A cyberattack earlier this year on online retailer Zappos resulted in the possible theft of as many as 24 million users’ personal information. The company cut off all access to its services to users outside of the United States for several days, and it faces at least one lawsuit from a customer.

Most U.S. states have enacted laws requiring companies that collect personal information to report cybersecurity breaches in which unauthorized persons may have accessed such information. “Personal information” include names, home addresses, dates of birth, social security numbers, and other information that could be used in identity theft or other fraudulent activity. Companies typically must notify a government agency as well as the consumers whose information may have been compromised.

The U.S. Securities and Exchange Commission (SEC) recently set out new guidelines for cybersecurity disclosure that could have a long-ranging impact. The guidelines advise companies to provide information about cyberattacks that they have experienced, including the nature and scope of the attack, and the value and character of any lost property. Companies are also encouraged to identify what aspects of the business, such as sales, were harmed by the attack or attacks. The guidelines even recommend that companies disclose the “cyberrisks” they face and the potential consequences of hackers appropriating their data or interfering with their operations, even if they have not suffered an actual attack or breach.

The SEC’s jurisdiction generally only extends to publicly-traded companies, but they may affect other organizations as well. The guidelines specify that companies should make these disclosures on their annual 10-K form, a document that provides an overview of a company’s business, including its finances. The purpose of the new guidelines, according to a former SEC staffer, is to provide information on the security of a company’s digital and computer assets for the benefit of investors. Stakeholders in other types of organizations may also want access to this type of information, and the SEC’s guidelines may lead to demands for more openness and disclosure. Closely-held corporations, partnerships, and nonprofit organizations may find themselves under pressure to provide this sort of information.

Although investors and other interested parties could undoubtedly benefit from information on cyberattacks, such disclosure could be problematic for companies. Disclosure of their cyberrisks could expose sensitive parts of their business operations, inadvertently benefitting a competitor or even a tipping off a hacker. At the same time, companies could face lawsuits from shareholders if a cyberattack occurs and the company did not disclose all potential risks. Striking a balance between the two interests must be a key factor in an organization’s cyberrisk management plan.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

More Blog Posts:

Public Cloud Computing Has New Guidelines to Help Protect Users’ Privacy and Security, Prism Risk Management Blog, April 18, 2012

Federal Government Develops Definitions and Standards for Cloud Computing, Prism Risk Management Blog, April 18, 2012

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Photo credit: ‘U.S. Securities and Exchange Commission headquarters’ by AgnosticPreachersKid (Own work) [CC-BY-SA-3.0], via Wikimedia Commons

This Saturday the Austin Young Lawyers’ Association is holding it’s major annual fundraiser, the AYLA Retro Vegas Party benefiting the AYLA Foundation.   I’m looking forward to the party for several reasons: (1) I’m on the AYLA Board and this is one of our flagship events, (2) I have been heavily involved with the planning of this event, and (3) it’s going to be a lot of fun.  Additionally, I am very excited about seeing Prism’s friend Sara Foskitt (of the Foskitt Law Office) be recognized as AYLA’s Outstanding Mentor of the Year.

For quite a while, Sara has been personally mentoring attorneys both new to Austin and new to law practice.  Sara has been working to spread her love of mentoring by building a mentor program with the Austin Bar Association.  This has been it’s inaugural year, and with over fifty mentors participating, it has been quite successful.

Congratulations Sara!  

Sara Foskitt and the Foskitt Law Office work with Prism Risk Management to provide litigation management services to the Texas Schools Property & Casualty Cooperative risk management program.

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

This covers most information collected from individuals when signing up for an internet-based service or making an online purchase. It may also cover information stored or transmitted by businesses that use cloud-based services for business activities. The proposed “bill of rights” protects the data of individuals. This is undoubtedly a good objective, but it means that companies conducting risk assessments of their cloud computing activities must consider their obligations to their own officers and employees, who may put their own PII at risk on behalf of the company.

The “bill of rights” lists seven key rights of individual consumers that companies handling PII must respect:

- Individual control over one’s own PII;
- Transparent, easily understood information about PII practices;
- Use of PII strictly for the purpose(s) for which it is collected;
- Secure, responsible PII management;
- Ability by the consumer to access PII and correct inaccuracies;
- Reasonably focused collection of PII that is strictly needed by the company; and
- Accountability to consumers for violations of these rights.

Although the White House has called on Congress to pass legislation giving this “bill of rights” the force of law, for now it remains a set of non-binding guidelines. As cloud computing evolves and businesses develop sets of best practices, protections such as these may become the norm.

