Keep Company Secrets Safe With a Strong Publishing Process

Early in the morning on April 12, Pebblebrook Hotel Trust inadvertently posted an initial working draft of a document relating to its first quarter 2018 financial and operating results on its website. Pebblebrook quickly discovered what had happened and removed the document. However, as the company confessed in a press release about the event, it was aware that during the brief period the document was on the website, “certain automated web search processes discovered and disseminated the document.”

Pebblebrook is not the first company to have made such a slip, and it undoubtedly won’t be the last. But the event provides a welcome opportunity for companies both public and private to take steps to ensure something similar doesn’t happen to them.

To be sure, most companies have some sort of internal process in place to make sure a client list isn’t accidentally published, for example. Almost certainly Pebblebrook had formal processes in place — per Securities and Exchange Commission regulations — to make sure its earnings report wasn’t released before the correct date. Yet, things still happen.

“It is very easy for a company to say to its employees ‘listen, this is our policy. This information is what we consider to be confidential, this information is for internal use only, and this information can be disseminated publicly,’” said Jorge Rey, chief information security officer for certified public accountant and advisory firm Kaufman Rossin. But the actual implementation of such policies can be very difficult, he continued, “because it all comes down to people and workflows and communication and training.”

So what steps can companies take to prevent a similar faux pas? Here are a few suggestions on how to protect the publishing process within your organization.

Create a Well-Defined, Formal Process
The first step is to have a formal process in place that governs the publishing of any document. Usually such a process consists of approval layers, with one or more “approvers” depending on the sensitivity of the document. This workflow can be as simple or as elaborate as the company needs, but either way it should be well-defined and methodical, said Mike Pagani, chief evangelist at archiving solution provider Smarsh. “You need a workflow and a defined set of policies and procedures that is holistic around your electronic communications,” he said. “Because the reality is, it’s too easy to just hit ‘post’ or ‘publish.’”

Centralize and Secure Your Documents
Also, to ensure something isn’t published erroneously, have a secure location where the pre-released documents are stored prior to publication, said Deana Galloway-Uhl, senior director, technology for FTI Technology’s Information Governance, Privacy and Security team. “Only certain people should have access to them, which makes setting up controls and approvals that much easier. Ideally one person controls the final publishing process,” she said.

Don’t Rely on Word of Mouth
One oft-repeated mistake by companies, especially smaller offices, is that they use word of mouth to pass approvals along, Galloway-Uhl said. Don’t allow this. At the very minimum, use email, she said.

Write Everything Down
Galloway-Uhl also noted that many companies do not actually write down their procedures and workflows, which is another easily avoidable mistake. “Having a formal document that details who is responsible for releasing what and when and under what circumstances is my best recommendation to manage the approval process for publishing,” she said.

Maximize Technology
Technology can also play an important role in safeguarding a company’s internal documents. For example, plan for a minimum review time to make sure the sign-off doesn’t happen too quickly. Perhaps the system is configured so that approval takes at least an hour before a file can be closed. There should also be reporting and alerting features.

Make it Part of the Culture
Companies should also follow the lead of government entities that handle highly secure information, Rey said. “You have constant training. You have constant reminders. You have technology that will prevent data leakage. You have checks and controls.” The problem for companies that don’t handle highly sensitive information, but can still be embarrassed by a slip, is that they don’t have the same awareness of the sensitivity of the information, Rey said.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.