On December 12, 2020, SolarWinds learned that malware had been inserted in its software, potentially granting hackers access to thousands and thousands of its 300,000 customers. General Counsel Jason Bliss needed to orchestrate the company response without knowing how many of its customers had been affected, or how severely. The SolarWinds CEO was already scheduled to step down within three weeks, and the incoming CEO was as yet unaware of the incident. Bliss needed to address three immediate issues. First, did the incident qualify as a material event, and if so, what information did SolarWinds need to report to whom, and when? Second, what posture should SolarWinds take with respect to its customers and to the media, where the news was expected to break within a day? Third, how should SolarWinds balance helping its customers understand and recover from the breach with protecting itself from a negative stock price impact and potential legal implications?
Supplements the (A) case, describing actions taken by SolarWinds as well as by regulatory agencies in the aftermath of the immediate crisis. The case also includes reflections by SolarWinds managers on the choices they made with respect to disclosure, media relations, cybersecurity preparedness, and the sometimes-contending agendas of companies and government agencies SolarWinds interacted with.
Supplements "SolarWinds Confronts Sunburst" (723-357, -368) to provide context on types of cyberattacks and their costs, as well as, at the time of the Sunburst cyberattack in December 2020, the fragmentary regulatory regimes through which U.S. states and regulatory agencies attempted to encourage disclosure of cyberattacks and pursue enforcement action against negligence in failing to adequately safeguard personally identifiable information (PII), payment card information (PCI), and protected health information (PHI).
In fall 2021, a team of students from the HBS Impact Investing Fund considered Neurologic Optimal Wellness Physical Therapy (NOW PT) for a potential investment. Dr. Banks, the founder of NOW PT, drove to visit patients. She sought an investment from the fund to open a brick-and-mortar clinic. However, the students believed that Dr. Banks might be more successful if she continued providing mobile PT services. At the conclusion of the case, the students must perform due diligence to test their hypothesis. What should their priorities be as they begin the due diligence process?
This (B) case examines the results of the HBS Impact Investment Fund student team's diligence on Neurologic Optimal Wellness Physical Therapy (NOW PT). After examining Springfield's demographics, anticipated PT demand, local competition, and NOW PT's financial statements, the students realized that NOW PT would be more successful if it opened a brick-and-mortar clinic. The case appendix provides the students' Investment Committee deck, which readers can reference as an example of a thorough due diligence process. The conclusion of the case reveals the students' investment recommendation and its results.
Dick's Sporting Goods was one of the top five retailers of a range of firearms in the US. Over the last several years and specifically following the Parkland shooting of 2018, Ed Stack, the CEO and chairman, had wrestled with the question of their role as a leading firearms retailer and the inconsistent patchwork of laws, oftentimes right after a tragic shooting.
The case, which is a disguised version of real events, is set in Kandahar, Afghanistan (2013) during the long-running Afghan war. Lt. Paul Rickson, a Navy SEAL Platoon Commander, is leading a team of 30 US and Afghan soldiers on a mission to clear hostile forces in Maiwand Village. After a long day of various hostile activities and clearing Improvised Explosive Devices (IEDs), he faces a tough choice that is filled with various tensions. After he directs a missile attack from a drone onto an enemy position, he's ordered to conduct an on-the-ground Battle Damage Assessment (BDA) to confirm there are no civilian casualties. This would require some or all of his team crossing 800 meters in open territory, almost certainly drawing enemy fire. He's concerned about the real risks to his team vs. the perceived benefit of a picture taken by US forces. He has to reconcile a conflicting sense of priorities, from the Rules of Engagement for his team, the directive from HQ and inputs from his team. The primary purpose of the case is to focus on lessons from his decision-making approach that might be beneficial for a young leader facing conflicting tensions, such as: a. The strategic directive to win hearts and minds while training Afghan forces vs. the on-the-ground facts and circumstances facing the platoon commander and the threats to his team. b. The predictability of support systems (e.g. communications, HQ guidance, video surveillance, transport) that can have outsized impact on options and outcomes. c. How substantial risks and core values come together in deciding what to do for you and your team.
Since its founding in 2004, Facebook has built a phenomenally successful business at global scale to become the fifth most valuable public company in the world. The revelation of Cambridge Analytica events in March 2018, where 78 million users' information was leaked in a 2016 U.S. election cycle, exposed a breach of trust/privacy among its user community. In the past, growth at any cost appeared to be the de facto strategy. Now many voices such as regulators, advertisers, ethicists, shareholders and users argued for a more responsible approach to addressing their concerns. Mark Zuckerberg (CEO/Chair/Founder) and Sheryl Sandberg (COO) mapped out their six-point plan to address this existential threat. Could they continue to grow and rectify the breach of trust/privacy? Did other stakeholders have some greater responsibility too? In addition to issues of privacy and trust, there is a growing chorus of concern about "content moderation," not for the easy topics like spam or copyright material, but for the hard things revolving around political points of view, hate speech, polarizing perspectives, etc. How will Facebook strike the balance between free speech and corrosive content across billions of users and dozens of languages? Are they the arbiters of truth/censorship in the digital world?
The National Football League (NFL) was both the most popular spectator sport in the U.S. and a major economic entity, taking in roughly $10 billion a year in revenue. However, through the early twenty-first century, an increased understanding of the long-term effects of head injuries on NFL players indicated a serious threat to the long-term viability of the game. Particularly concerning was the indication that some deceased professional football players had developed chronic traumatic encephalopathy (CTE), a neurodegenerative disease which had a strong influence on a person's mental and physical health, most likely as a result of repetitive hits sustained during their football careers and which may have contributed to their deaths. Over 4,000 retired players had jointly sued the NFL over the head injuries they had sustained during their time in the NFL and the resulting health problems they attributed to these injuries. In part, the lawsuit alleged that the NFL had not been forthcoming with players about the health risks of head injuries. The two sides had reached a tentative $765 million settlement in 2013, the bulk of which would go to compensating retired players suffering from such diseases as Alzheimer's or dementia. While this settlement compensated retired players, it was not applicable to current or future players. Could the NFL preserve the sport by making it safer through new rules or equipment changes, or was football an inherently physical game that no amount of new rules or equipment could make completely safe? Were current and future players, now knowing full well the potential long-term health implications of football, tacitly accepting the risks involved? As a team owner, is now the time to sell while franchise value and fan support are at their peaks, or will the business of the NFL be viable for years to come?