BACKGROUND:

 

SPEECH –

An example of “public speech”, in this context, would be an open and notorious change to one’s LinkedIn profile, such as adding a project, an interest, or a competency and skill; and then positively choosing to publicize these profile changes to one’s network.

 

WHISPER –

An example of a “public whisper”, in this context, would be changing one’s skills or communication preferences to show openness to career opportunities, thereby letting recruiters know that one might be interested in opportunities; willingly sharing one’s LinkedIn profile with potential recruiters; or making a public speech as above, but then “specifically” choosing to not announce this profile change to one’s network or to members of the general public.

 

LINKEDIN

LinkedIn    (“LinkedIn”) is a very widely-used networking site that allows users to choose between making such public speech and public whispers, in their settings preferences.

 

hiQ

hiQ Labs, Inc. (“hiQ”), is a data analytics entity that has developed and deployed automated “bots” that can access public speech and that last definitional element of a public whisper[1] (hushed or stealthy profile changes) on LinkedIn in a Skill Mapper, allegedly not always in accordance with LinkedIn user-selected visibility preferences,[2] and then further share, publicize or sell the results whether in the raw or aggregated formats to its own customer base of interested employers and parties and persons attempting to contact such job-seeking, job-interested, and passively job interested LinkedIn users.

 

“Companies like LinkedIn, Twitter and Facebook view scraping of the data generated by their users not just as theft – they sometimes charge to license data (to higher level business users) – but a violation of their users’ privacy, because some information can be limited so not all users can view it”[3] [additional words in parentheses].

 

Understandably, LinkedIn, “which charges recruiters, salespeople and job hunters for higher levels of access to profile data”,[4] issued a 3-page cease-and-desist letter to hiQ on May 23, 2017,[5] advising the recipient that it was in violation of the LinkedIn user agreement with those behaviours, notifying  the recipient that additional security precautions had been implemented to prevent any recurrence, demanding that the recipient delete and destroy all such “improperly obtained material” in its possession or custody or control, and putting the recipient on notice that any further such behaviour would be in violation of applicable state and federal laws, with citation to a leading 2015 case in that jurisdiction of the United States federal District Court for the Northern District of California (USDC, NDCA), in which the court had barred similar “website data scraping” conduct.[6]

 

hiQ promptly filed for a Temporary Restraining Order (TRO) in California federal court (USDC, NDCA),[7] to bar any actual application of that cease-and-desist language pending ultimate determination of the underlying matters in a court of competent jurisdiction.  And so it was, that on Monday, August 14, 2017, the court granted hiQ its TRO.[8]

 

 

ANALYSIS:

 

CRAIGSLIST

In the case that LinkedIn cited within its cease-and-desist letter to hiQ, Craigslist, Inc., had filed a Complaint against the defendant, but the defendant had not timely answered.  As a result, Craigslist then applied for and was granted, a Default Judgement.[9]  According to the ruling, a certain Brian Niessen, a Craigslist user, had answered a Craigslist advertisement posted by another Craigslist user, for a “Skilled Hacker at Scraping Web Content”.[10]  Niessen had described himself as a hacker, and professed that he was already scraping several thousand websites, including “[c]raigslist, Twitter, Groupon, Zagat, and others.”[11]  3taps then entered into a business relationship with Niessen to continue his scraping, for them, which Craigslist stated was in violation of its terms of use (TOU) and constituted a breach of contract because Niessen, as a registered Craigslist user, had agreed to the TOU on several occasions.[12]

 

“The TOU prohibit, among other things, “[a]ny copying, aggregation, display, distribution, performance or derivative use of craigslist or any content posted on craigslist whether done directly or through intermediaries, […]”[13]

 

Craigslist did secure injunctions against the Niessen co-defendants, including Lovely, PadMapper, and 3taps.[14]  However, Niessen – named along with those co-defendants in the Amended Complaint with its 17 Claims for Relief,[15] was somewhat more elusive; as he was first difficult to effectively serve with the Complaint, and then after being served, he failed to provide an answer within the specified time.[16]  As a result, the Clerk of Court first entered a Notice of Default against Niessen, and then Craigslist made Motion for a Default Judgement against Niessen, which the court granted.[17]

 

 

