<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Ogalaws</title>
	<atom:link href="http://ogalaws.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://ogalaws.wordpress.com</link>
	<description>Selected topics in law, and strategic consulting.</description>
	<lastBuildDate>Tue, 21 May 2013 13:25:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='ogalaws.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Ogalaws</title>
		<link>http://ogalaws.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://ogalaws.wordpress.com/osd.xml" title="Ogalaws" />
	<atom:link rel='hub' href='http://ogalaws.wordpress.com/?pushpress=hub'/>
		<item>
		<title>BYOD: Policy with Trust, or Ignore and Bust?!</title>
		<link>http://ogalaws.wordpress.com/2013/05/21/byod-policy-with-trust-or-ignore-and-bust-2/</link>
		<comments>http://ogalaws.wordpress.com/2013/05/21/byod-policy-with-trust-or-ignore-and-bust-2/#comments</comments>
		<pubDate>Tue, 21 May 2013 13:24:54 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Bring Your Own Device (BYOD)]]></category>
		<category><![CDATA[BYOD Policy Guidelines]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=530</guid>
		<description><![CDATA[Gone forever, are the days when businesses could afford to adopt a laissez-faire attitude and let employees set their own pace to adopt and deploy Commercial off the Shelf (COTS) technologies and tools without solid central oversight.  In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and as otherwise advisable for regulatory [&#8230;]]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Gone forever are the days when businesses could afford to adopt a laissez-faire attitude and let employees set their own pace to adopt and deploy Commercial off the Shelf (COTS) technologies and tools without solid central oversight.<span>  </span>In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and as otherwise advisable for regulatory compliance, policies became necessary for computer hardware, then computer software, mobile phones, and social media usage.<span>  </span>Now, a policy is also needed for the use of personal devices for business purposes – or Bring Your Own Device (BYOD), where and when the employer so allows for same.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Whether a single policy will be written with separate and distinct sections for each of these sub-elements, or separate policies will be written for each one, is a matter of case-by-case decision for each employer.<span>  </span>However, many elements will be common to more than one of these policies, and ignoring or avoiding a BYOD policy can lead to “quite” a bust.<a title="" href="#_ftn1" name="_ftnref1">[1]</a></span><span>  </span>The essence of a BYOD policy &#8211; to be implemented with employee buy-in, input, and trust, can have (depending on the size, scope of operations, and headcount of the employer) up to 11 (“eleven”) core elements that must be addressed.<span>  </span>I will now introduce these below.</p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="text-decoration:underline;"><span style="font-family:'Times New Roman', 'serif';">CORE ELEMENTS OF A BYOD POLICY</span></span><span style="font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">1.<span>         </span>S-ystems and Products.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">At the bare minimum, you must let all of your staff know which operating systems (Windows OS version(s), Mac OS, Linux kernel<a title="" href="#_ftn2" name="_ftnref2">[2]</a></span>), and which products (phones, tablets, laptops, desktops), will be supported as the designated personal work “device” under that BYOD policy.<span>  </span>It should not be a free-for-all with an anything goes and everything must be supported mentality.<span>  </span>That is a recipe for open revolt in the IT department for the undue configuration and compatibility challenges that this would impose.</p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">2.<span>         </span>P-rivacy.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">This is tricky, but it must be addressed.<span>  </span>To the extent that work information is accessible through the device or held on the device, then passwords must be shared with the employer.<span>  </span>Any employee who has a problem with this should quietly back-out of the policy, or ensure that nothing “untoward” is found or left on the device; because that password access should include acceptance of random audits and monitoring to ensure: (i) security protocols are being followed; (ii) comingling of personal and business data is not the norm; and (iii) employees are not engaging in other activities, including illicit activities, that might subject the BYOD (work) device to legal impoundment, or the data thereon to compulsory disclosure.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">3.<span>         </span>E-fficiency Enhancements.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Having likely configured the device to “play nice” with legacy systems and be interoperable across the employer’s IT space, there will be restrictions on what a device owner can and cannot load onto the device, post-configuration.<span>  </span>The BYOD policy should specify whether individuals can download updates on their own (some notifications can be malicious), or use an enterprise update and install function with regular logins and daily backups and syncs to a hard site.<span>  </span>This goes for both system upgrades as well as protective software (antivirus and antimalware).<span>  </span>Another question the policy might address, after taking an initial inventory of all programs and utilities on the device, is which ones can stay and which ones must go, as well as whether or not any favourite games or other utilities – sometimes hurriedly made with inadvertent vulnerabilities, and often needing far too much in the nature of system access and Admin. controls to “function properly” – can be added.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">4.<span>         </span>C-are and Custody.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">It should be heavily-stressed, that once a device has been proposed and accepted for inclusion under the policy, then the “owner” of the device is beholden to the data owner (being the employer, in the case of business proprietary information), and to the data subject (including the client or customer in the case of Personally Identifiable Information, and Personal Health Information and the like), for the care and custody of both the device, and all data that is on the device or accessible by means of the device.<span>  </span>The device “must” remain in the “sole” care and custody of the employee, and can no longer be used by a child to play games during downtime on a long journey, or as a reward for completing homework on time.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">5.<span>         </span>I-nformation.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">This section should remind employees that they will still need to adhere to any internal rules that required them to show a business need for any data before they could access it; as well as enforcing any Identity and Access Management procedures, and continued segregation of duties for working data (create, access, update, store, share, send, shred); system data (upload, download, wipe); and logs (write, access, edit, collate, wipe).<span>  </span>Tie-ins with other policies on information (confidentiality including passwords and proper screensaver and automatic sleep mode usage, social media usage, and regarding audits and internal investigations) can also be made here, or in other sections of the BYOD policy.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">6.<span>         </span>A-ccountability.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Appropriate logs should be maintained of all data accessed through and residing on the device, at all relevant times.<span>  </span>This will help track and assess the degree of loss, control the damage, tailor an appropriate response to the breach population, and otherwise comply with regulatory imperatives in the case of any data breach or corruption, or any device loss.<span>  </span>Of course, the “only” copy should never be held on just one portable device without it also being backed-up in several secure physical locations.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">7.<span>         </span>L-egal.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">While the employer will certainly lay-out those things for which the employee will be responsible, in terms of policy violation, it should also take the opportunity to list those things for which it will neither accept nor assume responsibility.<span>  </span>Whether or not ultimately successful should a claim or claims arise, these might include distracted driving or walking or flying or riding, repetitive stress syndrome, and unlawful or antisocial behaviour (bullying, cyberbullying, sexting, IP infringement, or online defamation).</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Clear defense and indemnification provisions would not be out of order; along with: (i) some form of funding for the employer’s personal device use; (ii) stated and mutually understood to be consideration for accepting the policy as a binding agreement; and (iii) coupled with some employee contribution therefrom into a pool from which BYOD, privacy, and other advisable liability insurance coverages would be secured with the employer as beneficiary.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">8.<span>         </span>I-mplementation.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Here, the employer would give additional rationales for the policy, its scope, its purpose, and its importance to the organization as a whole and its mission, in particular.<span>  </span>Along with a preamble at the start of the policy, this section would be key to achieving buy-in at all levels, and for demonstrating the entity’s commitment at the highest levels, to ensuring that the policy was both welcome and workable.<span>  </span>Any staggered implementation or other pertinent details on how the policy would be managed and modified from time to time or with changing laws &#8211; and with employee input, might also be disclosed. A few words on enforcement, and the reporting and investigation of suspected policy violations should also be included here.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">9.<span>         </span>Z-one of Control.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">This section would further delineate a “zone of control” (ZOC) within which the employer reserves a right to act with or without notice to employees, and that the employees accept that as a bargained-fact.<span>  </span>This ZOC would include matters with regard to internal investigations (it is not always best to warn a target); for reasons of Law Enforcement &amp; National Security (with or without stating specific provisions, but reminding all subscribers/adherents to a BYOD policy that laws of the employer’s originating jurisdiction – including export restrictions and generalized trade or directed sanctions &#8211; may also apply); and in the case of contingencies (for example, where employees in areas under actual, threatened, or suspected terror attack, or whose devices show impending travel further afield than authorized, may find that sensitive data has been remotely wiped from those devices, or that they have been remotely locked, as a security precaution).<span>  </span>Less draconian but still useful in ZOC, of course, are wide and public SMS alerts.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">10.<span>       </span>E-ncryption.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Encryption has recently been touted as the be all and end all of security solutions with regard to data in static situ, in mobile situ, and in transit – whether by email or as accessible through some Cloud platform.<span>  </span>While it is true that encryption has a part to play, what is the use of it when the device has a stored profile that contains one or several of the “current” encryption keys?<span>  </span>In addition, some jurisdictions may offer safe harbors that limit or even avoid breach disclosures when the lost or stolen data is sufficiently encrypted or anonymized to make it indecipherable, and moving the protection closer to or onto the data itself may also serve to limit the ability of an intruder that penetrates the outer layer(s) of enterprise protection to retrieve, and retreat with, anything useful from within the firewall or data stream.<span>  </span>Some have called this a “Secure Breach” state.<a title="" href="#_ftn3" name="_ftnref3">[3]</a></span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">11.<span>       </span>D-ecommissioning and Disposal.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Both disposal of the data, and the decommissioning or disposal of the device need to be better and closely managed.<span>  </span>Deletion does not always remove every trace of the data.<span>  </span>Indeed, sometimes it is very easy to recover in the right hands, and with the appropriate tools.<span>  </span>There must be an accepted understanding that devices will not be traded-in for upgrades or environmental credits without first being run through a wringer (in-house or outsourced) to ensure that they are truly clean.<span>  </span>As the BYOD phenomenon gains pace, stability, and defined structures, a burgeoning business in such “outsourced pre-cleans” will likely develop.<span>  </span>The results of lax cleans prior to disposal range from the embarrassing,<a title="" href="#_ftn4" name="_ftnref4">[4]</a></span> to the quite disastrous.<a title="" href="#_ftn5" name="_ftnref5">[5]</a></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="text-decoration:underline;"><span style="font-family:'Times New Roman', 'serif';">SUMMARY</span></span><span style="font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">BYOD adds significantly more attack surface to an entity’s vulnerability matrix, and offers myriad additional attack vectors.<span>  </span>The IT security space is constantly expanding ever further beyond the proverbial firewall, and evolving by running adaptation to meet multiple generations of threat at a time.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">A BYOD policy that addresses and covers the above points in sufficient depth and detail can still be and remain relevant, and protect both the employer and the employer’s data while educating the workforce.<span>  </span>But, this schema is by no means presented or intended as the last word, because change is a pure constant.</span></p>
<p class="MsoNormal">************************************************************************</p>
<p class="MsoNormal" style="text-align:justify;"><span style="text-decoration:underline;"><span style="font-family:'Times New Roman', 'serif';">Author</span></span><span style="font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and <i>GRC</i> – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.<span>  </span>He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). <i>Please See</i>: </span><a href="http://www.ogalaws.com/"><span style="font-family:'Times New Roman', 'serif';color:blue;">http://www.ogalaws.com</span></a></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.<span>  </span><i>Please See</i>: </span><a href="http://www.simprime-ca.com/"><span style="font-family:'Times New Roman', 'serif';color:blue;">http://www.simprime-ca.com</span></a></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law &amp; Policy (National Security aspects).</span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic <i>IMPRIME</i> Consulting &amp; Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.</span></b></p>
<p><b><i><span style="text-decoration:underline;"><span style="font-size:11pt;font-family:'Times New Roman', 'serif';">This article does not constitute legal advice or create any lawyer-client relationship.</span></span></i></b></p>
<div>
<hr align="left" size="1" width="33%" />
<div id="ftn1">
<p class="MsoFootnoteText"><a title="" href="#_ftnref1" name="_ftn1">[1]</a> <i>See e.g.</i> DoD IG Audit Report: DODIG-2013-060.<span>  </span><i>Information Assurance, Security, and Privacy: Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices</i>.<span>  </span>Published by United States Department of Defense, March 26, 2013, on dodig.mil.<span>  </span>Online: &gt;<a href="http://www.dodig.mil/pubs/report_summary.cfm?id=5082">http://www.dodig.mil/pubs/report_summary.cfm?id=5082</a>&lt;</p>
</div>
<div id="ftn2">
<p class="MsoFootnoteText"><a title="" href="#_ftnref2" name="_ftn2">[2]</a> Open source elements and compilations should always be used with caution, as licensing protocols will differ.</p>
</div>
<div id="ftn3">
<p class="MsoFootnoteText"><a title="" href="#_ftnref3" name="_ftn3">[3]</a> SafeNet.<span>  </span><i>A New Security Reality: The Secure Breach</i>.<span>  </span>Published in 2013, on safenet-inc.com.<span>  </span>Online: &gt;<a href="http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf">http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf</a>&lt;<span>  </span></p>
</div>
<div id="ftn4">
<p class="MsoFootnoteText"><a title="" href="#_ftnref4" name="_ftn4">[4]</a> Shaun Waterman – The Washington Times.<span>  </span><i>Selling state secrets to North Korea? Japan sold hi-tech ship without wiping data</i>.<span>  </span>Published April 29, 2013, on washingtontimes.com.<span>  </span>Online: &gt;<a href="http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/%3c">http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/</a>&lt;<span>  </span></p>
</div>
<div id="ftn5">
<p class="MsoFootnoteText"><a title="" href="#_ftnref5" name="_ftn5">[5]</a> Amar Toor.<span>  </span><i>NASA Accidentally Sells Off Computers With Sensitive Data</i>. <span> </span>Published December 8, 2010 on switched.com.<span>  </span>Online: &gt;<a href="http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/">http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/</a>&lt;<span>  </span></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/05/21/byod-policy-with-trust-or-ignore-and-bust-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec.</title>
		<link>http://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/</link>
		<comments>http://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/#comments</comments>
		<pubDate>Thu, 16 May 2013 02:44:16 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[disgruntled employee hacks back in]]></category>
		<category><![CDATA[IT change of control]]></category>
		<category><![CDATA[onboarding and offboarding]]></category>
		<category><![CDATA[segregation of duties]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=516</guid>
		<description><![CDATA[The story recently broke of an employee (former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed-over for promotions, which led to his resignation in December, 2011; with a final day of work in January, 2012.[1]  According to a Criminal Complaint in [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>The story recently broke of an employee (former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed-over for promotions, which led to his resignation in December, 2011; with a final day of work in January, 2012.<a title="" href="#_ftn1" name="_ftnref1"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:11pt;font-family:'Times New Roman', 'serif';">[1]</span></span></span></a>  According to a Criminal Complaint in the incident as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “<i>one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently</i>”,<a title="" href="#_ftn2" name="_ftnref2"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:11pt;font-family:'Times New Roman', 'serif';">[2]</span></span></span></a> showing just how much free system access he really had.  The estimate puts a cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or inability to do anything more destructive or wide-ranging due to security impediments.</p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">On to the questions:</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span class="comment-body"><span style="font-family:'Times New Roman', 'serif';">1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee? </span></span></p>
<p class="MsoNormal" style="text-align:justify;"><span class="comment-body"><span style="font-family:'Times New Roman', 'serif';">2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!</span></span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Bob<a title="" href="#_ftn3" name="_ftnref3"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:11pt;font-family:'Times New Roman', 'serif';">[3]</span></span></span></a> was an “<i>ongoing insider</i>”.  The current accused is therefore a “<i>former insider</i>” and not a “<i>pure outsider</i>”, if looking at the situation from a purist perspective.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';"> </span></p>
<p><span class="comment-body"><span style="font-family:'Times New Roman', 'serif';">There is a sometimes quite intense ongoing debate on whether outside threats or inside threats are greater; but both sides of the debate, and naysayers who disdain such reductionism <i>per se</i> or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside the firewall/outside the firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving <span style="text-decoration:underline;"><em>buy-in</em></span> to the need for security protocols and adherence thereto at all levels of the organization; (b) you <em><span style="text-decoration:underline;">budget accordingly</span></em> for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce <em><span style="text-decoration:underline;">best practices</span></em>, even when it makes (for some) their accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.<br />
