In this Q&A, Ethisphere EVP and BELA Chair Erica Salmon Byrne talks with David Newman, who is a partner in the Washington D.C. office of Morrison & Foerster. Prior to joining the firm, David held several key posts at the White House, including serving as special assistant and associate counsel to President Obama. He now advises clients on crisis management. David is joined by Miriam Wugmeister, who is a partner in the New York office of the firm. She’s the Co-Chair of the Global Privacy and Data Security Group.
Erica Salmon Byrne: David, COVID-19 is dominating the news at the moment, but if we take a step back, there are also a lot of elements where we can learn from prior crises. Can you talk a little bit about what pieces of an existing crisis management plan might a company be executing on now?
David Newman: I think you’re absolutely right—no one was expecting to be responding to this virus in this way. Obviously, we’re in unprecedented times. Some crisis 101 that companies have used in other fire drills is very relevant here. It starts with just some basics, like having a decision maker. One of the things that Miriam and I both see in our practice, responding to cyber incidents and other short-fuse issues, is that if companies don’t have a clear quarterback and a clear decision-making structure, they aren’t nimble enough to handle these kinds of fast-moving events.
Another is just communication. A key part of any crisis is trying to get out a consistent message in the right order to all the different audiences. That is just so hard when, as we all see from the news, facts are changing so quickly.
ESB: Who from a company should be communicating?
DN: If it affects our employees, we want them to hear it from the CEO or the leadership before they read about it. Those situations seem pretty intuitive. Something that we worked on when I was in the White House, in particular on the Ebola task force under President Obama in 2014, was collapsing the hierarchy. You need to have the decision maker in the room, but you also need the experts.
ESB: Miriam, so much of your practice has been focused on data breaches and cyber-attacks. How are you thinking about lessons that companies have learned coming out of some of the data governance structures, and how they might apply to the ways that companies are responding now?
Miriam Wugmeister: I think so many of the issues are the same. Do you have a process? Who is actually authorized to make decisions, who needs to be informed, and whose opinions do you need to gather? Do you have a cadence for regular meetings? Do you have the right cross-functional and interdisciplinary group in order to inform a decision? Because so many of the decisions we’re seeing now with COVID-19 cover employment, privacy, public health, or consumer issues. You can’t just have people working in silos. All of those are key factors.
ESB: Miriam, both you and David have referenced the fast-moving and changing aspect of the situation companies find themselves in. What are the big mistakes you’re seeing companies make at this point?
MW: I think one of the things I would encourage companies to do sooner rather than later is remind people about the importance of smart communication. Don’t put stuff in writing that you wouldn’t want to have on the front page of the paper, that kind of basic smart communication.
The other big thing I think companies could be doing to enhance their response, is to pay attention to the human side. This is the time to show humanity and warmth. An example of that is the message that the CEO of Marriott sent to all the employees, which has gone viral. I thought was such a good example of giving clear, honest information, but in a completely authentic way that I thought really resonated.
ESB: I agree 100%. One of the things I particularly liked about that is it was consistent with the way Marriott talks about their business as a whole. He was talking to Marriott Associates, but he was also talking to the community as a whole.
Now that we’re all settling in to this new reality a little bit, what should I be thinking about as a business to try and navigate these waters for the marathon?
MW: I think that one of the big issues is the privacy and data security challenges that are going to come. We’re already seeing a huge spike in phishing attempts. Fundamentally, horrible as it is, the bad guys know that everybody right now is distracted. They know that we’re all working in new environments. They know that the IT security people are not looking at the logs and looking at all the alerts that they normally get to with the same level of scrutiny. All the normal processes are stressed to the maximum.
We’re going to see more ransomware. We’re going to see more cyberattacks. We’re going to see more and more data breaches. What are regulators going to do in response? One hopes that the regulators are going to understand that companies are going to do the very best that they can.
ESB: You’re very quickly converting a massive percentage of your workforce, to work in an environment that they’re not accustomed to working in, and they’re going to create workarounds.
MW: People are going to try and find workarounds, not because they’re devious, but because they’re just trying to do their jobs. Communicating really clearly about, for example, which are the file sharing programs we’re supposed to be using and which ones were not supposed to be using, is key for companies, but so is being flexible.
Also, I think employees can encourage employers to look at new technologies. I think it’s a two-way street. It’s using the ones that the company has designated as appropriate and as blessed, but also, this is an opportunity to raise your hand when you have new ideas, bring them forward. I think most companies are open to it, because everybody is trying to figure out how to do this.
DN: One area that we’ve seen come up, for example, is printing. A lot of companies historically, for good reason, don’t let people print from their work device at home. Now that we’re all going to be home for weeks and possibly months. If you have a very strict rule, then what you’re going to find is people will just find some way to create documents that aren’t secure. I think part of it is just about creating a culture where, when employees encounter roadblocks and have ideas for workaround, they feel like their voices can be heard and they can raise those issues, and having a management culture that’s really listening.
ESB: In this particular environment where the information is just coming at us so fast, and some of it is good information and some of it is bad information and all of it creating this emotional response, what are some risks that companies may be overlooking?
DN: One that we’ve talked about with some companies is insider trading rules. I think you have a situation right now where you potentially have lots of people that know inside information that might be material to their company who aren’t used to holding that kind of information, who aren’t as familiar with the rules as your CFO and your CEO and some of your other senior executives. You also have, frankly, a very volatile falling market where understandably, people are fearful and selling. That to me is a recipe for a lot of problems down the road.
