The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
For other businesses, Equifax is going to be a case study — for YEARS — on how not to handle a crisis. Among the reports:
- The company’s leadership ignored warning signs of an issue.
- The warnings were ignored because of a spat with the vendor that flagged the issue.
- The C-suite didn’t inform the board of the known breach – involving HALF of Americans – for three weeks after learning of it.
- The company approved stock sales by several insiders after the problems came to light.
- Etc. Etc.
In other words: the news keeps getting worse.
For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Month.
- Lock up your information. This is priority one. It is not, however, enough. All locks can be picked. There has to be a behavioral focus as well.
- Create a culture that values confidentiality and makes those problems an urgent priority. If your factory shut down, you’d be all over it; an infosec/cyber compromise might be no less urgent. Don’t wait to find out.
- Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Knowing these things in advance, you will be able to act more quickly, and you will be more sure-footed, if you ever face a problem.
- Communicate clearly and timely. Let appropriate stakeholders know when you discover a problem, and be sure the timing, scope, and substance of those communications takes into effect the potential fall-out of the issue. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, and when, and in what order, may depend in part on the incident. But you have the power to tell the story at the beginning. If you tell a bad story, or a partial story, you lose control of the narrative.
- Security must be a priority from the top down. That is the only way to accomplish #1-4, and that is the biggest lesson of this debacle. It’s clear in hindsight that the company doesn’t have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the collective response — from the outside and after the fact — looks like a big, collective shrug.
In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness
It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.
All these entities “should know better.” They probably had layers and layers of plans in place. Their plans probably aimed at security for the benefit of their third-party constituents. They see the same headlines we all see, their lawyers tell them “you should do this so you don’t face angry consumers.” Their planning focused on liability avoidance.
Cyber planning IS important. The reality for most companies, though, is that the real value of planning is that it allows you to protect your own assets. Most companies will never be the subject of worldwide headlines and consumer class-action suits about a hack of their networks. Hackers routinely penetrate the networks of companies large and small, but the true danger for most companies is not a loss of consumer data. It’s that their own assets may take a hit.
Paying attention to cyber matters will be increasingly important as these major players continue to take very-public hits: it gets harder and harder for even small companies to say, “I never thought it could happen to me.” But the resources directed to information security planning don’t have to be all about network penetration and bells and whistles. They don’t have to be fancy and only capable of implementation with a huge legal, IT and risk management staff. A lot of problems can be avoided by simple process tweaks and employee awareness and training.
Consider the company customer records: they may not have any “personally identifiable information” in them, the loss of which drives the massive breach headlines we now see so routinely. But they probably contain pricing, discount information, volume and tiering plans, sales cycle data, and other material that would make you vulnerable if it got leaked.
Now consider that information in an Excel spreadsheet, not protected by encryption, role-based access, or even a password. How easy would it be for someone to email that outside the company, whether accidentally or on purpose?
Think it doesn’t happen? It does. I’ve had multiple clients face some variant of this spreadsheet email in the last three years. It’s disruptive, it’s expensive, it’s embarrassing, and it’s got the potential to lead to liability. Most importantly, it’s compromising your “secret sauce.” Why wouldn’t you spend some time on planning and training and shoring up a few easy practices to prevent this kind of event?
If you are a small company looking to grow, and looking for a buyer, having your assets protected is important to your value: that’s why you’ve registered your intellectual property, for instance, and put contracts in place to protect it. If you are a company at scale, protecting your assets is about investing in your stable returns.
None of this is expensive or scary or overly “techy.” It’s just good business sense.
If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union. The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls. The EU views privacy as a fundamental human right; it is enshrined that way in the EU constitution. In this way, regulators and citizens of the EU are far more attuned to personal privacy than most Americans. The new privacy rules carry potentially very steep penalties: fines for violations can amount to up to four percent of global revenue or 20 million Euros (whichever is greater).
What Does the GDPR Require?
The GDPR is designed to give EU residents a standard measure of personal electronic privacy protection that has the same basic expectations no matter whether the individual is doing business with a French company, a Japanese company, or an American company. The tenets of the GDPR sound non-controversial: they involve notice, choice, and transparency (among other things).
At a minimum, this probably merits reviewing your privacy and employment policies to ensure that they fall in line with GDPR requirements of telling EU consumers what data you collect about them, what you do with it, and what rights they have to stop you (or to change their minds once they’ve given you their information). Merely revising your policies and ensuring that you have a way to respond to consumer inquiries is not enough to be fully compliant with the GDPR, but it may be a reasonable approach if your exposure to the market is very limited. That decision should be made in consultation with your lawyer and possibly your cyber insurance carrier so that you can weigh the risks of non-compliance (or partial compliance) against the benefits and costs of compliance.
