SEC Disclosure Guidelines Urge Businesses to Disclose Not Only Cyberattacks, but Also Risks

May 21, 2012

Recent cybersecurity breaches at major companies have underscored the importance of careful and comprehensive planning to guard against potential attacks. Attacks can come from live criminals like hackers, or from viruses and malware. They can result in direct financial losses through theft, lost productivity due to equipment failure or data loss, and civil or criminal liability for exposure of sensitive or confidential data. Companies and organizations should consider how best to incorporate cyberattack data into their risk management plans.

A cyberattack earlier this year on online retailer Zappos resulted in the possible theft of as many as 24 million users’ personal information. The company cut off all access to its services to users outside of the United States for several days, and it faces at least one lawsuit from a customer.

Most U.S. states have enacted laws requiring companies that collect personal information to report cybersecurity breaches in which unauthorized persons may have accessed such information. “Personal information” includes names, home addresses, dates of birth, social security numbers, and other information that could be used in identity theft or other fraudulent activity. Companies typically must notify a government agency as well as the consumers whose information may have been compromised.

The U.S. Securities and Exchange Commission (SEC) recently set out new guidelines for cybersecurity disclosure that could have a long-ranging impact. The guidelines advise companies to provide information about cyberattacks that they have experienced, including the nature and scope of the attack, and the value and character of any lost property. Companies are also encouraged to identify what aspects of the business, such as sales, were harmed by the attack or attacks. The guidelines even recommend that companies disclose the “cyberrisks” they face and the potential consequences of hackers appropriating their data or interfering with their operations, even if they have not suffered an actual attack or breach.


May 16, 2012

This Saturday the Austin Young Lawyers’ Association is holding its major annual fundraiser, the AYLA Retro Vegas Party benefiting the AYLA Foundation. I’m looking forward to the party for several reasons: (1) I’m on the AYLA Board and this is one of our flagship events, (2) I have been heavily involved with the planning of this event, and (3) it’s going to be a lot of fun. Additionally, I am very excited about seeing Prism’s friend Sara Foskitt (of the Foskitt Law Office) be recognized as AYLA’s Outstanding Mentor of the Year.

For quite a while, Sara has been personally mentoring attorneys both new to Austin and new to law practice. Sara has been working to spread her love of mentoring by building a mentor program with the Austin Bar Association. This has been its inaugural year, and with over fifty mentors participating, it has been quite successful.

Congratulations, Sara!

Sara Foskitt and the Foskitt Law Office work with Prism Risk Management to provide litigation management services to the Texas Schools Property & Casualty Cooperative risk management program.


Proposed “Consumer Privacy Bill of Rights” Could Protect Businesses Using Cloud Computing, but Also Makes Them Accountable to Employees

May 14, 2012

The Obama administration announced its proposal for a “Consumer Privacy Bill of Rights” on February 23, 2012 amid a variety of concerns about the security of consumers’ personally identifiable information (PII). The Government Accountability Office (GAO) offers a useful, if broad, definition of PII as:

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

This covers most information collected from individuals when signing up for an internet-based service or making an online purchase. It may also cover information stored or transmitted by businesses that use cloud-based services for business activities. The proposed “bill of rights” protects the data of individuals. This is undoubtedly a good objective, but it means that companies conducting risk assessments of their cloud computing activities must consider their obligations to their own officers and employees, who may put their own PII at risk on behalf of the company.

The “bill of rights” lists seven key rights of individual consumers that companies handling PII must respect:

- Individual control over one’s own PII;
- Transparent, easily understood information about PII practices;
- Use of PII strictly for the purpose(s) for which it is collected;
- Secure, responsible PII management;
- Ability by the consumer to access PII and correct inaccuracies;
- Reasonably focused collection of PII that is strictly needed by the company; and
- Accountability to consumers for violations of these rights.

Although the White House has called on Congress to pass legislation giving this “bill of rights” the force of law, for now it remains a set of non-binding guidelines. As cloud computing evolves and businesses develop sets of best practices, protections such as these may become the norm.


U.S. National Security Laws May Be Driving Other Countries to Nationalize Cloud Computing, and It Could Put Your Data at Risk

May 7, 2012

A “fight between two giants” may be brewing, as France takes steps to counter the dominance of U.S. companies in cloud computing. Amid concerns about American laws that permit government monitoring of cloud data, business and government leaders across Europe have touted the need to build strong European mechanisms for cloud storage. This can affect users worldwide, of course, not just in Europe, and the effect on large-scale cloud users in the United States could be significant.