MW: I do think that many regulators are going to take into account the fact that this is an extraordinary time and companies are doing the best they can. They might give companies a bit of a break, but the regulators aren’t going to go away. Even in the middle of working so hard and trying to do the right thing, I don’t think companies can just say, well, this is a pandemic, so I can just ignore the regulations. You just have to keep reminding people. Yes, we’re going to maybe take a little bit more of a risk-based approach, but we aren’t just throwing all of our rules and requirements out the window.
DN: Another thing that Miriam and I have talked about is that at times like these when you have falling markets and people who aren’t coming to work in their normal functions, you’re also just going to surface some other problems that were unrelated to coronavirus. You saw that in the financial downturn in 2008. That’s when the Bernie Madoffs of the world and their scams become exposed. With everything else that’s happening, people still have to be on alert for those kinds of red flags, whether it’s at their own company or with others. If people turned a blind eye to significant fraud, or embezzlement, or accounting problems, I don’t think that they’re going to get a pass in the end from regulators.
MW: I totally agree. I think the really important word that David said was significant. I do think that a mistake that some risk and compliance people make is they try and say, “We have to stick with the absolute perfect letter of the law.” There’s a point at which you just have to be realistic. I totally agree, we have to look for those significant issues, but also understand that these are extraordinary times and we can’t be perfect. That’s just not possible.
ESB: You both think that litigation is certain to be coming. Obviously, we’re going to see force majeure litigation. Anything that companies should be thinking about now as they try to navigate all of this?
DN: One thing which maybe seems intuitive, but it’s just challenging to do in real-time is to really look at your contract. What does your clause actually say? Because the truth is the clauses are worded very differently, and depending on what they say can have a significant effect on what our assessment is.
The second question is, what law governs your agreement? Because even within the United States, different states have different approaches to interpreting force majeure. This is taking on a whole new set of meanings for different companies as they are shutting down, because they are concluding that they’re not essential, and there’s a huge question about what comes next financially.
Down the road, in terms of litigation, I do think there’s going to be more restructuring, more issues over credit and refinancing. I think those issues are going to become unfortunately more significant as you just see so many companies that are under so much stress at the moment. Then, we also have been very focused on thinking about ways to make sure our clients are aware of all the different government programs that can assist them. I imagine you’re going to see a lot of litigation, or at least processes around who qualifies for all of this relief.
ESB: If I asked you to put on your prognosticator hats, what do you predict are going to be some of the changes that will come from this pandemic?
MW: It seems to me that one of the core issues is going to be whether or not internet and WiFi connectivity are considered essential service, like heat and water. For example, think about all the kids who are getting sent home to do distance learning. Well, you have a lot of them who don’t have computers or access to WIFI. What are these kids supposed to be doing? Or you have people who are being sent home in rural areas where the broadband and the internet is just not up to do basic functions. I really think that one outcome of this is going to be the realization that every single person in the U.S. needs to have access to good internet connectivity.
DN: Another issue that I think this experience highlights is the extent to which public health authorities are principally a state and local system. We are now seeing businesses struggle with how to handle 50 states, hundreds of counties in which they might operate, all putting out advice. It’s essentially impossible to comply with all of them.
I do think that patchwork nature of the way the United States in particular regulates these issues is going to be reexamined after this is all done. Of course, the response needs to be very keyed into local condition. You need to think about the local population and resources. That’s different than saying we should be having hundreds of counties with different guidance on who should stay open.
ESB: Absolutely. I think the other thing that we’re going to wind up seeing is a lot of people looking at the remote work environment in a way that that was different than they were looking at it in December, both in terms of the availability of people to work remotely, and the infrastructure, and systems that you need to be able to support that kind of work environment.
MW: I don’t think we’re ever going to go back to a situation where the assumption is everybody comes to the office. I think that that’s finished. David, you agree?
DN: I do agree that I think companies are going to have a different understanding of what kinds of things they can achieve without people come into the office. I would also say the flipside is, it’s challenging to manage people remotely. My hope is that all of us are going to get a little more thoughtful about how we manage people who aren’t physically present. I think all of us now are learning, hopefully, how to become better, more compassionate, more sensitive managers to people who were not able to ever be physically in contact with.
About the Author:
David Newman has significant experience advising clients on crisis management. Prior to joining Morrison & Foerster, David held several key posts at the White House, including serving as Special Assistant and Associate Counsel to President Obama and in multiple positions on the staff of the National Security Council. Throughout his tenure at the White House, he played a central role in coordinating the Administration’s response to domestic and international crises and advised on a broad range of legal and policy matters affecting the federal government. This included serving as Chief of Staff to the Office of the Ebola Response Coordinator during the Ebola outbreak in 2014.
Miriam Wugmeister is Co-chair of Morrison & Foerster’s preeminent Global Privacy and Data Security Group. She works with companies to develop comprehensive customized incident response plans, training staff, conducting extensive table top exercises, and addressing key issues with Boards of Directors and executive management. She regularly advises on the global collection, use, and sharing of employee, customer, vendor, and consumer personal information and ediscovery and employee monitoring issues, as well as on developing data security policies and procedures and cybersecurity preparedness and response plans.