A LETTER TO OUR CLIENTS
Today, as we committed to you back in May, we released a report from the law firm Hogan Lovells and the data security and regulatory compliance consulting firm Promontory Financial Group on our client data policies and practices. The Hogan Lovells/Promontory report includes the conclusions of Samuel J. Palmisano, the former Chairman and CEO of IBM, who provided advice to our Board of Directors. You can find the full Hogan Lovells/Promontory report on the terminal at RVWS<GO> and online at www.bloomberg.com/reviews.
Hogan Lovells and Promontory, with advice from Mr. Palmisano, looked deep into our organization at everything from physical and cyber security to our privacy policies to assess whether we could meet our protection obligations to our clients. I’m gratified that the Hogan Lovells/Promontory report states that we have appropriate client data policies and controls in place. As you will see in his comments, Mr. Palmisano agrees with that conclusion. That is deeply reassuring to us given his experience and judgment.
In a parallel effort, Clark Hoyt, previously Editor-at-Large at Bloomberg News and a former Public Editor of The New York Times, conducted extensive interviews across our news functions and with clients and experts on journalism ethics, to review and make recommendations on the relationship between the company’s news and commercial operations. Mr. Hoyt made a number of important recommendations, which we accepted to ensure that we address areas in our editorial operation that need to be revisited in a changing environment. These recommendations can also be found at RVWS<GO> and on our website.
I want to give you more detail on the reviews as well as a little context. As you will see later in this letter and in the reports, while there were no major new issues identified, our work is not done. There are many recommendations that we have implemented or will be implementing to ensure that we exceed your expectations of us. As I hope you know, our highest priorities are to innovate rapidly, promote transparency and respond quickly to your questions and needs. From our founding, our culture encouraged close collaboration, openness and a minimum of bureaucracy. For example, when a customer calls asking for help, we expect people from across the organization to drop what they’re doing and respond, without regard as to whether the request falls into their formal line of responsibility.
As our business grew, we evolved by putting in place tighter controls and policies. That was particularly true in our regulated businesses, where we long ago developed formal processes and procedures.
Yet in some ways, we did not evolve fast enough. In our effort to focus on innovation and responsiveness, we did not fully appreciate how expectations of us had evolved, both because of changing norms and because of our own growth. And we did not fully appreciate how growth in both our news and commercial operations necessitated a reexamination of how they work together.
We have taken these issues very seriously. We have listened to clients and other constituencies to understand their data security concerns. In true Bloomberg spirit, hundreds of people have worked together to assess the situation, codify our existing policies and procedures, and establish new ones. And rather than waiting for the various reviews to be completed, we have promptly begun implementation as recommendations have been presented.
I want to summarize for you what the reviews covered as well as how we are implementing the recommendations.
Palmisano/Hogan Lovells/Promontory Review
We asked Hogan Lovells and Promontory for a thorough review of journalist access to client information and the degree to which any of it was used in news coverage. In addition, they assessed the status of our policies and procedures around matters like client data, information security and privacy. They also looked at other potential issues that our clients raised.
To accomplish these tasks, Hogan Lovells and Promontory conducted an in-depth examination of more than 350 internal documents, including policy manuals, policy notes, training guides and client visit logs. They executed more than 230,000 separate tests of our systems. They reviewed more than 500,000 news stories and interviewed more than 225 people. They also had unfettered access to the company, its people and its records.
The review tested our systems and found that we segregate and protect client data appropriately and that we respect the importance of treating client data with extraordinary care. They reviewed all of our client communications on these matters over the past four months and found them to be accurate. It also pointed to areas where we can do even more, such as ongoing third-party reviews and trainings. In the report, Hogan Lovells and Promontory list their recommendations and note that we have accepted all of them.
With one exception, detailed in the report, Hogan Lovells and Promontory found no evidence that journalists had used sensitive client data in news stories (the affected client is aware of this situation). The report also confirms that journalists’ access to client data is the same access that non-employee terminal users have.
I want to thank both firms. They threw themselves at this assignment with dedication, judgment and integrity. They never hesitated to give us their unvarnished views. We gave them access to anything and anyone they needed to complete their work, and there is no question their findings will help make us a better company.
I also want to thank Mr. Palmisano for his dedication to this assignment, as well as his thoughtful counsel. He met regularly with our outside advisors and our internal teams. He talked with Peter Grauer, our Chairman, and with me. He talked to our clients. We drew upon his remarkable experience and highly successful track record.
Mr. Hoyt’s Review and Recommendations
At the same time that Mr. Palmisano, Hogan Lovells and Promontory examined matters relating to client data, Mr. Hoyt examined the relationship between our news and commercial operations. This was a different kind of review and was intended to help Bloomberg LP and Bloomberg News live up to their high standards and address areas where standards and practices need to be revisited in a changing environment. Mr. Hoyt is a colleague who brought to the exercise a deep commitment to our company and to journalistic integrity. We benefited enormously from his experience as the Public Editor at The New York Times as well as his sound judgment and integrity.