</span></span></p>
<p class="MsoNormal" style="text-align:justify;"><span class="comment-body"><span style="font-family:'Times New Roman', 'serif';">The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.</span></span></p>
<p><span style="font-family:'Times New Roman', 'serif';">**********************************************************</span></p>
<p class="MsoNormal"><span style="text-decoration:underline;"><span style="font-family:'Times New Roman', 'serif';">Author</span></span><span style="font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  <i>Please See</i>: </span><a href="http://www.ogalaws.com"><span style="font-family:'Times New Roman', 'serif';color:blue;">http://www.ogalaws.com</span></a></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  <i>Please See</i>: </span><a href="http://www.simprime-ca.com/"><span style="font-family:'Times New Roman', 'serif';color:blue;">http://www.simprime-ca.com</span></a></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-family:'Times New Roman', 'serif';">Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).</span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-family:'Times New Roman', 'serif';">Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting &amp; Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.</span></b></p>
<p class="MsoNormal" style="text-align:center;" align="center"><b><i><span style="text-decoration:underline;"><span style="font-family:'Times New Roman', 'serif';">This article does not constitute legal advice or create any lawyer-client relationship.</span></span></i></b></p>
<div>
<hr align="left" size="1" width="33%" />
<div id="ftn1">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[1]</span></span></span> Mosi Secret.  <i>Ex-Worker Created Havoc With Hacking, U.S. Says</i>.  Published by The New York Times on nytimes.com, May 2, 2013.  Online: &gt;<a href="http://www.nytimes.com/2013/05/03/nyregion/ex-programmer-pleads-not-guilty-in-long-island-computer-hacking-case.html?_r=0&amp;adxnnl=1&amp;goback=.gde_1864210_member_238092418&amp;adxnnlx=1367770722-HJ313lwkhryqnKSNK09oJA&amp;pagewanted=print">http://www.nytimes.com/2013/05/03/nyregion/ex-programmer-pleads-not-guilty-in-long-island-computer-hacking-case.html?_r=0&amp;adxnnl=1&amp;goback=.gde_1864210_member_238092418&amp;adxnnlx=1367770722-HJ313lwkhryqnKSNK09oJA&amp;pagewanted=print</a>&lt;</p>
</div>
<div id="ftn2">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[2]</span></span></span> Federal Bureau of Investigation (FBI).  <i>Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer</i>.  Published by the FBI on fbi.gov, May 2, 2013.  Online: &gt;</p>
<p class="MsoFootnoteText"><a href="http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer">http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer</a>&lt;</p>
</div>
<div id="ftn3">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[3]</span></span></span> Ekundayo George.  <i>Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”</i>.  Published January 17, 2013, on ogalaws.com.  Online: &gt;<a href="http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/">http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/</a>&lt;</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Tweaking Regulation FD for the social media age &#8211; is it time for a fuller Restatement?</title>
		<link>http://ogalaws.wordpress.com/2013/04/24/tweaking-regulation-fd-for-the-social-media-age-is-it-time-for-a-fuller-restatement-2/</link>
		<comments>http://ogalaws.wordpress.com/2013/04/24/tweaking-regulation-fd-for-the-social-media-age-is-it-time-for-a-fuller-restatement-2/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 01:46:18 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Securities Regulation]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[AP tweet hacked]]></category>
		<category><![CDATA[best practices "hashtags" disclosure rules]]></category>
		<category><![CDATA[disclosing material nonpublic information]]></category>
		<category><![CDATA[Fake White House bomb tweet]]></category>
		<category><![CDATA[Netflix SEC Regulation FD]]></category>
		<category><![CDATA[Regulation Fair Disclosure Restatement]]></category>
		<category><![CDATA[Regulation FD for social media]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=500</guid>
		<description><![CDATA[In August, 2000, the United States Securities and Exchange Commission (the “Commission”) first published Regulation FD (17 C.F.R. §243.100 et seq.),[1] which read in pertinent part, that: (a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph [&#8230;]]]></description>
				<content:encoded><![CDATA[
<p>In <b>August, 2000</b>, the United States Securities and Exchange Commission (the “Commission”) first published Regulation FD (17 C.F.R. §243.100 et seq.),<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[1]</span></sup></sup> which read in pertinent part, that:</p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e): </span></i></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt 1.5in;"><a name="a_1"></a><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Simultaneously, in the case of an intentional disclosure; and</span></i></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt 1.5in;"><a name="a_2"></a><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) Promptly, in the case of a non-intentional disclosure.<sup><b><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[2]</span></sup></b></sup>  (Emphasis added)</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">In <b>August, 2008</b>, the Commission issued guidance that permitted the above disclosures to be made through company websites,<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[3]</span></sup></sup> with certain caveats and conditions.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Recently, on <b>April 2, 2013</b>, the Commission has again taken a step to address the advancements of (not so new anymore) media in allowing publicly-traded companies and other issuers to disclose material nonpublic information through the Facebook and Twitter<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[4]</span></sup></sup> social networking channels.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[5]</span></sup></sup></span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“We do not wish to inhibit the content, form, or forum of any such disclosure, and we are mindful of placing additional compliance burdens on issuers.  In fact, we encourage companies to seek out new forms of communication to better connect with shareholders”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[6]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Here now, we have a treble conundrum – (a) what is the order of precedence of the many “forms of communication” or channels now available to issuers for such information releases; (b) which channels will each issuer even use; and (c) will/should there be any distinction in channels used by any issuer or any group or industry of issuers, for releases of different types of information?</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“We believe that company disclosure should be more readily available to investors in a variety of locations and formats to facilitate investor access to that information. […] A company’s website is an obvious place for investors to find information about the company, and a substantial majority of large public companies already provide access to their Commission filings through their websites”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[7]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">It therefore behooves the Commission to now go a little bit further in mandating that issuers – (a) define such an ordering or precedence of channels; (b) state which channels that they will use; and (c) address any distinctions in channel use for releases of different types of information.  Such mandate or guidance would better fit Regulation FD to the times and accord with the Commission ethos on disclosure, generally, and social media, specifically.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <b><span style="text-decoration:underline;">Currently Available Channels.</span></b></span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">In no particular order, I count 22 (“twenty-two”) channels through which issuers can make statements or otherwise regularly or occasionally disseminate information; whether or not material or public.  These are Blogs, Press Releases, Annual Reports, interim Regulatory Filings, Websites, RSS feeds, email alerts, sms/texts, Facebook, YouTube, Twitter, Teleconferences, Webinars, News Conferences, EDGAR, Annual Shareholder Meetings, and Electronic Shareholder Forums.  The foregoing number 17, and so the remaining 5 (“five”) channels will be introduced and described in more detail, below.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <b><span style="text-decoration:underline;">Suggested Macro-level (group) Ordering.</span></b></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">I would start by organizing these channels into 3 (“three”) groups:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) a <span style="text-decoration:underline;">Static Foundational group</span> (SF) of 4 channels – where information once placed, is generally there for the duration, and the medium can also serve as a repository for prior releases of information.  The four items here, would be the issuer’s <i>main Website</i> (with or without an attached static blog), the issuer’s <i>main Facebook page</i> (whether or not interactive), <i>EDGAR</i> (publicly accessible, United States Securities and Exchange Commission’s “Electronic Data Gathering, Analysis and Retrieval” system for issuer filings), and the issuer’s <i>Annual Reports</i> (which once released with their audited financial statements, are seldom amended or re-stated without very good cause);</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) a <span style="text-decoration:underline;">Live Regulated group</span> (LR) of 6 channels – where the speakers are known and often seen, and the format is often interactive.  This includes the <i>Teleconference</i> (such as one with market Analysts), the <i>Webinar</i>, the <i>News Conference</i> (whether strictly for media or for all comers), the <i>Annual Shareholder Meeting</i>, and interactive <i>Electronic Shareholder Forums</i>.  A sixth channel in this group is the <i>interim Regulatory Filing</i>.  Although not interactive and possessing qualities of the SF group, interim Regulatory Filings can be more easily amended and can be either regular or irregular in their appearance, as per the specific filer or the industry of the filer.  I place them here because even though they are non-interactive, they are more “live regulated” than “static foundational”; similarly, Electronic Shareholder Forums are both interactive and virtual, but still highly regulated under applicable Securities Laws;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) a <span style="text-decoration:underline;">Virtual Responsibility group</span> (VR) of 7+5 channels – where the speaker, author, or poster can be anyone specifically or apparently authorized to speak by or on behalf of the issuer, the audience is not restricted to persons with a direct interest in the issuer or the business of the issuer, and the consequences for material mis-statements or intentionally and misleadingly incomplete disclosures can be broad, international, and damaging in the extreme.  Despite these dangers, the medium is virtual and may potentially “go viral” with a quickness, and so self-regulation and corporate responsibility are more the norm.  This group includes <i>Twitter</i> (with a current character limit that cannot possibly accommodate both the message and all necessary and advisable disclaimers), <i>YouTube</i> (where hundreds of thousands, or even millions of “hits”/“views” can precede adult supervision and removal of the content in question), interactive or standalone <i>blogs</i>, <i>RSS feeds</i>, <i>email alerts</i>, <i>sms/texts</i>, and print or electronic <i>Press Releases</i>.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">The five remaining VR channels in an “EVR” sub-category, standing for “Enhanced” or heightened responsibility, are “C-suite” outlets, being:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) 2 channels in SF-C (<i>personal Facebook pages</i> and <i>personal websites</i>);</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) 2 channels in VR-C (<i>personal Twitter accounts</i>, and <i>personal blogs</i>);</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) 1 grouped channel in LR-C (<i>book signings, CEO roundtables, economic fora, and outside and often-unscripted and unaccompanied conferences and other speaking engagements</i>).</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <b><span style="text-decoration:underline;">Suggested Micro-level (specific) Ordering?</span></b></span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">There appears to be good Commission precedent, indeed a preference, for using multiple sites, or ranking multiple channels as <i>“recognized channels of distribution”</i> for the dissemination of information.  As stated in the 2008 interpretive guidance on use of issuer websites:</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“[…] where disclosure of information is required under the Exchange Act, we have allowed companies to make such information available to investors on their web sites with their web sites serving, depending on the circumstance, as a supplement to EDGAR, as an alternative to EDGAR, or as a stand-alone method of providing information to investors independent of EDGAR”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[8]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Hence, on one interpretation of this sentence, so long as there is a central or reference site as a recognized channel on which the data is publicly posted and accessible, the data can also be posted elsewhere, on other similarly recognized channel(s) “reasonably designed to provide broad, non-exclusionary distribution of the information to the public”.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[9]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <span style="text-decoration:underline;">REFERENCE SITE</span> (Static Foundational):</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">For reference sites, I would suggest that co-equality be given to EDGAR, the issuer’s main website, and the issuer’s main Facebook page.  In this way, any or all could be used, deemed, and construed as categorically authoritative.  EDGAR, due to the regulatory filings made there; the issuer’s main website, due to its centrality and expected diligent maintenance; and the issuer’s main Facebook page, due to its popularity as a means to engage in 2-way communication with shareholders, customers, and the public at large.  This triple redundancy also covers for instances where either or both of EDGAR and the issuer’s main website may be inaccessible due to maintenance or unwanted intrusion, in which event a Facebook alert might be speedily issued and significant information releases in the interim period would rapidly there migrate; with the corollary for the issuer’s main website when both EDGAR and Facebook are unavailable.  Of course, issuers will need to ensure that their Facebook pages are pre-set to be fully open and accessible, including for those page visitors who are not Facebook subscribers – as there are still some people who have yet to sign-up, or who were signed-up but have now left.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">The Commission notes that issuers with large Analyst followings and market capitalizations may need to do little to alert the market to new postings on their websites, which will be rapidly picked up and disseminated by the financial press, but that those issuers with less of a following or market capitalization “may need to take more affirmative steps so that investors and others know that information is or has been posted on the company’s web site and that they should look at the company web site for current information about the company”.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[10]</span></sup></sup>  As an example for purposes of this proposal and comment, that might be a blog post, email alert, RSS feed, or tweet (in the VR group) detailing and alerting to the material as already posted on that issuer’s main website; or perhaps a teleconference, news conference, or interim regulatory filing (in the LR group) undertaking to post the materials on the issuer’s main website or another Reference Site at or by a set date and time.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">In the words of the Commission:</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“If the information is important, companies should consider taking additional steps to alert investors and the market to the fact that important information will be posted – for example, prior to such posting, filing or furnishing such information to us or issuing a press release with the information. Adequate advance notice of the particular posting, including the date and time of the anticipated posting and the other steps the company intends to take to provide the information, will help make investors and the market aware of the future posting of information, and will thereby facilitate the broad dissemination of the information”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[11]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <span style="text-decoration:underline;">VIRTUAL</span> (Virtual Responsibility, and Enhanced Virtual Responsibility):</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">It is important to state that blogs were specifically in the contemplation of the Commission when the 2008 guidance was issued, with the Commission opining at note 60, that <i>“[f]or purposes of Regulation FD, a posting on a blog, by or on behalf of the company, would be treated the same as any other posting on a company&#8217;s web site. The company would have to consider the factors outlined above to determine if the blog posting could be considered “public””</i>.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[12]</span></sup></sup>  A blog may highlight additional data on the Reference Site with appropriate wording, but a tweet will need to be very narrowly-tailored as a mere “tombstone” announcement or pointer arrow, in order to avoid attendant liability for omission of material facts in electronic and other disclosures under antifraud and related provisions of the Securities Act (1933), the Securities Exchange Act (1934) and their related Rules and Regulations as amended; and other applicable laws.  So long as the URL is correctly referenced by that tweet, then there should be no misstatement of material fact.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">In addition, the Commission was already considering the use of CEO blogs as far back as 2000, when it wrote: <i>“Company-sponsored “blogs,” which can include CEO blogs and investor relations blogs, among others, are recent additions to company web sites”</i>.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[13]</span></sup></sup>  The argument can therefore be made that based on this earlier guidance, a CEO blog with a large subscription base is analogous to an issuer’s main blog, and that a CEO Facebook page with a similarly large subscriber base is also akin to the issuer’s main Facebook page.  Hence, rather than competing, each may be considered and treated as a <i>“recognized channel of distribution”</i> in this VR group.  The Commission did not explicitly state or imply this reasoning, but from a cumulative reading of their guidance and a review of the specific facts of the Netflix Investigation, such an argument if made today, should certainly have strong merit.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <span style="text-decoration:underline;">LIVE</span> (Live Regulated):</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">As stated earlier, the speakers at a news conference or at an annual shareholders’ meeting are always seen, and very often quite well-known to the audience.  So too, the corporate author of an interim regulatory filing is easily discernible – even if the document is filed by accountants, auditors, or legal counsel.  Things can be a little different with electronic shareholder forums, where nobody is seen or heard – but their words are; with teleconferences, where the speaker is a disembodied voice; and with webinars, where audience members may or may not know enough about the presenters to be able to put a name to a face.  However, due to their very public nature and the likelihood that anything or everything said will be rapidly analyzed and acted-upon by investors, all of these live instances are tightly regulated when involving issuers.  There are legal and commonsense limits on: (i) what may be said that is not certain (speculation and inaccuracy); (ii) what may be predicted that is not guaranteed (earnings estimates and guidance, whether qualitative or quantitative); (iii) work or negotiations recently commenced or in progress (contract negotiations that may or may not close, significant milestones projected or reached, and significant contracts or other engagements secured); and (iv) the type and extent of disclaimers that must accompany forward-looking data, in general.  Thanks to the open-access that members of the public have to EDGAR, interim regulatory filings can also be picked-up, analyzed, and acted-upon quite rapidly.  
