frustrated man using a laptop

Early in the morning on April 12, Pebblebrook Hotel Trust inadvertently posted an initial working draft of a document relating to its first quarter 2018 financial and operating results on its website. Pebblebrook quickly discovered what had happened and removed the document. However, as the company confessed in a press release it released about the event, it was aware that during the brief period of time the document was on the website, “certain automated web search processes discovered and disseminated the document.”

Pebblebrook is not the first company to have made such a slip, and it undoubtedly won’t be the last. But the event provides a welcome opportunity for companies both public and private to take steps to ensure something similar doesn’t happen to them. 

To be sure, most companies have some sort of internal process in place to make sure a client list isn’t accidentally published, for example. Almost certainly Pebblebrook had formal processes in place — per Securities and Exchange Commission regulations — to make sure its earnings report wasn’t released before the correct date. Yet, things still happen.

“It is very easy for a company to say to its employees ‘listen, this is our policy. This information is what we consider to be confidential, this information is for internal use only, and this information can be disseminated publicly,’” said Jorge Rey, chief information security officer for certified public accountant and advisory firm Kaufman Rossin. But the actual implementation of such policies can be very difficult, he continued, “because it all comes down to people and workflows and communication and training.”

So what steps can companies take to prevent a similar faux pas? Here are a few suggestions on how to protect the publishing process within your organization.

Related Article: Why Content Governance Is Key to Taming Content Chaos

Create a Well-Defined, Formal Process

The first step is have a formal process in place that governs the publishing of any document. Usually such a process consists of approval layers — with one or more “approver” depending on the sensitivity of the document. This workflow can be as simple or as elaborate as the company needs, but either way it should be well-defined and methodical, said Mike Pagani, chief evangelist at archiving solution provider Smarsh. “You need a workflow and a defined set of policies and procedures that is holistic around your electronic communications,” he said. “Because the reality is, it’s too easy to just hit ‘post’ or ‘publish.’”

Centralize and Secure Your Documents

Also, to ensure something isn't published erroneously, have a secure location where the pre-released documents are stored prior to publication, said Deana Galloway-Uhl, senior director, technology for FTI Technology’s Information Governance, Privacy and Security team. “Only certain people should have access to them, which makes setting up controls and approvals that much easier. Ideally one person controls the final publishing process,” she said.

Don't Rely on Word of Mouth

One oft-repeated mistake by companies, especially smaller offices, is they use word of mouth to pass approvals along, Galloway-Uhl said. Don't allow this. At the very minimum, use email, she said.

Related Article: Governance Is No Longer Optional

Write Everything Down

Galloway-Uhl also noted that many companies do not actually write down their procedures and workflows, which is another easily avoidable mistake. “Having a formal document that details who is responsible for releasing what and when and under what circumstances is my best recommendation to manage the approval process for publishing,” she said.

Maximize Technology

Technology can also play an important role in safeguarding a company’s internal documents. For example, plan for a minimum review time to make sure the sign off doesn’t happen too quickly. Perhaps the system is configured so approval takes at least a minimum of an hour before a file can be closed. There should also be reporting and alerting features.

Related Article: Content Policies: Your First Step Towards Comprehensive Digital Policies

Make it Part of the Culture

Companies should also follow the lead of government entities that handle highly secure information, Rey said. “You have constant training. You have constant reminders. You have technology that will prevent data leakage. You have checks and controls.” The problem for companies that don’t handle highly-sensitive information — but still can be embarrassed by a slip — is they don’t have the same awareness of the sensitivity of the information, Rey said.