If you have significant dealings in the EU, you almost certainly need to do more. Reviewing and documenting your company’s practices regarding data collection and use, designing privacy-aware interfaces for new products and services, establishing server locations so as to keep data local: all of these examples may be or become an important part of your GDPR readiness, because minimizing the data maintained on EU consumers and not moving it to jurisdictions that lack the EU’s protections are key policy aims of the GDPR.
Does it Apply to Me?
If you have customers, employees, or even vendors in the EU, and you interact with their personal data in electronic fashion, you may be subject to the GDPR. The rules apply if you offer goods or services to EU residents and/or if you monitor them. Cookies and other common Web tracking devices are considered a form of monitoring. This has important implications for how you design your online and data flow practices, both consumer-facing and internal. Also, the EU definition of “personal information” is far broader than anything used in the U.S. It means anything that can be used to identify a person, not just specific information about a specific person. IP addresses, for example, are “personal information” within the EU definition – not just tax ID numbers, email addresses, and so forth.
What Should I Do?
The first step for any company is awareness: knowing whether you have dealings with EU residents, and what information you collect and use regarding them, will tell you whether you need to undertake a compliance discussion with your cyber counsel and carrier. After that, ensuring that your company makes personal privacy a priority, both internally and externally, is high on the GDPR list. Unfortunate happenings like the Equifax and SEC breaches announced in September, combined with EU suspicion of U.S. electronic surveillance measures, will ensure that U.S. companies have to justify themselves to a skeptical regulator if they ever face their own issues.
The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.
Instead, consider the following scenarios:
- An employee erroneously distributes the social security numbers and other personal information of every employee in the company;
- A customer’s email is hacked, resulting in your company receiving a fraudulent - but authentic-looking - set of instructions to wire payment to a specific bank account. The money disappears as soon as it hits the fake account; and
- Someone (unclear whether internal or external) gets into your company HR system and cracks several accounts, changing employee direct deposit information and locking employees out of their email.
I've gotten calls about each of these three situations just this week.
What would you do if this were your company? None of these is a catastrophic event, but every one of them involves disruption, investigation, acrimony, and significant amounts of time and money to resolve. For a company that lacks the resources of Equifax, a seemingly small event like this could become catastrophic: your insurance might not pay; your customers might walk; your bank account might be compromised. On a smaller but still disruptive scale, you could become mired in reactive work (investigation, legal follow-up, relationship repair with customers and employees, HR actions) for weeks or even months.
Now think about a “minor” event like this, but where the information compromised is your company's core asset. That really would be catastrophic. And the plain truth is that these “minor” events are often preventable, or at least there is advance planning that could mitigate their impact. This is in plain contrast to the Equifax situation, where advance planning may or may not be enough to protect the plum assets of a high-value target from sophisticated actors.
Cyber and information security planning are not a purely defensive play. Investing in and planning for the security of your corporate assets – whether the company’s “secret sauce” or not – is a key offensive move for any organization. If you're a growing company, investing in the integrity of your assets helps establish your value to potential buyers and investors. If you're already at scale, planning and investment helps maintain it by allowing you to distribute and spend your profits for the benefit of your shareholders and your operations, rather than on reactive clean-up. The legal exposure issues of a breach are real, but avoiding legal risk is not the primary result of planning done right. #cyberforgrowth #cyberasoffense
According to a new survey by insurer Nationwide, almost half of all businesses have been the victim of a cyberattack without knowing it.
Most of the headlines about cyber exposure and planning focus on the need to avoid exposure to consumer claims. This neglects the real purpose of cyber planning for most companies, however: protecting your revenue and securing your growth.
Many businesses don’t have a lot of “personally identifiable information” on file, and the penalties associated with losing control over that information are generally not large (outside healthcare, financial services, and similar industries). With those facts in front of you, it can be hard to justify spending scarce resources on a defensive plan.
However, your own business assets and your own growth/succession are at risk no matter what kinds of records you hold in your company. The time and money you spend on developing and practicing good cyber habits is priceless when you think about your IP, your trade secrets, your pricing, your “secret sauce” getting out via a hacker. Bad guys troll for valuable information all the time, and often sell batches of information via online black markets. This has nothing to do with the headline grabbing consumer suits that garner all the attention.