As a result, the importance of ensuring that information publications and disseminations in all channels of this group are accompanied by one or more of (a) alerts to their release; or (b) timely publication and dissemination of the same actual information through either or both of the other channel groups (SF or VR), is shown here with the greatest of clarity.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">            <span style="text-decoration:underline;">Channel Disclosure Sequencing</span>:</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Now, knowing what is where, let us consider the following relationship matrix for this schema.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<table class="MsoNormalTable" style="border-collapse:collapse;" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">SF</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">LR</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">VR</span></p>
</td>
</tr>
<tr>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">First Disclosure</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
</td>
</tr>
<tr>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">SF</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">1</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
</tr>
<tr>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">LR</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">1</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
</tr>
<tr>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">VR</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">2=</span></p>
</td>
<td style="width:95.75pt;padding:0 5.4pt;" valign="top" width="128">
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">1</span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Following this sequencing table:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) Where information is first disclosed in a Static Foundational (SF) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should be disclosed, in either or both of a Live Regulated (LR) channel and a Virtual Responsibility (VR) channel (including the three Enhanced Virtual Responsibility channels).</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) Where information is first disclosed in a Live Regulated (LR) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should be disclosed, in either or both of a Static Foundational (SF) channel and a Virtual Responsibility (VR) channel (including the three Enhanced Virtual Responsibility channels).</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) Where information is first disclosed in a Virtual Responsibility (VR) Channel (whether or not “Enhanced”), alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should also be disclosed, in either or both of a Static Foundational (SF) channel and a Live Regulated (LR) channel.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Each case must be judged on its own merits, as the Commission so rightly states.  However, with the ability to interlink and cross-post or simul-post on social media accounts, it is not impossible for a Facebook or blog-happy C-Suite member to simultaneously or shortly thereafter tweet a quick link of the posting that can be caught by and posted on, the issuer’s main website, blog, or Facebook page – with or without an added human intermediary, but hopefully with prior clearance as to both postings, by the IR Director and legal counsel.  However, if a selective (VR tweet) disclosure of material non-public information follows a selective (webinar Q&amp;A or other unscripted LR) disclosure of the same, then the third SF group (Form 8-K in EDGAR, the issuer main website, and the issuer main Facebook page) will remain open for a corrective and “public” disclosure within the prescribed time limits, before greater liabilities and penalties can accrue.</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“Indeed, one of the key benefits of the Internet is that companies can make information available to investors quickly and in a cost-effective manner”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[14]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">It is notable that a number of print media houses are transitioning fully or preferably to an online format, making the speed at which they can issue story updates (and analyst updates in the financial press) as gleaned from issuer sources and sites, that much faster.  In addition, a tweet or a Facebook update costs practically nothing, financially, and the effort with the limited character content of the former, is negligible.  However, to follow-up on that short message, can be quite a challenge at times.  The speed of dissemination advantage for the disseminator, should not come at the expense of public convenience, or lead to confusion in that investors cannot determine where to look first, or where to look for the most definitive and most frequently and recently updated statement of a relevant situation, or guidance on an issuer’s financial position.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Channel Usage and Ranking for Disclosures</span></span><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“We emphasize for issuers that the steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, non-public information, including the social media channels that may be used and the types of information that may be disclosed through these channels, are critical to the fair and efficient disclosure of information. Without such notice, the investing public would be forced to keep pace with a changing and expanding universe of potential disclosure channels, a virtually impossible task”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[15]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">As the Commission had so rightly concluded, in order for this schema to function properly (i.e. to avoid forcing the investing public to spend time scrambling through channels in search of that information, while missing opportunities), issuers and non-issuers alike will need to state which of the 22 channels they will regularly use for their material and general disclosures in the three channel categories, in what order those channels might best be consulted, and which types of regulated information will be disseminated on which disclosure channels.  This sounds complicated, but categorizing the universe of potential regulated information – both day-to-day and for special situations, will likely assist.  I would propose just four such non-exhaustive categories of regulated information: (1) Availability of channels; (2) Market financial data; (3) Pending, planned, or public events; and (4) Significant public announcements.  To avoid repetition, these will be defined further in the below draft format of a re-stated Regulation FD.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><b><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Collective “<i>hashtags</i>” Rules for these 22 Channels.</span></span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">In order to work towards steady compliance with the various standards that may be applicable to the making of statements, generally, and information management in particular (always consult legal counsel for your specific situation and jurisdiction), entities – issuers and non-issuers alike, might further consider the <i>“hashtags”</i> rules, which read as follows.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">H</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-ardware and bandwidth</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> considerations and ERP should be tailored to such factors as issuer market capitalization, number of shareholders, and likelihood of an event that might precipitate a spike in web traffic;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">A</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-ccess and acceptance logs</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> (with periodic counts and inventory of linkers, likers, subscribers, and followers and so forth), to show the degree to which a site is accessed by investors, the markets, and the media (all being and remaining subject to the <i>“do not track me”</i>, or <i>“please forget me”</i>, and other such evolving digital rights that may butt against it), may also be desirable to establish and maintain;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">S</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-tructure, Sincerity, and Security</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">, means that the policies and procedures at the issuer should be designed to ensure: (i) <i><span style="text-decoration:underline;">Structure</span></i> &#8211; appropriate disclosure controls and procedures should be in place and enforced, and only certain persons should be authorized and trained to release information and represent the issuer online, and monitored and re-trained as needed on an ongoing basis; (ii) <i><span style="text-decoration:underline;">Sincerity</span></i> &#8211; facts and figures should not be released unless verifiable or otherwise justifiable, and positions should not be taken that are subject to serious challenge as insincere or in violation of applicable securities or other law; and (iii) <i><span style="text-decoration:underline;">Security</span></i> &#8211; significant care should be taken to guard against hacking and spoofing, hijack, DDoS attack and the like, as well as premature or inappropriate information release, the posting of damaging messages by activists<span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[16]</span></span></span> or disgruntled employees as purportedly from the issuer, or other lapse or mishap;</span></p>
<p class="MsoNormal" style="text-align:justify;margin:0 1in .0001pt;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“Since all communications made by or on behalf of a company are subject to the antifraud provisions of the federal securities laws, companies should consider taking steps to put into place controls and procedures to monitor statements made by or on behalf of the company on these types of electronic forums”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[17]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">H</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-yperlinks</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> should be: (i) avoided if to information an issuer knew or should have known was materially false or misleading; and (ii) otherwise used with linking explanations or rationales, responsibility disclaimers (to the extent a linking issuer wasn’t involved or “<span style="text-decoration:underline;">entangled</span>” in the preparation of the linked information), content disclaimers (to the extent a linking issuer does not explicitly or implicitly endorse, approve, or otherwise “<span style="text-decoration:underline;">adopt</span>” the linked information), and (iii) if possible, exit notices or standalone intermediate screens preceding access to linked data offsite;<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[18]</span></sup></sup></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">T</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-raditional channels and Talking-points</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">, means that the issuer should continue to use traditional channels alongside social media channels, in order to: (i) properly control and coordinate its Public Relations and Investor Relations (PR/IR) functions; (ii) maintain consistency of message, brand, and information release procedures across all channels used; and (iii) retain the capacity and credibility to speedily correct erroneous information released, and make the necessary subsequent public releases, following the intentional or inadvertent release of material nonpublic information.<sup><sup><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[19]</span></sup></sup>  Failure to maintain use of traditional channels may subject an issuer to allegations of discrimination or lack of notice by those “non-avid” new media users, or those who prefer primary reliance on print and broadcast media for their news &amp; current affairs;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">A</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-lways date</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">- (and where advisable, also time-) stamp new releases, or as “last modified”; and archive older material separately, but in searchable or browsable format, so as to avoid any confusion regarding the precedence of the data and statements contained therein, and to maintain safe harbor protections against re-publication of previously published and posted (historical) materials or statements – absent some “affirmative restatement or reissuance” of same, which may invoke antifraud legal proscriptions and an affirmative duty to clarify and/or update them;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">G</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-enerate distance</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">, always, from third-party posts and statements in online and interactive fora such as Shareholder fora, especially mis-statements; and always remind other participants that silence does not equate to agreement, consent, or endorsement, and of the forum’s terms of use (which should never precondition usage on participant waiver of their securities law protections);</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">S</span></span></i></b><b><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">-ummaries, Propriety, Overviews, and Tombstones</span></i></b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">, means that each and all of these should be appropriately delineated as such (with titles, added explanatory language and terms, or website placement and display in close proximity to hyperlinks to the underlying material, where appropriate), and clear directions to readers on where and how to access the underlying information on which they are based.  In addition, the propriety (of content, manner, and timing) should always be vetted prior to release in seeking the advice of counsel, which is an indicium of good faith and best efforts in attempting compliance with Regulation FD; and any other data necessarily disclosed so as to make those summaries not materially misleading, confusing, or incomplete, should be disclosed with the release, or timely thereafter with prior notice to expect it – especially (if possible) within the limited character sets of tombstone releases via Twitter.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">A Restated Regulation FD, as re-vamped per the above considerations, may well resemble the following markup:</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">*************************************************</span></p>
<p class="MsoNormal"><b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">§ 243.100 General rule regarding selective disclosure. </span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101<i><span style="text-decoration:underline;">(k).</span></i>  <s>(e)</s>: </span></p>
<p class="MsoNormal" style="text-align:justify;"><s><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Simultaneously, in the case of an intentional disclosure; and </span></s></p>
<p class="MsoNormal" style="text-align:justify;"><s><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) Promptly, in the case of a non-intentional disclosure</span></s><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">. </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(b) </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_1"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Except as provided in paragraph (b)(2) of this section, paragraph (a) of this section shall apply to a disclosure made to any person outside the issuer: </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_1_i"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) Who is a broker or dealer, or a person associated with a broker or dealer, as those terms are defined in Section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_1_ii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) Who is an investment adviser, as that term is defined in Section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(11)); an institutional investment manager, as that term is defined in Section 13(f)(6) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(f)(6)), that filed a report on Form 13F (17 CFR 249.325) with the Commission for the most recent quarter ended prior to the date of the disclosure; or a person associated with either of the foregoing. For purposes of this paragraph, a “person associated with an investment adviser or institutional investment manager” has the meaning set forth in Section 202(a)(17) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(17)), assuming for these purposes that an institutional investment manager is an investment adviser; </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_1_iii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) Who is an investment company, as defined in Section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3), or who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) thereof, or an affiliated person of either of the foregoing. For purposes of this paragraph, “affiliated person” means only those persons described in Section 2(a)(3)(C), (D), (E), and (F) of the Investment Company Act of 1940 (15 U.S.C. 80a-2(a)(3)(C), (D), (E), and (F)), assuming for these purposes that a person who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) of the Investment Company Act of 1940 is an investment company; or </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_1_iv"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iv) Who is a holder of the issuer&#8217;s securities, under circumstances in which it is reasonably foreseeable that the person will purchase or sell the issuer&#8217;s securities on the basis of the information. </span></p>
<p class="MsoNormal"><a name="b_2"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) Paragraph (a) of this section shall not apply to a disclosure made: </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_i"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) To a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_ii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) To a person who expressly agrees to maintain the disclosed information in confidence; </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) In connection with a securities offering registered under the Securities Act, other than an offering of the type described in any of Rule 415(a)(1)(i) through (vi) under the Securities Act (§ 230.415(a)(1)(i) through (vi) of this chapter) (except an offering of the type described in Rule 415(a)(1)(i) under the Securities Act (§ 230.415(a)(1)(i) of this chapter) also involving a registered offering, whether or not underwritten, for capital formation purposes for the account of the issuer (unless the issuer&#8217;s offering is being registered for the purpose of evading the requirements of this section)), if the disclosure is by any of the following means: </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_A"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(A) A registration statement filed under the Securities Act, including a prospectus contained therein; </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_B"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(B) A free writing prospectus used after filing of the registration statement for the offering or a communication falling within the exception to the definition of prospectus contained in clause (a) of section 2(a)(10) of the Securities Act; </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_C"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(C) Any other Section 10(b) prospectus; </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_D"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(D) A notice permitted by Rule 135 under the Securities Act (§ 230.135 of this chapter); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_E"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(E) A communication permitted by Rule 134 under the Securities Act (§ 230.134 of this chapter); or </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="b_2_iii_F"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(F) An oral communication made in connection with the registered securities offering after filing of the registration statement for the offering under the Securities Act. </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[65 FR 51738, Aug. 24, 2000, as amended at 70 FR 44829, Aug. 3, 2005; 74 FR 63865, Dec. 4, 2009; 75 FR 61051, Oct. 4, 2010; 76 FR 71877, Nov. 21, 2011]</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">§ 243.101 Definitions.</span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">This section defines certain terms as used in Regulation FD (§§ 243.100-243.103).</span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="a"></a><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(a) Availability of channels.  “Availability of channels”, means with regard to any or all of the channels identified and defined under this § 243.101 wherein material nonpublic information and general company information may be discussed or disclosed, their status as available to the public for access, attendance, and consultation along with any restrictions or pre-conditions, or reasons for their non-availability to the extent it is known and/or prudent, with projected timelines for resumption of availability.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(b) Categories of regulated information.  “Categories of regulated information” as defined under this § 243.101, collectively and individually means, as described herein:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Availability of channels.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) Market financial data.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(3) Pending, planned or public events.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(4) Significant public announcements.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(c) Channels.  “Channels”, collectively and individually means:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) A static foundational group, including as of or by the entity, a corporate website, a corporate blog, an annual report, and the Commission’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) A live and regulated group, including as of or by the entity, any teleconference, webinar, news conference, annual shareholder meeting, electronic shareholder forum, or interim regulatory filing including restatements of interim and annual reports, that occurs between annual reports.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(3) A virtual responsibility group, including Twitter, YouTube, blogs, RSS feeds, email alerts, sms/texts, and print or electronic press releases.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(4) An enhanced virtual responsibility group, including as of or by the entity, any twitter account, blog, Facebook page, or personal website of a senior official or so closely identified with a senior official by sufficient members of the public to require its inclusion here, as well as any senior official book signing, roundtable, economic forum, or outside conference or speaking engagement.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Note (channels):</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">The Commission recognizes and notes that this listing is not exhaustive and remains subject to change with existing and developing technologies and business practices, and company Boards of Directors are encouraged to use their own business judgment in assessing which additional channels they will place in these above categories either as and when they appear or occur or arise, or before they appear or occur or arise.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(d) Channel usage and ranking for disclosures.  “Channel usage and ranking for disclosures”, shall mean the listing by an issuer of which of the channels identified herein it shall use for disclosing both general information and categories of regulated information, as well as for making general communications to investors, consumers, the markets and the public.  This listing shall be accompanied by a ranking of where to look first, second, third, and so forth, in issuers’ crafting and maintenance of systems that are reasonably designed to provide broad, non-exclusionary distribution of information to the public.  Such a channel usage and ranking for disclosures will prevent investing and other interested members of the public from having to scramble through multiple channels as defined herein, in search of critical and  time-sensitive categories of regulated information that others can more easily find and use to guide their decision-making.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(e)</span></span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> <s>(a)</s> <i>Intentional</i>. A selective disclosure of material nonpublic information is “intentional” when the person making the disclosure either knows, or is reckless in not knowing, that the information he or she is communicating is both material and nonpublic.</span></p>
<p class="MsoNormal"><a name="b"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(f)</span></span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> <s>(b)</s> <i>Issuer</i>. An “issuer” subject to this regulation is one that has a class of securities registered under Section 12 of the Securities Exchange Act of 1934 (15 U.S.C. 78l), or is required to file reports under Section 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(d)), including any closed-end investment company (as defined in Section 5(a)(2) of the Investment Company Act of 1940) (15 U.S.C. 80a-5(a)(2)), but not including any other investment company or any foreign government or foreign private issuer, as those terms are defined in Rule 405 under the Securities Act (§ 230.405 of this chapter). </span></p>
<p class="MsoNormal"><a name="c"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(g) Long weekend.  “Long weekend”, shall mean a weekend that due to a fixed or floating celebration or holiday or festive event recognized as a United States federal holiday, is at least 3 (“three”) days in length to add a Friday or a Monday or both, and during the full business days or the partial business days of which long weekend any 2 (“two”) of the New York Stock Exchange (NYSE) for all physically-traded securities, the National Association of Securities Dealers Automated Quotation (NASDAQ) system for securities of issuers regulated by the Commission, and the Chicago Board Options Exchange (CBOE) for all trading activities, are closed for business.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(h) Market financial data.  “Market financial data” means any earnings, financial projections and data, any changes to earnings or financial projections and data, any significant or notifiable trades or movements in the securities or instruments of the entity, and any and all regulatory filings with the United States Securities and Exchange Commission (SEC) or other domestic or foreign body of the same or similar competence.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) Pending, planned, and public events.  “Pending, planned, and public events” means any meeting of the Board of Directors or Shareholders, any public appearance or speaking engagement of a senior official of the entity as defined under this § 243.101, where material information may be discussed or disclosed (which engagement’s initial notification and the eventual attendance of persons may be conditioned on appropriate security considerations, advisories, and precautions), any real or virtual meeting with Analysts, any teleconference or press conference, any meeting of shareholders, and any other happening, prior to its happening, that the entity wishes to publicize or is required to publicize, subject to appropriate security considerations, advisories, and precautions.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(j)</span></span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> <s>(c)</s> Person acting on behalf of an issuer. “Person acting on behalf of an issuer” means any senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer&#8217;s investment adviser), or any other officer, employee, or agent of an issuer who regularly communicates with any person described in § 243.100(b)(1)(i), (ii), or (iii), or with holders of the issuer&#8217;s securities. An officer, director, employee, or agent of an issuer who discloses material nonpublic information in breach of a duty of trust or confidence to the issuer shall not be considered to be acting on behalf of the issuer. </span></p>
<p class="MsoNormal"><a name="d"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><s><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(d) Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day&#8217;s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer&#8217;s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic. </span></s></p>
<p class="MsoNormal"><a name="e"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(k)</span></span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> <s>(e)</s> Public disclosure. </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="e_1"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Except as provided in paragraph <del>(e)</del> <span style="text-decoration:underline;">(k)(3) and paragraph (k)(4)</span> of this section, an issuer shall make the “public disclosure” of information required by § 243.100(a) by furnishing to or filing with the Commission a Form 8-K (17 CFR 249.308) disclosing that information. </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="e_2"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) An issuer shall be exempt from the requirement to furnish or file a Form 8-K if it instead disseminates the information through another method (or combination of methods) of disclosure <i><span style="text-decoration:underline;">in accordance with its channel usage and ranking for disclosures and section (k)(3) or (k)(4), as appropriate,</span></i> that is reasonably designed to provide broad, non-exclusionary distribution of the information to the public.</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Intentional Disclosures.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><a name="f"></a><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(3) Where the issuer becomes aware that material non-public information has been intentionally disclosed as defined in § 243.100(a), the issuer shall:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) First make the information that was intentionally so disclosed available on a static foundational site:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.2) the issuer shall make the additional or corrective disclosures;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) In any and all of (k)(3)(i)(A) through (k)(3)(i)(F) except (k)(3)(i)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Note: (Compliance burden):</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">With the advent and wide availability of mobile productivity tools and applications, the Commission does not see it as an undue burden for an issuer to be required to post material nonpublic information or any corrective disclosure after the intentional or unintentional release of material nonpublic information, either or both of which may well already be readily available to the senior officer responsible for the corrective disclosure as an email attachment or other portable document, to a given channel after a trading day or over a weekend or Long Weekend.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Non-intentional Disclosures.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(4) Where the issuer becomes aware that there has been a non-intentional disclosure of material non-public information as described in § 243.100(a), the issuer shall:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) First alert investors to the non-intentional disclosure on either or both of a live regulated channel and a virtual responsibility channel, along with the anticipated location on a static foundational channel and a timeline for the pending availability of that material nonpublic information or any corrective disclosure on a static foundational channel, within 6 (“six”) hours of the original release on any trading day, and within 12 (“twelve”) hours of the original release on any weekend or Long Weekend;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) The issuer shall thereafter make the information that was unintentionally disclosed, available on a static foundational site:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.2) the issuer shall make the additional or corrective disclosures;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) In any and all of (k)(4)(ii)(A) through (k)(4)(ii)(F) except (k)(4)(ii)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.</span></span></i></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iv) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><s><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(f) Senior official. “Senior official” means any director, executive officer (as defined in § 240.3b-7 of this chapter), investor relations or public relations officer, or other person with similar functions. </span></s></p>
<p class="MsoNormal"><a name="g"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(l) Senior official.  “Senior official” means for purposes of this Regulation FD (§§ 243.100 -243.103) and with regard to an issuer, any member of the board of directors, any executive officer charged with overall administration or operations, any officer in charge of a principal business unit or division or function, including without limitation, contingencies, finance, human resources, information or technology systems, international operations, investor relations, legal affairs, logistics, marketing, public relations, regulatory compliance, sales, or any significant project or initiative or policymaking function, whether styled as a director, or a president or a vice-president, or otherwise, and including other senior officials with the same or similar functions in any subsidiary of the issuer, as well as the issuer and the issuer representative or issuer representatives as the case may be in a business combination or joint venture or consortium or coalition in which the issuer or a subsidiary of the issuer holds an overall voting position or a right to the gross or net receivables in excess of 15% (“fifteen”) percent of the total in any class or sub-class of instrument, whether or not contingent, evidencing a right to such voting position or a right to share in the gross or net receivables of a business combination or joint venture or consortium or coalition.  