The “companies” addressed by these guidelines mostly include online service providers like Google and Facebook, but they also apply to any business that routinely collect consumer data online. The consumers protected by the guidelines are the individuals entering their personal data. This puts companies that use cloud-based services somewhere in the middle, as the company’s employees are the ones entering the data, and the company may have PII for both its employees and its customers stored in the cloud.

Companies that use cloud-computing services must therefore consider the potential liabilities they have to both their own staff and their customers when developing a cloud-computing strategy. For now, PII security is governed by existing rules of confidentiality for customer data, which varies depending on the type of business in which a company is engaged. The same may be said for officer or employee PII stored in the cloud, which may be protected by existing privacy laws. Since many existing laws came about when privacy largely involved securing data in locked file cabinets, businesses must take care with their digital PII.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

Web Resources:

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (PDF file), National Institute of Standards and Technology, April 2010

PRIVACY: Alternatives Exist for Enhancing Protection of Personally Identifiable Information (PDF file), U.S. Government Accountability Office, May 2008

More Blog Posts:

Texas Workers Comp: DWC Accepting Comment on Proposed Rules, Prism Risk Management Blog, November 8, 2011

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Intern Hazards, Prism Risk Management Blog, July 7, 2011

Photo credit: ‘White House 06.02.08′ by Юкатан (Own work) [Public domain], via Wikimedia Commons.

Bloomberg News reported in January that two giant French companies, France Telecom SA and Thales SA, had joined a venture with the French government to offer a “made in France” cloud network to French business, organizations, and individuals. The network would offer incentives or other measures to give preference to French companies and service providers. Business leaders specifically cited the degree of scrutiny and control the U.S. government can exercise over cloud data as the justification for the move.

German businesses have likewise advocated secure, domestic-based cloud storage not subject to U.S. jurisdiction. A CEO at Deutsche Telekom remarked last year that the German government should facilitate the construction of secure cloud networks localized in Europe. Customers, he said, have expressed a desire for cloud storage separate from American law enforcement and regulations. Proposals include possible restrictions on or requirements for the location of cloud servers holding privileged data.

At issue for American companies and cloud users is the effect of certain PATRIOT Act provisions on the management of cloud networks. Paul Miller at the technology blog CloudAve describes how European countries tend to adopt stricter rules regarding protection of personally identifiable information online, as compared to the United States. The PATRIOT Act, passed in the immediate aftermath of the September 11, 2001 terrorist attacks in order, ostensibly, to streamline certain law enforcement procedures, allows the federal government greater access to such information than many Europeans prefer. This has created the opening for European businesses to tout building cloud networks specifically for Europeans.

Microsoft, one of the world’s leading cloud providers, publicly committed to compliance with European data protection laws last year. Observers doubt, however, that they company can keep the U.S. government from accessing data that would be protected under European privacy laws, based on American laws like the PATRIOT Act and FISA. This has caused significant consternation in Europe’s tech community.

These moves by companies in France, Germany, and elsewhere to create a separate cloud network could cause difficulties for American users. American businesses that use cloud computing and cloud storage may rely on easy transmission of data across national borders, as companies may locate servers in multiple countries. Dividing the cloud network into separate national clouds has the potential to disrupt existing users’ access. Any such course of action would involve significant initial costs, measured both monetarily and as opportunity cost.

The extent of these possible disruptions is impossible to predict at this point. Businesses who make use of the cloud should remain aware of these situations in order to effective manage the risk posed to their data and to prevent possible losses.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

More Blog Posts:

Texas Workers Comp: DWC Accepting Comment on Proposed Rules, Prism Risk Management Blog, November 8, 2011

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Texas Schools Feeling the Effects of Drought, Fires, Prism Risk Management Blog, September 26, 2011

Photo credit: ‘Storm Clouds over London’ by Garry Knight (Flickr: Storm Clouds over London) [CC-BY-SA-2.0], via Wikimedia Commons

The NIST published its report, “Guidelines on Security and Privacy in Public Cloud Computing,” in December 2011. It recommends a security and privacy environment based on careful planning that is tailored to a particular cloud provider’s system. Planners should take the needs of the organization into account when creating a cloud computing solution, paying close attention to the computing environments of both the service provider and the user. Finally, cloud computing environments require accountability, with constant monitoring of the system’s effectiveness.

Planning for Security and Privacy

Cloud computing represents a major departure from previous models of information management. Sensitive data no longer resides on a private server, but rather “in the cloud.” It therefore requires careful planning of organizing and storing data, as well as management of security and privacy over the life of the organization. Security and privacy are particularly vulnerable in the initial process of transferring data to new storage media, and also in the ongoing process of retrieving data for use.

Understanding the Cloud Environment

Organizations have unique computing needs, and cloud providers offer multiple types of services. To effectively manage risk, organizations must have a detailed understanding of the cloud provider’s services. In particular, an organization must understand its responsibilities, as opposed to those of the cloud provider, for security and privacy of information.