LINKEDIN –

LinkedIn had sought a response by May 31, 2017 to its cease-and-desist letter of May 23, 2017.[18]  However, hiQ filed its Complaint for Declaratory and Injunctive relief against LinkedIn on June 7, 2017.[19]  In summary, with the first paragraph of the Introduction for same, hiQ writes:

 

“This is an action for declaratory relief under the Declaratory Judgment Act, 28 U.S.C. § 2201 and 2202, and for injunctive relief under California law.  hiQ seeks a declaration from the Court that hiQ has not violated and will not violate federal or state law by accessing and copying wholly public information from LinkedIn’s website.  hiQ further seeks injunctive relief preventing LinkedIn from misusing the law to destroy hiQ’s business, and give itself a competitive advantage through unlawful and unfair business practices and suppression of California Constitutional free speech fair guarantees.  hiQ also seeks damages to the extent applicable.”[20]

 

hiQ did promptly and appropriately seek and retain counsel to engage in discussions with LinkedIn upon receipt of the cease-and-desist letter, in order to better understand LinkedIn’s position and seek an accommodative solution to their serious differences.[21]  LinkedIn argued through counsel that it was protecting the interests of its users and seeking to remedy violations of state and federal laws; and hiQ argued through counsel that not only did LinkedIn lack any proprietary interests in the posted data, which was still owned by its users, but that LinkedIn was therefore attempting to “pervert the purpose of the laws at issue by using them to destroy putative competitors, engage in unlawful and unfair business practices and suppress the free speech rights of California citizens and businesses.”[22]

 

On May 30, 2017, hiQ then sent its own letter to LinkedIn seeking the ongoing interim website access that would allow it to persist as a going concern – because “complying with LinkedIn’s demands would essentially destroy hiQ’s business”,[23] while continuing discussions towards “a mutually amicable resolution” of their impasse.  However, on receiving no response, hiQ filed its Complaint for declaratory and injunctive relief.[24]

 

 

HIQ –

The parties entered into a standstill agreement that preserved hiQ’s access to the public LinkedIn data, and agreed to convert hiQ’s original motion into one for a preliminary injunction, after the court had heard the initial party arguments on the hiQ complaint on July 27, 2017.[25]  In California federal District Court, “[a] plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.[26]  Within the United States Court of Appeals for the Ninth Circuit, which lays-down controlling precedent for United States Federal District Courts in California and several other states and territories,[27] there is a sliding scale for the standard of proof on these elements; which means “a stronger showing of one element may offset a weaker showing of another.”[28]

 

The court also grappled, inter alia, with the language of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030,[29] which prohibits and sanctions unauthorized (whether lacking authorization ab initio or with authorization later revoked), or improperly elevated or improperly applied access to a computer or computer system, because although the LinkedIn profiles were public, they rested on one or more private servers, which were computers.[30]  However, as the court finally opined, “[…] hiQ has, at the very least, raised serious questions as to applicability of the CFAA to its conduct.[31]

 

“The CFAA must be interpreted in its historical context, mindful of Congress’ purpose. The CFAA was not intended to police traffic to publicly available websites on the Internet – the Internet did not exist in 1984. The CFAA was intended instead to deal with “hacking” or “trespass” onto private, often password-protected mainframe computers.”[32]

 

With regard to hiQ‘s claims that the LinkedIn conduct had violated applicable California free speech laws, the court was more circumspect.  hiQ had cited to Robins v. Pruneyard Shopping Ctr.,[33] a case involving attempts to curtail political speech in a privately-owned shopping mall, to analogize that the LinkedIn site was a public forum akin to a shopping mall with guaranteed free access, free speech, and free association, because “[…] the state’s guarantee of free expression may take precedence over the rights of private property owners to exclude people from their property.”[34]

 

The court was very loathe to start traveling down this most slippery of slopes, stating that: no court had, as yet, extended Pruneyard to the internet in so complete a manner; unlike a shopping mall, the Internet had no single controlling authority; there may result significant repercussions on the capacity of social media hosts to curate posted materials in such a public forum; and there was a lingering question as to whether the same rules would apply to the websites of small, medium, and large entities, alike.[35]  The court therefore concluded, that “[i]n light of the potentially sweeping implications discussed above and the lack of any more direct authority, the Court cannot conclude that hiQ has at this juncture raised “serious questions” that LinkedIn’s conduct violates its constitutional rights under the California Constitution.[36]

