Close this search box.
Close this search box.

Why The Garmin Data Breach Should Be A Wakeup Call For Every CEO

Given how often companies overlook protections outside their own walls, it's critical to have a solid system of controls governing relationships with third parties.

If you’re a CEO and you haven’t heard of Evil Corp, you need to start paying attention.

No, it’s not a plot line for the next James Bond movie. It’s a real-life Russian hacker collective linked to a reported ransomware attack on GPS tracking firm Garmin in July that should have set alarm bells ringing in every corporate boardroom.

Garmin confirmed it had been the victim of a cyberattack that caused a days-long outage in late July, during which users worldwide were unable to upload their fitness data from the company’s sports devices. Garmin reportedly paid a sizable ransom to get its data back.

More worrying for Garmin than the immediate financial cost of the attack is how the security breach has shaken some customers’ trust in the company as they question how such highly personal data was being used and secured.

If reading about Garmin gave you a sense of anxiety about hidden legal and reputational risks to your own company, you’re probably right to be concerned. Too often, CEOs don’t get to see and react to these threats until they’ve already become a crisis—a hack or even a corruption issue coming to light in a far-flung market.

A good place to begin to address this anxiety is to work with your IT head and general counsel to ensure you have a system of controls and data protection governing your relationships with third parties such as vendors, sales agents and channel partners. Although it’s unclear whether that was the source of the Garmin breach, it is often the biggest compliance risk because companies are more likely to overlook what protections are in place outside their own walls.

The massive Target customer data breach of 2013, for example, happened after hackers accessed the company’s systems through a third-party refrigeration and HVAC contractor. One recent survey found that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.

The two big categories of third-party risk are data privacy and bad behavior that can lead to prosecutions under the Foreign Corrupt Practices Act (FCPA). Shoring up your third-party data can also be a chance to cover yourself for anti-corruption.

Both risks are looming larger these days.

On the data privacy front, compliance is becoming increasingly complex due to a slew of new laws like CCPA, GDPR and the European Court of Justice’s recent ruling that shut down the U.S.-E.U data privacy shield. Ransomware is also growing ever more sophisticated, with Fortune 500 companies coming under increasingly brazen attacks. The clear trend is toward more stringent requirements on companies to protect the data they control, including through third parties.

Controls will help you stay on the right side of the growing thicket of regulations while avoiding the kind of long-term reputational and client confidence damage that Garmin is facing.

The stakes on corruption are also rising as the Department of Justice follows through on its intent to prosecute more individuals under the FCPA. Last year, it prosecuted 39 people, among the highest numbers on record, and collected a record $2.65 billion in settlements.

Jail time for executives who were not diligent in managing these relationships is an increasingly real possibility as more cases go to trial.

Foreign channel partners are among the biggest risks for a FCPA violation. That sales agent in China may have been bringing in solid revenues for years with few questions asked, but what if he’s been going around bribing officials in your company’s name? When he’s caught, the FCPA’s primary focus is going to fall on you, not him.

Getting on top of these risks is easier than most CEOs think and doesn’t require an army of expensive external lawyers. What is required is a system of controls to identify risk and to move forward with remediation. Merely having controls in place is usually an effective defense in FCPA cases, even if something slips through. The biggest FCPA settlements have involved companies that had no controls. When its star real-estate deal-maker in China was prosecuted for FCPA violations, Morgan Stanley was cleared of blame because it had strong internal controls in place.

Imagine coming under such scrutiny—how much better would you feel being able to point to a system in place meant to manage such risks? Even if a third party circumvents your controls, and you may still need lawyers if one of your third parties misbehaves, but the consequences won’t be as damaging.

Ultimately, the bigger your company is, and the more relationships you have, the more diligent you need to be about your partners. The good news is that you will sleep better at night knowing you have made the effort to manage the risks.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.