Legal BlackBook™

SEPTEMBER 2018
HOW DISINFORMATION CAN DAMAGE COMPANIES
The spotlight may be on the midterm elections, but intentionally false news can target—and devastate—a business.
By David Hechler
DISINFORMATION CAMPAIGNS have been much in the news lately, as the midterm elections approach. Evidence has emerged that Russia and other countries are trying to influence public opinion here, just as Russia tried to do during the 2016 presidential campaign.
     Some of these efforts have taken the form of cyberattacks, according to Microsoft Corporation. The tech giant reported in August that it had uncovered and taken down websites created by Russians to spoof those of U.S. groups involved in national politics. The plot also seemed designed to steal visitor passwords.
     It’s a big story, but it’s part of a much larger one that hasn’t gotten sufficient attention. Disinformation is not just about Russia and a handful of other countries attacking the U.S. They are not the only ones who have engaged in (or at least deeply contemplated) deploying “fake news” for political advantage.
     And it’s not just about politics. Or cyberattacks. Disinformation can also be a devastating weapon when it’s turned on a business. And even when the delivery method is not a cyberattack, there may be important lessons to learn about the fragility of information security.
     Before we get to the main subject—the lessons for corporations—let me remind you about our own country’s foray into disinformation. Or at least the public revelations about what we had begun to do. In February 2002, The New York Times reported that shortly after the September 11 terrorist attacks, the Pentagon established the Office of Strategic Influence. Its purpose was to plant news items in foreign media outlets to influence public opinion. The plan was to place both truthful and untruthful stories.
     These revelations immediately erupted in controversy. Aside from the “false news” angle, many critics were appalled when they learned that the campaign would be aimed at allies as well as adversaries. A week after the article appeared, the Bush administration signaled that the new office would be eliminated.

The Corporate Version
Those were the days before the social media explosion. No mention of cyberattacks back then. Clearly, disinformation can be disseminated without either. Word of mouth will do. But today the lure and the danger are amplified dramatically by the ability of individuals and groups to spread information globally and almost instantaneously to very large audiences.
     And the targets of disinformation attacks may be companies and their executives. Three years ago, I wrote an article about this in which I described the experience of a company and its CEO. It was for Corporate Counsel magazine, where I was the executive editor. We called the article “Cyberattacked,” but technically that was a misnomer. It was really a disinformation campaign (though prosecutors later brought criminal charges under a new “cyber harassment” statute). But regardless of what we called it, the attacks rocked the business.
     It started after the real estate market crash that kicked off the Great Recession in 2008. The following year, a Connecticut investment advisory firm called Old Hill Partners acquired a portfolio of distressed loans from real estate investments. One loan had been taken out by a Boston real estate developer who had vastly overextended himself and had personally guaranteed it.
     Old Hill contacted the developer, Steven Fustolo, and he promised to begin making payments. But he never did. After months of trying to get him to budge, Old Hill’s CEO sought to negotiate a settlement. At this point, the developer owed more than $20 million, with interest, but his highest offer was never more than six figures. So the CEO, John Howe, decided that his only recourse was to force Fustolo to declare personal bankruptcy and to pursue him in bankruptcy court.
     A few months later, an article appeared online. It reported that the Securities and Exchange Commission was investigating fraud allegations lodged against Howe and his company.
     When the CEO was shown the article, which turned up in a Google alert, he actually laughed. He knew that it wasn’t true. It was literally fake news—demonstrably false. He sent it to his outside lawyer and went back to work.
     But then there was another article, and a third. An international whistleblowers organization commented on the gravity of the allegations. Various lawyers were quoted, talking about the possibility that Howe had defrauded his clients. The U.S. Department of Justice was said to be investigating.

Phony Information, Real Trouble
The articles kept coming. At this point, Howe was no longer laughing. He tried calling the international whistleblowers organization and found out that it didn’t exist. Neither did the media contact listed in Stockholm. Nor the lawyers quoted in the stories. But still the articles kept coming.
     Yet, as phony as the information proved to be, the hit on his business was all too real. His company was trying to capitalize a $300 million investment fund. When potential investors performed a simple search, it returned a spate of articles that said that the CEO and his company were in deep trouble. Who wants to invest with a company that may not be honest?  
     Suddenly Howe had a problem that threatened his very business. What could he do? 
     Obviously, he had to get those articles removed from the internet. Google had to delete them from its search engine. If people in Europe who had long ago been charged with or even convicted of crimes could get articles about them removed under a “right to be forgotten,” surely articles that were false and defamatory would qualify.
     Wrong. After years of effort, and mounds of evidence, some but not all of the 350 articles that were eventually posted were taken down. To get even that much accomplished took an experienced in-house paralegal, an exhaustive investigation (aided by a cyber investigator and lawyers who specialize in tricky defamation cases) and the plodding litigation at the federal bankruptcy court—which is still not over, even though Fustolo has been arrested in connection with these events and charged by the Massachusetts attorney general’s office in its first-ever criminal cyber harassment case.   

Hard Lessons
Here’s what I’ve learned about disinformation as a weapon aimed at companies. It doesn’t take a Chinese army unit of trained hackers to disrupt a company. In this case, all it took was one angry man who paid a freelance blogger $1,800 to give him a hand. And if the goal was to inject chaos into the company, he got one heck of an ROI.
     This kind of problem is much more likely to have a serious impact on a small business or an individual than on a big company. A large corporation is much more likely to be impervious to serious damage. Given the volume of publicity a major corporation generates, those kinds of postings are very unlikely to rise anywhere near the top of its search results, so very few people will even notice them.
     Executives should always ensure that someone is monitoring what’s being said about them and their companies. Small disturbances can quickly burgeon out of control, given the unpredictability of what may happen when, say, a short video goes viral.
     In-house lawyers can play pivotal roles in overseeing and managing a defense against disinformation. In the case I described, the paralegal was a key player. Kim Hopkins helped executives track down the lawyers and investigators they needed to defend themselves. She identified attorneys with expertise in this area, and focused on the many legal strands at a time when the business leaders were scrambling to keep the firm going.
     Speaking of expertise, there are lawyers who have devoted their practices to this area of the law. They can make a big difference. Defamation cases can be tricky for many reasons, especially proving what damages resulted. (In the case above, defamation never even entered the discussion, because the attacker already owed the victims more than he could ever pay.)
     The biggest challenge is often getting online content removed from sites. The legal hurdle is the Communications Decency Act of 1996, which gives online publishers very broad protection against claims based on speech posted by third parties. None of the new privacy laws that were recently passed, or the ones now being discussed, have addressed this issue.
     So, the next time you hear the word “disinformation,” maybe you’ll associate it with more than propaganda or a dishonest political attack. A disinformation campaign can inflict tremendous damage on the reputation of a business and its employees. And, like a cyberattack, it may target the security of a company’s information—but by replacing it, rather than stealing it. And not just any information. It may be the piece that the firm and its employees view as most precious: the essence of who they say they are.