Bloomberg News reported in January that two giant French companies, France Telecom SA and Thales SA, had joined a venture with the French government to offer a “made in France” cloud network to French business, organizations, and individuals. The network would offer incentives or other measures to give preference to French companies and service providers. Business leaders specifically cited the degree of scrutiny and control the U.S. government can exercise over cloud data as the justification for the move.

German businesses have likewise advocated secure, domestic-based cloud storage not subject to U.S. jurisdiction. A CEO at Deutsche Telekom remarked last year that the German government should facilitate the construction of secure cloud networks localized in Europe. Customers, he said, have expressed a desire for cloud storage separate from American law enforcement and regulations. Proposals include possible restrictions on or requirements for the location of cloud servers holding privileged data.

At issue for American companies and cloud users is the effect of certain PATRIOT Act provisions on the management of cloud networks. Paul Miller at the technology blog CloudAve describes how European countries tend to adopt stricter rules regarding protection of personally identifiable information online, as compared to the United States. The PATRIOT Act, passed in the immediate aftermath of the September 11, 2001 terrorist attacks in order, ostensibly, to streamline certain law enforcement procedures, allows the federal government greater access to such information than many Europeans prefer. This has created the opening for European businesses to tout building cloud networks specifically for Europeans.

Microsoft, one of the world’s leading cloud providers, publicly committed to compliance with European data protection laws last year. Observers doubt, however, that the company can keep the U.S. government from accessing data that would be protected under European privacy laws, based on American laws like the PATRIOT Act and FISA. This has caused significant consternation in Europe’s tech community.


Public Cloud Computing Has New Guidelines to Help Protect Users’ Privacy and Security

April 25, 2012

Administrators and users of “public cloud computing” services have a new set of guidelines for managing risks to the security of the systems and the privacy of the stored data. The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, has followed up on its recent document offering a definition of cloud computing with a set of guidelines for privacy and security in cloud systems. While government agencies comprise the principal audience for NIST’s guidelines, private companies and organizations can benefit as well. End-user consumers, whose personal information is often most at risk of cyberattack, will also find the guidelines beneficial. We will focus on security and privacy considerations for businesses and other organizations.

The NIST published its report, “Guidelines on Security and Privacy in Public Cloud Computing,” in December 2011. It recommends a security and privacy environment based on careful planning that is tailored to a particular cloud provider’s system. Planners should take the needs of the organization into account when creating a cloud computing solution, paying close attention to the computing environments of both the service provider and the user. Finally, cloud computing environments require accountability, with constant monitoring of the system’s effectiveness.

Planning for Security and Privacy

Cloud computing represents a major departure from previous models of information management. Sensitive data no longer resides on a private server, but rather “in the cloud.” It therefore requires careful planning of organizing and storing data, as well as management of security and privacy over the life of the organization. Security and privacy are particularly vulnerable in the initial process of transferring data to new storage media, and also in the ongoing process of retrieving data for use.

Understanding the Cloud Environment

Organizations have unique computing needs, and cloud providers offer multiple types of services. To effectively manage risk, organizations must have a detailed understanding of the cloud provider’s services. In particular, an organization must understand its responsibilities, as opposed to those of the cloud provider, for security and privacy of information.

Ensuring the Cloud Service Meets the Organization’s Needs

An organization is unlikely to find a cloud provider whose default service precisely meets their needs for security and privacy. The organization should clearly articulate their particular risks and vulnerabilities, and should be prepared to negotiate services with a cloud provider to find the best possible service.

Ensuring the Client-Side Service Meets the Organization’s Needs

Cloud computing is two-sided. Organizations must ensure the security of their own users as well as the cloud service itself. Users access cloud providers’ services through web browsers, smartphone apps, and other software. Hackers can easily breach many client-side applications, so careful planning and understanding is crucial for an organization.


Federal Government Develops Definitions and Standards for Cloud Computing

April 18, 2012

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce. Its purpose is to develop standards for measurements in science and technology that “promote U.S. innovation and industrial competitiveness.” The ultimate goal is to “enhance economic security and improve our quality of life.” NIST was founded in 1901 as the National Bureau of Standards. Its standards and regulations regarding measurements of weight, mass, and other metrics influence much of the world’s commerce. It even operates a website that provides the official time for any location in the United States. NIST has recently turned its attention to cloud computing.

