Category Archives: IT Consultants

New York’s DFS provides a two-month reprieve

On December 28, 2016 – after a very public outcry from the financial community it regulates, New York’s Department of Financial Services (“DFS”) pushed to March 1, 2017 the January 1, 2017 deadline to comply with its proposed data security standards.  These security standards and related regulatory requirements – which are unique in the country, were first disclosed by DFS this past September and include a data breach reporting deadline that is a mere three days in length.

After reviewing 150 comments, the DFS doubled down on its proposed standards and only gave two more months for compliance.  As it now stands, the regulation will be officially implemented on March 1, 2017 and impacted firms will have 180 days to begin compliance – September 1, 2017.  And, by February 15, 2018, firms will be required to submit a certificate of compliance to DFS.

Despite vigorous opposition found in the submitted comments, the DFS retained several important aspects of its proposed regulations, including the three-day window to report a “cybersecurity event” – broadly defined to also include unsuccessful attempts, and the need to file annual certifications of compliance.

Another key component of these proposed regulations requires the designation of a Chief Information Security Officer.  Even though most large financial institutions already have that position filled, many firms subject to DFS jurisdiction will now have to allocate resources to either hire such an employee or reassign an existing employee to take on these new challenges.

All in all, the new DFS regulations – implementing specific security standards on New York’s largest business sector, will immediately generate significant business for those tech vendors and privacy lawyers offering gap-filling solutions that actually work.

A Data Security Trend For 2011: The Data Threat Hype Continues

The new year appears to be continuing a trend begun in 2008 — ever increasing hype concerning the level of data security threats faced by public and private entities.  This hype is not just about increasing public breach disclosures (which have primarily been driven by the increase in breach notification laws) given it also manifests in:   the perceived threat of involuntary corporate transparency brought into public view by the “Wikileaks Effect”, the fact that papers such as the LA Times are able to report as true the powerful Stuxnet worm was able to trim years off of the Iranian nuclear program, and the fact that the Organisation for Economic Co-operation and Development (OECD), in a recent report, paints a picture of a world where “[p]reventative and detective security technologies will not provide protection against all the threats [so] considerable effort will be needed to mitigate and recover from losses.”  OECD Report (dated 14 January 2011) at 82.

For example, in the LA Times article, the Stuxnet worm was removed from its unique Iranian context and given broad scare appeal:  “Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.”

Third-party threats have indeed shifted but that shift took place over five years ago – when organized crime realized that stealing data could be more lucrative — and much safer — than traditional criminal activity.  The ego-driven hackers of yesterday may still exist in the form of the hackavists of today but they remain a minor threat compared to the threats driven by organized crime.  But that is not something new.

On the other hand, the hype that has filled the data security landscape has only risen to a fever pitch these past several years.  Not exactly sure why this is happening.  It may be the fact that more big business has entered the data security consulting/technology space – well equipped with PR firms in tow.  It may be because news organizations have found a new bogeyman that can help drive sales.  It may just be the case reporters and pundits truly feel the hype is justified.

No matter what the cause, one thing is for certain.  This hype does not help companies or governments better protect themselves.  Employees faced with this barrage of hype may be just a bit more lax — thinking there is little they can really do to prevent a theft.  This would be a grave mistake given that a significant source of data loss incidents is directly tied to employee negligence.   As well, if hype causes a CFO to think that state-sponsored incidents such as Stuxnet may be an imminent threat, he or she may suggest diverting resources from more important initiatives like employee training.

There are obviously ongoing data security threats faced by companies that are very real and not going away any time soon.  Marching into 2011, focused companies will weed the hype and address these many challenges utilizing a cost-effective risk management approach.   And, should they need legal or consultative advice, they will choose seasoned partners with the lowest volume setting.  Smart companies realize that succumbing to the hype is a zero-sum endeavor that will only benefit those who feed off the hype.

New York Metropolitan Area Tops Tech Jobs Ranking

According to a recently released report, the New York metropolitan area — including several nearby New Jersey counties — has more technology workers than any other in the United States.  The New York metro area had 317,000 technology jobs in 2009, topping a list of 60 other metropolitan areas, according to the Cybercities 2010: The Definitive Analysis of the High-Tech Industry in the Nation’s Top 60 Cities survey.   These New York metro jobs paid on average $98,500 annually and are mainly in computer systems design and related services.  

Although the New York metro area traditionally is known for being dominant in the financial sector, this report demonstrates something those in the tech/telecom industry have known for years.  Whether born out of Bell Labs in Murray Hill, New Jersey or IBM in Armonk, the New York metro area has laid claim to some of the major technology innovations of our time.  Couple those breakthroughs in core technologies with the new media leaps taken in Silicon Alley during the early days of the Internet and New York’s recipe for tech growth is quickly realized — it is all about innovation.  Those who innovate usually lead.

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technolgy vendor settlements should be a wake up call to tech vendors both large and small.   For example, last month, HP resolved a legacy EDP lawsuit to the tune of $460 million.  The facts of the case are not very complicated.  A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers.  Two years later the contract was terminated and BSkyB completed the job using its own IT staff.  It also filed an action against EDS for misrepresention regarding its capabilities.  Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERM implementation.   Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system.   Waste Management allegedly sustained direct damages of over $100 million.   SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project.  Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned about licensing software that would create larger year-end bonuses.   According to its revised complaint, if a newer version had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and those salespeople involved in the deal would not receive bonuses.  According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement. The terms of the settlement were not disclosed.     