How would you value your business in a sale if you knew you’d been the victim of a cyberattack and couldn’t demonstrate that your core assets remained secure? How would you talk to your investors or your board following an attack? What would you want to know about a target’s cyber habits before buying its business?
These are the questions that should be driving our discussion of cybersecurity planning. #cyberprotectionforgrowth – not cybersecurity as a means to fend off rare (and rarely successful) consumer claims.
A friend recently asked if the Georgia Angel Investor Tax Credit program would cover an angel investor’s investment in a start-up’s convertible promissory note. It was a good question because start-ups often raise funds through convertible notes. The short answer to his question was, “it depends.”
The Georgia Angel Investor Tax Credit program gives angel investors who are Georgia residents a tax credit for making qualified investments in Georgia start-ups. The program was amended in 2015 to cover qualified investments made in 2016, 2017 and 2018. (See Georgia Angel Investment Tax Credit (May 24, 2016))
The program allows the angel a tax credit of up to 35% for a qualified investment, capped at a credit of not more than $50,000 in any tax year, with the tax credit to be issued in the second year after the investment is made. (For example, a qualified investment made in 2015 would result in a tax credit for the 2017 tax year.) The state permits not more than $5 million in tax credits each year and start-ups need to apply for allocations of the tax credits if they have investors who want to take advantage of the program.
The Georgia Department of Revenue has issued rules to guide tax payers through the requirements of the program. (See Georgia Rule 560-7-8-.52)
To obtain a tax credit a “qualified investor” must make a “qualified investment” in a “qualified business” (tracking the definitions from the Georgia Rule). Answering the question originally posed, therefore, requires the taxpayer to walk through each of these definitions. An investment in a convertible promissory note, can be a “qualified investment” (assuming all of the other definitions are met) if the convertible promissory note satisfies the requirements of “qualified subordinated debt” (the only debt category within the definition of “qualified investment”). Qualified subordinated debt is “indebtedness that is not secured, that may or may not be convertible into common or preferred stock or other equity interest, and that is subordinated in payment to all other indebtedness of the qualified business issued or to be issued for money borrowed and no party of which has a maturity date less than five years after the date such indebtedness was purchased.”
It is this last requirement for “qualified subordinated debt” that most start-up convertible note deals may have difficulty satisfying. Most convertible notes issued by start-ups are not subordinated, but rather represent senior indebtedness that may not be subordinated. So, if a start-up wants to ensure that its convertible note offering will be eligible for the Georgia Angel Investment Tax Credit program, counsel for the start-up should carefully draft the subordination provisions of the note with a view towards the requirements of Georgia Rule 560-7-8-.52(2)(g).
This week, the House of Representatives will consider and vote on the Financial Choice Act (“FCA”), sponsored by Rep. Jeb Hensarling of Texas – chairman of the House Financial Services Committee. The FCA is a response to the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), and not a nice one. It essentially guts that bill which was itself a response to the financial crisis that began in 2007. After his election, President Obama called for a "sweeping overhaul of the United States financial regulatory system, a transformation on a scale not seen since the reforms that followed the Great Depression" and Dodd-Frank was basically the result.
Yesterday's news about Apple's secret effort to find the 'holy grail' for treating diabetes is just the tip of the iceberg.
The data-mining and communications solutions that are made possible by the Internet will make it possible for future entrepreneurs to launch solutions that we find hard to imagine today.
Wearable devices, once configured with the right technology to enable the monitoring of blood sugar levels, blood oxygen levels and other health data in combination with data-mining and simultaneous communication to health care providers hold great potential for guiding patients to make healthy choices and to seek medical help when appropriate.
There are obvious data privacy and cyber-security implications, of course, but even these challenges are opportunities in disguise for the entrepreneurs who can develop market-friendly solutions.
I hope everyone can join me in a webinar on April 21, 2017, entitled Real Estate in Mergers and Acquisitions.
I’ll be part of a panel that includes my environmental partner, Leah Knowlton, on challenges in dealing with real estate in M&A documentation and negotiations.
Registration information available on the National Business Institute website.
As warming temperatures precede the coming of Spring, there is a growing chorus of support in the U.S. Congress for ending the U.S. embargo of Cuba.
- Data Privacy
- Data Security
- Government Investigations
- Limited Government
- FAST Act
- JOBS Act
- Public Policy
- Intellectual Property
- Social Media
- Employment Issues
- Non-Profit Organizations
- Due Process
- Political Philosophy
- Risk Avoidance
- Risk Management
- Regulation A+
- Renewable Energy Around the Web
- In-House Counsel
- Mergers and Acquisitions
- Real Estate