In a publication titled “The NIST Definition of Cloud Computing,” released in September 2011, NIST has issued its guidelines for standardized definitions and terminology in relation to the field of “cloud computing.” The Federal Information Security Management Act of 2002 (FISMA) requires NIST to develop these guidelines for the purpose of facilitating information security. A set of standard terms and definitions is crucial to developing security protocols for cloud-based data, particularly when data may be spread across multiple servers or networks in multiple physical locations. Although the specific audience of NIST’s publication is the federal government, it notes that private organizations may choose to follow its recommendations.

NIST defines “cloud computing” as a model that allows access to shared resources online that is convenient and available on demand from anywhere a user has access to the internet. Resources may include data storage, applications, and other services, and should involve little management on the user’s end. The report defines “cloud computing” based on a set of “essential characteristics,” “service models,” and “deployment models.”

Five essential characteristics define cloud computing. A consumer must be able to access cloud services on-demand and on a self-service basis, with no human interaction required. Services must be available through ordinary network access, such as through laptop computers, tablets, or smartphones. Cloud services should be pooled to serve multiple consumers at once. Services should also be sufficiently elastic to allow for rapid changes in demand on system resources, giving consumers the same or similar experience no matter how many users are online. Finally, the service should be measurable, allowing both the service provider and consumer to track usage statistics like bandwidth and storage.


Austin Bar Leadership Academy

January 20, 2012

Last Friday I attended the kick-off of the inaugural Austin Bar Leadership Academy. The day ended up being quite interesting, with highlights including a speech from Chief Justice Wallace Jefferson and a presentation on leadership from keynote speaker Senator Kirk Watson. We also participated in several leadership activities as well as receiving instruction on the interplay of various personality types in a working environment.

Prism Risk Management friend and attorney Sara Foskitt was one of the members of the class along with several of my friends from AYLA and YMBL.  I appreciate the work put in by David Courreges and Karin Crump as chairs of the Leadership Academy.


-Dave Floyd

CEO & General Counsel of Prism Risk Management


Austin Bar/AYLA Leadership Academy

December 1, 2011

I am very excited to announce that I have been accepted into the Austin Bar/AYLA 2012 Leadership Academy. Having just looked at the list, I am very pleased to be in such good company. Included in this list is Sara Foskitt of the Foskitt Law Office, one of Prism Risk Management’s favorite service providers.

I’m looking forward to participating in the 2012 Leadership Academy. I enjoyed Leadership Austin’s Essential and Emerge programs, and am interested to see how things will unfold in a lawyer-oriented leadership program.

-Dave Floyd

CEO & GC, Prism Risk Management


Partners: Sara Foskitt

November 14, 2011

We are very excited to see that our friend Sara Foskitt has just had her first column published in the Texas Lawyer. The column is about how judges react to discovery disputes in Travis County District Courts. In addition to being highly skilled in general litigation and real estate matters, Sara also has an extensive knowledge of the Travis County District Courts thanks to her experience as a staff attorney for the Hon. Darlene Byrne. Sara helps Prism Risk Management with general legal advice as well as claims management.


YMBL Fall Fling and AYLA Bar & Grill

November 10, 2011

Tonight, while I’m at dress rehearsal for Bar & Grill: Double Feature, the Austin Young Men’s Business League is having its annual Fall Fling. But for the rehearsal conflict, I would be there. I have been to multiple Fall Flings and all were a lot of fun. Spring Fling, held this year at Laguna Gloria, was awesome as well.


Fall Fling is tonight at the Umlauf Sculpture Garden.  Tickets are $30, with proceeds going to benefit the Austin Sunshine Camps.


Tomorrow and/or Saturday night, there is no better way to spend the evening than at Bar & Grill: Double Feature, Austin’s finest value in lawyer-themed musical comedy. The show is at 8p both nights, at the historic State Theatre downtown (located conveniently near the Roaring Fork and the hotel bar at the Stephen F. Austin). Tickets for Bar & Grill: Double Feature are available online.


Bar & Grill, in addition to being highly entertaining, is a fundraiser for the Austin Young Lawyers’ Foundation, the charitable arm of the Austin Young Lawyers’ Association. I am on the board of directors of AYLA, and I have acted in, written for, and been a story contributor for Bar & Grill in 2009, 2010, and 2011. My first appearance in Bar & Grill was in 2006.


Dave Floyd

CEO, Prism Risk Management LLC
