Citing a lack of corporate controls and preparedness in protecting mission-critical data, more corporate boards are holding back the salaries and bonuses of their chief executives. At Sony Corp., the board of directors decided to cut the salary of its current CEO, Howard Stringer, by 15%, and that of his probable successor, Kazuo Hirai, from 110 million yen to 101 million yen. Mr. Hirai was the man in charge of the PlayStation division at Sony Corp. when that unit was hacked into last April. The cyber-attack exposed the personal information of over 100 million users of PlayStation. During Mr. Stringer’s tenure as CEO, Sony Corp. has lost over 37 percent of its market value. Additionally, Sony Corp. has proposed that its board members and executives all receive cuts in salary and bonuses of 11 percent.
The translation here is that organizations are expecting more from their executive leadership. Cyber-attacks are a real threat to the long-term viability of an organization, and boards need to take the initiative and start considering how a data governance program might be implemented into an overall risk management strategy. Creating a culture of compliance associated with protecting mission-critical information starts with a “tone at the top” mentality. Compensation for executive management and board membership will be directly related to how the organization goes about implementing controls related to securing data.
In a 3-2 vote today, the Federal Communications Commission announced it would begin to regulate the Internet, effectively prohibiting Internet Service Providers (ISPs) from discriminating against any website or online service traffic. Seeing the futility of politicizing a topic that is so new to legislators, Democrat and Republican lawmakers simply punted for now on the debate.
If the concept of ‘Net Neutrality’ is new to the small business owner, then let me try to explain. Imagine it is 8 a.m., and you are in a car approaching the Lincoln Tunnel for an 8:30 a.m. meeting. Once you are squarely inside the Lincoln Tunnel, all the lanes but one are occupied by massive semi-trucks and trailers. The only way to get past those vehicles is to get into the “car” lane with every other commuter. The time it should take you to get through the Lincoln Tunnel to make that 8:30 a.m. meeting is predicated upon a number of factors – many of which you have ZERO control over. The driving lanes and Lincoln Tunnel represent ISPs, like Comcast and AT&T; the semi-trucks and trailers represent “small” tech firms like Netflix, Etsy, and YouTube; and the car represents your place on the information superhighway. Net Neutrality would, in effect, create rules by which all occupants of the Lincoln Tunnel would have to play.
Is this such a bad thing?
Entrepreneur Mr. Mark Cuban opines that the FCC is incapable of keeping up with fast-paced technologies, and that the creation of such rules would allow massive ISPs to monopolize the flow of Internet traffic, effectively eliminating competition. He goes on further to state that the fastest growing access for the Internet is mobile, and who dominates that market? Apple and Google. Cuban’s rationale is that if Apple, Google, Comcast, and other ISPs are left to duke it out with each other, then the consumer wins.
Or does the consumer?
Congress and President Ronald Reagan deregulated the airline industry back in the 1980s as a response to end airline monopolies and oligopolies, but such deregulation seemed to produce the opposite effect. Pan Am Airlines is now merely vintage fashion, Delta merged with NorthWest Airlines, American merged with USAirways, Continental with United, Southwest with AirTran, to name a few. Thus, it could be argued that deregulation of the airline industry achieved absolutely nothing.
Similarly, Congress and President Bill Clinton enacted a regulatory scheme to overhaul the telecommunications industry. The collateral byproduct of the Telecommunications Act of 1996 may have put us in the place we are today in regard to “Net Neutrality.” The Act was intended to open telecommunication markets, which included the Internet, to promote competition. Since 1996, what have we seen in regard to competition in the telecommunication space? We see fewer consumer options. Enron and MCI/WorldCom are corporate governance footnotes; Qwest merged with CenturyLink; TimeWarner was bought by Comcast; and as a result, the choices for getting consumers across that analogous river to their Midtown meeting are few.
Alas, we come to the debate of ‘Net Neutrality’. Looking historically at the results of deregulation of industries as a way to “open” up competition in a marketplace, is regulation to keep an industry “open” such a bad idea? I leave that answer to more intelligible minds.
Whether it is the targeted exploitation of corporate databases by state-sponsored groups, or the lack of judicial oversight on “warrants” issued by the National Security Agency, leaders are seeking solutions in response to the cybersecurity highlights of 2014. Thus far, the status quo response has been to develop reactive, check-the-box, risk management procedures. The current legal landscape for cybersecurity is comparable to that of workplace harassment and discrimination in the mid-1980s (i.e., a frustrating lack of meaningful response and oversight to the mistreatment of a highly-valued organizational asset). Historically, the development in workplace behavior is primarily derived from the countless lawsuits filed in the mid-1980s that culminated in the Anita Hill/Clarence Thomas Hearings. From a corporate culture standpoint, the Hill/Thomas Hearings represented a paradigm shift in workplace employment practices for many organizations. While we have not yet experienced such a tipping point in the cybersecurity context, FBI Director James Comey succinctly stated on 60 Minutes, “[t]here are two types of publicly-traded companies, those who have been hacked by the Chinese, and those who do not know they have been hacked by the Chinese.”