Ensuring the Cloud Service Meets the Organization’s Needs

An organization is unlikely to find a cloud provider whose default service precisely meets their needs for security and privacy. The organization should clearly articulate their particular risks and vulnerabilities, and should be prepared to negotiate services with a cloud provider to find the best possible service.

Ensuring the Client-Side Service Meets the Organization’s Needs

Cloud computing is two-sided. Organizations must ensure the security of their own users as well as the cloud service itself. Users access cloud providers’ services through web browsers, smartphone apps, and other software. Hackers can easily breach many client-side applications, so careful planning and understanding is crucial for an organization.

Accountability for Maintaining Security and Privacy

Once an organization has security protocols in place for its cloud computing system, it must maintain those protocols and review their effectiveness as a means of managing risk. This involves designating a responsible party to oversee security. It also requires an ongoing process of collecting and analyzing data on the use and integrity of the system, and of communicating with the cloud provider to resolve concerns and maintain updated technology.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

Web Resources:

Guidelines on Security and Privacy in Public Cloud Computing (PDF), National Institute of Standards and Technology, December 2011

More Blog Posts:

Texas Workers Comp: DWC Accepting Comment on Proposed Rules, Prism Risk Management Blog, November 8, 2011

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Texas Schools Feeling the Effects of Drought, Fires, Prism Risk Management Blog, September 26, 2011

Photo credit: ‘Cloud computing openness’ by Sam Johnston [GFDL or CC-BY-SA-3.0], via Wikimedia Commons

In a publication titled “The NIST Definition of Cloud Computing,” released in September 2011, NIST has issued its guidelines for standardized definitions and terminology in relation to the field of “cloud computing.” The Federal Information Security Management Act of 2002 (FISMA) requires NIST to develop these guidelines for the purpose of facilitating information security. A set of standard terms and definitions is crucial to developing security protocols for cloud-based data, particularly when data may be spread across multiple servers or networks in multiple physical locations. Although the specific audience of NIST’s publication is the federal government, it notes that private organizations may choose to follow its recommendations.

NIST defines “cloud computing” as a model that allows access to shared resources online that is convenient and available on demand from anywhere a user has access to the internet. Resources may include data storage, applications, and other services, and should involve little management on the user’s end. The report defines “cloud computing” based on a set of “essential characteristics,” “service models,” and “deployment models.”

Five essential characteristics define cloud computing. A consumer must be able to access cloud services on-demand and on a self-service basis, with no human interaction required. Services must be available through ordinary network access, such as through laptop computers, tablets, or smartphones. Cloud services should be pooled to serve multiple consumers at once. Services should also be sufficiently elastic to allow for rapid changes in demand on system resources, giving consumers the same or similar experience no matter how many users are online. Finally, the service should be measurable, allowing both the service provider and consumer to track usage statistics like bandwidth and storage.

Cloud computing has three fundamental service models. Infrastructure as a Service (IaaS) allows the user access to general system resources like processing or storage. The most common example would be online data storage or backup services. Platform as a Service (PaaS) offers a virtual computing platform in which a user can create software applications or configure platform settings. The service provider controls the overall operating system. Finally, Software as a Service (SaaS) provides the highest level of online service and support, allowing users to access applications hosted online through their web browser, with little to no need to install software on the local machine.

Cloud services can follow four deployment models. A public cloud is available to the entire internet. On the other end of the spectrum, a private cloud is only available to consumers of a specific organization. A community cloud may be available to a group of users with common interests or concerns, and a hybrid cloud combines elements of the other three models.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

Web Resources:

The NIST Definition of Cloud Computing (PDF), National Institute of Standards and Technology, September 2011

More Blog Posts:

Texas Workers Comp: DWC Accepting Comment on Proposed Rules, Prism Risk Management Blog, November 8, 2011

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Texas Schools Feeling the Effects of Drought, Fires, Prism Risk Management Blog, September 26, 2011

Photo credit: ‘Cloud computing’ by Sam Johnston (This vector image was created with Inkscape) [CC-BY-SA-3.0], via Wikimedia Commons

Prism Risk Management friend and attorney Sara Foskitt was one of the members of the class along with several of my friends from AYLA and YMBL.  I appreciate the work put in by David Courreges and Karin Crump as chairs of the Leadership Academy.

-Dave Floyd

CEO & General Counsel of Prism Risk Management

I’m looking forward to participating in the 2012 Leadership Academy.   I enjoyed Leadership Austin’s Essential and Emerge programs, and am interested to see how things will unfolding in a lawyer oriented leadership program.

-Dave Floyd

CEO & GC, Prism Risk Management