Online Extra: The Bigger, Better, Less Secure Company

New technologies mean today's large outfits have more places to spring a leak. And ethics are taking a backseat to plugging the holes

By Tom Lowry

Lesson No. 1 for the next top executive itching to order an investigation into corporate leaks: Your company, or any modern corporation, for that matter, is a sieve. And there is nothing you can do about it. Leaks are as old as capitalism itself, but new technologies, from PDAs to blogging, have made companies truly porous. The old hushed phone call from a phone booth on the corner to pass a tip to a reporter seems a distant and nostalgic image today.

Companies have become more sprawling and penetrable, so leaking itself is more complex. The word certainly has more pejorative connotations than it once did. In Watergate days, Deep Throat was widely seen as a heroic figure, tipping off a reporter for the good of the country. Today, motives can be murkier.

What defines a leak these days? Is it leaking when a CEO attempts to manage news by releasing early confidential information about a product launch or an acquisition? Is the tidbit a reporter elicits from a source a leak? Is the half-truth spewed by a disgruntled employee seeking revenge a leak? Probably yes to all of the above, though how material they are varies in each case.

"Not all leaks have consequences," says Larry Ponemon, founder of Michigan research outfit Ponemon Institute, which studies security issues. "But sometimes breaches can hurt."


  It is still too early to tell what toll the unfolding Hewlett-Packard (HPQ ) leak will take on the hardware company. The irony now is that the witch hunt launched to find the leaker is doing far more damage than any comments by board members (planted or otherwise) to reporter friends ever did. Two directors have resigned, the CEO is under the gun, and Congress is holding hearings. All the while, HP's public image is tainted and employee morale devastated.

Taking it to an absurd level, stories are now being written based on leaks about earlier leaks. "It's important that troublesome information gets out," says Barbara Ley Toffler, a former ethics consultant. "But in overzealous attempts to plug the leaks, ethics are being handed over to the Pinkerton detectives and have nothing to do with behavior in organizations."

Today's business environment—in which information, in all its forms, is currency—is complicated by the Sarbanes-Oxley era of probity. Before Regulation Fair Disclosure, which requires that all shareholders receive critical information at the same time…"We called it selective disclosure and we did it a lot, whether in one-on-ones with analysts or on backgrounders with the press," says Leo Hindery, a former CEO of AT&T Broadband and TCI Communications, and now a principal of investment firm InterMedia Partners. "It was the practice of the day. Now those sessions are illegal."


  But make no mistake, leaking is alive and well, and the HP mess won't button it up. Look at Time Warner (TWX ). Two separate leaks in the past year show how the game can be played both ways. After months in the crosshairs, management won points with its shareholders when information leaked to the New York Post discredited its nemesis, breakup advocate Carl C. Icahn.

The billionaire investor had been wooing shareholders to his cause by saying separating the parts of Time Warner would offer them greater value than keeping the company intact. But during a private dinner in February, he opined to a group of investors that the pieces of Time Warner post-split might well be juicy takeover bait and fetch higher prices than as stand-alones. That stance was leaked and damaged Icahn's credibility as a shareholder activist, and Icahn soon after ended his proxy battle.

A few months later, the company felt the ugly side of leaks. With anxiety about possible layoffs at America Online already high, the unit's secret plans to offer e-mail and other services for free landed in The Wall Street Journal, and were said to have bleak financial consequences. Shares dropped after the story appeared.


  Those kinds of aftershocks could be why corporate boards are vowing, even after HP, to be as vigilant as ever in halting the leaks, at least the ones they don't engineer themselves. In a Sept. 18 report by the Ponemon Institute, 78% of 226 directors polled believed that a board chairman should be empowered to use any legal means to identify the source of a confidential leak.

Fully 50% said it would be O.K. to obtain and review phone records if pretexting—misrepresenting yourself to do so—is not illegal. But those directors might want to remember that not all leaks are created equal. Look at the nightmare HP finds itself in for probing leaks of information that had already been reported.

Lowry is a senior writer for BusinessWeek in New York

    Before it's here, it's on the Bloomberg Terminal.