Understanding the impact of the threat will provide a basis for objective assessment of the proportionality of any proposed response. For example, if a threat sounds highly concerning but its practical impact would, in fact, be very limited, the organisation’s response to it may be tempered by the lower impact of the threat being executed successfully. Identifying that the threat, if executed, would have a potentially catastrophic effect and might even cause physical injury to others clearly necessitates a far stronger and immediate response.
Having comprehensively analysed and assessed the threat against the business, it is then necessary to decide on a response.
One of the key decisions to be made will be whether or not the issues can be resolved internally. Many businesses will choose to contact the police immediately to ask for their assistance and guidance in resolving the situation; however, this may not appeal to every business.
There are varied reasons as to why an organisation may wish to manage the situation internally rather than involve the police. For example, it may be that the business is concerned that those making the threat have identified information the business would not want shared with the police.
Alternatively, a lack of clear action from the police can often “encourage” those engaging in extortion attempts to continue to make threats against the organisation and, if the lack of police interest in a case becomes known, it can encourage others to engage in similar conduct.
Identifying the right team to respond
Handling a crisis situation in an organisation is a team game and managing an extortion attempt is no exception. Bringing together key individuals in the business, which is likely to include senior HR professionals, will ensure a multidisciplinary approach to the resolution of the issues faced by the company.
Those who may know or at least be familiar with those making the extortion attempt are likely to have crucial insight into their motives. The team needs to be able to operate with unequivocal integrity.
Discussions, dialogue and negotiations with the attacker must not be compromised by disclosures that may weaken the organisation more widely. If the company is seen to be vulnerable to threats, especially if it seeks to resolve matters with financial settlement or without the involvement of the police, it may simply serve to encourage future prospectors.
Experience tells us that those who ultimately make extortion or blackmail attempts often start with more gentle grumblings or throw-away comments to others, including their HR professionals.
Remaining vigilant for early warning signs of possible attacks is very important, especially within organisations that may be in a state of flux or are undergoing an internal re-organisation.
Often glib and supposedly humorous comments, made in the course of a salary review, performance management meeting or an annual review, can reveal the future intentions of a disgruntled employee.
Identifying these early warning signs may allow the company to consider early intervention, perhaps by challenging the employee’s comments and assuring them of the consequences of their actions.
It will never be possible to prevent an attack on a business, but with constant vigilance, sound business continuity planning and regular testing of crisis management protocols, much can be done to mitigate the risk and impact of any future attack.
Stuart Ponting is a legal director at DLA Piper LLP