
The hiatus is officially over!  After a reboot and relaunch of my new website – http://www.isecure.biz – I am happy to return to a life of blogging.  The Emerging Business Advocate is not a place to obtain legal advice.  If that is what you seek, then please contact a practicing attorney – they should be able to help you.  Rather, the content of this blog is to highlight new and emerging issues that the general audience may experience in a corporate business context.  Comments and questions are welcomed and encouraged.  For now, take a moment to peruse prior topics of interest, and see if you can find any discernible changes to the issues an emerging business is confronted with.

In a 3-2 vote today, the Federal Communications Commission announced it would begin to regulate the Internet, effectively prohibiting Internet Service Providers (ISPs) from discriminating against any website or online service traffic.  Seeing the futility of politicizing a topic that is so new to legislators, Democrat and Republican lawmakers simply punted for now on the debate.

If the concept of ‘Net Neutrality’ is new to the small business owner, then let me try to explain.  Imagine it is 8 a.m., and you are in a car approaching the Lincoln Tunnel for an 8:30 a.m. meeting.  Once squarely inside the Lincoln Tunnel, all the lanes, but one, are occupied by massive semi-trucks and trailers.  The only way to get past those vehicles is to get into the “car” lane with every other commuter.  The time in which it should take you to get through the Lincoln Tunnel to make that 8:30 a.m. meeting is predicated upon a number of factors – many of which you have ZERO control over.  The driving lanes and Lincoln Tunnel represent ISPs, like Comcast and AT&T; the semi-trucks and trailers represent “small” tech firms like Netflix, Etsy, and YouTube; and the car represents your place on the information superhighway.  Net Neutrality would, in effect, create rules for which all occupants of the Lincoln Tunnel would have to play by.

Is this such a bad thing?

Entrepreneur Mark Cuban opines that the FCC is incapable of keeping up with fast-paced technologies, and that the creation of such rules would allow massive ISPs to monopolize the flow of Internet traffic, effectively eliminating competition.  He goes on to state that the fastest growing form of Internet access is mobile, and that Apple and Google dominate that market.  Cuban’s rationale is that if Apple, Google, Comcast, and other ISPs are left to duke it out with each other, then the consumer wins.

Or does the consumer?

Congress and President Ronald Reagan deregulated the airline industry back in the 1980s in an effort to end airline monopolies and oligopolies, but such deregulation seemed to produce the opposite effect.  Pan Am Airlines is now merely vintage fashion; Delta merged with Northwest Airlines, American merged with US Airways, Continental with United, and Southwest with AirTran, to name a few.  Thus, it could be argued that deregulation of the airline industry achieved absolutely nothing.

Similarly, Congress and President Bill Clinton enacted a regulatory scheme to overhaul the telecommunications industry.  The collateral byproduct of the Telecommunications Act of 1996 may have put us in the place we are today in regards to “Net Neutrality.”  The Act was intended to open telecommunication markets, which included the Internet, to promote competition.  Since 1996, what have we seen in regards to competition in the telecommunication space?  We see fewer consumer options.  Enron and MCI/WorldCom are corporate governance footnotes; Qwest merged with CenturyLink; Time Warner was bought by Comcast; and as a result, the choices for getting consumers across that analogous river to their Midtown meeting are few.

Alas, we come to the debate of ‘Net Neutrality’.  Looking historically at the results of deregulating industries as a way to “open” up competition in a marketplace, is regulation to keep an industry “open” such a bad idea?  I leave that answer to more intelligible minds.

Whether it is the targeted exploitation of corporate databases by state-sponsored groups, or the lack of judicial oversight on “warrants” issued by the National Security Agency, leaders are seeking solutions in response to the cybersecurity highlights of 2014. Thus far, the status quo response has been to develop reactive, check-the-box risk management procedures. The current legal landscape for cybersecurity is comparable to that of workplace harassment and discrimination in the mid-1980s (i.e. a frustrating lack of meaningful response and oversight to the mistreatment of a highly valued organizational asset). Historically, the development in workplace behavior is primarily derived from the countless lawsuits filed in the mid-1980s that culminated in the Anita Hill/Clarence Thomas hearings. From a corporate culture standpoint, the Hill/Thomas hearings represented a paradigm shift in workplace employment practices for many organizations. While we have not yet experienced such a tipping point in the cybersecurity context, FBI Director James Comey succinctly stated on 60 Minutes, “[t]here are two types of publicly-traded companies, those who have been hacked by the Chinese, and those who do not know they have been hacked by the Chinese.”

