Law Office of Seaton M. Daly III, P.L.L.C.

 

For almost 2 years I have been writing on this blog about issues that I see as relevant to emerging businesses.  In my professional opinion, I feel that the greatest threat to the long-term viability and valuation of any emerging enterprise is how well they protect their corporate mission-critical information.  According to President Obama, the NSA, and other governmental spy agencies, one of the greatest threats to US national security is our cyber-infrastructure (both governmental and private).  Time and again it has been proven  to be vulnerable to attack.  Yet the underlying question to all this is - Does the right to privacy exist in a Web 2.0 world?  I would argue that "privacy" does not exist any more.  We have either knowingly, or unknowingly, consented our right to privacy away, and therefore, why should corporate mission-critical information (i.e. trade secrets, intellectual property, sales figures, etc.) be any different.  The best example of this is above.

 

I was driving along the border of Medina, WA, the other night, and as I came to the corner stoplight, I looked to my right, and what I saw, made me only shake my head with disgust.  For the uninformed, Medina, WA, is one of the richest area codes in the world.  It's most notable resident's are Bill and Melinda Gates, who amassed a small fortune building a tiny software company in Redmond, WA.  Additionally, the State of Washington, in its Constitution, gives every citizen a right to privacy.  Therefore, when video surveillance occurs, like walking into the local 7-11 convenience store, there must be some sort of notification to the individual that they are being taped.  By choosing to step foot into the store, the individual has consented to waiving their right to privacy. 

 

Based on that very abridged version of the privacy law in the State of Washington, I could not believe what I saw.  For those that cannot read the sign it states: "NOTICE:  You Are Entering A 24-Hour Video Surveillance Area[.]"  Based on the contents of that sign,the right to privacy within the State of Washington's Constitution, and the fact that many of the residents of Medina, WA, are tech-millionaires, I found the irony to be extremely overwhelming.  Companies like Microsoft and Amazon (both based in the State of WA) are making a push in the cloud computing arena, and yet, one of the biggest selling points for cloud computing providers is "privacy and security."  Does the simple posting of the sign, in a town where a majority of the residents are, or were, executives for those two companies, create anecdotal evidence that in order to provide adequate security for users (i.e. citizens), the user must be willing to sacrifice their privacy either knowingly or unknowingly?  The biggest problem the Medina Police Department has is writing tickets for people who speed on the off ramp to their enclave, or serving spouses with notice of dissolution of marriage papers.  The added protection of video surveillance seems to smell of "we don't want you in our town, unless you are "one" of us." 

 

This is the classic example of the late George Carlin's "NIMBY" (Not In My Backyard).  To the town council of Medina, WA, congratulations on keeping the riff-raff out, and taking away the privacy rights of your residents.  Just don't come complaining when their personal information is plastered all over the Internet for the world to see - obviously by living within the confines of your enclave, they don't care about their privacy.  And so it begins...the fleecing of our right to privacy in the State of Washington.

 

 

Bernard Lunn of The New York Times, recently wrote an article about whether enterprise businesses are keen to the idea of SaaS, or what is otherwise known as "cloud computing."  He attended the Enterprise 2.0 Conference and asked  the question "SaaS or on-premise"?  The response he got was surprising - at least 50% of the vendors were still deploying on premises.  Part of that mind-set, according to Mr. Lunn, is the fact that most enterprise businesses feel that the have better security controls if their IT infrastructure is on-premises.  However dissolussioned this thought about security might be, it belays the point that people have an easier time dealing with tangible products and services, as opposed to abstract ones.  I mean, no one could break into a network that is on-premises, right?  The other deal-breaker for enterprise businesses, according to Mr. Lunn, deals with server capacity utilization. With all sorts of excess capacity, why is there a need to rent more space from a SaaS provider?

 

But, what brings enterprise businesses back in line is the fact that when the words "SaaS" and "cloud computing" are mentioned, VC wallets tend to become more generous.  Most VC firms are seeing SaaS as the next big wave in the 2.0 world, and if a company wants to maximize their valuation, then they will want to get on board with this.  So in one corner you have the traditionalists which say that SaaS really doesn't streamline IT work centers, but in the other corner, there are the deep-pockets of investors, like VC firms, which say it is the "wave of the future."  Who will win out, time will shortly tell.

