SPOLIATION PARLAY:

The Virginia wrongful death litigation of Lester v. Allied Concrete, in which cost sanctions[1] were awarded for spoliation of online evidence,[2] has a new compatriot in the New Jersey case of Gatto v. United Airlines.[3]  Counsel should be mindful when advising clients with regard to electronic evidence: Judges are taking note, and are increasingly ready to issue adverse inference “spoliation instructions” along with steep monetary sanctions for spoliation of evidence arising from a failure of Information Governance generally, and of document retention practices specifically, especially in the exponentially expanding category of Electronically Stored Information (ESI).

One member of the Gartner Group has defined Information Governance, as “[…] the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information.  It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals”.[4]

Focusing on the last seven words of this definition, “enabling an organization to achieve its goals”, winning the case should not come at the expense of sanctions that lead to a lost case, that wipe out the award from a victory, or that leave the winner of a pyrrhic victory in the negative after paying a sanctions award to the losing but smiling party.  In at least one of the above cases of Lester and Gatto, Counsel had apparently advised the client to “clean up” their Facebook, or something like that.  It is vitally important that Counsel get to grips, and up to date, with the expanding offerings of online social media tools, and their impacts on the litigation landscape, the document retention matrix, the scope of Professional Responsibility, and the cost of sanctions for spoliation and failures to produce.

Spoliation is “the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation”.[5] [emphasis added].

THE STANDARDS, TODAY:

As Mosaid,[6] Zubulake,[7] and Goodyear[8] show, not all Judges and Magistrate Judges will see mere adverse inference instructions, which allow the errant side to still try their luck, as enough of a deterrent.[9]  Indeed, in a January 15, 2010 opinion entitled Zubulake Revisited: Six Years Later,[10] Judge Scheindlin clarified her thoughts on Information Governance and e-Discovery of Electronically Stored Information (ESI) by providing several solid, useful, bright-line rules distinguishing between ESI lapses that amount to negligence, willfulness, and gross negligence.

“[…], it is well established that negligence involves unreasonable conduct in that it creates a risk of harm to others, but willfulness involves intentional or reckless conduct that is so unreasonable that harm is highly likely to occur.”[11]

Gross negligence has been described as “a failure to exercise even that care which a careless person would use”.[12]

In addition to her analysis, Judge Scheindlin issues a clear caveat: “[t]hese examples are not meant as a definitive list.  Each case will turn on its own facts and the varieties of efforts and failures is infinite”.[13]  However, applying the above standards to specific steps of the litigation process, she continues in what I here condense and present as a handy cheat-sheet.

1. Preservation of Relevant Information.

“A failure to preserve evidence resulting in the loss or destruction of relevant information is surely negligent, and, depending on the circumstances, may be grossly negligent or willful”.[14]

2. Intentional Hampering Acts (*author’s terminology).

“[…] the intentional destruction of relevant records, either paper or electronic, after the duty to preserve has attached, is willful”.[15]

3. Issuance of a Litigation Hold.

“Possibly after October, 2003, when Zubulake IV was issued, and definitely after July, 2004, when the final relevant Zubulake opinion was issued, the failure to issue a written litigation hold constitutes gross negligence because that failure is likely to result in the destruction of relevant information”.[16]

4. Collection and Review.

“[…] depending on the extent of the failure to collect evidence, or the sloppiness of the review, the resulting loss or destruction of evidence is surely negligent, and, depending on the circumstances may be grossly negligent or willful.  For example, the failure to collect records – either paper or electronic – from key players constitutes gross negligence or willfulness as does the destruction of email or certain backup tapes after the duty to preserve has attached”.[17]

5. Litigation Dragnets (*author’s terminology).

“By contrast, the failure to obtain records from all employees (some of whom may have had only a passing encounter with the issue in the litigation), as opposed to key players, likely constitutes negligence as opposed to a higher degree of culpability”.[18]

6. Additional Preservation Measures (*author’s terminology).

“[…] the failure to take all appropriate measures to preserve ESI likely falls in the negligence category”.[19]

7. Assessing the Relevance and Prejudice of Spoliated Evidence (*author’s terminology).

“[…] for more severe sanctions – such as dismissal, preclusion, or the imposition of an adverse inference – the court must consider, in addition to the conduct of the spoliating party, whether any missing evidence was relevant and whether the innocent party has suffered prejudice as a result of the loss of evidence”.[20]

8. Presumptions of Relevance; Jury Instructions (*author’s terminology; emphasis added).

“Where a party destroys evidence in bad faith, that bad faith alone is sufficient circumstantial evidence from which a reasonable fact finder could conclude that the missing evidence was unfavourable to that party”.[21]

In the extreme, willful or bad faith conduct can bring jury instructions “that certain facts are deemed admitted and must be accepted as true”; in the mid-range, willful or reckless conduct may bring jury instructions imposing a “mandatory but rebuttable” presumption.[22]

At the baseline-level, an instruction may issue that “permits (but does not require) a jury to presume that the lost evidence is both relevant and favorable to the innocent party.  If it makes this presumption, the spoliating party’s rebuttal evidence must then be considered by the jury, which must then decide whether to draw an adverse inference against the spoliating party”.[23]

9. Fitting the Sanction to the Conduct/Misconduct (*author’s terminology).

“It is well accepted that the court should always impose the least harsh sanction that can provide an adequate remedy.  The choices include – from least harsh to most harsh – further discovery, cost-shifting, fines, special jury instructions, preclusion, and the entry of default judgment or dismissal (terminating sanctions).  The selection of the appropriate remedy is a delicate matter requiring a great deal of time and attention by a court.”[24]

10. When Terminating Sanctions are Appropriate (*author’s terminology).

“However, a terminating sanction is justified in only the most egregious cases, such as where a party has engaged in perjury, tampering with evidence, or intentionally destroying evidence by burning, shredding, or wiping out computer hard drives”.[25]

THE TAKEAWAY:

Actively backup (all ESI systems of the client, of Counsel, and of the agents for each);

Be comprehensive (in coverage scope: in-house systems, mobiles, external providers);

Communicate duties (in advance and ongoing: Counsel to client; client to Counsel);

Diligently enforce (client for Counsel oversight; Counsel to confirm compliance);

Educate fully your employees and agents (client-side, Counsel-side, and outside);

Fix snafus, logjams, and communications failures as fast and fully as possible;

Get professionals involved in your Information Governance plans very early.

ESI is here to stay, and is expanding in depth and breadth at an extreme pace; e-Discovery has caught up, and is keeping up – at least in the Second Circuit and the Districts it comprises, and also in the United States Court of Appeals for the Federal Circuit.[26]  Counsel should follow suit!

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Lester v. Allied Concrete, (Case No. CL08-150, and Case No. CL09-223), Final Order dated October 21, 2011 (Va. Cir. Ct. 2011). Online: >http://www.scribd.com/doc/78439131/Lester-v-Allied-Concrete-CL08-150-102111-Final-Order< The amount of the final sanction was a fees award of $722,000.00.

[2] Lester v. Allied Concrete, (Case No. CL08-150, and Case No. CL09-223), Ruling dated September 1, 2011 (Va. Cir. Ct. 2011).  This ruling granted inter alia, a motion for sanctions (the party deleted Facebook photos then the account, and later swore under oath to never having done so, with their legal counsel further attesting that the client did not own a Facebook account); all after the other side had gotten wind of the account and requested production.  Online: >http://valawyersweekly.com/vlwblog/files/2011/09/Lester-Hogshire-order.pdf<

[3] Gatto v. United Air Lines, Inc., No. 10-cv-1090, 2013 U.S. Dist. LEXIS 41909, slip op. at 11 (D.N.J. Mar. 25, 2013).  Ruling dated March 25, 2013.  Once again, a Facebook account had been improperly deleted after a production request and Order.  The Judge, here, (stating at note 1 on page 5 of the Judgement that there was no difference to him between mere “account deactivation” and “permanent account deletion” with regard to spoliation: “[…]as either scenario involves the withholding or destruction of evidence [.]”), ruled that an adverse inference instruction to the jury would suffice, and declined to impose a monetary sanction.  Online: >http://www.technologylawsource.com/uploads/file/GattovUnitedAirLinesCaseNo10-cv-1090-DNJ.pdf<

[4] Debra Logan, Research VP, Gartner Research.  What is Information Governance?  And Why is it So Hard?  Published on blogs.gartner.com, January 11, 2010.  Online: >http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/<

[5] This definition was laid down by United States Circuit Judge Joseph M. McLaughlin, writing the February 12, 1999 judgement of a unanimous 2nd Circuit panel in West v. Goodyear Tire & Rubber Co., 167 F3d 776, 779 (1999).  There, the 2nd Circuit remanded a case on finding that outright dismissal of Plaintiff’s negligence action for spoliation (disposing of the allegedly malfunctioning device) was too draconian a sanction.  It was followed by the Southern District of New York with United States District Judge Shira A. Scheindlin’s July 20, 2004 ruling in Zubulake v. UBS Warburg LLC, 229 F.R.D. 422 (2004) – sometimes also styled Zubulake V – an employment discrimination case involving spoliation by failure to preserve and produce backup email tapes, that was itself a precedent in the guidance the Judge issued for future electronic discovery practices; as well as by the New Jersey District Court with the December 7, 2004 ruling of United States District Judge William J. Martini, in Mosaid Technologies v. Samsung Electronics, 348 F.Supp.2d 332, 335 (D.N.J. 2004), also involving the spoliation of electronic evidence where the failure to specifically mention “emails” within/alongside a request for the production of “documents”, should not have permitted the non-production and willful destruction of those emails.

[9] See contra, Gatto, at note 3, supra, and accompanying text.

[10] Zubulake Revisited: Six Years Later (January 15, 2010 Amended Opinion and Order of United States District Judge Shira A. Scheindlin, in) Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities, LLC, No. 05 Civ. 9016 (SAS), 2010 WL 93124 (S.D.N.Y. Jan. 11, 2010).  Online: >http://ralphlosey.files.wordpress.com/2010/01/05cv9016-january-15-2010-amended-opinion.pdf<

[11] Id. at page 7 of the 88 page Amended Opinion and Order.

[12] Id. at page 8.

[13] Id. at page 10.

[14] Id. at pages 8-9.

[15] Id. at page 9.

[16] Id. at page 9.

[17] Id. at page 10.

[18] Id. at page 10.

[19] Id. at page 10.

[20] Id. at page 14.

[21] Id. at page 15.

[22] Id. at pages 21-22.

[23] Id. at page 22.

[24] Id. at pages 19-20.

[25] Id. at pages 20-21.

[26] See Ekundayo George.  GRC: Governance (Part 2).  Published on ogalaws.wordpress.com, October 29, 2012, at note 12 and accompanying text.  Online: >https://ogalaws.wordpress.com/category/regulatory-and-government-affairs/governance-risk-compliance-grc-and-sanctions/<  Model e-Discovery Order for patent litigation, as presented to the Eastern District of Texas Judicial Conference on September 27, 2011, by the Honourable Randall R. Rader, Chief Judge of the United States Court of Appeals for the Federal Circuit.


I would say there are essentially seven stages in this trajectory, being:

(i) SaaP;

(ii) SaaS;

(iii) SaaR;

(iv) S3aUR;

(v) PCSS;

(vi) SaEE/SaEA;

(vii) PC3S.

Kindly allow me to explain.

SaaP – Software as a Product:

(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.

SaaS – Software as a Service:

(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value was added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring the outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.

SaaR – Software as a Right:

(iii) Although many don’t quite see it – because Stage 4 is already taking the limelight ahead of its time – Stage 3 is when we start to see Software as a Right (SaaR).  Software is becoming a right because cost-cutting has led several European and North American governments to cut funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with and sometimes without first putting them through the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications), and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) move online, software becomes a right, to the extent that people need it for access to these essentials of daily living.

S3aUR – Software and Systemic Security at Undue Risk:

(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk in multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and just bad design, mismatched configuration, or absent/inactive management.  There are climatic and other intervening “exigent events”.  However, the argument will always be made that these (including climate change), were predictable, and could therefore have been better planned for and their effects, controlled.

PCSS – Persistent Cloud Security Systems:

(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how best to structure,[4] roll out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in, working consistently and predictably under common rules or principles to drill down on, rein in, and prosecute actors in the under-most belly of the Deep Web.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4’s insecurity tsunami.

SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation:

(vi) Of course, being a non-Wizard, I cannot say precisely what term will be used.  It is possible, just as is currently the case with the Stage 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether by pull-down or push-out from the update source, will eventually start to fall too far behind the developing threats and vulnerabilities presented.  At that point, one or more governments may “force” this Stage 6.

There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.

Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.

As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.

PC3S – Pure Collectivized Communications Culture System:

(vii) Then, once everyone who counts or wants to count is wired up (or at least, all who want to be able to eat & drink, fully & freely exercise inalienable rights, or buy & sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay-as-you-go system with monthly user fees and transaction levies (ePayment only, in a cashless society, with interest-bearing pay-day loans preferred so as to keep everyone happily hard at work for their own self-serving purposes) that by definition includes all but the “obvious terrorists”), we will have that Stage 7, a Pure Collectivized Communications Culture System.  If software becomes embedded to get around hacking, then who is to say that a person’s brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders) will resist the temptation to hack someone’s brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20th and 21st Century books and movies may quickly come to mind.[6]

SUMMARY:

Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in these above 7, that have already taken place, or that are …. “something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor”!  It is said that being fore-warned is to be fore-armed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?

************************************************************************



[1] See e.g. Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published on ogalaws.wordpress.com, January 17, 2013.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[2] See Adam Edelman/New York Daily News.  Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: >http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372<  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting business that will take all-comers, “except child porn and anything related to terrorism”), and The Spamhaus Project (a non-profit centred in London and Geneva, but with operating nodes in ten nations, that “works to help email providers filter out spam”), has led to the largest DDoS in history, with a data stream attack magnitude of 300 billion bits per second, when 50 billion bits would suffice to bring down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack” just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators.  Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  See Infra, note 5.  See also The Spamhaus Project homepage.  Online: >http://www.spamhaus.org/organization/<; The Cyberbunker Data Centers homepage.  Online: >http://www.cyberbunker.com< (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article posted).

[3] See e.g. Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[4] See e.g. Mikael Ricknäs, IDG News Service.  AWS takes aim at security conscious enterprises with new appliance.  Published on itworld.com, March 27, 2013.  Online: >http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359<  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  Segregation of Duties (SoD) best practices are thus clearly translated into the cloudsphere.

[5] See Gil David.  The Dark Side of the Internet.  Published on israeldefence.com, December 1, 2012.  Online: >http://www.israeldefense.com/?CategoryID=483&ArticleID=1756<  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “Internet of Things” to come.

[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society: as machines did so much, people would have more time on their hands to relax and actually enjoy life.  Now, the “massively unemployed, migrating mass populations” in almost all geographic zones and nations mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union – or with one or more of its “pending former” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.

RATIONALE:

I was recently reading the PWC/Digital IQ Report, entitled “2013 Top 10 Technology Trends for Business”,[1] when I deduced that something was missing.  Rather than say that the venerable PWC were wrong in omitting something (who am I?), I thought it better to bring my views to light with a separate but related story; hence this blog post, with a title that plays on that of the PWC Report.

The PWC/Digital IQ Report identifies and presents the 2013 top 10 tech trends for business as: (1) Pervasive computing; (2) Cybersecurity; (3) Big Data mining and analysis; (4) Private Cloud; (5) Enterprise social networking; (6) Digital delivery of products and services; (7) Public Cloud infrastructure; (8) Data visualization; (9) Simulation and scenario modeling; and (10) Gamification.[2]

IDENTIFICATION:

One might say that these are, each and all, complete in and of themselves.  However, the additional trends for consumers that they inspire should, I feel, be presented as either:

(a) additional trends (numbered 11 through 15) for businesses (considering the business-to-consumer/business-to-business implications and possibilities); or

(b) as separate & distinct (numbered one through five), consumer specific trends.

These five are: (v) Accelerated lived experience; (w) BYOD; (x) Crowdsourcing; (y) Distance education; and (z) End-User legal authority/license autonomy/leveraged ability (EULA3, or cubed).  Hence, choosing (b), I detail them below as separate and distinct, consumer-specific trends.

SPECIFICS:

Accelerated Lived Experience:

(v) The speed at which information now moves has led to an accelerated lived experience, for everyone.  Anything and everything posted in a social media setting can be shared instantaneously, with millions of people all over the world.  And, once something is released into the wild of the web, it can “never” be taken back.  Legally, there are archives of webpages, tweets, blogs, pictures, videos, and postings – even the deleted ones – kept by licensed players within the internet superstructure; technically, there are vast storehouses (server farms), run by many governments around the world and their functionaries, sifting through everything that is uploaded to, sent across, and downloaded from the internet; and individually and collectively, people and groups – both criminal and law-abiding – can surf, send, and select for download or copy/paste at their pleasure.  We are almost at a stage of constant reaction to external initiators, always on the lookout for the next trending thing with heightened anxiety, heart rates, and hyper-dilated pupils.  The jolt of electricity from AC/DC (alternating current/direct current) is now matched by the constant (almost intravenous, in some cases, for those who cannot turn off or put down the smartphone) stimulus experienced by the always connected/always online (AC/AO) generation.

BYOD:

(w) Bring Your Own Device is the new policy in an increasing number of workplaces: employees bring their own devices to work, or use them remotely for work.  This trend is likely to continue,[3] despite the real dangers of letting devices that are unvetted (insecure by design, or running old and unpatched operating systems), incompatible (incorrectly configured), or unnecessarily vulnerable (inadequate anti-virus and anti-spyware protection, or already loaded with exploits-in-waiting) connect to a work network and send to it, or pull from it, valuable personal data, customer information, intellectual property and trade secrets.  BYOD can save an organization a great deal, since it no longer has to constantly acquire, distribute and manage ever-newer devices for its sometimes vast army of employees.  However, it can also import liabilities: for failing to properly train employees in, monitor, and enforce a responsible BYOD usage policy (along with a social media usage policy); for negative publicity when employees push back against an employer's attempts to over-regulate their private use of private property, despite its incidental business application; and for legal exposure in a preventable data breach, or in the loss of personal data on an unsecured device that was misplaced or stolen.  Should the employer's insurer or the employee's insurer pay for the ensuing liabilities when a personal laptop, used for business, is lost or stolen while the employee is on vacation (or stress leave) but finishing off some work?

Crowdsourcing:

(x) Having so many people, in so many different places, with myriad perspectives and experiences, enables a whole new world of crowdsourcing.  This ranges from personal networking sites that let one rapidly get information on a specific subject from a variety of sources or thought leaders; through groups, blogs and listservs that are more targeted and that people join or subscribe to at their pleasure; to news media sites that invite people to post their images, videos or opinions on current and historical issues, disasters and other developing events of significance.  Of course, there is no guarantee that some or all such crowd sources are correct, accurate or honest.  There have been recent instances of "massaged" evidence; of old footage from somewhere else presented as current footage from a hot location; and of people with their own agendas who have either directly impersonated others or hacked their accounts and credentials.  Nor should one forget those who "crash" glitzy events and who, with the right caption, could easily pass for legitimate participants before an unwitting audience that is not aware of the original footage, or is so far gone as not to believe it.  Crowd-sourced "fodder" is best taken with a good dose of skepticism, and at least a little salt, lest one join the ranks of those who are so easily fooled all of the time.  Conversely, business use of crowdsourcing within the organization may defeat itself if not properly managed.  The digital suggestion box, if too full, will see management applying the very same filtering software, already adept at sifting through servers full of résumés, to sort the suggestions; and good ones, as always, may still be filtered out by the wrong or imprecise Big Data analytical tools.

Distance Education:

(y) This trend, thankfully, is not quite as controversial.  However, the accreditation and quality of an increasing collection of online courses, degree and certificate programs, and institutions is a fast-developing concern.  Accredited professionals who cannot always travel easily to attend presentations they need for continuing education credits, or that are otherwise of interest to them, can more conveniently watch the webcast or listen to the teleconference from the comfort of their own homes and offices, or even on the road (to the extent, of course, that it does not lead them into distracted driving, boating, flying, riding or otherwise).  As technology continues to develop and regulatory accreditation issues are resolved, this trend can only continue, including greater use of learning-on-demand (like the already pervasive delivery of video and audio content on demand), digitized in a Cloud for later, multi-taneous,[4] ever-replicable access.  Additionally, education need not be so formal: someone can gain knowledge from virtually any video, blog post or seminar, posted from anywhere and available everywhere (that does not filter or block sites), in their own field of pre-existing, related or newly-created interest.

End-User Legal Authority/ License Autonomy/ Leveraged Ability (EULA3, or cubed):

(z) In the olden days (dating myself a little here), computer software was released and "sent" by snail mail in shrink-wrapped packages.  Opening the package constituted acceptance of the manufacturer's or publisher's End-User License Agreement (EULA).  Once you had broken the shrink-wrap, it could prove difficult or impossible to say that you had not accepted the EULA, or to return the software for a refund if you had not otherwise fulfilled the warranty requirements, where they even existed.  Then, with the growth of online commerce, this turned into the click-wrap scenario, which still exists, somewhat: by clicking the appropriate "I accept" box or boxes, you accept the terms of use, EULA and other conditions and prerequisites to download the software, access the site, use the online service, fully activate a device, or register its warranty, as appropriate.  Today, we have an increasing prevalence of shareware with licenses that are not quite free but are in the Creative Commons (too detailed for fuller presentation here); devices that are sold locked but can be unlocked, legally or otherwise; contract hackers and programmers who work for a fee, available online or through friends-of-friends; and stolen devices still under contract or EULA that can be relatively easily wiped of data, re-programmed, and re-purposed with new SIM (Subscriber Identity Module) cards or software, whether right next door or on the other side of the world.

Users and developers of shareware, including "apps" available for download on various trusted and not-so-trusted sites, now have added and significant legal authority to use, further develop or customize them (screensavers, fonts, skins and avatars) to their own liking.

Those using unlocked devices, howsoever obtained, have a significant degree of license autonomy: they can be free from multi-year contracts; they can sometimes be free from geographic restrictions on where they use their smartphones or play their DVDs; and they can be free (whether by active choice or by default setting, depending on the jurisdiction) from having add-ons bundled with initial programs (EU), from having their location automatically tracked by the service provider (opt-out), and from the compulsory download of automatic updates that may conflict with programs and applications installed on the device since its initial purchase or acquisition.  Of course, an original purchaser would already know the manufacturer's or developer's caveat that the item might not work as originally envisaged if automatic updates are not accepted.  The later purchaser or recipient of dubious propriety, however, might have the device wiped, locked, or tagged on him or her when searching for an update online.  Life as lived in a certain way will always have its risks for those who dare to stay there!

The increasing online prevalence of tools and technologies enabling groups to collaborate, individuals to innovate, and everyone to share almost anything from everywhere, with everyone, at any time, gives us all significant leveraged ability.  This ranges from simple apps (for almost anything thinkable and unthinkable); through online groups, archives, fora, encyclopedias and societies (ditto); to the ever-expanding plethora of additionally leveraging SaaS, PaaS, IaaS and NaaS[5] offerings.

END-STATE:

Control once held by the manufacturer and copyright holder over the consumer, and over what he or she could legitimately do with the former's intellectual property, has been reduced, in some cases to zero.  This massive Shift of power to the consumer, driven by the variety of choices, service options and delivery channels available and in constant competition for market share, has now served to virtually Delete the EULA as once known, with end-users enjoying significant legal authority, license autonomy and leveraged ability.  "No contract"; "unlocked"; "number portability"; "free wifi"; "roaming included"; "unlimited data package": these are the new and standard terms now!

Apparently, these terms are all here to stay (and will get even better in favour of the now-empowered consumer), to the extent that data flows and internet flexibility are not slowly or suddenly throttled by sometimes competing security and IPR (intellectual property rights) interests, and so long as PwC's 2013 Top 10 Technology Trends for Business[6] continue to enable and expand the 2013 Top 5 Technology Trends for Consumers that I have identified above, in this post.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] PricewaterhouseCoopers LLP.  Digital IQ – 2013 Top 10 Technology Trends for Business.  Results of the 5th Annual, PwC Digital IQ Survey.  Published on pwc.com, in 2013.  Online: >http://www.pwc.com/us/en/advisory/2013-digital-iq-survey/top-10-technology-trends-for-business.jhtml<

[2] Id.

[3] See e.g. Ekundayo George.  What about hospital BYOD?  Published on ogalaws.wordpress.com, October 7, 2012.  Online: >https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/<

[4] I have not seen the word used in this specific context before, so I use it here.  It stands for "simultaneous access in multiple locations on multiple platforms or devices", as is possible through an intermediary Cloud Services Provider with a high and demonstrably reliable SLA (given industry outages to date), or a robust private/hybrid Cloud capable of running multiple, adequately buffered instances at once, provided that the user (read: thin or rich "client device") has adequate bandwidth and memory, as applicable, and a stable power supply.

[5] See e.g. Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right.  Published on ogalaws.wordpress.com, March 11, 2013.  I further define these four "as-a-Service" offerings there, at notes 1 through 5 and accompanying text.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[6] Supra note 1.

DATA PROTECTION AND RETENTION IN THE CLOUD: GETTING IT RIGHT

Much attention is focused on the "Triple A" of Cloud services, namely: Availability all the time (Service Level Agreements and uptime claims); Appropriate access controls (passwords and authentication); and Alteration protection and audit trails.  The last is especially critical for eDiscovery, and for the entity's responsibility to back up, recover and archive its data on a regular basis, and to restore it on-site or off-site after a contingency event.
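To make the "Alteration protection and audit trails" leg concrete, here is an added example (my illustration, not code from the original post) of a tamper-evident audit trail: each record carries the SHA-256 digest of the record before it, so an after-the-fact edit, deletion or reordering breaks the chain and shows up on verification.  The record fields, the sample events, and the idea of an "anchored head" digest kept outside the system are assumptions for illustration.

```python
"""Hash-chained (tamper-evident) audit trail: added example, not the post's own code."""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed 'prev' value for the very first record


def _digest(body: Dict) -> str:
    """SHA-256 over canonical JSON so identical content always hashes identically."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append(chain: List[Dict], actor: str, action: str, obj: str, ts: str) -> Dict:
    """Append one record; its 'prev' field binds it to the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "actor": actor, "action": action, "object": obj, "prev": prev}
    record = dict(body, hash=_digest(body))
    chain.append(record)
    return record


def verify(chain: List[Dict], anchored_head: Optional[str] = None) -> Optional[int]:
    """Return None if the trail is intact, else the seq of the first record that fails.

    Detects edited fields, deleted or reordered records (seq gap / prev mismatch),
    and a record whose stored hash no longer matches its content.  Silent
    truncation of the *tail* is only detectable if the head hash was anchored
    somewhere the log's custodian cannot reach (printed into a report, mailed
    to counsel): pass it as anchored_head and a mismatch is reported as len(chain).
    """
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != expected_prev:
            return i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(body) != rec.get("hash"):
            return i
        expected_prev = rec["hash"]
    if anchored_head is not None:
        head = chain[-1]["hash"] if chain else GENESIS
        if head != anchored_head:
            return len(chain)
    return None


def build_sample_chain() -> List[Dict]:
    """Constructed sample events: a document is uploaded, shared, then deleted."""
    chain: List[Dict] = []
    append(chain, "alice", "upload", "doc-17", "2013-03-11T09:00:00Z")
    append(chain, "alice", "share", "doc-17", "2013-03-11T09:05:00Z")
    append(chain, "bob", "delete", "doc-17", "2013-03-12T17:30:00Z")
    return chain


def tamper_edit(chain: List[Dict]) -> List[Dict]:
    """After-the-fact edit: rewrite who performed the delete."""
    out = copy.deepcopy(chain)
    out[2]["actor"] = "alice"
    return out


def tamper_drop(chain: List[Dict], seq: int) -> List[Dict]:
    """After-the-fact removal of one record (no renumbering, as a naive deleter would do)."""
    out = copy.deepcopy(chain)
    del out[seq]
    return out


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    print("intact:", verify(chain))                                    # None
    print("edited record:", verify(tamper_edit(chain)))                # 2
    print("middle record dropped:", verify(tamper_drop(chain, 1)))     # 1
    print("tail dropped, no anchor:", verify(tamper_drop(chain, 2)))   # None (the gap)
    print("tail dropped, anchored:", verify(tamper_drop(chain, 2), head))  # 2
```

The last two lines are the practitioner's caveat: a hash chain on its own proves nothing about records removed from the end, because a shortened chain is still internally consistent.  Publishing the head digest outside the system at regular intervals (or feeding it into a provider's write-once store) is what turns the chain into evidence of completeness, which is the question a litigator will actually ask.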

Whether you are a far-flung transnational operator or a small business, the following are eight factors to constantly revisit in getting it right when considering or using cloud services.

1.   Backup Cloud: If critical functions have moved completely or almost completely to a cloud-based solution (SaaS,[1] PaaS,[2] IaaS,[3] NaaS[4]),[5] then it is highly advisable to have a backup cloud.  Whether this is done as a failover provision (it is not always easy to coordinate the two providers) or by running parallel instances (such as a standalone data archive with staggered replication between two or more remote access nodes, so that together they can recover the entire data set should access to the central archive suddenly cease) is ultimately the consumer's decision.  In the failover scenario, however, remember that if the primary is not working or suddenly stops working, it may not be able to fail over on its own without external intervention; the failover has to be triggered from something that is still running.  This is especially true if the stoppage is due to a utility outage, climatic event, or human action (terrorism, error, criminality or hacktivism).

2.   Effective Version Controls: Backup, recovery and replication processes can be configured in a variety of ways, from a single newer version replacing a single older one, to multiple older versions being retained and disposed of in sequence as new ones are stored.  Mishaps or mis-alignments in this process (a truncated or corrupt backup overwriting the only good copy, for instance) can lead to irretrievable loss of valuable data, which must be avoided.  It may well be true that, short of someone walking hard drives and zip drives out of the building, many modern "losses" are still recoverable.  However, with the increasing complexity and sensitivity of the back-end tools, and the active management required to get them to work well together (within promised SLA parameters) for enough of the time, the costs can be prohibitive.  Doing it right the first time should always be the goal.

3.   Security Consciousness:  There is significant current media and government focus (here in the United States and Canada) on hacking and data exploitation.  One report[6] indicates that while 54% and 20% respectively of the breaches it covers were in the accommodation and food services industries and the retail trade industry,[7] external threats accounted for 95% of all breaches.[8]  With regard to the actors, 83% of breaches against all reporting organizations were by organized criminal groups,[9] and the ranking of breach motivation for exploits at large organizations, in descending order, was: financial or personal gain (71%); disagreement or protest (25%); fun, curiosity or pride (23%); and grudge or personal offence (2%).[10]  The disgruntled current or former employee with a grudge is apparently less of a threat than the current employee in deep financial distress, who in turn is apparently less of a threat than the unknown but well-financed and well-staffed criminal organization or state actor that wants access, at almost any cost, to the treasure chest of information on your servers or on the servers of your Cloud Services Provider (CSP).  However, "apparently" is just that, because the reality is joint or co-opted action.  In stating that 65% of internal-agent breaches were through a cashier, teller or waiter, the report also found that "[t]hese individuals, often solicited by external organized gangs, regularly skim customer payment cards on handheld devices designed to capture magnetic stripe data.  The data is then passed up the chain to criminals who use magnetic stripe encoders to fabricate duplicate cards".[11]  The threat landscape is deep, diverse and dynamic.
Forewarned with this knowledge, you have no choice but to be security conscious, and to craft strategies appropriate to your industry, entity and V5[12] that protect your client and other critical data, systems and processes against compromise, criminality, and a completely unrecoverable disaster.

4.   Traditional (off-Cloud) Backup: Whether the cloud package is offsite, uses in-house accessories, or is a hybrid solution, off-cloud backup may still be an option, whether in addition to or as an alternative for a backup cloud.  An offline backup sequence run weekly, daily, or several times a day, depending on the interplay (V5)[13] of data Volume (sheer amount), Velocity (speed of its change), Variety (by operating division, product line, client, transaction, trade or other event, analytical element or matrix of elements in the case of big data, and so forth), Value (its criticality to core functions, and whether it can be fully replicated on short order), and Vulnerability (susceptibility to internal, external and developing threats), with tapes transported offsite, maintained, and regularly tested for usability, is a highly advisable redundancy.  A backup that has never been test-restored is an assumption, not a safeguard.  If the primary workspace is compromised and cloud connectivity interrupted, a well-prepared and practiced entity may, far more swiftly and smoothly than the competition, recover from an initial adverse event or sequence of events and resume operations in an alternate location, using the backup tapes, the staff able to reach that location if telecommuting remains unavailable, and either pre-positioned or called-in equipment, as available through an expanding group of contingent offsite emergency recovery providers.
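Items 2 (version controls) and 4 (tested off-cloud backups) describe the same failure mode from two sides: a bad copy displacing a good one, and a retained copy that turns out not to restore.  The following is an added example (my illustration, not code from the original post) of a small versioned backup store that enforces both points: a new generation is accepted only after a trial restore at ingest, rotation happens only after acceptance, and every retained generation can be re-tested at any time.  The gzip-plus-SHA-256 packaging, the generation limit, and the sample "ledger" snapshots are assumptions for illustration.

```python
"""Versioned backups with verified rotation and a standing restore test: added example."""
import gzip
import hashlib
import zlib
from typing import Dict, List, Optional, Tuple


class BackupStore:
    """Holds up to `keep` generations of one dataset (think: a rack of tapes).

    * A generation is accepted only after a trial restore at ingest
      (decompress, re-hash, compare with the producer's digest), so a
      truncated or corrupt upload can never displace a good copy.
    * Pruning happens only after acceptance and removes only the oldest
      surplus generation, so the newest known-good copy is never discarded.
    """

    def __init__(self, keep: int) -> None:
        if keep < 1:
            raise ValueError("keep must be at least 1")
        self.keep = keep
        self.generations: List[Dict] = []  # each: {"seq", "blob", "digest"}

    @staticmethod
    def package(data: bytes) -> Tuple[bytes, str]:
        """What the source site ships: a gzip blob plus the digest of the plaintext."""
        return gzip.compress(data), hashlib.sha256(data).hexdigest()

    @staticmethod
    def _trial_restore(blob: bytes, digest: str) -> bool:
        """True only if the blob decompresses and its content matches `digest`."""
        try:
            data = gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):  # truncated, corrupt, or not gzip at all
            return False
        return hashlib.sha256(data).hexdigest() == digest

    def ingest(self, blob: bytes, claimed_digest: str) -> bool:
        """Accept a new generation, or reject it and leave the store untouched."""
        if not self._trial_restore(blob, claimed_digest):
            return False
        seq = self.generations[-1]["seq"] + 1 if self.generations else 1
        self.generations.append({"seq": seq, "blob": blob, "digest": claimed_digest})
        while len(self.generations) > self.keep:  # rotate: oldest out, and only now
            self.generations.pop(0)
        return True

    def retained(self) -> List[int]:
        """Sequence numbers currently held, oldest first."""
        return [g["seq"] for g in self.generations]

    def restore(self, seq: Optional[int] = None) -> bytes:
        """Restore the newest (or a chosen) generation, re-checking integrity on the way out."""
        if not self.generations:
            raise KeyError("no generations retained")
        gen = self.generations[-1] if seq is None else next(
            (g for g in self.generations if g["seq"] == seq), None)
        if gen is None:
            raise KeyError(f"no generation {seq} is retained")
        if not self._trial_restore(gen["blob"], gen["digest"]):
            raise ValueError(f"generation {gen['seq']} failed its integrity check")
        return gzip.decompress(gen["blob"])

    def test_all(self) -> Dict[int, bool]:
        """Item 4's 'regularly tested for usability': can every retained copy still restore?"""
        return {g["seq"]: self._trial_restore(g["blob"], g["digest"]) for g in self.generations}


def corrupt_generation(store: BackupStore, seq: int) -> None:
    """Simulate bit rot or a bad tape by flipping one byte in the middle of a retained blob."""
    for g in store.generations:
        if g["seq"] == seq:
            blob = bytearray(g["blob"])
            blob[len(blob) // 2] ^= 0xFF
            g["blob"] = bytes(blob)
            return
    raise KeyError(seq)


if __name__ == "__main__":
    store = BackupStore(keep=3)
    for day in range(1, 5):  # constructed daily ledger snapshots
        blob, digest = BackupStore.package((b"ledger day %d\n" % day) * 100)
        store.ingest(blob, digest)
    print("retained:", store.retained())  # [2, 3, 4]
    blob, digest = BackupStore.package(b"ledger day 5\n" * 100)
    print("truncated upload accepted:", store.ingest(blob[: len(blob) // 2], digest))  # False
    corrupt_generation(store, 3)
    print("restore test:", store.test_all())  # {2: True, 3: False, 4: True}
```

Two things are worth noticing.  The truncated upload on "day 5" is rejected before anything is pruned, which is the single-version-overwrite mishap of item 2 avoided by construction.  And the routine `test_all()` pass is what catches the silently rotted generation 3; without it, that copy would sit in the rack looking fine until the day it was needed.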

5.   Data Retention Policies: Be aware of, and attune your operations to, applicable data retention rules.  Courts in the United States have, to date, proven more eager than Canadian courts to sanction parties for failing to preserve, protect and produce data that they should have kept by law but did not, or data that they would have needed at a court or regulatory proceeding but could not present, owing to its initial non-retention.  There may be specific rules pertinent to your industry (such as food, or financial services and the PCI DSS), your activity (such as intellectual property filing and prosecution, or healthcare), or your jurisdiction (differing, for example, between Canada and the European Union).

6.   Advisable (and accelerating) Best Practices: Having your data resident in the pocket of a third party (whether by bare custody or actual control, in accordance with your Cloud Services Agreement) has its obvious risks.  There are also several more subtle ones, which I have canvassed at some length in my several blog posts on the cloud and on outsourcing in general.  It used to be that: (i) the lawmakers would write a law either creating a new regulator or authorizing an existing regulator to act; (ii) proposed regulations would be published for comment; (iii) final regulations would issue; and (iv) tests in court would help to define and refine them.  Now, everything is in reverse.  An event leads to tests in court, the regulator makes a knee-jerk reaction to try to restore sanity in the interim, there is a public outcry (either here, or earlier in this reversed process), and then a law is passed, which may start the entire sequence again if the law is too broad, not broad enough, or has some adverse effect on a specified or protected group or interest.  "Best Practices in the Cloud" must, for now, remain a still-evolving paradigm: so watch your prose (know what you draft and sign), listen to those in the know (pay attention to ongoing doings, debates and developments), and stay on your toes (be nimble and adaptive, and keep an open mind in this rapidly changing service space).

7.   Transferring Risks: Insure thyself!  The costs of privacy practices, data breach liability and similar lines of insurance have come down, thanks to a modicum of standardization and to increased awareness of their value from breach announcements in several industries and jurisdictions, despite apparent best efforts.  Business interruption insurance has long been an option, and now there are contingent event recovery services that provide pre-packaged, tailored recovery solutions for a fixed monthly price, which is akin to insurance.  Risks can be transferred (insurance), shared (pooling), accounted for (planning), and limited (due diligence and best practices).  However, they can never be fully eliminated.  Be prepared; practice and game a variety of disaster and other contingency scenarios within your organization on a regular basis, whether live or as tabletop exercises;[14] and expect the unexpected!  Utilities fail; climatic events don't discriminate; and irrational actors, opportunists, state actors, hacktivists and criminals all remain predictable in one respect: they will act!

8.   Alert and Notification Protocols: There is really no substitute for a solid system of internal controls.  Pre-employment background checks, segregation of duties, authentication and access logging, counterparty due diligence, and strictly enforced policies are all critically important.  Of the misuse breaches in the 2012 report, only 2% resulted from inappropriate web or internet usage (surfing the wrong type of site, for example), whilst 43% resulted from abuse of system access or privileges, and 50% from the use of unapproved hardware or devices on work systems[15] (whether under BYOD, or as a workaround to strict network controls or prohibitions).  Having logs, configuring them properly, and diligently checking them is key to risk management; a log that nobody reads, or that can be altered by the person it records, is not a control.  However, the report also notes the rising challenge to proper data protection and retention from anti-forensics,[16] especially when someone else is handling functions, now outsourced to a Cloud, that were formerly done in-house.  Cloud security and cybersecurity will, for now, remain moving targets, even with current calls in the United States for laws empowering private actors to jointly take immediate steps (preserving evidence, curtailing breaches, or tracking the sources, deeper structures and sponsors of security events),[17] while regulators and Law Enforcement and National Security (LENS) actors either get up to speed or use their own customized tools for parallel or complementary action.[18]
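"Diligently checking logs" is easier to say than to do, so here is an added example (my illustration, not code from the original post) of the three checks item 8 calls for, run over a handful of constructed access-log lines: a device connecting that is not in the approved inventory, a privileged action by a role that is not entitled to it, and one person completing both halves of a two-person control on the same object (segregation of duties).  The key=value log layout, the inventory, the role and action names, and the sample lines are all assumptions; a real deployment would pull the reference sets from its asset inventory and identity directory.

```python
"""Log review for unapproved devices, privilege abuse and SoD breaks: added example."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed reference data (inventory and entitlements), not any product's defaults.
APPROVED_DEVICES: Set[str] = {"USB-0001", "USB-0002"}
PRIVILEGED_ACTIONS: Set[str] = {"export_customers", "grant_access", "disable_logging"}
PRIVILEGED_ROLES: Set[str] = {"sysadmin"}
# Pairs of actions one person may never perform on the same object.
SOD_PAIRS: Set[Tuple[str, str]] = {("create_vendor", "approve_payment")}

# Constructed sample log; the 'timestamp key=value ...' layout is assumed.
SAMPLE_LOG = """\
2013-03-11T09:02:11Z host=pos01 user=alice role=cashier action=login object=-
2013-03-11T09:02:40Z host=pos01 user=alice role=cashier action=device_connect object=USB-4F2A
2013-03-11T09:10:05Z host=fs01 user=bob role=sysadmin action=export_customers object=crm-db
2013-03-11T09:12:30Z host=fs01 user=carol role=clerk action=export_customers object=crm-db
2013-03-11T10:00:00Z host=erp01 user=dave role=ap_clerk action=create_vendor object=vendor-771
2013-03-11T10:03:00Z host=erp01 user=dave role=ap_clerk action=approve_payment object=vendor-771
2013-03-11T10:05:00Z host=ws07 user=erin role=clerk action=device_connect object=USB-0002
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; missing keys default to '-'."""
    ts, _, rest = line.partition(" ")
    event = {"user": "-", "role": "-", "action": "-", "object": "-"}
    event.update(_KV.findall(rest))
    event["ts"] = ts
    return event


def review(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per rule hit, in log order."""
    alerts: List[Dict[str, str]] = []
    actions_by: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # (user, object) -> actions
    sod_reported: Set[Tuple[str, str]] = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        user, role, action, obj = ev["user"], ev["role"], ev["action"], ev["object"]

        # 1. Unapproved hardware: any device_connect for something not in the inventory.
        if action == "device_connect" and obj not in APPROVED_DEVICES:
            alerts.append({"rule": "unapproved_device", "ts": ev["ts"], "user": user, "object": obj})

        # 2. Privilege abuse: a privileged action by a role that is not entitled to it.
        if action in PRIVILEGED_ACTIONS and role not in PRIVILEGED_ROLES:
            alerts.append({"rule": "privilege_abuse", "ts": ev["ts"], "user": user, "object": action})

        # 3. Segregation of duties: the same person doing both halves of a two-person
        #    control on the same object; reported once per (user, object).
        key = (user, obj)
        actions_by[key].add(action)
        for first, second in SOD_PAIRS:
            if {first, second} <= actions_by[key] and key not in sod_reported:
                sod_reported.add(key)
                alerts.append({"rule": "segregation_of_duties", "ts": ev["ts"], "user": user, "object": obj})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises exactly three alerts: alice's unknown USB device, carol's customer export (bob's identical export is fine because his role is entitled to it), and dave both creating and approving payment to the same vendor.  The third check is the one a once-a-year audit tends to miss and a daily log review catches, because it depends on correlating two otherwise innocuous events.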


CONCLUSION:

We all know the adage that asks: why re-invent the wheel?  I think the PCI Security Standards Council has already done a very good job of establishing the framework for its members to follow in their data protection and retention efforts as they "process, transmit, or store" cardholder data;[19] these three, together with "access", which they presuppose, constitute the majority, if not the totality, of the functions that can currently be performed in or via the Cloud.

I also think that the six control objectives of the PCI DSS[20] are broadly applicable in other industries, especially to cloud-based or cloud-dependent entities and service models.  To allow for proper tailoring, the twelve requirements beneath them can of course remain customizable within each of the SaaS, PaaS, IaaS and NaaS sub-spaces.

There are many avenues that CSPs can pursue in efforts to self-regulate before something, perhaps more draconian than they would have wanted, comes down firmly from the lawmakers and/or regulators above, whether with or without the precursor hue and cry following an adverse incident.

Perhaps they may find something in the above that is worthy of trying.[21]

************************************************************************



[1] Software as a Service (SaaS), including “tools for processing, analysis, accounting, CRM, and back-office functions”.

[2] Platform as a Service (PaaS), including tools “for email, online backup, or desktops-on-demand”.

[3] Infrastructure as a Service (IaaS), including “tools for collaboration, integration, and visualization”.

[4] Network as a Service (NaaS), including advanced virtualization tools, such as bandwidth-on-demand for multiple Virtual Private Networks (VPN)-on-demand, and for cloud-to-cloud networking on demand.

[5] See generally, Ekundayo George, at (f).  In whose pocket is your data packet? – International Data Governance.  Published February 6, 2013 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/<

[6] Verizon.  2012 Data Breach Investigations Report (DBIR).  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.  The report also discloses an error rate of +/- 4 percent.

[7] Id. at 11.

[8] Id. at 18.

[9] Id. at 20.

[10] Id. at 19.

[11] Id. at 21-2.

[12] Infra, note 13.

[13] The V5 interplay, is the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.

[14] I have proposed a number of permanent executive positions for the C-Suite in modern business, including a Chief Contingency policies, plans, and practices Officer (CCO) with line and staff responsibility for all-hazards contingency affairs.  See e.g. Ekundayo George, at (i).  10/4: the “C–Suite” in 2013 and beyond; who should really be there?  Published November 21, 2012 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/<

[15] Verizon.  2012 Data Breach Investigations Report (DBIR), at 35.  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.

[16] Id. at 55.

[17] American Bar Association (ABA).  National Security Experts Discuss Options for ‘Active’ Cyber Defense.  Published February 11, 2013, by ABA Division for Communications & Media Relations, on abanow.org.  (Link to full podcast is available at bottom of page).  Online: >http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/<

[18] Supra note 15, at 52.  Fully 59% of breaches at all organizations covered by the report (10% at large organizations) were "only" discovered by the target when it was notified of the breach by an arm of law enforcement or national security.  Notification by a third party as a result of that third party's fraud detection measures came next, at 26% and 8% respectively.

[19] PCI Security Standards Council.  PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 2.0.  For merchants and entities that store, process or transmit cardholder data.  Published 2010 on pcisecuritystandards.org, by PCI Security Standards Council LLC.  Online:  >https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf<

[20] Id. at 8.  These six categorical elements of the PCI Data Security Standard (DSS), are: (i) Build and maintain a secure network; (ii) Protect cardholder data; (iii) Maintain a vulnerability management program; (iv) Implement strong access control measures; (v) Regularly monitor and test networks; (vi) Maintain an information security policy.

[21] Supra note 15, at 58.  With regard to PCI DSS in the context of the 2012 Data Breach Investigation Report (DBIR), we read:

“Overall, the standard attempts to set a bar of essential practices for securing cardholder data.  Nearly every case that we have seen thus far has attributes of its breach that could have been prevented if the control requirements had been properly implemented.  Of course, there is no way to be certain that new and different tactics could not have been used by the perpetrators to circumvent a compliant entity’s controls”.