Almost all businesses in the State of Washington are comprised of heterogeneous devices (i.e. PDAs, laptops, personal computers, etc.) that are operated over heterogeneous environments (i.e. office communication networks, open wireless networks, etc.). This makes securing mission-critical data exponentially more difficult. Additionally, the ecology of the Internet is such that data risk exposure is the proverbial elephant in the room. Many businesses are unable to proactively respond to a cybersecurity issue for a myriad of reasons:

  1. Many executives see the issues around cybersecurity as being overblown.
  2. The organization has a mindset that it will deal with information management issues later.
  3. There is a perception that cybersecurity does not foster sharing and openness.
  4. The business is unable to decipher the relative importance of its proprietary information.

One risk management solution to cybersecurity is simply transferring the risk to a third party (i.e. buying cyber-insurance). There are plenty of cyber-policies being offered in the marketplace by insurance providers, but understanding the nuances of what is covered in the policy is a critical procurement decision. For example, a policy that covers an insured against third-party data loss may protect the business against third-party claims, but that does not necessarily mean the insured will recover its direct loss. Additionally, investment in a first-party policy may be more cost-prohibitive than self-insuring against all direct and indirect losses.

An alternative approach to dealing with cybersecurity is for organizational leadership to design a “tone at the top” governance strategy. In order to mitigate the unauthorized release of mission-critical data, corporations should explore a paradigm shift in cybersecurity away from check-the-box procedures to a Control Conscious Corporate Culture. Laws and regulations will continue to act as an arbiter in leveling the playing field, but the ebbs and flows of regulatory guidance also create legal uncertainties. A Control Conscious Corporate Culture goes beyond technology and focuses, to a much greater degree, on the systematic processes and people that are within, and unique to, an organization. The behavioral choices we make as humans – such as disregarding those processes – have an equally catastrophic impact on the technology that supports the business. A Control Conscious Corporate Culture is accomplished through the hiring and promotion of people with the desired values, adoption of a formal set of internal controls, and the deployment of quality technology premised on core values that uniquely distinguish the organization from its competition.


IT departments are chartered with safeguarding mission-critical assets, but the application of better processes and employee training should be included when developing a more robust data governance strategy. Much like employment practices, the government expects organizations to be good corporate citizens and to self-monitor to ensure compliance with all laws and regulations. The ability to maintain the confidentiality, accessibility, and integrity of critical knowledge resources will accumulate long-term benefits such as good public relations; high customer satisfaction; preservation of intellectual property and competitive advantage; higher investor confidence; and higher valuation.

Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information on about 7,400 special education students. The information contained within the files not only included date of birth, school assignment, and grade, but also student identification numbers, special education assignments, disability categories, and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?

When it comes to data governance, the unauthorized release of mission-critical data, more often than not, involves the conduct of a third party. Organizations like SPS are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like them to have in place, but the real question should be what safeguards they already have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.

For years now, I have spoken with colleagues in the legal profession about the necessity of implementing a data governance program for their law practice.  The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential – that being one of apathy.  The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession, since a majority of firms are made up of fewer than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.

Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission-critical information.  In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information of about 7,400 special education students.  Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint.  Preg O’Donnell & Gillett, which has offices in Seattle, Portland, and Anchorage, did not respond to requests by the media to be interviewed.  A review of the law firm’s website shows that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially given that there are multiple offices throughout the region.

Data governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place.  Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff is cost-prohibitive, but a data governance program is not just about technology; it’s also about PEOPLE and PROCESSES.  Law firms and small businesses alike have an ethical obligation to keep their proprietary data confidential.  Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money.  From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.