Any other officer or employee or authorized agent of the issuer who is not a senior official by title or function but who has established what the issuer or a third party may reasonably consider to be a significant following, readership, subscriber base or like status in the social or professional milieu whether through or as a demonstrably recognized channel of distribution for matters of or relating to the issuer, shall also be considered and treated by the issuer as a senior official for purposes of this Regulation FD.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(m)</span></span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> <s>(g)</s> Securities offering. For purposes of § 243.100(b)(2)<del>(iv)</del> [<em><span style="text-decoration:underline;">iii</span> - Dodd Frank, 10.4.2010</em>].</span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="g_1"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(1) Underwritten offerings. A securities offering that is underwritten commences when the issuer reaches an understanding with the broker-dealer that is to act as managing underwriter and continues until the later of the end of the period during which a dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="g_2"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(2) Non-underwritten offerings. A securities offering that is not underwritten: </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="g_2_i"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(i) If covered by Rule 415(a)(1)(x) (§ 230.415(a)(1)(x) of this chapter), commences when the issuer makes its first bona fide offer in a takedown of securities and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities in that takedown (unless the takedown is sooner terminated); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="g_2_ii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(ii) If a business combination as defined in Rule 165(f)(1) (§ 230.165(f)(1) of this chapter), commences when the first public announcement of the transaction is made and continues until the completion of the vote or the expiration of the tender offer, as applicable (unless the transaction is sooner terminated); </span></p>
<p class="MsoNormal" style="text-align:justify;"><a name="g_2_iii"></a><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(iii) If an offering other than those specified in paragraphs (a) and (b) of this section, commences when the issuer files a registration statement and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated). </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(n) Significant public announcement.  “Significant public announcement” means any announcement or notification to the public that could be reasonably considered to impact the market in share price or trading volume of the securities of the issuer or otherwise impact upon the decision of any person or entity to invest or not invest in the issuer, including if internal to the issuer or an affiliate of the issuer any environmental events, legal and regulatory actions, investigations, incidents involving internal controls, or cyber incidents, and if external to the issuer and its affiliates but that the Board of Directors reasonably determines may have an impact in the chain of supply or the markets of the issuer or on the operations of the issuer, then any of the above events of any other entity or party or group or affiliation of entities or parties in any combination, in any place or jurisdiction, including any political event or events.  This listing is not exhaustive and Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">(o) Trading day.  “Trading day” is defined as running from 9:30 a.m. to 4:00 p.m. Eastern Standard Time from Monday through and including Friday, in accordance with the regular business hours of the physical New York Stock Exchange (NYSE) in New York City, United States of America.  Any earlier cessation of trading on a trading day or any curtailment or expansion of a trading day whether planned or unplanned, shall be treated for purposes of this Regulation FD, as provided in this Regulation FD (§§ 243.100 &#8211; 243.103).</span></span></i></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">§ 243.102 No effect on antifraud liability. </span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">No failure to make a public disclosure required solely by § 243.100 shall be deemed to be a violation of Rule 10b-5 (17 CFR 240.10b-5) under the Securities Exchange Act.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">********************************************</span></p>
<p class="MsoNormal" style="text-align:center;" align="center"><b><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Possible Approaches for Issuers and Non-issuers, alike.</span></span></b></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Whether or not utilizing the above-presented schema and/or channel ordering, it would be prudent for issuers and non-issuers alike, to adopt some sort of channel usage and ranking for their disclosures, and post the same to standalone hard links or prominently within the legal &amp; disclaimers sections of their Static Foundational channels (website, Facebook, filings).</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">“We have since encouraged “honest, carefully considered attempts to comply with Regulation FD”</span></i><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">.  (Securities and Exchange Commission in <span style="text-decoration:underline;">Release No. 34-69279</span> of April 2, 2013, at page 2,<span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[20]</span>  citing to Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc., <span style="text-decoration:underline;">Release No. 34-46898</span> (Nov. 25, 2002)).<span style="font-size:12pt;font-family:'Times New Roman', 'serif';">[21]</span></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Adopting the spirit of the foregoing (whether or not it becomes law), may become one such honest and carefully considered attempt to comply with Regulation FD in which investors and members of the general public can see the sequence of channels through which the most accurate, relevant, and timely words of an issuer or any other company might be disseminated, and consult these in order of precedence to determine the most current state of affairs.  Such an approach may assist in limiting certain liabilities for companies as they provide alerts to, release to, materially disclose to, update, and otherwise educate investors, market intermediaries, customers, and the public.  This will help stabilize markets at volatile times; growing Regulation FD compliance by ensuring no investor is unduly favored or unfairly disadvantaged in accessing <i>“material nonpublic information”</i> from or about a company; whether or not it is an “Issuer”.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">**********************************************************</span></p>
<p class="MsoNormal"><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Author</span></span><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">:</span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, public finance and state Blue Sky laws, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  <i>Please See</i>: <a href="http://www.ogalaws.com">http://www.ogalaws.com</a></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  <i>Please See</i>: <a href="http://www.simprime-ca.com/">http://www.simprime-ca.com</a></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span></p>
<p class="MsoNormal" style="text-align:justify;"><b><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting &amp; Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.</span></b></p>
<p class="MsoNormal" style="text-align:center;" align="center"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';"> </span><b><i><span style="text-decoration:underline;"><span style="font-size:12pt;font-family:'Times New Roman', 'serif';">This article does not constitute legal advice or create any lawyer-client relationship.</span></span></i></b></p>
<hr align="left" size="1" width="33%" />
<div id="ftn1">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[1]</span></span></span> General Rule Regarding Selective Disclosure, also known as “<i>Regulation FD”</i> (Fair Disclosure).</p>
</div>
<div id="ftn2">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[2]</span></span></span> <i>Id</i>.</p>
</div>
<div id="ftn3">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[3]</span></span></span> United States Securities and Exchange Commission.  <i>Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance)</i>.  Online: &gt;<a href="http://www.sec.gov/rules/interp/2008/34-58288.pdf">http://www.sec.gov/rules/interp/2008/34-58288.pdf</a>&lt;</p>
</div>
<div id="ftn4">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[4]</span></span></span> United States Securities and Exchange Commission.  <i>Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  <span style="text-decoration:underline;">Release No. 34-69279</span> / April 2, 2013</i>.  Online: &gt;<a href="http://www.sec.gov/litigation/investreport/34-69279.pdf">http://www.sec.gov/litigation/investreport/34-69279.pdf</a>&lt;</p>
</div>
<div id="ftn5">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[5]</span></span></span> <i>Id</i>. at 1, 4. This journey began when on July 3, 2012, Reed Hastings who is the Netflix CEO, posted the following on his personal Facebook page just before 11:00 a.m., Eastern time:</p>
<p class="MsoFootnoteText" style="text-align:justify;margin:0 103.5pt .0001pt 1in;"><i>Congrats to Ted Sarandos, and his amazing content licensing team.  Netflix monthly viewing exceeded 1 billion hours for the first time ever in June.  When House of Cards and Arrested Development debut, we’ll blow these records away.  Keep going, Ted, we need even more!</i></p>
<p class="MsoFootnoteText" style="text-align:justify;">As (i) Netflix had not previously advised shareholders that the CEO’s Facebook page would be used to make such announcements; because (ii) the CEO had not used his personal Facebook page to make such company-related announcements in the past; and (iii) as the Facebook announcement was neither accompanied by nor shortly thereafter followed by any Press Release, any announcement on the main Netflix Facebook page or website, or any interim Regulatory Filing (e.g. Form 8-K, which is an omnibus interim Regulatory Filing format), the Commission took issue and commenced an investigation.  Of note, the share price stood at $70.45 at the time of posting, and the markets closed 2 hours later at 1:00 p.m. for the 4<sup>th</sup> of July holiday.  Even though Reed Hastings had 200,000 + subscribers to his personal Facebook page at the time (including shareholders, analysts, bloggers, and reporters), the posted message only diffused slowly through regular and online social channels.  Despite this, the Netflix share price had still risen to $81.72 at the close of the first trading day after the July 4<sup>th</sup> holiday break.</p>
</div>
<div id="ftn6">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[6]</span></span></span> <i>Id</i>. at 5.</p>
</div>
<div id="ftn7">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[7]</span></span></span> United States Securities and Exchange Commission.  <i>Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance)</i>, at 8-9.  Online: &gt;<a href="http://www.sec.gov/rules/interp/2008/34-58288.pdf">http://www.sec.gov/rules/interp/2008/34-58288.pdf</a>&lt;</p>
</div>
<div id="ftn8">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[8]</span></span></span> <i>Id</i>. at 12.</p>
</div>
<div id="ftn9">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[9]</span></span></span> <i>Id</i>. at 25.</p>
</div>
<div id="ftn10">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[10]</span></span></span> <i>Id</i>. at 21.</p>
</div>
<div id="ftn11">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[11]</span></span></span> <i>Id</i>. at 23.</p>
</div>
<div id="ftn12">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[12]</span></span></span> <i>Id</i>. at 26.</p>
</div>
<div id="ftn13">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[13]</span></span></span> United States Securities and Exchange Commission.  <i>Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance)</i>, at 41.  Online: &gt;<a href="http://www.sec.gov/rules/interp/2008/34-58288.pdf">http://www.sec.gov/rules/interp/2008/34-58288.pdf</a>&lt;</p>
</div>
<div id="ftn14">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[14]</span></span></span> <i>Id</i>. at 6.</p>
</div>
<div id="ftn15">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[15]</span></span></span> United States Securities and Exchange Commission.  <i>Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  <span style="text-decoration:underline;">Release No. 34-69279</span> / April 2, 2013, at 7</i>.  Online: &gt;<a href="http://www.sec.gov/litigation/investreport/34-69279.pdf">http://www.sec.gov/litigation/investreport/34-69279.pdf</a>&lt;</p>
</div>
<div id="ftn16">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[16]</span></span></span> <i>See e.g.</i> CBC News.  <i>Fake White House bomb report causes brief stock market panic: Associated Press Twitter account hacked</i>.  Posted (and occurring) on April 23, 2013.  Online: &gt;<a href="http://www.cbc.ca/news/business/story/2013/04/23/business-ap-twitter.html">http://www.cbc.ca/news/business/story/2013/04/23/business-ap-twitter.html</a>&lt;</p>
</div>
<div id="ftn17">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[17]</span></span></span> <i>Supra</i> note 13 at 40-41.</p>
</div>
<div id="ftn18">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[18]</span></span></span> <i>Id</i>. at 32.</p>
</div>
<div id="ftn19">
<p class="MsoNormal"><span class="MsoFootnoteReference"><span style="font-size:10pt;"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[19]</span></span></span></span><span style="font-size:10pt;"> <i>See generally</i> </span><i><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">In the Matter of Secure Computing Corporation and John McNulty</span></i><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">, <span style="text-decoration:underline;">Release No. 34-46895</span> / November 25, 2002.  Online: &gt;</span><a href="http://www.sec.gov/litigation/admin/34-46895.htm"><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">http://www.sec.gov/litigation/admin/34-46895.htm</span></a><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">&lt; ; <span style="text-decoration:underline;">Litigation Release No. 17860</span> (<i>Securities and Exchange Commission v. Siebel Systems, Inc.</i> (Civil Action No. 1:02-CV02330 (JDB)).  Online: &gt;</span><a href="http://www.sec.gov/litigation/complaints/comp17860.htm"><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">http://www.sec.gov/litigation/complaints/comp17860.htm</span></a><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">&lt; ; <i>In the Matter of Siebel Systems, Inc.</i>, <span style="text-decoration:underline;">Release No. 34-46896</span> / November 25, 2002.  Online: &gt; </span><a href="http://www.sec.gov/litigation/admin/34-46896.htm"><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">http://www.sec.gov/litigation/admin/34-46896.htm</span></a><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">&lt; ;</span> <i><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">In the Matter of Raytheon Company and Franklyn A. 
Caine</span></i><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">, <span style="text-decoration:underline;">Release No. 34-46897 </span>/ November 25, 2002.  Online: &gt; </span><a href="http://www.sec.gov/litigation/admin/34-46897.htm"><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">http://www.sec.gov/litigation/admin/34-46897.htm</span></a><span style="font-size:10pt;font-family:'Times New Roman', 'serif';">&lt; </span></p>
</div>
<div id="ftn20">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[20]</span></span></span> <i>See Supra</i> note 15.</p>
</div>
<div id="ftn21">
<p class="MsoFootnoteText"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"><span style="font-size:10pt;font-family:'Calibri', 'sans-serif';">[21]</span></span></span> United States Securities and Exchange Commission.  <i>Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc.  <span style="text-decoration:underline;">Release No. 34-46898</span> / November 25, 2002</i>.  Online: &gt;<a href="http://www.sec.gov/litigation/investreport/34-46898.htm">http://www.sec.gov/litigation/investreport/34-46898.htm</a>&lt;</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/04/24/tweaking-regulation-fd-for-the-social-media-age-is-it-time-for-a-fuller-restatement-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>“e-Solid”: Constraints to Cloud Come-up, under the Current Nigerian System &amp; Status-Quo.</title>
		<link>http://ogalaws.wordpress.com/2013/04/12/e-solid-constraints-to-cloud-come-up-under-the-current-nigerian-system-status-quo/</link>
		<comments>http://ogalaws.wordpress.com/2013/04/12/e-solid-constraints-to-cloud-come-up-under-the-current-nigerian-system-status-quo/#comments</comments>
		<pubDate>Fri, 12 Apr 2013 04:15:31 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Nigerian Constitution and Regulations]]></category>
		<category><![CDATA[Outsourcing and Cloud Computing]]></category>
		<category><![CDATA[Cloud in Nigeria]]></category>
		<category><![CDATA[Cybersecurity in Nigeria]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=480</guid>
		<description><![CDATA[Comment in the discussion chain: Data Centers and Disaster Recovery in Nigeria. Started by moderator Christopher Odutola of the LinkedIn group: Cloud Computing, Virtualization and Disaster Recovery in Nigeria. Online: http://www.linkedin.com/groups/Data-Centers-Disaster-Recovery-in-3785575.S.43550562?view=&#38;srchtype=discussedNews&#38;gid=3785575&#38;item=43550562&#38;type=member&#38;trk=eml-anet_dig-b_pd-pmt-cn&#38;ut=1tsF8girXdkBI1 ********** Thank you all for your highly knowledgeable and astute comments in this discussion so far.  We all know that as Nijas, we [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Comment in the discussion chain: <i>Data Centers and Disaster Recovery in Nigeria</i>.</p>
<p>Started by moderator Christopher Odutola of the LinkedIn group: <span style="text-decoration:underline;">Cloud Computing, Virtualization and Disaster Recovery in Nigeria</span>.</p>
<p>Online: <a href="http://www.linkedin.com/groups/Data-Centers-Disaster-Recovery-in-3785575.S.43550562?view=&amp;srchtype=discussedNews&amp;gid=3785575&amp;item=43550562&amp;type=member&amp;trk=eml-anet_dig-b_pd-pmt-cn&amp;ut=1tsF8girXdkBI1">http://www.linkedin.com/groups/Data-Centers-Disaster-Recovery-in-3785575.S.43550562?view=&amp;srchtype=discussedNews&amp;gid=3785575&amp;item=43550562&amp;type=member&amp;trk=eml-anet_dig-b_pd-pmt-cn&amp;ut=1tsF8girXdkBI1</a></p>
<p>**********</p>
<p>Thank you all for your highly knowledgeable and astute comments in this discussion so far.  We all know that as Nijas, we have the talent and we have the skills to get things done – as you all show.  However … na conditions!!  I think 6 factors need to be addressed to some extent before the cloud can gain more credibility and traction in Nigeria, and even in Africa, and become “<b><i>e-Solid</i></b>”.</p>
<p><b><span style="text-decoration:underline;">“E”nergy</span></b> is number one.  Data centers need cooling (especially below the equator), and drives need energy to spin, access memory, and provide those virtual instances.  The idea of generators in series has merit, but I would say turbines are better – with all the natural gas we have flaring.  I always wonder why none of our unemployed Engineers have built scalable and modular mini-refineries that can be used in the Niger Delta instead of all these open air burns; as used to feed or as combined with, modular and scalable mini-power stations.  We do have the labour, craftsmen, engineers, and natural resources.  Perhaps some of your banking and industrial contacts can be interested in seed funding.  Such machines will get plenty of interest in similarly challenged parts of the world.  It will take quite an effort to string functioning power lines everywhere, or bury them where there are already more people than spare ground.  I think localized modularity is the way to go, as opposed to regional and national power grids.</p>
<p><b><span style="text-decoration:underline;">“S”ecurity</span></b> has many facets.  On the one hand, it is the day to day matter of traveling to work while avoiding roadblocks, armed robbers, militants or <em>les beaucoup-harmers</em>, and drivers of trucks with no brakes, or of buses full of people and tankers full of petroleum or chemicals, who are not in their right minds due to some substance or other.  The 24/7 nature of IT will require people to travel back and forth at odd times, unless you are there on 7-12 day on, and 7-12 day off shifts, or something like that.  Even then, you will have to switch-out at some point, and face the travel hazards.  The other facet of security is data security.  Are the sys-admins selling off data sniffed in transit; is the data entirely managed within Nigeria or are portions of the cloud external and therefore subjecting the data to the laws and sniffing of other jurisdictions; are Nigerians adequately protected from identity theft and loss of funds in the case of financial data transfers through the cloud?  These are all areas where Nigerian laws are pretty far behind, due to other priorities of our dear leaders – state and federal, and legislators.</p>
<p><b><span style="text-decoration:underline;">“O”versight</span></b> is also highly important.   There are a plethora of regulatory bodies, associations, commissions, and parastatals in Nigeria that have overlapping and complementary functions.  When people in position wake and realize that there is money to be made from taxing, regulating, and licensing the cloud, there will be a rush to assert jurisdiction.  Will it be from NCC (due to communications), CBN (due to financial transactions in the cloud), FRSC (due to data transportation on the information highway), NIMASA for the undersea telecommunications cables, each and every state government (due to data center location), EFCC (due to the potential problems within their competence), or any combination of the security agencies, due to the potential national security implications?  How easily can the Corporate Affairs Commission define which of the above types of business the CSP/CSV is engaging in, and how many lawsuits, pleas to the President, and examples of public rudeness and misbehavior at the highest levels will Nigerians have to endure from those many competing regulatory interests?  I think a massive rationalization and realignment of Nigeria’s regulatory landscape is long overdue, but it may not happen while there are so many who benefit from the current alphabet soup of a conjoint twin octopus at a grand buffet, still eating to their heart’s content.  Other countries have established central fora, fusion centers, and similar councils where many bodies work together for the same goal.  In our case, that may take some time to achieve.</p>
<p><b><span style="text-decoration:underline;">“L”egal</span></b> is the logical follow-on, here.  There can be a self-regulatory body established for cloud service providers that enforces standards amongst peers, coordinates training and best practices, and works to lobby the government where and when needed.  Or, providers in the space can continue to work independently and accept whatever laws and regulations – no matter how contradictory, policy-somersault-laden, or otherwise non-conducive to sane and sustained business – are handed down from above.  Tips can be taken from what transpires with regard to the cloud outside Nigeria, but we should not be so fast to adopt things full force, that might not quite fit with our unique context.  We have seen many examples of this, as well as cases where countries accepted Constitutions and laws drafted by outsiders that were just plain wrong.</p>
<p>For example, the Warsaw Convention limits liability to air carriers in the case of a lost luggage, persons, or goods.  The Hamburg Rules perform a similar function with regard to carriage of goods by sea.  Those work well and are generally accepted for important service industries, when coupled with insurance.  Obviously, some lawyers can always be found to sue, despite the caps!  Attitudes change, however, when the protection is given to specialized industries and interests.  You have for example the Nuclear Liability Act in Canada, and the Price-Anderson Nuclear Industries Indemnity Act, in the United States – both limiting the liability of civilian nuclear installations for any incidents.  Most recently, on top of the refusal or inability of the United States Food and Drug Administration to force the labeling of genetically modified foods and food ingredients, President Obama still signed a Monsanto Protection Act on March 28, 2013 &#8211; <a href="http://rt.com/usa/monsanto-bill-blunt-agriculture-006/">http://rt.com/usa/monsanto-bill-blunt-agriculture-006/</a>.</p>
<p>A time may well come when the cloud industry becomes so large and all-pervasive that it will merit similar protections for all the data breach and failings we see with it in the western world – the first adopters.  However, if this happens in Nigeria before deposit insurance is taken and managed seriously (towards fewer vanishing premiums), a national identity system is firmly in place (towards fewer unusually expensive ghost workers), and business insurance and industry best practices are firmly adhered to, someone may pull a Cyprus without the government involvement.  The supposedly un-hackable Bitcoin was recently pilfered, and government should not help itself to personal bank accounts just because someone tells it to.  If the industry itself is protected, but the protection is not there or woefully inadequate for customers/consumers, some major problems could very well result.</p>
<p><b><span style="text-decoration:underline;">“I”nfrastructure</span></b> also needs a lot of work – whether roads and rails, buildings within which mobiles may or may not function, encryption and security of data in transit against SQL injection and other malware exploits, and a lot more attention to such basic security as keeping programs and systems patched and up to date.  BYOD can mean both bring your own device and bring your own destruction, depending on what the device owner is knowingly or unknowingly carrying within it, or something to which the device attaches.  It is no secret that many government websites in Africa (not just Nigeria) are Trojan-laden.  This needs to be fixed, before Nations are cut off from the outside and just go dark, due to the increasingly powerful antivirus and anti-malware programs that just block access to swathes of e-Estate, due to the real or alleged vulnerabilities that they represent.  Come on, guys and gals, we need to be able to reach you …. and there is no guarantee that VOIP will remain unaffected.  I cannot count the number of times that my system has refused to go somewhere – <i>somewhere legitimate thank you</i> – and then, I had to decide whether or not to disable the meguard and go there anyway.  This trend is already well underway.  Even with all or most of the cell towers up, there should be backups in hard lines and satellites, because towers can still be taken down.  We need to get our act together and put in the kind of backup and redundancy of critical infrastructure that gives people a greater sense of confidence that things will work and continue to work when they are needed most.   With the near total absence of landlines, what happens to emergency calls when the cloud-based cellular service goes down?  
