The hiatus is officially over! After a reboot and relaunch of my new website – http://www.isecure.biz – I am happy to return to a life of blogging. The Emerging Business Advocate is not a place to obtain legal advice. If that is what you seek, then please contact a practicing attorney – they should be able to help you. Rather, the purpose of this blog is to highlight new and emerging issues that the general audience may experience in a corporate business context. Comments and questions are welcomed and encouraged. For now, take a moment to peruse prior topics of interest, and see if you can find any discernible changes to the issues an emerging business is confronted with.
In a 3-2 vote today, the Federal Communications Commission announced it would begin to regulate the Internet, effectively prohibiting Internet Service Providers (ISPs) from discriminating against any website or online service traffic. Seeing the futility of politicizing a topic that is so new to legislators, Democrat and Republican lawmakers simply punted for now on the debate.
If the concept of ‘Net Neutrality’ is new to the small business owner, then let me try to explain. Imagine it is 8 a.m., and you are in a car approaching the Lincoln Tunnel for an 8:30 a.m. meeting. Once squarely inside the Lincoln Tunnel, all the lanes but one are occupied by massive semi-trucks and trailers. The only way to get past those vehicles is to get into the “car” lane with every other commuter. The time it should take you to get through the Lincoln Tunnel to make that 8:30 a.m. meeting is predicated upon a number of factors – many of which you have ZERO control over. The driving lanes and Lincoln Tunnel represent ISPs, like Comcast and AT&T; the semi-trucks and trailers represent “small” tech firms like Netflix, Etsy, and YouTube; and the car represents your place on the information superhighway. Net Neutrality would, in effect, create rules by which all occupants of the Lincoln Tunnel would have to play.
Is this such a bad thing?
Entrepreneur Mr. Mark Cuban opines that the FCC is incapable of keeping up with fast-paced technologies, and that the creation of such rules would allow massive ISPs to monopolize the flow of Internet traffic, effectively eliminating competition. He goes on further to state that the fastest growing means of access to the Internet is mobile, and that market is dominated by Apple and Google. Cuban’s rationale is that if Apple, Google, Comcast, and other ISPs are left to duke it out with each other, then the consumer wins.
Or does the consumer?
Congress and President Ronald Reagan deregulated the airline industry back in the 1980s in order to end airline monopolies and oligopolies, but such deregulation seemed to produce the opposite effect. Pan Am Airlines is now merely vintage fashion; Delta merged with Northwest Airlines, American merged with US Airways, Continental with United, Southwest with AirTran, to name a few. Thus, it could be argued that deregulation of the airline industry achieved absolutely nothing.
Similarly, Congress and President Bill Clinton enacted a regulatory scheme to overhaul the telecommunications industry. The collateral byproduct of the Telecommunications Act of 1996 may have put us in the place we are today in regards to “Net Neutrality.” The Act was intended to open telecommunication markets, which included the Internet, to promote competition. Since 1996, what have we seen in regards to competition in the telecommunications space? Fewer consumer options. Enron and MCI/WorldCom are corporate governance footnotes; Qwest merged with CenturyLink; Time Warner was bought by Comcast; and as a result, the choices for getting consumers across that analogous river to their Midtown meeting are few.
Alas, we come to the debate of ‘Net Neutrality’. Looking historically at the results of deregulating industries as a way to “open” up competition in a marketplace, is regulation to keep an industry “open” such a bad idea? I leave that answer to more intelligent minds.
Whether it is the targeted exploitation of corporate databases by state-sponsored groups, or the lack of judicial oversight on “warrants” issued by the National Security Agency, leaders are seeking solutions in response to the cybersecurity highlights of 2014. Thus far, the status quo response has been to develop reactive, check-the-box risk management procedures. The current legal landscape for cybersecurity is comparable to that of workplace harassment and discrimination in the mid-1980s (i.e. a frustrating lack of meaningful response and oversight to the mistreatment of a highly-valued organizational asset). Historically, the development in workplace behavior is primarily derived from the countless lawsuits filed in the mid-1980s that culminated in the Anita Hill/Clarence Thomas Hearings. From a corporate culture standpoint, the Hill/Thomas Hearings represented a paradigm shift in workplace employment practices for many organizations. While we have not yet experienced such a tipping point in the cybersecurity context, FBI Director James Comey succinctly stated on 60 Minutes, “[t]here are two types of publicly-traded companies, those who have been hacked by the Chinese, and those who do not know they have been hacked by the Chinese.”
Almost all businesses in the State of Washington are comprised of heterogeneous devices (i.e. PDAs, laptops, personal computers, etc.) that are operated over heterogeneous environments (i.e. office communication networks, open wireless networks, etc.). This makes securing mission-critical data exponentially more difficult. Additionally, the ecology of the Internet is such that data risk exposure is the proverbial elephant in the room. Many businesses are unable to proactively respond to a cybersecurity issue for a myriad of reasons:
- Many executives see the issues around cybersecurity as being overblown
- The organization has a mindset that it will deal with information management issues later
- A perception that cybersecurity does not foster sharing and openness
- The business is unable to decipher the relative importance of its proprietary information
One risk management solution to cybersecurity is simply transferring the risk to a third party (i.e. buying cyber-insurance). There are plenty of cyber-policies being offered in the marketplace by insurance providers, but understanding the nuances of what is covered in the policy is a critical procurement decision. For example, a policy that covers an insured against third-party data loss may protect the business against third-party claims, but that does not necessarily mean the insured will recover its own direct loss. Additionally, investment in a first-party policy may be more cost-prohibitive than self-insuring against all direct and indirect losses.