Mr. Hoyt had unfettered access to the company, its people and its records. As with the Hogan Lovells/Promontory review, his team conducted an in-depth examination of internal materials across a diversity of units. He conducted more than 200 interviews from across all units globally and spoke with several external journalism experts and clients in the interview process. He regularly shared relevant findings with Hogan Lovells, Promontory and Mr. Palmisano.
We’re very proud of Bloomberg News. What started as a handful of scrappy journalists 23 years ago has grown to become a global leader in essential information for business and finance around the world. Today, we have a staff of more than 2,000 journalists who collectively produce thousands of stories a day that matter to businesses, governments and the global marketplace. And news is an even more integral part of what we offer on the terminal than ever before.
But as Mr. Hoyt’s recommendations make clear to us, we didn’t do enough to reassess the relationship between news and our commercial operations as our news department grew and our business expanded. The fact that we didn’t recognize the sensitivity of journalist access to limited client data represents an example of how our policies did not keep pace with the realities of our growth and evolution. Mr. Hoyt made a number of recommendations that are incorporated in our action plan below.
Actions in Response to the Reviews
We did not wait for the completion of these reviews to take action. A full list of the actions related to the Hogan Lovells/Promontory report can be found in the executive summary of the report and the appendixes, but it’s worth noting a few of the key actions:
- We are in the process of hiring a Chief Risk and Compliance Officer who will report to me and to whom the heads of risk, corporate compliance, client data security, and information security will report.
- We have developed a hierarchy of principles, policies and procedures to govern the handling of client data, which formalizes and expands policies and practices previously in existence.
- We have committed to ongoing third-party testing and reviews of our information security and client data controls. We will make the reports available to our clients.
- We have incorporated a companywide training program that begins with managers and stresses their responsibilities in setting an example and communicating with employees the importance of the policies and procedures and ensuring compliance.
- We enhanced the company’s governance framework. The Bloomberg Board of Directors’ Audit Committee now includes oversight of risk and compliance, and the Committee is now comprised of a majority of independent directors.
In addition, Mr. Hoyt made a number of important recommendations which we have accepted:
- We will appoint an Independent Senior Editor to serve as an independent avenue of appeal for issues and complaints around news coverage. This new position will assist in the ongoing development of best ethics practices and training on them. This individual will report to Bloomberg’s Chief Content Officer within the Office of the Chief Executive rather than the news organization.
- We will establish a newsroom Standards Editor with the responsibility for making sure that News consistently adheres to The Bloomberg Way’s high standards for accuracy, rigor in reporting, balance and tone.
- Where appropriate, in order to supplement other measures that restrict access to client data, we will facilitate greater physical separation between our news and business colleagues and introduce further guidelines on how employees should conduct themselves in shared-use facilities.
- We will create a newsroom Standards and Practices Task Force, including all units that generate content, to consider the necessary policies, practices and mandatory trainings that ensure the appropriate relationship between our news and commercial businesses.
- We will change our policies so that reporters and their immediate editors will be permitted to visit Bloomberg terminal clients only for the purpose of newsgathering.
- We will introduce more thorough and regular training for our News employees.
It is clear that we should have been more proactive in considering the evolution of customer data issues as well as the relationship between our news and commercial operations. Personally, I wish I had done more to hasten this evolution, which could have helped to prevent us from making mistakes. That said, I am proud of how our company responded when we became aware of the fact that we needed to change. We acted quickly to give our clients the protection and third party reassurance they deserve.
Where do we go from here? As we chart a complex, multifaceted path forward, two simple words come to mind: transparency and innovation. We want our clients to understand what we’re doing. And we want to apply the same spirit of innovation to this area that we have used to build our products and services. Our ultimate goal is not just to fix today’s issues; it is to set new standards for ourselves and, in doing so, hopefully a higher bar for the entire industry.
This will necessitate an even closer working relationship with all of our clients. We have always communicated closely with our terminal users and responded quickly to their suggestions and concerns. This process allowed us to do the same thing with our client counterparts in areas like IT security, vendor management and risk. So as we look ahead, in addition to our engagements with the end-user, we are also beginning a process of client interaction to hear from you about enterprise-wide areas where you think we need to improve our service and areas where we can benefit from your experience and perspective. I hope you will not hesitate to reach out to us on these or any other aspects of our operations.
Let me close with my deep thanks to our clients. You have provided invaluable insight and encouragement. You have helped make us a stronger organization and, we hope, a better partner to you. As always, I hope you will let me know if we can ever answer any questions or be of any assistance.
Daniel L. Doctoroff