Our infrastructure needs some serious work if we are to have the necessary bandwidth for greater cloud uptake (by SMBEs and conglomerates), deployment (in SaaS, PaaS, and IaaS configurations), and uptake (by the public and the powers that be); along with the other deficiencies here identified.</p>
<p><b><span style="text-decoration:underline;">“D”isaster</span></b> prevention, planning, response, and recovery is an obviously-ignored competence at the higher levels in Nigeria, due to the abundance of buildings and homes in flood plains – recurrently lost; the lack of an organized, national ambulance and air and water ambulance service – let alone fully-equipped, staffed, and functioning medical and dental facilities and pharmacies; poor attention to building standards, and road and rail traffic, maritime, and aviation vessel quality and facility maintenance; and the preponderant fire brigade approach with promises and prayers when things go horribly wrong.  Even where the cloud is proprietary, such as the example of your own VM instance on campus or at work, commonsense and best practices still advise the use in any combination, of <span style="text-decoration:underline;">off-cloud backup</span> (such as having your digital photos both in the cloud and on a physical USB stick that can create a mirror collection with rapid and relative ease – so long as not corrupted or lost), a <span style="text-decoration:underline;">substitute or backup cloud</span> (such as also storing them in another location and with another vendor,  perhaps as sent email attachments due to the current almost unlimited email storage capacity), <span style="text-decoration:underline;">offsite backup</span> (on a portable hard drive at a second physical location), and perhaps <span style="text-decoration:underline;">physical hardcopy prints</span> that can be laboriously scanned and uploaded, again, if and when all else fails.  Multiple redundancies are keys to data availability, reliability, and replicability, and all of the above need to be addressed before that can be more fully guaranteed with the appropriate high-uptime SLAs.</p>
<p><span style="text-decoration:underline;"><strong>SUMMARY:</strong></span></p>
<p>In summary, unless the Nigerian cloud industry members, vendors, and workers want to be misled by the kind of <i>absentee and not quite technically competent as it is supposed to be or claims to be leadership</i> that has characterized so much of our experience in recent memory, they (and other like-minded professional bodies tired of waiting to be disappointed, yet again), will step-up to take the lead in their own best professional and practical interests, and the interests of all Nigerians at home, abroad, and as yet unborn, to organize, strategize, and familiarize themselves with global best practices, apply only what makes most sense with regard to local idiosyncrasies, and work to build local workarounds and custom solutions to the Nigerian situation that can waylay &amp; workaround the kind of Bigman and Bigwoman jealousy, grandstanding, and other examples of feferity and insincerity that I alluded to above; better insulating their businesses from marauders to make them <i>e-Solid</i>.</p>
<p>That’s my <del>N</del> 100;</p>
<p>I hope it helps.</p>
<p>************************************************************************</p>
<p><span style="text-decoration:underline;">Author</span>:</p>
<p>Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and <i>GRC</i> – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). <i>Please See</i>: <a href="http://www.ogalaws.com/">http://www.ogalaws.com</a></p>
<p>He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  <i>Please See</i>: <a href="http://www.simprime-ca.com/">http://www.simprime-ca.com</a></p>
<p>Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).</p>
<p><b>Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic <i>IMPRIME</i> Consulting &amp; Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.</b></p>
<p align="center"><b><i><span style="text-decoration:underline;">This article does not constitute legal advice or create any lawyer-client relationship.</span></i></b></p>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/04/12/e-solid-constraints-to-cloud-come-up-under-the-current-nigerian-system-status-quo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>To Gatto from Zubulake: 2 Thumbs-up for Better Information Governance/Anti-Spoliation.</title>
		<link>http://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/</link>
		<comments>http://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/#comments</comments>
		<pubDate>Sun, 31 Mar 2013 20:36:43 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Business of Business]]></category>
		<category><![CDATA[Litigation & Discovery/eDiscovery]]></category>
		<category><![CDATA[Chief Judge Randall R. Rader]]></category>
		<category><![CDATA[eDiscovery]]></category>
		<category><![CDATA[ESI]]></category>
		<category><![CDATA[Gatto]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[Judge Shira A. Scheindlin]]></category>
		<category><![CDATA[Zubulake Revisited]]></category>
		<category><![CDATA[Zubulake V]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=473</guid>
		<description><![CDATA[SPOLIATION PARLAY: The Virginia wrongful death litigation of Lester v. Allied Concrete, in which cost sanctions[1] were awarded for spoliation of online evidence,[2] has a new compatriot in the New Jersey case of Gatto v. United Airlines.[3]  Counsel should be mindful when advising clients with regard to electronic evidence, and Judges are taking note and [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><b><span style="text-decoration:underline;">SPOLIATION PARLAY</span></b><b>:</b></p>
<p>The Virginia wrongful death litigation of <i>Lester v. Allied Concrete</i>, in which cost sanctions[1] were awarded for spoliation of online evidence,[2] has a new compatriot in the New Jersey case of <i>Gatto v. United Airlines</i>.[3]  Counsel should be mindful when advising clients with regard to electronic evidence, and Judges are taking note and increasingly ready to issue adverse inference “spoliation instructions” along with steep monetary sanctions for spoliation of evidence due to a failure of Information Governance generally, and of document retention practices, specifically; especially in that exponentially expanding category of Electronically Stored Information (ESI).</p>
<p>One member of the Gartner Group has defined <b>Information Governance</b>, as “[…] <i>the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information.  It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals</i>”.[4]</p>
<p>Focusing on the last 7 words of this definition “enabling an organization to achieve its goals”, winning the case should not come at the expense of sanctions that lead to a lost case, that wipe-out the award from a victory, or that leave the winner of a pyrrhic victory in the negative after paying a sanctions award to the losing but smiling party.  In at least one of the above cases of <span style="text-decoration:underline;">Lester</span> and <span style="text-decoration:underline;">Gatto</span>, Counsel had apparently advised the client to “clean-up” their Facebook, or something like that.  It is vitally important that Counsel get to grips and up to date with the expanding offerings of online social media tools, and their impacts on the litigation landscape, the document retention matrix, the scope of Professional Responsibility, and the cost of sanctions for spoliation and failures to produce.</p>
<p>“<b>Spoliation</b> is the destruction or significant alteration of evidence, or the failure to preserve property for another&#8217;s use as evidence in pending or reasonably foreseeable litigation”.[5] [emphasis added].</p>
<p><b><span style="text-decoration:underline;">THE STANDARDS, TODAY</span></b><b>:</b></p>
<p>As shown in <span style="text-decoration:underline;">Mosaid</span>,[6] <span style="text-decoration:underline;">Zubulake</span>,[7] and <span style="text-decoration:underline;">Goodyear</span>,[8] not all Judges and Magistrate Judges will see mere adverse inference instructions, which allow the errant side to still try their luck, as enough of a deterrent.[9]  Indeed, with a January 15, 2010 opinion entitled <span style="text-decoration:underline;">Zubulake Revisited: Six Years Later</span>,[10] Judge Scheindlin clarified her thoughts on Information Governance and Discovery (e-Discovery) of Electronically Stored Information (ESI) by providing several solid, useful, bright line rules distinguishing between ESI lapses as negligence, willfulness, and gross negligence.</p>
<p>“[…], it is well established that <i>negligence</i> involves unreasonable conduct in that it creates a risk of harm to others, but <i>willfulness</i> involves intentional or reckless conduct that is so unreasonable that harm is highly likely to occur.”[11]</p>
<p>“<i>Gross negligence</i> has been described as a failure to exercise even that care which a careless person would use”.[12]</p>
<p>In addition to her analysis, Judge Scheindlin issues a clear caveat as follows “<i>[t]hese examples are not meant as a definitive list.  Each case will turn on its own facts and the varieties of efforts and failures is infinite</i>”.[13]  However, applying the above standards to specific steps of the litigation process, she continues in what I here condense and present as a handy cheat-sheet.</p>
<p>1. <span style="text-decoration:underline;">Preservation of Relevant Information</span>.</p>
<p>“A failure to preserve evidence resulting in the loss or destruction of relevant information is surely negligent, and, depending on the circumstances, may be grossly negligent or willful”.[14]</p>
<p>2. <span style="text-decoration:underline;">Intentional Hampering Acts</span> (*<i>author’s terminology</i>).</p>
<p>“[…] the intentional destruction of relevant records, either paper or electronic, after the duty to preserve has attached, is willful”.[15]</p>
<p>3. <span style="text-decoration:underline;">Issuance of a Litigation Hold</span>.</p>
<p>“Possibly after October, 2003, when <i>Zubulake IV</i> was issued, and definitely after July, 2004, when the final relevant <i>Zubulake</i> opinion was issued, the failure to issue a <i>written</i> litigation hold constitutes gross negligence because that failure is likely to result in the destruction of relevant information”.[16]</p>
<p>4. <span style="text-decoration:underline;">Collection and Review</span>.</p>
<p>“[…] depending on the extent of the failure to collect evidence, or the sloppiness of the review, the resulting loss or destruction of evidence is surely negligent, and, depending on the circumstances may be grossly negligent or willful.  For example, the failure to collect records – either paper or electronic – from key players constitutes gross negligence or willfulness as does the destruction of email or certain backup tapes after the duty to preserve has attached”.[17]</p>
<p>5. <span style="text-decoration:underline;">Litigation Dragnets</span> (*<i>author’s terminology</i>).</p>
<p>“By contrast, the failure to obtain records from <i>all</i> employees (some of whom may have had only a passing encounter with the issue in the litigation), as opposed to key players, likely constitutes negligence as opposed to a higher degree of culpability”.[18]</p>
<p>6. <span style="text-decoration:underline;">Additional Preservation Measures</span> (*<i>author’s terminology</i>).</p>
<p>“[…] the failure to take all appropriate measures to preserve ESI likely falls in the negligence category”.[19]</p>
<p>7. <span style="text-decoration:underline;">Assessing the Relevance and Prejudice of Spoliated Evidence</span> (*<i>author’s terminology</i>).</p>
<p>“[…] for more severe sanctions – such as dismissal, preclusion, or the imposition of an adverse inference – the court must consider, in addition to the conduct of the spoliating party, whether any missing evidence was relevant and whether the innocent party has suffered prejudice as a result of the loss of evidence”.[20]</p>
<p>8. <span style="text-decoration:underline;">Presumptions of Relevance; Jury Instructions</span> (*<i>author’s terminology; emphasis added</i>).</p>
<p>“Where a party destroys evidence in <b>bad faith</b>, that bad faith alone is sufficient circumstantial evidence from which a reasonable fact finder could conclude that the missing evidence was unfavourable to that party”.[21]</p>
<p>In the extreme, <b>willful or bad faith conduct</b> can bring jury instructions “that certain facts are deemed admitted and must be accepted as true”; in the mid-range, <b>willful or reckless conduct</b> may bring jury instructions imposing a “mandatory but rebuttable” presumption.[22]</p>
<p>At the baseline-level, an instruction may issue that “<i>permits</i> (but does not require) a jury to <i>presume</i> that the lost evidence is both relevant and favorable to the innocent party.  If it makes this presumption, the spoliating party’s rebuttal evidence must then be considered by the jury, which must then decide whether to draw an adverse inference against the spoliating party”.[23]</p>
<p>9. <span style="text-decoration:underline;">Fitting the Sanction to the Conduct/Misconduct</span> (*<i>author’s terminology</i>).</p>
<p>“It is well accepted that the court should always impose the least harsh sanction that can provide an adequate remedy.  The choices include – from least harsh to most harsh – further discovery, cost-shifting, fines, special jury instructions, preclusion, and the entry of default judgment or dismissal (terminating sanctions).  The selection of the appropriate remedy is a delicate matter requiring a great deal of time and attention by a court.”[24]</p>
<p>10. <span style="text-decoration:underline;">When Terminating Sanctions are Appropriate</span> (*<i>author’s terminology</i>).</p>
<p>“However, a terminating sanction is justified in only the most egregious cases, such as where a party has engaged in perjury, tampering with evidence, or intentionally destroying evidence by burning, shredding, or wiping out computer hard drives”.[25]</p>
<p><b><span style="text-decoration:underline;">THE TAKEAWAY</span></b><b>:</b></p>
<p>♦<b><span style="text-decoration:underline;">A</span></b>ctively backup (all ESI systems of the client, of Counsel, and of the agents for each);</p>
<p>♦<b><span style="text-decoration:underline;">B</span></b>e comprehensive (in coverage scope: in-house systems, mobiles, external providers);</p>
<p>♦<b><span style="text-decoration:underline;">C</span></b>ommunicate duties (in advance and ongoing: Counsel to client; client to Counsel);</p>
<p>♦<b><span style="text-decoration:underline;">D</span></b>iligently enforce (client for Counsel oversight; Counsel to confirm compliance);</p>
<p>♦<b><span style="text-decoration:underline;">E</span></b>ducate fully your employees and agents (client-side, Counsel-side, and outside);</p>
<p>♦<b><span style="text-decoration:underline;">F</span></b>ix snafus, logjams, and communications failures as fast and fully as possible;</p>
<p>♦<b><span style="text-decoration:underline;">G</span></b>et professionals involved in your <i>Information Governance</i> plans <span style="text-decoration:underline;">very</span> early.</p>
<p>ESI is here to stay, and expanding in depth and breadth at an extreme pace; e-Discovery has caught-up, and is keeping up – at least in the Second Circuit and the Districts it comprises, and also in the United States Court of Appeals for the Federal Circuit.[26]  Counsel should follow-suit!</p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] <span style="text-decoration:underline;">Lester v. Allied Concrete</span>, (Case No. CL08-150, and Case No. CL09-223), Final Order dated October 21, 2011 (Va. Cir. Ct. 2011). Online: &gt;<a href="http://www.scribd.com/doc/78439131/Lester-v-Allied-Concrete-CL08-150-102111-Final-Order">http://www.scribd.com/doc/78439131/Lester-v-Allied-Concrete-CL08-150-102111-Final-Order</a>&lt; The amount of the final sanction was a fees award of $722,000.00.</p>
</div>
<div>
<p>[2] <span style="text-decoration:underline;">Lester v. Allied Concrete</span>, (Case No. CL08-150, and Case No. CL09-223), Ruling dated September 1, 2011 (Va. Cir. Ct. 2011).  This ruling granted <i>inter alia</i>, a motion for sanctions (the party deleted Facebook photos then the account, and later swore under oath to never having done so, with their legal counsel further attesting that the client did not own a Facebook account); all after the other side had gotten wind of the account and requested production.  Online: &gt;<a href="http://valawyersweekly.com/vlwblog/files/2011/09/Lester-Hogshire-order.pdf">http://valawyersweekly.com/vlwblog/files/2011/09/Lester-Hogshire-order.pdf</a>&lt;</p>
</div>
<div>
<p>[3] <span style="text-decoration:underline;">Gatto v. United Air Lines, Inc</span>., No. 10-cv-1090, 2013 U.S. Dist. LEXIS 41909, slip op. at 11 (D.N.J. Mar. 25, 2013).  Ruling dated March 25, 2013.  Once again, a Facebook account had been improperly deleted after a production request and Order.  The Judge, here, (stating at note 1 on page 5 of the Judgement that there was no difference to him between mere “account deactivation” and “permanent account deletion” with regard to spoliation: “[…]<i>as either scenario involves the withholding or destruction of evidence [.]</i>”), ruled that an adverse inference instruction to the jury would suffice, and declined to impose a monetary sanction.  Online: &gt;<a href="http://www.technologylawsource.com/uploads/file/GattovUnitedAirLinesCaseNo10-cv-1090-DNJ.pdf">http://www.technologylawsource.com/uploads/file/GattovUnitedAirLinesCaseNo10-cv-1090-DNJ.pdf</a>&lt;</p>
</div>
<div>
<p>[4] Debra Logan, Research VP, Gartner Research.  <i>What is Information Governance?  And Why is it So Hard?</i> Published on blogs.gartner.com, January 11, 2010.  Online: &gt;<a href="http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/">http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/</a>&lt;</p>
</div>
<div>