 

To read more about this article, please click here:  Why Enterprises Don't Like SaaS

 

 

For the past couple of years, I have been advising clients, asking questions of professionals, and presenting on the fact that there is extremely little (alright none) caselaw on third-party liability when it comes to protecting mission-critical data.  That is until now.  The payment systems, or credit card processing, industry has had a set of guidelines (26 to be exact) that, if followed, would make the business "PCI Compliant."  PCI Compliance is not a law or regulation, it's Visa, MasterCard, AmEx, and others, attempt to "self-police" the industry from an identity theft perspective.  While in theory this sounds good, in actuality, the problem has been that these "auditors" get to say who is "in" and who is "out".  The Heartland Payment Systmes and Hannaford data breaches showed just how de facto these guidelines can be.  Prior to those breaches, HPS and Hannaford were certified "PCI Compliant," but once the breaches occurred, they were quickly taken off the compliant list (although they can apply for reinstatement in a year).  Most analysts saw this as the PCI Council's (Visa, MasterCard, AmEx, et al) way of disclaiming liabililty in order to avoid being brought in on potential lawsuits.

 

CardSystems Solutions was hacked into in 2004, and when it was, the executives reached for their audit report.  In theory, they should have been safe, because they were given a clean bill of health by their auditor, Savvis, just 3 months earlier.  Yet, despite those representations and assurances, the company's data was breached.  The Plaintiff's attorneys in a class action lawsuit have now brought in Savvis as a defendant to the litigation, and like the article below states, "raises increasingly important questions about not only the liability of companies that handle card data[,] but also the liability of third parties that audit and certify the trustworthiness of those companies."  The ripple effect across industries will be overwhelming.  Maybe not immediately, but in the near future, you will start to see an increase in the amount of attention paid towards auditing.

 

To view the article, please click here:  In Legal First, Data Breach Suit Targets Auditor

 

 

In The New York Times today, columnist Saul Hansell, talked about the fact that the Obama Administration has been interestingly silent on the topic of privacy ever since there was a push late last week to bring cyber-security to the forefront of the American psyche.  At the Computers, Freedom, and Privacy Conference in Washington D.C. on Tuesday, Ohio State law professor, Peter Swire, who served on the Obama Administration transition team, offered up a reason for the avoidance - he stated that there is a division between the typical view of privacy among technology experts and the emerging view that is taking shape with the Web 2.0 world.  According to Mr. Swire, "[t]he Web 2.0 movement is opposed to the privacy movement...[and that we] have become producers of our own data."  Thus, the lines have been drawn, on one side there is the "old guard" that says the less the government knows about us, the better, but then there is another emerging group that talks about [to use Mr. Swire and Mr. Hansell's words] "data empowerment" and they have the philosophy that more is better.  I have some times commented on the fact that to protect one's privacy, more information is needed about that individual.  It is an ironic twist of fate in the data privacy and security world.

 

The other point that should be considered is how Americans view privacy, compared to the rest of the world.  For the most part, we as a country see privacy as a right belonging to the owner of the data (i.e. opt in versus opt out forms), as opposed to say Canadian or European countries, where they see privacy as belonging to the individual to which the information is about (not who controls/owns the information).  For an administration that used social networking sits and grass roots organizing via the Web 2.0 world, it is no wonder why they choose to remain silent when it comes to privacy.  Afterall, if you've read your "terms of use" on Facebook, myspace, or hotmail, it may come as a surprise as to who owns those family vacation photos once downloaded to the web site.

 

To view more about this article, please click here:  The Obama Administration's Silence on Privacy

 

Today, President Obama made cyber-security a top priority for the United States when he said that the U.S. has reached a "transformational moment" because computers are attacked and probed millions of times a day.  Shortly, he will be choosing a "cyber czar" to press for action with government agencies and private industry.  At a press conference, flanked by government officials and corporate executives, President Obama said "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation[...]We're not as prepared as we should be, as a government or as a country."  The President also assured the business community that the government will not dictate how private industry should tighten digital defenses, and he made it clear that the new cyber security effort will not involve any monitoring of private networks or individual e-mail accounts.  The Internet, he said, should remain open and free.

 

This is a red letter date, not only in U.S. history, but in security.  Far too long, security professionals have said that no one has heard their desparate pleas for help in addressing this pandemic disease.  By making cyber-security a priority, we can now begin to answer that all illusive question of "what is the standard for safeguarding mission-critical data?"  Based on the comments of the President, I am a little concerned that there is too much focus on technology, and not enough on people and the systematic processes that go into safeguarding data.  Technology works, but it is absolutely a futile effort to pour millions of dollars into "keeping pace with technology", without some sort of set of policies and enforcement mechanisms in place to ensure that the technology is fully utilized and realized.  In my opinion, that is where an equal amount of the focus should be, especially since technologies like RFID and cloud computing are becoming more and more a part of our everyday lives.

 

To read the entire article, please click here:  Obama Setting Up Better Security For Computers