Almost all businesses in the State of Washington are composed of heterogeneous devices (e.g., PDAs, laptops, personal computers, etc.) that are operated over heterogeneous environments (e.g., office communication networks, open wireless networks, etc.). This makes securing mission-critical data exponentially more difficult. Additionally, the ecology of the Internet is such that data risk exposure is the proverbial elephant in the room. Many businesses are unable to proactively respond to a cybersecurity issue for a myriad of reasons:
- Many executives see the issues around cybersecurity as being overblown
- The organization has a mindset that it will deal with information management issues later
- A perception that cybersecurity does not foster sharing and openness
- The business is unable to decipher the relative importance of its proprietary information
One risk management solution to cybersecurity is simply transferring the risk to a third party (i.e., buying cyber-insurance). There are plenty of available cyber-policies being offered in the marketplace by insurance providers, but understanding the nuances of what is covered in the policy is a critical procurement decision. For example, a policy that covers an insured against third-party data loss may protect the business against third-party claims, but that does not necessarily mean the insured will recover its direct loss. Additionally, investment in a first-party policy may be more cost prohibitive than self-insuring against all direct and indirect losses.
An alternative approach to dealing with cybersecurity is for organizational leadership to design a “tone at the top” governance strategy. In order to mitigate the unauthorized release of mission-critical data, corporations should explore a paradigm shift in cybersecurity away from the check-the-box procedures to a Control Conscious Corporate Culture. Laws and regulations will continue to act as an arbiter in leveling the playing field, but the ebbs and flows of regulatory guidance also create legal uncertainties. A Control Conscious Corporate Culture goes beyond technology and focuses, to a much greater degree, on the systematic processes and people that are within, and unique to, an organization. The behavioral choices we make as humans – to disregard the processes – have an equally catastrophic impact on the technology that supports the business. A Control Conscious Corporate Culture is accomplished through the hiring and promotion of people with the desired values, adoption of a formal set of internal controls, and the deployment of quality technology premised on core values that uniquely identify the organization from its competition.
IT departments are chartered with safeguarding mission-critical assets, but the application of better processes and employee training should be included when developing a more robust data governance strategy. Much like employment practices, the government expects organizations to be good corporate citizens, and self-monitor to ensure compliance with all laws and regulations. The ability to maintain the confidentiality, accessibility, and integrity of critical knowledge resources will accumulate long-term benefits like good public relations; high customer satisfaction; preservation of intellectual property and competitive advantage; higher investor confidence; and higher valuation.
Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information of about 7,400 special education students. Information contained within the files not only included date of birth, school assignment, and grade, but it also included student identification numbers, special education assignments, disability categories and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?
When it comes to data governance, the unauthorized release of mission-critical data, more often than not, involves the conduct of a third party. Organizations, like SPS, are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did the SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like for them to have in place, but the real question should be what safeguards do they have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.
For years now, I have spoken with colleagues in the legal profession over the necessity of implementing a data governance program for their law practice. The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential – that being one of apathy. The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession since a majority of firms are made up of fewer than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.
Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission-critical information. In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information of about 7,400 special education students. Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint. Preg O’Donnell & Gillett, who have offices in Seattle, Portland, and Anchorage, did not respond to requests by the media to be interviewed. A review of the law firm’s website would show that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially if there are multiple offices throughout the region.
Data Governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place. Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff is cost-prohibitive, but a data governance program is not just about technology; it’s also about PEOPLE and PROCESSES. Law firms, and small businesses alike, have an ethical obligation to keep their proprietary data confidential. Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money. From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.
October in the technology world is “cyber-security awareness month” (can’t believe I just wrote that). Yet, with all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered – which speaks to how serious this issue is for many businesses. Recently, when a huge cyber-attack was launched against JPMorgan Chase and nine other financial institutions, the White House received periodic briefings of the attack in real time. The problem was, no senior White House official could tell the President of the United States “why” the attacks were occurring. According to a report from The New York Times, the answer simply came back as – “We don’t know for sure [why the cyber-attacks are occurring].”
The answer is quite simple, “because they can.” Such news is not advisable to mention when you are the one who has to deliver it to the President of the United States. In an interview with 60 Minutes a few Sundays ago, FBI Director Mr. James Comey said there are two kinds of “big” companies in America, “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Large corporations have a vast repository of information related to company data, customer data, and customers’ customer data. However, to date, the risk implications associated with a cyber-attack, both monetary and non-monetary, create little incentive for the large companies to respond proactively. Consider the amount of fines, penalties, and associated expenses Target Corp. had to pay when it was victimized by a cyber-attack – $148 million. That’s a ton of money, but the data breach did not prevent customers from shopping at Target. Post-breach, Target customers paid for their purchases either using cash or pre-paid cards. The recouping of the costs related to the cyber-attack took little time and likely was minimal to the company’s bottom line.