An alternative approach to dealing with cybersecurity is for organizational leadership to design a “tone at the top” governance strategy. In order to mitigate the unauthorized release of mission-critical data, corporations should explore a paradigm shift in cybersecurity away from check-the-box procedures to a Control Conscious Corporate Culture. Laws and regulations will continue to act as an arbiter in leveling the playing field, but the ebbs and flows of regulatory guidance also create legal uncertainties. A Control Conscious Corporate Culture goes beyond technology and focuses, to a much greater degree, on the systematic processes and people that are within, and unique to, an organization. The behavioral choices we make as humans – to disregard the processes – have an equally catastrophic impact on the technology that supports the business. A Control Conscious Corporate Culture is accomplished through the hiring and promotion of people with the desired values, the adoption of a formal set of internal controls, and the deployment of quality technology premised on core values that uniquely distinguish the organization from its competition.
IT departments are chartered with safeguarding mission-critical assets, but the application of better processes and employee training should be included when developing a more robust data governance strategy. Much like employment practices, the government expects organizations to be good corporate citizens and to self-monitor to ensure compliance with all laws and regulations. The ability to maintain the confidentiality, accessibility, and integrity of critical knowledge resources will accumulate long-term benefits like good public relations; high customer satisfaction; preservation of intellectual property and competitive advantage; higher investor confidence; and higher valuation.
Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information on about 7,400 special education students. The information contained within the files not only included date of birth, school assignment, and grade, but also student identification numbers, special education assignments, disability categories and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?
When it comes to data governance, the unauthorized release of mission-critical data, more often than not, involves the conduct of a third party. Organizations, like SPS, are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like them to have in place, but the real question should be what safeguards they already have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.
For years now, I have spoken with colleagues in the legal profession about the necessity of implementing a data governance program for their law practice. The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential – that being one of apathy. The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession, since a majority of firms are made up of fewer than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.
Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission-critical information. In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information on about 7,400 special education students. Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint. Preg O’Donnell & Gillett, who have offices in Seattle, Portland, and Anchorage, did not respond to requests by the media to be interviewed. A review of the law firm’s website would show that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially if there are multiple offices throughout the region.
Data Governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place. Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff is cost-prohibitive, but a data governance program is not just about technology, it’s also about PEOPLE and PROCESSES. Law firms, and small businesses alike, have an ethical obligation to keep their proprietary data confidential. Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money. From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.
October in the technology world is “cyber-security awareness month” (can’t believe I just wrote that). Yet, with all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered – which speaks to how serious this issue is for many businesses. Recently, when a huge cyber-attack was launched against JPMorgan Chase and nine other financial institutions, the White House received periodic briefings on the attack in real time. The problem was, no senior White House official could tell the President of the United States “why” the attacks were occurring. According to a report from The New York Times, the answer simply came back as – “We don’t know for sure [why the cyber-attacks are occurring].”
The answer is quite simple: “because they can.” Such news is not advisable to mention when you are the one who has to deliver it to the President of the United States. In an interview with 60 Minutes a few Sundays ago, FBI Director Mr. James Comey said there are two kinds of “big” companies in America, “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Large corporations have a vast repository of information related to company data, customer data, and their customers’ customer data. However, to date, the risk implications associated with a cyber-attack, both monetary and non-monetary, create little incentive for large companies to respond proactively. Consider the amount of fines, penalties, and associated expenses Target Corp. had to pay when it was victimized by a cyber-attack – $148 million. That’s a ton of money, but the data breach did not prevent customers from shopping at Target. Post-breach, Target customers paid for their purchases using either cash or pre-paid cards. The recouping of the costs related to the cyber-attack took little time and likely had minimal effect on the company’s bottom line.
As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security when developing their business plans. This is mainly due to some naïve notion that the Chinese (or Russians, for that matter) are only out to get the “big” corporations. That could not be further from the truth. Many times, the advice I give to entrepreneurs is that if the business idea is too good, consider that your competitor is paying a third party to find out the recipe for your secret sauce. From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.
The U.S. government’s public response on cyber-security is a mass hysterical game of shadows, whereby companies need to look over their shoulders to see who may be watching them. A different response should be to fight back. Build up defenses within your business, regardless of size, that allow you to take the fight to the criminals, or deter it. Know where the weaknesses in the organization lie, and address them accordingly. Make the time it takes for a criminal to hack into your business unappealing so that they will move on to easier targets. Large organizations are easy targets, because they are bureaucratically driven by leaders at the top who are chiefly concerned about exceeding shareholder expectations – which has more to do with profit and loss than cyber-security.
In August 2013, I blogged about an insurance company’s latest product feature that enabled its customers to download all of their insurance verification documents to their cellphone through a software application. The marketing company devised a commercial whereby a pig driving a car was pulled over, and subsequently the pig handed his cellphone over to the officer, presumably to show the officer that he had insurance information (I didn’t make this up). At that time, I suggested there would be significant unintended consequences for people who turned over their cellphone to a police agency.
In a unanimous decision Wednesday, the Supreme Court of the United States ruled that police officers need a search warrant to search the cellphones of individuals they arrest. This decision would likely apply to tablets and laptop computers, as well as potentially to searches of homes and businesses and of information held by third parties, like phone companies or cloud providers. Chief Justice John G. Roberts stated that cellphones are “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” What’s more interesting is that, in writing for the majority of the Court, Chief Justice Roberts acknowledges the fact that cellphones are more than a device that you merely speak into and listen to – a truly forward-thinking statement for such a traditional body of government.
When looking at this in the context of the insurance company’s phone app product, there still are significant unintended consequences that people need to be made aware of. Namely, while the new ruling prohibits warrantless searches of cellphones, relinquishing a cellphone to a police agency is still not advisable. They can simply confiscate the device, and then go get a warrant to search it at a later date.