<p>[5] This definition was laid down by United States Circuit Judge Joseph M. McLaughlin, writing the February 12, 1999 judgement of a unanimous 2<sup>nd</sup> Circuit panel in <span style="text-decoration:underline;">West v. Goodyear Tire &amp; Rubber Co.</span>, 167 F3d 776, 779 (1999).  There, the 2<sup>nd</sup> Circuit remanded a case on finding that outright dismissal of Plaintiff’s negligence action for spoliation (disposing of the allegedly malfunctioning device) was too draconian a sanction.  It was followed by the Southern District of New York with United States District Judge Shira A. Scheindlin’s July 20, 2004 ruling in <em><span style="text-decoration:underline;">Zubulake v. UBS Warburg LLC</span></em>, 229 F.R.D. 422 (2004) – <i>sometimes also styled Zubulake V</i> &#8211; an employment discrimination case involving spoliation by failure to preserve and produce backup email tapes, that was itself a precedent in the guidance the Judge issued for future electronic discovery practices; as well as by the New Jersey District Court with the December 7, 2004 ruling of United States District Judge William J. Martini, in <span style="text-decoration:underline;">Mosaid Technologies v. Samsung Electronics</span>, 348 F.Supp.2d 332, 335 (D.N.J. 2004), also involving the spoliation of electronic evidence where the failure to specifically mention “emails” within/alongside a request for the production of “documents”, should not have permitted the non-production and willful destruction of those emails.</p>
</div>
<div>
<p>[6] <i>Id</i>. Online: &gt;<a href="http://www.clearwellsystems.com/e-discovery-blog/wp-content/uploads/2012/07/Mosaid-Technologies-Inc-v-Samsung-Electronics-Co-Ltd.pdf">http://www.clearwellsystems.com/e-discovery-blog/wp-content/uploads/2012/07/Mosaid-Technologies-Inc-v-Samsung-Electronics-Co-Ltd.pdf</a>&lt;</p>
</div>
<div>
<p>[7] <i>Supra</i> note 5.  Online: &gt;<a href="http://billdanielslaw.com/Forum/wp-content/uploads/2010/07/Zubulake-v-UBS-Warburg-LLC1.pdf">http://billdanielslaw.com/Forum/wp-content/uploads/2010/07/Zubulake-v-UBS-Warburg-LLC1.pdf</a>&lt;</p>
</div>
<div>
<p>[8] <i>Supra</i> note 5.  Online: &gt;<a href="https://bulk.resource.org/courts.gov/c/F3/167/167.F3d.776.98-7324.html">https://bulk.resource.org/courts.gov/c/F3/167/167.F3d.776.98-7324.html</a>&lt;</p>
</div>
<div>
<p>[9] <i>See contra</i>, <span style="text-decoration:underline;">Gatto</span>, at note 3, <i>supra</i>, and accompanying text.</p>
</div>
<div>
<p>[10] Zubulake Revisited: Six Years Later (January 15, 2010 Amended Opinion and Order of United States District Judge Shira A. Scheindlin, in) <span style="text-decoration:underline;">Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities, LLC</span>, No. 05 Civ. 9016 (SAS), 2010 WL 93124 (S.D.N.Y. Jan. 11, 2010).  Online: &gt;<a href="http://ralphlosey.files.wordpress.com/2010/01/05cv9016-january-15-2010-amended-opinion.pdf">http://ralphlosey.files.wordpress.com/2010/01/05cv9016-january-15-2010-amended-opinion.pdf</a>&lt;</p>
</div>
<div>
<p>[11] <i>Id</i>. at page 7 of the 88 page Amended Opinion and Order.</p>
</div>
<div>
<p>[12] <i>Id</i>. at page 8.</p>
</div>
<div>
<p>[13] <i>Id</i>. at page 10.</p>
</div>
<div>
<p>[14] <i>Id</i>. at pages 8-9.</p>
</div>
<div>
<p>[15] <i>Id</i>. at page 9.</p>
</div>
<div>
<p>[16] <i>Id</i>. at page 9.</p>
</div>
<div>
<p>[17] <i>Id</i>. at page 10.</p>
</div>
<div>
<p>[18] <i>Id</i>. at page 10.</p>
</div>
<div>
<p>[19] <i>Id</i>. at page 10.</p>
</div>
<div>
<p>[20] <i>Id</i>. at page 14.</p>
</div>
<div>
<p>[21] <i>Id</i>. at page 15.</p>
</div>
<div>
<p>[22] <i>Id</i>. at pages 21-22.</p>
</div>
<div>
<p>[23] <i>Id</i>. at page 22.</p>
</div>
<div>
<p>[24] <i>Id</i>. at pages 19-20.</p>
</div>
<div>
<p>[25] <i>Id</i>. at pages 20-21.</p>
</div>
<div>
<p>[26] <i>See</i> Ekundayo George.  <i>GRC: Governance (Part 2)</i>.  Published on ogalaws.wordpress.com, October 29, 2012, at note 12 and accompanying text.  Online: &gt;<a href="http://ogalaws.wordpress.com/category/regulatory-and-government-affairs/governance-risk-compliance-grc-and-sanctions/">http://ogalaws.wordpress.com/category/regulatory-and-government-affairs/governance-risk-compliance-grc-and-sanctions/</a>&lt;  Model e-Discovery Order for patent litigation, as presented to the Eastern District of Texas Judicial Conference on September 27, 2011, by the Honourable Randall R. Rader, Chief Judge of the United States Court of Appeals for the Federal Circuit.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Gobble-Gobble Security: Facetiously “Visioning-out” the full Software as a Service (SaaS) Trajectory.</title>
		<link>http://ogalaws.wordpress.com/2013/03/28/gobble-gobble-security-facetiously-visioning-out-the-full-software-as-a-service-saas-trajectory/</link>
		<comments>http://ogalaws.wordpress.com/2013/03/28/gobble-gobble-security-facetiously-visioning-out-the-full-software-as-a-service-saas-trajectory/#comments</comments>
		<pubDate>Thu, 28 Mar 2013 16:45:44 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Outsourcing and Cloud Computing]]></category>
		<category><![CDATA[Cyberbunker]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Distributed Denial of Service]]></category>
		<category><![CDATA[Implanted device]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Spamhaus]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=464</guid>
		<description><![CDATA[I would say there are essentially 7 (“seven”) stages in this trajectory, being: (i) SaaP; (ii) SaaS; (iii) SaaR; (iv) S3aUR; (v) PcSS; (vi) SaEE/SaEA; (vii) PC3S. Kindly allow me to explain. SaaP – Software as a Product: (i) Software was originally a product, although many in the younger generations may have little to no [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I would say there are essentially 7 (“seven”) stages in this trajectory, being:</p>
<p>(i) SaaP;</p>
<p>(ii) SaaS;</p>
<p>(iii) SaaR;</p>
<p>(iv) S<sup>3</sup>aUR;</p>
<p>(v) PcSS;</p>
<p>(vi) SaEE/SaEA;</p>
<p>(vii) PC<sup>3</sup>S.</p>
<p>Kindly allow me to explain.</p>
<p><span style="text-decoration:underline;">SaaP – Software as a Product</span>:</p>
<p>(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.</p>
<p><span style="text-decoration:underline;">SaaS – Software as a Service</span>:</p>
<p>(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value-added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring the outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.</p>
<p><span style="text-decoration:underline;">SaaR – Software as a Right</span>:</p>
<p>(iii) Although many don’t quite see it – due to the fact that Stage 4 is already taking the limelight ahead of its time – Stage 3 is when we start to see <i>Software as a Right</i> (SaaR).  Software is becoming a right because cost-cutting has led to several European and North American governments cutting funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with and sometimes without ensuring that they are first put to the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications); and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) also move online, software becomes a right, to the extent that people need it for access to these essentials of daily living.</p>
<p><span style="text-decoration:underline;">S<sup>3</sup>aUR – Software and Systemic Security at Undue Risk</span>:</p>
<p>(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk in multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and just bad design, mismatched configuration, or absent/inactive management.  There are climatic and other intervening “exigent events”.  However, the argument will always be made that these (including climate change), were predictable, and could therefore have been better planned for and their effects, controlled.</p>
<p><span style="text-decoration:underline;">PCSS – Persistent Cloud Security Systems</span>:</p>
<p>(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how to best structure,[4] roll-out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real-time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in to work consistently and predictably with common rules or principles to drill down on, rein-in, and prosecute actors in the under-most belly of the <i>Deep Web</i>.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4’s insecurity tsunami.</p>
<p><span style="text-decoration:underline;">SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation</span>:</p>
<p>(vi) Of course, being a non-Wizard, I cannot say what term precisely, will be used.  It is possible, just as is the current case with the Phase 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed-upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether by pull-down or push-out from the update source, will eventually start to fall too far behind the developing threats and vulnerabilities presented.  At that point, one or more governments may “force” this Stage 6.</p>
<p>There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.</p>
<p>Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.</p>
<p>As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.</p>
<p><span style="text-decoration:underline;">PC<sup>3</sup>S – Pure Collectivized Communications Culture System</span>:</p>
<p>(vii) Then, once everyone who counts or wants to count, is wired-up (or at least, all who want to be able to eat &amp; drink, fully &amp; freely exercise inalienable rights, or buy &amp; sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay as you go system with monthly user fees and transaction levies (<i>ePayment only in a cashless society, with interest-bearing pay-day-loans preferred so as to keep everyone happily hard at work for their own self-serving purposes</i>) that by definition includes all but the “obvious terrorists”), we <span style="text-decoration:underline;">will</span> have that Stage 7, in a <i>Pure Collectivized Communications Culture System</i>.  If software becomes embedded to get around hacking, then who is to say that a person’s brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders), will resist the temptation to hack someone’s brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20<sup>th</sup> and 21<sup>st</sup> Century books and movies may quickly come to mind.[6]</p>
<p><span style="text-decoration:underline;">SUMMARY</span>:</p>
<p>Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in these above 7, that have already taken place, or that are …. “<b><i>something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor</i></b>”!  It is said that being fore-warned is to be fore-armed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?</p>
<p>************************************************************************</p>
<p><span style="text-decoration:underline;">Author</span>:</p>
<p>Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and <i>GRC</i> – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). <i>Please See</i>: <a href="http://www.ogalaws.com/">http://www.ogalaws.com</a></p>
<p>He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  <i>Please See</i>: <a href="http://www.simprime-ca.com/">http://www.simprime-ca.com</a></p>
<p>Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).</p>
<p><b>Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic <i>IMPRIME</i> Consulting &amp; Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.</b></p>
<p align="center"><b><i><span style="text-decoration:underline;">This article does not constitute legal advice or create any lawyer-client relationship.</span></i></b></p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] <i>See e.g.</i> Ekundayo George.  <i>Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”</i>. Published on ogalaws.wordpress.com, January 17, 2013.  Online: &gt;<a href="http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/">http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/</a>&lt;</p>
</div>
<div>
<p>[2] See Adam Edelman/New York Daily News.  <i>Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack</i>.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: &gt;<a href="http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372">http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372</a> &lt;  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting <span style="text-decoration:underline;">business</span> that will take all-comers, “<i>except child porn and anything related to terrorism</i>”), and The Spamhaus Project (a <span style="text-decoration:underline;">non-profit</span> centred in London and Geneva, but with operating nodes in ten nations, that “<i>works to help email providers filter out spam</i>”), has led to the largest DDOS in history with a data stream attack magnitude of 300 billion bits per second, when 50 billion bits would suffice to bring-down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack”, just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators. Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  
In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  <i>See Infra</i>, note 5.  <i>See also</i> The Spamhaus Project homepage.  Online: &gt; <a href="http://www.spamhaus.org/organization/">http://www.spamhaus.org/organization/</a>&lt;; The Cyberbunker Data Centers homepage.  Online:  &gt;<a href="http://www.cyberbunker.com">http://www.cyberbunker.com</a>&lt; (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article was posted).</p>
</div>
<div>
<p>[3] <i>See e.g.</i>  Ekundayo George.  <i>Data Protection and Retention in the Cloud: Getting it Right</i>, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online:&gt; <a href="http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/">http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/</a>&lt;</p>
</div>
<div>
<p>[4] <i>See e.g</i>. Mikael Ricknäs, IDG News Service.  <i>AWS takes aim at security conscious enterprises with new appliance</i>.  Published on itworld.com, March 27, 2013.  Online: &gt;<a href="http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359">http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359</a>&lt;  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  SOD best practices are thus clearly translated into the cloudsphere.</p>
</div>
<div>
<p>[5] <i>See</i> Gil David.  <i>The Dark Side of the Internet</i>.  Published on israeldefense.com, December 1, 2012.  Online:</p>
<p>&gt;<a href="http://www.israeldefense.com/?CategoryID=483&amp;ArticleID=1756">http://www.israeldefense.com/?CategoryID=483&amp;ArticleID=1756</a>&lt;  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “<i>Internet of Things</i>” to come.</p>
</div>
<div>
<p>[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society as machines did so much, that people would have more time on their hands to relax and actually enjoy life.  Now, the “<i>massively unemployed, migrating mass populations</i>” in almost all geographic zones and nations, mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union &#8211;or with one or more of its “<i>pending former</i>” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/03/28/gobble-gobble-security-facetiously-visioning-out-the-full-software-as-a-service-saas-trajectory/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Ctrl-Shift-Del: 2013’s Top 5 Technology Trends for Consumers.</title>
		<link>http://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/</link>
		<comments>http://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/#comments</comments>
		<pubDate>Sat, 16 Mar 2013 02:22:24 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Change Management]]></category>
		<category><![CDATA[e-Commerce]]></category>
		<category><![CDATA[2013 Top 5 Technology Trends for Consumers]]></category>
		<category><![CDATA[Bring Your Own Device (BYOD)]]></category>
		<category><![CDATA[End User Legal Authority]]></category>
		<category><![CDATA[End User Leveraged Ability]]></category>
		<category><![CDATA[End User License Autonomy]]></category>
		<category><![CDATA[EULA]]></category>
		<category><![CDATA[multi-taneous]]></category>
		<category><![CDATA[PWC 2013 Top 10 Technology Trends for Business]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=450</guid>
		<description><![CDATA[RATIONALE: I was recently reading the PWC/Digital IQ Report, entitled “2013 Top 10 Technology Trends for Business”,[1] when I deduced that something was missing.  Rather than say that the venerable PWC were wrong in omitting something (who am I?), I thought it better to perhaps bring my views to light with a separate but related [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><span style="text-decoration:underline;">RATIONALE</span>:</p>
<p>I was recently reading the PWC/Digital IQ Report, entitled “<i>2013 Top 10 Technology Trends for Business</i>”,[1] when I deduced that something was missing.  Rather than say that the venerable PWC were wrong in omitting something (<i>who am I?</i>), I thought it better to perhaps bring my views to light with a separate but related story; hence this blog post with a title that plays-on that of the PWC Report.</p>
<p>The PWC/Digital IQ Report identifies and presents those 2013, top 10 tech. trends for business, as: (1) Pervasive computing; (2) Cybersecurity; (3) Big Data mining and analysis; (4) Private Cloud; (5) Enterprise social networking; (6) Digital delivery of products and services; (7) Public Cloud infrastructure; (8) Data visualization; (9) Simulation and scenario modeling; and (10) Gamification.[2]</p>
<p><span style="text-decoration:underline;">IDENTIFICATION</span>:</p>
<p>One might say that these are, each and all, complete in and of themselves.  However, the additional trends for consumers that they inspire, should, I feel, be presented as either:</p>
<p>(a) <i>additional</i> trends (numbered 11 through 15) <i>for businesses</i> (considering the business-to-consumer/business-to-business implications and possibilities); or</p>
<p>(b) as <i>separate &amp; distinct</i> (numbered one through five), <i>consumer specific</i> trends.</p>
<p>These 5, are: (v) Accelerated lived experience; (w) BYOD; (x) Crowdsourcing; (y) Distance education; and (z) End-User legal authority/license autonomy/leveraged ability (EULA3, or cubed).  Hence, choosing (b) – <i>presented as separate and distinct, consumer-specific trends</i>, I detail them below.</p>
<p><span style="text-decoration:underline;">SPECIFICS</span>:</p>
<p><b>Accelerated Lived Experience:</b></p>