The price of a tech suit goes down steeply after fraud charges are dismissed.  For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000 given there were only breach of contract claims remaining  after the fraud claims were earlier dismissed from the action.   Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting) given the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims are not only brought against tech vendors for millions of dollars.  Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation.  Again, the complaint sounded in contract breach but had negligent representation as well as fraud claims.  Here’s a list of similar suits

Moreover, tech vendors can include those who sell products such as iPhones rather than license software.   Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact the latest iPhone has significant reception issues depending on how the phone is held.  Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors.  It is so much easier to prove (as was done in the EDP suit) that someone lied when contracting as opposed to showing how a contracted for systems implementation was not technically performing as promised.  Moreover, if fraud is proven, it will not only vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements, punitive damages may also become available.  In other words, a fraud claim is the magic bullet used by most plaintiffs to go around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.

New MA Data Protection Law Impacts Companies Around the Country

As of March 1, 2010, any company, organization, association or entity that has any sensitive personal information of a Massachusetts resident must now comply with a new law – Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).  This new law impacts an entity even if it is not located in or even does business in Massachusetts – all that is necessary to trigger a compliance obligation is that the firm maintains personal information on Massachusetts residents, including information on any customers and employees.  

Taking a page from the FTC’s Red Flags regulations, the new law requires that companies implement a written security plan to protect protected personal information.  An employee needs to oversee this security program, it must be regularly monitored, and the efficiency of the program needs to be reviewed at least annually or at any time when there’s a major change in a company’s business practices. 

Going further than the FTC and not wanting to disappoint given its name, Massachusetts has actually set forth specific data security standards in its new law.  For example, all records containing personal data that are transmitted wirelessly or sent via public networks need to be encrypted.  As well, sensitive personal data stored on laptops and other portable devices also must be encrypted. Companies will need to restrict access to records and files that contain personal information to only those employees who need such information to do their jobs.

Third party vendors who contract with businesses after March 1, 2010 are subject to the new law and also need to comply.  Those companies who contracted prior to March 1, 2010 are given two additional years to comply.  It remains to be seen whether other states will follow suit with Massachusetts but given the reach of the statute, it may not even matter.   Between the FTC and MA, good common sense may dictate that your firm implement a written ID theft prevention program sooner rather than later.

FTC Points Out P2P Risk

In a February 22, 2010 press release, the Federal Trade Commission states that it notified “almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud.” 

The agency also released new educational materials that recommend ways to manage P2P risk.  Interestingly, the FTC does not suggest that all P2P file sharing software be banned from a business.  The recommendation is to evaluate what sensitive data is being used compared with the benefits of using such software.  This recommendation fails to appreciate the fact that all P2P software used for a business purpose can likely be replaced with secure search software that does not require opening up your folders to strangers.  Moreover, there is no general business purpose for using LimeWire or similar software given such tools are focused primarily on locating free music and video files.   In fact, that is why some universities have banned the use of P2P file sharing software for years now.  The reasonable assumption is that if music and video does not fit within a scholastic environment, it does not in a business environment.

Several years ago, Information Week did an excellent expose of the P2P risk faced by many businesses.  This was a wake up call that was obviously not heeded given the FTC release.  In a similar vein, security specialists were warning years ago that there were hundreds of thousands of websites infected with SQL injection exploits.  To this day, SQL injection exploits remain one of the most popular tools for hackers to gain database access.   Unfortunately, given the “fix” for such an exploit requires some basic coding, it is beyond the expertise or concern of most businesses and individuals.

OCR Website Posts List of Breaches As Required Under HITECH Act

On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office of Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.  By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) make this information public by posting it on an HHS website.    The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.

Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information.    As well, there were a number of instances of hacking with a few involving compromises of business associates. 

It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft.  What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.

Google Attacks Provide a Valuable Lesson

The facts are starting to surface regarding the recent attacks against Google, Yahoo! and Microsoft – all of which have been linked to Chinese interests.  According to one recent report, the attackers selected employees with access to proprietary data, determined their social networking friends and then hacked into those accounts.  Once in control of the friends’ accounts, the attackers (posing as friends) sent their actual targets instant messages with links to sites that installed spying software on their computers.   

This sort of criminal strategy could be applied to any company – large or small.  In fact, it is much easier to assume that the president of a large middle market firm has more valuable intelligence on his computer than a strategic employee at a larger company.   Having knowledge of this sort of attack is important given the overall number of attacks against business has been increasing.  According to a recent CSO Survey, 37% of businesses polled have seen an increase in attacks during the past 12 months.  

One sure way to reduce the risk of a corporate attack is to limit social networking access to those individuals in marketing or sales who have a corporate reason to go to those sites.   Even those individuals should have proper training so that they would know, for example, not to click on links that have strange URLs or link to content that does not serve a distinct corporate purpose.  Also, try hard to avoid clicking on an image.  It may be hard to do.  Our propensity to click on whatever online content we see is a habit not easily kicked.

Virtualization Security Risk

If you are a larger middle-market company, another “below the radar” IT risk factor that may be impacting you may be driven by the cost savings inherent in using virtualized servers and desktops.  A security breach in a virtualized environment can have greater consequences than the same breach in a traditional IT environment because it is much more difficult to localize or isolate a virtualized IT environment.    This report gives further detail regarding the security threat and astutely points out that no one really understands where the real security problems can be found; and therefore, is the real problem.