Does your company have any role in our country's national defense? Don't discount the question just because you don’t build stealth missiles or the new “Mission Impossible” movie doesn't remind you of your office.
If your business interacts with the U.S. military or intelligence community, including by way of sales or contracts, or if your business could be used by a terrorist or spy (for example, if you are a communications provider or a company with technology of value to the Chinese government), then your company may possess national defense information (NDI).
NDI, which does not have to be classified or marked in any way, is simply any "information relating to the national defense." It is regulated and controlled under the federal Espionage Act, which provides criminal or civil penalties for several kinds of mishandling of NDI, including both intentional and negligent acts.
For example, the Espionage Act provides penalties if a person's (or company's) gross negligence causes a document or other information relating to the national defense to be lost or stolen. Think about that: HR could be grossly negligent in hiring someone with a criminal background who steals NDI. Or your IT department could be grossly negligent in the way it protects your network, allowing hackers to gain easy access to NDI.
We have seen the government undertake aggressive national security investigations even when the underlying conduct was, at most, negligent. You don't need cloak-and-dagger or ties to the Kremlin to raise the ire of the Espionage Act. And the Espionage Act also makes it a crime to fail to report the loss of NDI once it is known.
Yet you don't see company executives going to jail over mishandling NDI. What, then, are the real risks to protect against?
- A national security investigation invariably causes disruption, inconvenience and the expenditure of significant resources in responding to FBI inquiries
- A company can lose business and revenue that are dependent on access to NDI
- A company can violate Sarbanes-Oxley Act requirements because the company did not have adequate controls to manage foreseeable risks (in this case, the loss of NDI)
- A company can draw the attention of the news media, which could come from a leak concerning a government investigation or even from a required disclosure in SEC filings
A final wrinkle is that in some cases, the sensitive work that can generate NDI will not be widely known. In fact, we have had company general counsel come to us confessing that they do not know what sensitive work, if any, is being done at their company. So how do you protect against a risk like this that you may not know you even have?
Our recommendation is to get control. Corporate policies and controls that relate to NDI are just part of an effective compliance and ethics program, and the government will take those into account when considering whether to attribute the criminal conduct of an individual officer or employee to the company itself. Therefore, the company should do the following:
- Develop policies and procedures for handling NDI and communicate those policies and procedures to relevant employees
- Provide appropriate training on the handling of NDI to all those who have reason to work with it
- Provide company personnel who have access to NDI with the tools they need to protect that information, including, for example, a locked file cabinet, a paper shredder and robust encryption for communication and storage of NDI
If you don't feel like you have the institutional knowledge to adequately address the treatment of NDI within the company, consider meeting with general counsel of the agency or agencies with whom your company interacts. Don't overlook asking the simple questions: What's going on with my company? Are we in possession of information relating to the national defense?
These national security risks only seem esoteric and abstract until you find out you have one. Fortunately, the perceived intrigue and mystery associated with national security issues are in reality an unnecessary smoke screen; corralling all the information and setting reasonable policies will let you avoid most problems before they arise.