<p>(v) The speed at which information now moves has led to an accelerated lived experience, for everyone.  Anything and everything posted in a social media setting can be shared instantaneously, with millions of people all over the world.  And, once something is released into the wild of the web, it can “never” be taken back.  Legally, there are archives of webpages, tweets, blogs, pictures, videos, and postings – <i>even the deleted ones</i> &#8211; kept by licensed players within the internet superstructure; technically, there are vast storehouses (server farms) sifting through everything that is uploaded to, sent across, and downloaded from the internet by many governments around the world, and their functionaries; and individually and collectively, people and groups – both criminal and law-abiding – can surf, send, and select for download or copy/paste at their pleasure.  We are almost at a stage of constant reaction to external initiators, and always on the lookout for the next <i>trending thing</i> with heightened anxiety, heart rates, and hyper-dilated pupils.  The jolt of electricity from AC/DC (alternating current/direct current) is now equated by the constant (almost intravenous in some cases, for those who cannot turn-off or put-down the smartphone) stimulus experienced by the always connected/always online (AC/AO) generation.</p>
<p><b>BYOD:</b></p>
<p>(w) <i>Bring Your Own Device</i>, is the new policy in an increasing number of workplaces, that allows employees to bring their own devices to work, or use them remotely for work.  Despite the real dangers of allowing sometimes uncleared (inherently unsecure, or running old and unpatched operating systems), incompatible (incorrectly configured), or unnecessarily vulnerable (inadequate virus and spyware protections, or already loaded with exploits-in-waiting) tech. tools to connect and send to, and source valuable personal data, customer information, intellectual property and trade secrets from, a work network, this trend is likely to continue.[3]  BYOD has the potential to enable significant savings for the organization in not having to constantly acquire, distribute, and manage ever newer devices for its sometimes vast army of employees.  However, it can also import liabilities for anything from: failing to properly train employees in, monitor, and enforce a responsible BYOD usage policy – along with a social media usage policy; negative publicity in employee pushback against the employer’s attempts to overly-regulate their private use of private property, despite its incidental business application; and legal exposure in preventable data breach, or employee loss of personal data on an unsecured device that was misplaced or stolen.  Should the employer’s insurer or the employee’s insurer pay for the ensuing liabilities when a personal laptop, used for business, is lost or stolen when an employee is on vacation (or stress leave), but finishing-off some work?</p>
<p><b>Crowdsourcing:</b></p>
<p>(x) Having so many people, in so many different places, with myriad perspectives and experiences, enables a whole new world of crowdsourcing.  This can range from personal networking sites that allow one to rapidly get information on a specific subject from a variety of sources or thought and knowledge leaders; through groups, blogs, and list serves that are more targeted and which people join or subscribe to at their pleasure; to news media sites that invite people to post their images, videos, or opinions on a variety of current and historical issues, or disasters and other developing events of significance.  Of course, there is no guarantee that some or all such crowd sources are correct, accurate, or honest.  There have also been instances of late, involving “<i>massaged</i>” evidence; old footage from somewhere else presented as current footage from a hot location; and cases in which people with their own agendas have either directly impersonated, or hacked the accounts and credentials of others – not to mention those “crashing” glitzy events who could easily be mistaken for legitimate participants, if presented with the right caption to an unwitting audience (not aware of, or even so far gone as to not believe), the original footage.  Crowd-sourced “<i>fodder</i>” is best taken with a good dose of skepticism, and at least a little salt; lest one join the ranks of those who are so easily fooled, all of the time.  On the converse side, business use of crowdsourcing within the organization may defeat itself if not properly managed. The digital suggestion box, if too full, will see management applying that very same filtering-type software, already adept at sniffing through servers full of resumes, to sift through and sort the suggestions.  Good ones, as always, may still be filtered-out by the wrong or imprecise <i>Big Data</i> analytical tools.</p>
<p><b>Distance Education:</b></p>
<p>(y) This trend, thankfully, is not quite as controversial.  However, the accreditation and quality of an increasing collection of online courses, degree and certificate programs, and institutions, is a fast-developing concern.  Accredited Professionals who cannot always travel so easily to attend presentations they need for continuing education credits or that are otherwise of interest to them, can more conveniently sit and watch the webcast, or listen to the teleconference from the comfort of their own homes and offices; or even when on the road (to the extent, of course, that it does not lead them into distracted driving, boating, flying, riding, or otherwise).  As technology continues to develop and regulatory accreditation issues and concerns are resolved, this trend can only continue; including, of course, greater use of <i>learning-on-demand</i>, (like already pervasive delivery of video and audio content on-demand), as digitized in a Cloud for later, <i>multi-taneous</i>,[4] ever-replicable access.   Additionally, education need not be so formal, as someone can gain knowledge from virtually any video, blog post, or seminar – posted from anywhere and available everywhere (that does not have filtering or blocked sites) that they find online in their own identified field of pre-existing, related, or newly-created interest.</p>
<p><b>End-User Legal Authority/ License Autonomy/ Leveraged Ability (EULA3, or cubed):</b></p>
<p>(z) In the olden days (dating myself a little here), computer software was released and “sent” by snail-mail in shrink-wrapped packages.  Opening the package constituted acceptance of the manufacturer/ publisher End-User License Agreement (EULA).  Once you had broken the <i>shrink-wrap</i> packaging, it could prove difficult to impossible, to say that you had not accepted the EULA, or to try to return the software and get a refund if you had not otherwise fulfilled the warranty requirements, where they even existed.  Then, with the growth of online commerce/eCommerce, this turned into a <i>click-wrap</i> scenario, which still exists, somewhat.  By clicking on the appropriate “I accept” box or boxes, you accept the terms of use, EULA, and other conditions and prerequisites to download the software, access the site, utilize the online service, fully activate a device, or register its warranty, as appropriate.  Today, we have an increasing prevalence of shareware with licenses that are not quite free, but in the creative commons (too detailed for fuller presentation here); we have devices that are sold as locked but that can be unlocked – whether or not legally; contract hackers and programmers who work for a fee are available online, or through friends-of-friends; and stolen devices still under contract or EULA can be relatively easily wiped of data, re-programmed, and re-purposed with new Sim (Subscriber Identity Module) cards or software; whether right next door or on the other side of the world.</p>
<p>Users and developers of shareware, including “apps.” available for download and use on various trusted and not so trusted sites, now have added and significant <i><span style="text-decoration:underline;">legal authority</span></i> to use and further develop or customize them (screensavers, fonts, skins, and avatars)  to their own liking.</p>
<p>Those using un-locked devices – <i>howsoever obtained</i> – have a significant degree of <i><span style="text-decoration:underline;">license autonomy</span></i>, as they can be free from multi-year contracts; they can sometimes be free from geographic restrictions on where they can use their smartphones or play their DVDs; and they can also be free (whether through active choice or by default setting, depending on the jurisdiction) from having add-ons bundled with initial programs (EU), from having their location automatically tracked by the service provider (opt-out), and from the compulsory download of automatic updates that may conflict with programs and applications installed on the device since its initial purchase or acquisition.  Of course, an original purchaser would already have known of the manufacturer/developer caveat that the item might not work as originally envisaged if automatic updates were not accepted.  However, the later purchaser or recipient of dubious propriety, might have the device wiped and/or locked, and/or tagged on him or her when searching for an update online.  Life as lived in a certain way, will always have its risks, for those who dare there stay!</p>
<p>The increasing online prevalence of tools and technologies enabling groups to collaborate, individuals to innovate, and everyone to share almost anything from everywhere, with everyone at any time, provides us all with significant <i><span style="text-decoration:underline;">leveraged ability</span></i>.  This has ranged from simple apps. (for almost anything thinkable and unthinkable); through online groups, archives, fora, encyclopedias, and societies (ditto); to the ever-expanding plethora of additionally leveraging SaaS, PaaS, IaaS, and NaaS[5] offerings.</p>
<p><span style="text-decoration:underline;">END-STATE</span>:</p>
<p><i><span style="text-decoration:underline;">Control</span></i> once held by the manufacturer and copyright holder over the consumer and what he or she could legitimately do with the former’s intellectual property has been reduced, in some cases to zero; this massive <i><span style="text-decoration:underline;">Shift</span></i> of power to the consumer from the variety of choices, service options, and delivery channels available to them and in constant competition for market share, has now served to virtually <i><span style="text-decoration:underline;">Delete</span></i> the EULA as once known, with end-users experiencing significant legal authority, license autonomy, and leveraged ability.  “<i>No contract</i>”; “<i>unlocked</i>”; “<i>number portability</i>”; “<i>free wifi</i>”; “<i>roaming included</i>”; “<i>unlimited data package</i>” – these are the <i>new</i> and standard terms, <i>now</i>!!</p>
<p>Apparently, these terms are all here to stay (and get even better in favour of the now-empowered consumer), to the extent that data-flows and internet flexibility are not slowly or suddenly throttled by sometimes competing security and IPR (Intellectual Property Rights) interests, and so long as PWC’s <i>2013 Top 10 Technology Trends for Business</i>[6] continue to enable &amp; expand these <i>2013 Top 5 Technology Trends for Consumers</i> that I have identified above, in this post.</p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] PricewaterhouseCoopers LLP.  <i>Digital IQ – 2013 Top 10 Technology Trends for Business</i>.  Results of the 5<sup>th</sup> Annual, PwC Digital IQ Survey.  Published on pwc.com, in 2013.  Online: &gt;<a href="http://www.pwc.com/us/en/advisory/2013-digital-iq-survey/top-10-technology-trends-for-business.jhtml">http://www.pwc.com/us/en/advisory/2013-digital-iq-survey/top-10-technology-trends-for-business.jhtml</a>&lt;</p>
</div>
<div>
<p>[2] <i>Id</i>.</p>
</div>
<div>
<p>[3] <i>See e.g.</i> Ekundayo George.  <i>What about hospital BYOD?</i>  Published on ogalaws.wordpress.com, October 7, 2012.  Online: &gt;<a href="http://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/">http://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/</a>&lt;</p>
</div>
<div>
<p>[4] I have not seen the word used in this specific context before, and so I thought I might as well use it here.  It stands for “<i>simultaneous access in multiple locations on multiple platforms or devices</i>”; as possible through an intermediary Cloud Services Provider with a high and demonstrably reliable SLA, given industry outages to date, or a robust private/hybrid Cloud capable of running multiple and adequately buffered instances at once – providing the user (read thin- or rich- “<i>client device</i>”), can access adequate bandwidth and memory (as applicable), and a stable power supply.</p>
</div>
<div>
<p>[5] <i>See e.g</i>. Ekundayo George.  <i>Data Protection and Retention in the Cloud: Getting it Right</i>.  Published on ogalaws.wordpress.com, March 11, 2013.  I further define these 4 (“four”) SaaS service offerings here, at notes 1 through 5 and accompanying text.  Online: &gt; <a href="http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/">http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/</a>&lt;</p>
</div>
<div>
<p>[6] <i>Supra</i> note 1.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Data Protection and Retention in the Cloud: Getting it Right.</title>
		<link>http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/</link>
		<comments>http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/#comments</comments>
		<pubDate>Mon, 11 Mar 2013 03:25:43 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Outsourcing and Cloud Computing]]></category>
		<category><![CDATA[ABA Active Cyber Defense]]></category>
		<category><![CDATA[cloud data protection]]></category>
		<category><![CDATA[PCI-DSS]]></category>
		<category><![CDATA[verizon 2012 Data Breach Investigation Report (DBIR)]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=440</guid>
		<description><![CDATA[Much attention is focused on the “Triple A” of Cloud services, namely: Availability all the time (Service Level Agreements and uptime claims); Appropriate access controls (passwords and authentication); and Alteration protection and audit trails, which is especially critical in terms of eDiscovery, and responsibility in ensuring the entity’s ability to effectively backup, recover, and archive [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Much attention is focused on the “<i>Triple A</i>” of Cloud services, namely: <span style="text-decoration:underline;">Availability all the time</span> (Service Level Agreements and uptime claims); <span style="text-decoration:underline;">Appropriate access controls</span> (passwords and authentication); and <span style="text-decoration:underline;">Alteration protection and audit trails</span>, which is especially critical in terms of eDiscovery, and responsibility in ensuring the entity’s ability to effectively backup, recover, and archive its data on a regular basis, and to restore its data on-site or off-site after the fact of a contingency event.</p>
<p>Whether you are thinking of a far-flung transnational operator or a small business, the following are 8 (“eight”) factors to <b>constantly revisit</b> in <i>getting it right</i> when considering or indulging in cloud services.</p>
<p>1.   <b><span style="text-decoration:underline;">Backup Cloud</span>:</b> If you have critical functionalities that have moved completely or almost completely to a cloud-based solution (SaaS,[1] PaaS,[2] IaaS,[3] NaaS[4]),[5] then it is highly advisable to have a backup cloud.  Whether this is done as a failover provision (not always easy to coordinate the two providers), or the running of parallel instances (such as accessing a standalone data archive with staggered replication between those two or more remote access nodes, so permitting them to jointly recover the entire data set should access to the central archive suddenly cease), is ultimately the consumer’s decision.  It is important to remember in the former scenario, however, that if it is not working or suddenly stops working, then it might not be able to failover on its own, without external intervention.  This is especially true if the stoppage is due to a utility outage, climatic event, or human action (terrorism, error, criminality, or hacktivism).</p>
<p>2.   <b><span style="text-decoration:underline;">Effective Version Controls</span>:</b> Backup, recovery, and replication processes can be configured in a variety of ways, from the guarantee that a single newer version replaces a single older one, to cases where multiple older versions are retained and disposed-of in sequence as new ones are stored.  Mishaps or mis-alignments in this process can lead to sometimes irretrievable loss of valuable data, which must be avoided.  It may well be true that short of <i>walking hard drives and zip drives</i>, many modern “losses” may still be recoverable.  However, with the increasing complexity and sensitivity of the back-end tools, and the difficulty and active management required to get them to work well together (within promised SLA parameters) for enough of the time, the costs can be prohibitive.  Doing it right the first time, should always be the goal.</p>
<p>3.   <b><span style="text-decoration:underline;">Security Consciousness</span>:</b>  There is significant current media and government focus (here in North America and Canada) on the topic of hacking and data exploitation.  One report,[6] indicates that while 54% and 20% respectively of all 2012 breaches were in the accommodation and food services industries, and the retail trade industry,[7] external threats accounted for 95% of all breaches.[8]  With regard to the actors, 83% of breaches against all organizations reporting, were by organized criminal groups,[9] and the descending-order ranking of breach motivation for exploits at large organizations, was: financial or personal gain (71%); disagreement or protest (25%); fun, curiosity, or pride (23%); and grudge or personal offence (2%).[10]  The disgruntled current or former employee with a grudge, is <i>apparently</i> less of a threat than the current employee in deep financial distress, who himself or herself is also <i>apparently</i> less of a threat than the totally unknown but well-financed and staffed criminal organization or state actor that wants access at almost any cost, to the treasure-chest of information on your servers or on the servers of your Cloud Services Provider (CSP).  However, “apparently” is just that, because the reality is joint or co-opted action.  In stating that 65% of internal agent breaches were through a cashier, teller, or waiter, the report also found that “<i>[t]hese individuals, often solicited by external organized gangs, regularly skim customer payment cards on handheld devices designed to capture magnetic stripe data.  The data is then passed up the chain to criminals who use magnetic stripe encoders to fabricate duplicate cards</i>”.[11]  The threat landscape is deep, diverse, and dynamic.  