As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security in developing their business plans. This is mainly due to some naïve notion that the Chinese (or Russians for that matter) are only out to get the “big” corporations. That could not be further from the truth. Many times, the advice I give to entrepreneurs is that if the business idea is too good, consider that your competitor is paying a third party to find out the recipe for your secret sauce. From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.
The U.S. government’s public response on cyber-security is a mass hysterical game of shadows, whereby companies need to look over their shoulders to see who may be watching them. A different response should be to fight back. Build up defenses within your business, regardless of size, that allow you to take the fight to the criminals, or deter them. Know where the weaknesses in the organization lie, and address them accordingly. Make the time it takes for a criminal to hack into your business unappealing so that they will move on to easier targets. Large organizations are easy targets, because they are bureaucratically driven by leaders at the top who are chiefly concerned about exceeding shareholder expectations – which has more to do with profits and losses than cyber-security.
In August, 2013, I blogged about an insurance company’s latest product feature that enabled their customers to download all of their insurance verification documents to their cellphone through a software application. The marketing company devised a commercial whereby a pig driving a car was pulled over, and subsequently the pig handed his cellphone over to the officer, presumably to show the officer that he had insurance information (I didn’t make this up). At that time, I suggested there would be significant unintended consequences to people who turned over their cellphone to a police agency.
In a unanimous decision Wednesday, the Supreme Court of the United States ruled that police officers need a search warrant to search cellphones of individuals arrested. This decision would likely apply to tablets and laptop computers, as well as potentially searches of homes and businesses and information held by third parties, like phone companies or cloud providers. Chief Justice John G. Roberts stated that cellphones are “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” What’s more interesting is that, in writing for the majority of the Court, Chief Justice Roberts acknowledges the fact that cellphones are more than a device that you merely speak into and listen – a truly forward thinking statement for such a traditional body of government.
When looking at this in the context of the insurance company’s phone app product, there still are significant unintended consequences that people need to be made aware of. Namely, while the new law prohibits warrantless searches of cellphones, relinquishment of a cellphone to a police agency is still not advisable. They can simply confiscate the device, and then go get a warrant to search it at a later date.
The Court of Justice of the European Union issued a ruling on May 13, 2014, whereby, under certain circumstances, search engine providers, like Google, are required to remove links of Web pages containing information that is made on the basis of a person’s name and published by a third party. The “Right to be Forgotten” lawsuit is a landmark case for EU member countries, and was derived from a Spaniard’s claim that search results from Google’s website disclosed details about an auction of his repossessed home over unpaid debts that was resolved many years prior and presently irrelevant.
In the wake of the EU Court’s ruling, Google has posted a “Remove Information From Google” page for Europeans to request takedowns. Based on reports, it appears the number of takedown requests averages about 10,000 requests per day, and growing. That number may seem high, but EU Justice Commissioner Viviane Reding notes that Google receives and complies with millions of copyright-related takedown requests. EU regulators plan to give search engine companies time to adjust to the ruling, and define just exactly what compliance with the law should look like.
For application purposes in the United States, the ruling does raise questions as to third-party usage of public information. Query a person’s name in any search engine provider, and Internet ads for information on birth and arrest records are sure to come up. Many people with similar names are then subjected to potential unnecessary embarrassment and ridicule. However, the application of the term “privacy” is entirely different in the EU than in the U.S., and that is why it is unlikely that the “Right to be Forgotten” will soon land upon the shores of America.
Several news outlets reported yesterday that the Federal Trade Commission (“FTC”) is urging Congress to demand that data brokers tell consumers more about their trade practices in how they collect and use consumer information. Data brokers are companies that assemble digital profiles on nearly every U.S. consumer by gathering information from credit- and debit-card transactions, public records, online tracking cookies, and smartphones, among other sources.
The FTC, in its report, concluded that there is a “fundamental lack of transparency[,]” in how data brokers go about collecting consumer information. FTC Chairwoman, Ms. Edith Ramirez, states that data brokers often “know as much – or even more – about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more.” The report, two years in the making, finds no actual harm to consumers, and only suggests potential misuses that do not occur. It also goes into depth on how data brokers operate.
The report concludes that Congress should require the creation of an Internet website whereby data brokers must disclose the sources of data they collect about consumers, and give the consumers the opportunity to opt out. Anything becoming law in the near future seems highly unlikely at best. Similar legislation introduced in February has gained little traction.