Forewarned with this knowledge, you should have no choice but to be security conscious, spurring you on to craft strategies appropriate to your industry, entity, and V5,[12] to protect your client and other critical data, systems, and processes against compromise, criminality, and a completely unrecoverable disaster.</p>
<p>4.   <b><span style="text-decoration:underline;">Traditional (off-Cloud) Backup</span>:</b> Whether the cloud package is offsite, uses in-house accessories, or is a hybrid solution, off-cloud backup may still be an option – whether in addition to or as an alternative for, a backup cloud.  An offline backup sequence that occurs weekly, daily, or several times during the day depending on the interplay (V5)[13] of data <i>Volume</i> (sheer amount), <i>Velocity</i> (speed of its change), <i>Variety</i> (by operating division, product line, client, transaction, trade or other event, analytical element or matrix of elements in the case of big data, and so forth), <i>Value</i> (its criticality to the core functionality, as well as its full replicability on short-order), and <i>Vulnerability</i> (susceptibility to internal, external, and developing threats), with tapes transported, maintained, and regularly tested for their usability, offsite, is a highly-advisable redundancy.  In the event that the primary workspace is compromised and cloud connectivity interrupted, a well-prepared and practiced entity may – <i>far more swiftly and smoothly than the competition</i> &#8211; be able to recover from an initial adverse event or sequence of same, and resume operations in an alternate location using the backup tapes, staff able to reach that location if telecommuting remains unavailable, and either pre-positioned or called-in equipment; as available through an expanding group of contingent offsite emergency recovery solution/outcome providers.</p>
<p>5.   <b><span style="text-decoration:underline;">Data Retention Policies</span>:</b> Be aware of, and attune your operations to, applicable data retention policies.  Courts in the United States have, to date, proven more eager than Canadian courts to sanction parties for failing to preserve, protect, and produce data that they should have kept by law, and didn’t, or data that they could have had to present at a court or regulatory proceeding, but couldn’t, due to its initial non-retention.  There may be specific rules pertinent to your industry (such as food, or financial services and the PCI-DSS), your activity (such as Intellectual Property filing/prosecution, and healthcare), or your jurisdiction (differing in Canada and the European Union, for example).</p>
<p>6.   <b><span style="text-decoration:underline;">Advisable (and accelerating) Best Practices</span>: </b>Having your data resident (whether by bald custody or actual control, in accordance with your Cloud Services Agreement) in the pocket of a third-party, has its obvious risks.  There are also several more subtle ones, which I have canvassed at some length elsewhere in my several blogs on the cloud and outsourcing in general.  It used to be the fact that: (i) the lawmakers would write a law either creating a new regulator or authorizing an existing regulator to act; (ii) proposed regulations would be published for comment; (iii) final regulations would issue; and (iv) tests in court would help to better define and refine them.  Now, everything is in reverse.  An event leads to tests in court, the regulator makes a knee-jerk reaction to try and restore sanity in the interim, there is a public outcry (either here, or earlier in this reversed process), and then a law is passed; which may start the entire sequence again if the law is too broad, not broad enough, or has some adverse effect on a specified/protected group or interest.  “Best Practices in the Cloud” must for now, remain a still-evolving paradigm, so watch your <i>prose</i> (know what you draft and sign), listen to <i>those-in-the- know</i> (pay attention to ongoing doings, debates, and developments), and <i>stay on your toes</i> (be nimble and adaptive, and keep an open mind in this rapidly-changing service space).</p>
<p>7.   <b><span style="text-decoration:underline;">Transferring Risks</span>: </b><i>Insure thyself!</i>  The costs of privacy practices, data breach liability, and similar lines of insurance have come down due to a modicum of standardization, and increased prevalence and awareness of their value from breach announcements occurring in several industries and jurisdictions; despite apparent best efforts.  Business interruption insurance has long been an option, and now, there are contingent event recovery services that can provide pre-packaged, tailored recovery solutions for a fixed monthly price; which is akin to insurance.  Risks can be transferred (insurance), shared (pooling), accounted for (planning), and limited (due diligence and best practices).  However, they can never be fully eliminated.  Be prepared, practice and game a variety of disaster and other contingency scenarios within your organization on a regular basis – whether actually or as tabletop exercises,[14] and expect the unexpected!  Utilities fail; climatic events don’t discriminate; and irrational actors, opportunists, state actors, hacktivists, and criminals all remain predictable in one respect: they <i><span style="text-decoration:underline;">will</span></i> act!</p>
<p>8.   <b><span style="text-decoration:underline;">Alert and Notification Protocols</span>:</b> There is really no substitute for a solid system of internal controls. Pre-employment background checks, segregation of duties, authentication and access logging, counterparty due diligence, and strictly enforced policies, are all critically important.  Only 2% of 2012 breaches for misuse were as a result of inappropriate web or internet usage (surfing the wrong type of site, for example), whilst 43% were the result of abusing system access or privileges, and 50% were the result of using unapproved hardware or devices on work systems[15] (whether with BYOD, or as a workaround on strict network controls or prohibitions).  Having, properly configuring, and diligently checking logs is key to risk management.  However, the report also notes the rising challenge to proper data protection and retention from Anti-forensics[16] – <i>especially when someone else is handling functions, now outsourced on a Cloud, that were formerly done in-house</i>.  Cloud Security and Cybersecurity will, for now, remain as moving targets; even with current calls in the United States for laws empowering private actors to jointly take immediate steps (preserving evidence, curtailing breaches, or tracking sources, deeper structures, and sponsors of security events),[17] while regulators and Law Enforcement and National Security (LENS) actors either get up-to-speed, or use their own customized tools for some parallel or complementary actions.[18]</p>
<p>&nbsp;</p>
<p><b>CONCLUSION:</b></p>
<p>We all know the adage that asks why re-invent the wheel?  I think the Payment Cards Industry Standards Council has already done a very good job in establishing the framework for its members to follow in their data protection and retention efforts as they “process, transmit, or store” that data;[19] which with “access” &#8211; presupposed by those first three options, also constitute the majority, if not the totality, of functions that can currently be performed in/via the Cloud.</p>
<p>I also think that the 6 categorical elements of that PCI-DSS Standard,[20] are broadly applicable in other industries; especially with cloud-based or cloud-dependent entities and service models.  To allow for proper tailoring, the 12 sub-elements can of course remain customizable within each of the SaaS, PaaS, IaaS, and NaaS sub-spaces.</p>
<p>There are many avenues that CSPs can pursue in efforts to self-regulate before something, perhaps more draconian than they had wanted, comes down firmly from the lawmakers and/or regulators above; whether with or without the precursor hue &amp; cry following an adverse incident.</p>
<p>Perhaps they may find something in the above that is worthy of trying.[21]</p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] Software as a Service (SaaS), including “<i>tools for processing, analysis, accounting, CRM, and back-office functions</i>”.</p>
</div>
<div>
<p>[2] Platform as a Service (PaaS), including tools “<i>for email, online backup, or desktops-on-demand</i>”.</p>
</div>
<div>
<p>[3] Infrastructure as a Service (IaaS), including “<i>tools for collaboration, integration, and visualization</i>”.</p>
</div>
<div>
<p>[4] Network as a Service (NaaS), including advanced virtualization tools, such as bandwidth-on-demand for multiple Virtual Private Networks (VPN)-on-demand, and for cloud-to-cloud networking on demand.</p>
</div>
<div>
<p>[5] <i>See generally</i>, Ekundayo George, at (f).  <i>In who’se pocket is your data packet? – International Data Governance</i>.</p>
<p>Published February 6, 2013 on ogalaws.wordpress.com.  Online: &gt;<a href="http://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/">http://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/</a>&lt;</p>
</div>
<div>
<p>[6] Verizon.  <i>2012 Data Breach Investigations Report (DBIR)</i>.  Published 2012, by Verizon.com.  Online: &gt;<a href="http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1">http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1</a>&lt;.  The report also discloses an error rate of +/- 4 percent.</p>
</div>
<div>
<p>[7] <i>Id</i>. at 11.</p>
</div>
<div>
<p>[8] <i>Id</i>. at 18.</p>
</div>
<div>
<p>[9] <i>Id</i>. at 20.</p>
</div>
<div>
<p>[10] <i>Id</i>. at 19.</p>
</div>
<div>
<p>[11] <i>Id</i>. at 21-2.</p>
</div>
<div>
<p>[12] <i>Infra</i>, note 13.</p>
</div>
<div>
<p>[13] The <i>V5 interplay</i>, is the mix of data <b>volume</b>, <b>velocity</b>, <b>variety</b>, <b>value</b>, and <b>vulnerability</b> that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.</p>
</div>
<div>
<p>[14] I have proposed a number of permanent executive positions for the C-Suite in modern business, including a Chief Contingency policies, plans, and practices Officer (CCO) with line and staff responsibility for all-hazards contingency affairs.  <i>See e.g</i>. Ekundayo George, at (i).  <i>10/4: the “C–Suite” in 2013 and beyond; who should really be there?  </i>Published November 21, 2012 on ogalaws.wordpress.com.  Online: &gt;<a href="http://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/">http://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/</a>&lt;</p>
</div>
<div>
<p>[15] Verizon.  <i>2012 Data Breach Investigations Report (DBIR)</i>, at 35.  Published 2012, by Verizon.com.  Online: &gt;<a href="http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1">http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1</a>&lt;.</p>
</div>
<div>
<p>[16] <i>Id</i>. at 55.</p>
</div>
<div>
<p>[17] American Bar Association (ABA).   <i>National Security Experts Discuss Options for ‘Active’ Cyber Defense</i>.  Published February 11, 2013, by ABA Division for Communications &amp; Media Relations, on abanow.org.  (Link to full podcast is available at bottom of page).  Online:</p>
<p>&gt;<a href="http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/%3c">http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/</a>&lt;</p>
</div>
<div>
<p>[18] <i>Supra</i> note 15, at 52.  Fully 59% of breaches at all organizations in 2012 (10% for large organizations), were “only” discovered by the target when it was notified of the breach, by an arm of law enforcement/national security.  Notification by third-party as a result of that third-party’s fraud detection measures came next, at 26% and 8% respectively.</p>
</div>
<div>
<p>[19] PCI Security Standards Council.  <i>PCI DSS Quick Reference Guide &#8211; Understanding the Payment Card Industry.  Data Security Standard version 2.0</i>. <i>For merchants and entities that store, process or transmit cardholder data</i>.  Published 2010 on pcisecuritystandards.org, by PCI Security Standards Council LLC.  Online:  &gt;<a href="https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf">https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf</a>&lt;</p>
</div>
<div>
<p>[20] <i>Id</i>. at 8.  These six categorical elements of the PCI Data Security Standard (DSS), are: (i) Build and maintain a secure network; (ii) Protect cardholder data; (iii) Maintain a vulnerability management program; (iv) Implement strong access control measures; (v) Regularly monitor and test networks; (vi) Maintain an information security policy.</p>
</div>
<div>
<p>[21] <i>Supra</i> note 15, at 58.  With regard to PCI DSS in the context of the 2012 Data Breach Investigation Report (DBIR), we read:</p>
<p><i>“Overall, the standard attempts to set a bar of essential practices for securing cardholder data.  Nearly every case that we have seen thus far has attributes of its breach that could have been prevented if the control requirements had been properly implemented.  Of course, there is no way to be certain that new and different tactics could not have been used by the perpetrators to circumvent a compliant entity’s controls”.</i></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>In who’se pocket is your data packet? – International Data Governance.</title>
		<link>http://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/</link>
		<comments>http://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/#comments</comments>
		<pubDate>Wed, 06 Feb 2013 23:17:29 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Outsourcing and Cloud Computing]]></category>
		<category><![CDATA[cloud server jurisdiction]]></category>
		<category><![CDATA[Cloud Snooping]]></category>
		<category><![CDATA[data governance]]></category>
		<category><![CDATA[duqu]]></category>
		<category><![CDATA[Foreign Intelligence Surveillance Act (FISA)]]></category>
		<category><![CDATA[stuxnet]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=435</guid>
		<description><![CDATA[Having practiced law in the United States and still keeping a discerning eye on the occasional changes in U.S. National Security and other laws, I wrote, quite some time ago,[1] that it was important for anyone and everyone migrating to a cloud platform or not even “thinking” they used one, to be aware of such [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Having practiced law in the United States and still keeping a discerning eye on the occasional changes in U.S. National Security and other laws, I wrote, quite some time ago,[1] that it was important for <i>anyone and everyone</i> migrating to a cloud platform or not even “<i>thinking</i>” they used one, to be aware of such things as where their data stood, slept, or transited.  Now, it seems that more Canadians are aware of the need for this, with a recent article in the Ottawa Citizen newspaper drawing attention to the “near-open-access” to any and all data on U.S. servers,[2] no matter who the owner is, or where in the world they physically sit,[3] or are legally domiciled.[4]  If something is already comfortably in your own pocket where you can sense it and hear it jingle-jangle as you walk and talk, then only in the most extraordinary circumstances will someone ask you not to adjust it or look at it at your leisure, and actually have you comply.</p>
<p>&nbsp;</p>
<p>I still believe that the Cloud “<i>is</i>” a positive development and that it “<i>can</i>” be a productive platform – especially in terms of backup and redundancy, or in disasters and emergency situations, as was recently proposed in New Jersey.[5]  However, this worthy end-state can only be reached, when:</p>
<p>(a)    <i>Properly governed</i> by the appropriate regulators in a more globally cooperative fashion;[6]</p>
<p>(b)   <i>Used</i> with eyes wide open by both vendors and clients, and with proper regard to their rights and duties regarding third parties;</p>
<p>(c)    <i>Balanced</i> with enterprise, agency, and personal best practices, and insurance coverage appropriate to the data, users, risks[7] and regulations, and custodians;</p>
<p>(d)   <i>Legal counsel</i> sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor;</p>
<p>(e)    <i>Industry Vendors</i> agree to some degree of stabilization and standardization, and a modicum of synchronization in exigent situations that adequately respects local laws;</p>
<p>(f)    <i>Companies</i> in that space, begin – <i>in addition to the current rules on breach disclosure, notification, and remediation</i> – to be more open in educating the public on some of the potential Cloud hazards, as well as on the potential benefits of the many and evolving cloud-based offerings now available, including: <span style="text-decoration:underline;">SaaS</span> ~ Software as a Service (tools for processing, analysis, accounting, CRM, and back-office functions); <span style="text-decoration:underline;">UaaS</span> ~ Utilities as a Service (providing video, audio, and gaming on demand); <span style="text-decoration:underline;">PaaS</span> ~ Platforms as a Service (for email, online backup, or desktops-on-demand); and <span style="text-decoration:underline;">IaaS</span> ~ Infrastructure as a Service (tools for collaboration, integration, and visualization).</p>
<p>&nbsp;</p>
<p>As a work in progress the Cloud space is not a perfect thing, but it “<i>is</i>” a growing and increasingly popular and pervasive one, and it should now be obvious that those who do not even “<i>think</i>” they need to know about the Cloud, should actually be paying the most attention to its growth and diffusion into more and more facets of their work, lives, and free- or down-time.</p>
<div>
<p>&nbsp;</p>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] <i>See</i> Ekundayo George.  <i>To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?</i> Text at points (c) and (d) under “<i>Disadvantages (potential)</i>”.  Published on ogalaws.com, December 28, 2011.  Online: &gt;<a href="http://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/">http://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/</a>&lt;</p>
</div>
<div>
<p>[2] Ian Macleod, The Ottawa Citizen.  <i>Cloud computing law puts Canadian users at risk of snooping by American spies</i>.  Published on ottawacitizen.com, February 2, 2013.  Online: &gt;<a href="http://www.ottawacitizen.com/business/Cloud+computing+puts+Canadian+users+risk+snooping+American/7907562/story.html">http://www.ottawacitizen.com/business/Cloud+computing+puts+Canadian+users+risk+snooping+American/7907562/story.html</a>&lt;</p>
</div>
<div>
<p>[3] The Telegraph.  <i>US authorities can spy on the iCloud without a warrant</i>.  Published on telegraph.com, January 30, 2013.  Online: &gt;<a href="http://www.telegraph.co.uk/technology/news/9836715/US-authorities-can-spy-on-the-iCloud-without-a-warrant.html">http://www.telegraph.co.uk/technology/news/9836715/US-authorities-can-spy-on-the-iCloud-without-a-warrant.html</a>&lt;</p>
</div>
<div>
<p>[4] Of course, some people have proclaimed that increasing encryption is the answer to protecting one’s privacy online.  However, considering the facts that: (i) the United States (although not the only place where they are made) puts severe restrictions on the export of certain technologies including those for encryption; (ii) it is commonly known in the security and technology fields that certain nations have an ability to “pre-etch” backdoors into their chips; (iii) external attacks may be targeted at specific hardware, software, or “<i>usage/speech</i>” by means of little known vulnerabilities, through the growing family of tools that now includes Stuxnet, Duqu, Flame, and Gauss, as well as the “Anonymous” entity, and others now in existence or still as yet unknown; and (iv) certain promoters of greater encryption have tended to receive greater regulatory attention …. this may be a little hard.</p>
</div>
<div>
<p>[5] Katie Eder.  <i>Experts consider how to address communications challenges ahead of next Sandy</i>.  Published on njbiz.com, February 5, 2013.  Online:  &gt;<a href="http://www.njbiz.com/article/20130205/NJBIZ01/130209911/Experts-consider-how-to-address-communications-challenges-ahead-of-next-Sandy">http://www.njbiz.com/article/20130205/NJBIZ01/130209911/Experts-consider-how-to-address-communications-challenges-ahead-of-next-Sandy</a>&lt;</p>
</div>
<div>
<p>[6] David Kravets.  <i>Internet Safe From Globalized Censorship as UN Treaty Fails</i>.  Published on wired.com, December 14, 2012.  Online: &gt;<a href="http://www.wired.com/threatlevel/2012/12/united-nations-internet/">http://www.wired.com/threatlevel/2012/12/united-nations-internet/</a>&lt; Many naysayers had predicted that the goal of this conference was UN-domination of the internet, but its failure might have actually been due to the reluctance or outright refusal of certain nations, to submit to limits on extraterritorial surveillance.</p>
</div>
<div>
<p>[7] Terry Collins and Anne D’Innocenzio, The Associated Press.  <i>Twitter hackers nab data on 250,000 accounts</i>.  Published on ottawacitizen.com, February 2, 2013.  Online: &gt;<a href="http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html">http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html</a>&lt;</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
		<item>
		<title>Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.</title>
		<link>http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/</link>
		<comments>http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 16:04:15 +0000</pubDate>
		<dc:creator>Ogalaws</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Access monitoring]]></category>
		<category><![CDATA[Audit logs]]></category>
		<category><![CDATA[Bob outsourced to China]]></category>
		<category><![CDATA[Cyber Insecurity]]></category>
		<category><![CDATA[Employee as worst enemy]]></category>
		<category><![CDATA[Employee Screening]]></category>
		<category><![CDATA[IT Employee Best Practices]]></category>
		<category><![CDATA[Outsourced Cybersecurity]]></category>
		<category><![CDATA[The case of Bob]]></category>

		<guid isPermaLink="false">http://ogalaws.wordpress.com/?p=430</guid>
		<description><![CDATA[Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors, right here in North America, might be the greatest danger and the weakest link in the chain.  The story [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors, right here in North America, might be the greatest danger and the weakest link in the chain.  The story recently surfaced of a man who had outsourced his many software development contracts, at several different employers, to offshore developers in China.[3]  He provided them with all his access codes and scripts, and was basically absent at work.  For how long he did this, how much additional data those <i><span style="text-decoration:underline;">sub-contractors</span></i> were able to access and potentially download from those employers, and who they were … we may never fully know!</p>
<p>&nbsp;</p>
<p>As I have stated at length,[4] you need to take a comprehensive approach to Cybersecurity that also watches the employees and contractors at your back, while you are watching the outsiders in front of you.  In scanning only those 180 degrees left to right, and those 180 degrees north to south at your front, you are missing exactly that same size of iceberg at your back.  You must engage in strict Segregation of Duties, initial background checks, data logs and audit trails, constant network monitoring, and other actions.</p>
<p>&nbsp;</p>
<p>Apparently, only one of his employers noticed a problem, and sought (outsourced) a deeper look.  Even then, why did it take so long for them to discover that: (i) the credentials assigned to a domestic worker; (ii) were accessing the system out of work hours, almost non-stop; (iii) from a place where the worker was not last noted to have traveled?  There needs to be more of a focus on internal security, employee access logging (where and when, for how long, and how frequently), and real-time system access audits.</p>
<p>&nbsp;</p>
<p>Clearly, it seems that some U.S. employers are still far from having a <span style="text-decoration:underline;">serious</span> approach to Cybersecurity.[5]</p>
<div>
<p>&nbsp;</p>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] Mark Clayton, Staff writer.  <i>Cyber security in 2013: How vulnerable to attack is US now?</i>  Published on csmonitor.com, January 9, 2013.  Online: &gt;<a href="http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video">http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video</a>&lt;</p>
</div>
<div>
<p>[2] Ed Beeson/The Star-Ledger.  <i>N.J. businesses should brace for higher cyber security costs, complexity, experts warn</i>.  Published on nj.com, January 15, 2013.  Online: &gt;<a href="http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html">http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html</a>&lt;</p>
</div>
<div>
<p>[3] Claire Gordon.  <i>Man Reportedly Outsources His Own Job To China &#8212; Then Spends His Time Watching Cat Videos.</i></p>
<p>Published on jobs.aol.com, January 16, 2013.  Online: &gt;<a href="http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/">http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/</a>&lt;</p>
</div>
<div>
<p>[4] Ekundayo George.  <i>Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach</i>.</p>
<p>Published on ogalaws.wordpress.com, December 9, 2011.  Online: &gt;<a href="http://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/">http://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/</a>&lt;</p>
</div>
<div>
<p>[5] More details about the May, 2012 discovery of that employee are available here.  <i>See</i> Andrew Valentine.  <i>Case Study: Pro-active Log Review Might Be A Good Idea</i>.  Published on verizonbusiness.com, January 14th, 2013.  Online: &gt;<a href="http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659">http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659</a>&lt;</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/eafabccdb7db7422774545c3f9cca279?s=96&#38;d=http%3A%2F%2F2.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">ogalaws</media:title>
		</media:content>
	</item>
	</channel>
</rss>