 

On the balance, the court agreed that hiQ had raised enough of a question as to whether LinkedIn’s actions against it had violated the provisions of California’s Unfair Competition Law (UCL)[37] by “leveraging its power in the professional networking market for an anticompetitive purpose”;[38] disagreed that hiQ had either claimed to be a third-party beneficiary of LinkedIn’s promise to its users that they could control the publicity of their profiles, or shown that a third-party could assert such a claim of promissory estoppel in the first instance;[39] and agreed that the public interest favoured a granting of hiQ’s injunction, because “[i]t is likely that those who opt for the public view setting expect their public profile will be subject to searches, date (sic) mining, aggregation, and analysis.”[40]

 

 

CONCLUSION:

 

Of note, regarding all of its claims and especially the estoppel claim, hiQ had also argued that LinkedIn had long acquiesced to its usage of the website and publicly available user data in this way; including attending hiQ conferences where the host thoroughly explained its methodology and business model, and even gave at least one LinkedIn employee an award.[41]  Indeed, some industry commentators have opined that LinkedIn has merely had a change in policy subsequent to its acquisition by Facebook which the courts should not enjoin, and they foresee several other negative repercussions from the outcome of this case if hiQ prevails, and they expect LinkedIn to appeal the District Court ruling.[42]  However, there are also several strong voices supporting hiQ that see negative repercussions if LinkedIn prevails.[43]

 

Suffice it so say that for now, LinkedIn has been Ordered to withdraw its cease and desist letters to hiQ, and stop blocking hiQ, both with immediate effect from the August 14, 2017 date of the Order of Edward M. Chen, United States District Judge.[44]

 

We await LinkedIn’s appeal,[45] if any, but in the interim …… all who so do, are advised to publicly shout, and to publicly whisper, with caution, because they never know who might be cataloguing their words – and where those words that they own might land; (or more specifically, land the originator of those very words) in this Gig e-conomy[46] that exemplifies the gentle admonition that “sharing is daring!

 

 

*********************************************************************

 

Author:

Ekundayo George is a lawyer and sociologist.  He is a keen student of organizational and micro-organizational behavior and has gained significant experience in regulatory compliance, litigation, and business law and counseling.  He has been licensed to practise law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America.  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services and Public Finance, Public Procurement, Healthcare and Public Pensions, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors.

 

Of note, Mr. George has now worked at the municipal government, provincial government, and federal government levels in Canada, as well as at the municipal government, state government, and federal government levels in the United States.  He is also a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and enjoys complex systems analysis in legal, technological, and societal milieux.

 

Trained in Legal Project Management (and having organized and managed several complex projects before practising law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams.  Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: healthcare; education and training; law and regulation; policy and plans; statistics, economics, and evaluations including feasibility studies and business cases; infrastructure; and information technology/information systems (IT/IS) – also sometimes termed information communications technologies (ICT).  See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.  Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

 

 

[1] See Infra note 7 at Introduction, ¶2.  hiQ does specifically state in its Complaint, that: “hiQ does not analyze the private sections of LinkedIn, such as profile information that is only visible when you are signed-in as a member, or member private data that is visible only when you are “connected” to a member. Rather, the information that is at issue here is wholly public information visible to anyone with an internet connection.”  But See HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 6.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>…

“LinkedIn maintains that […] while the information that hiQ seeks to collect is publicly viewable, the posting of changes to a profile may raise the risk that a current employee may be rated as having a higher risk of flight under Keeper even though the employee chose the Do Not Broadcast setting. hiQ could also make data from users available even after those users have removed it from their profiles or deleted their profiles altogether. LinkedIn argues that both it and its users therefore face substantial harm absent an injunction; if hiQ is able to continue its data collection unabated, LinkedIn members’ privacy may be compromised, and the company will suffer a corresponding loss of consumer trust and confidence” [emphasis added].

[2] Id. at Introduction, ¶5.  On this point, hiQ writes to specify LinkedIn’s 5 levels of profile visibility preference, and emphasize its own limited access to and use of same:

“LinkedIn members can choose to (1) keep their profile information private; (2) share only with their direct connections; (3) share with connections within three degrees of separation; (4) allow access only to other signed-in LinkedIn members, or (5) allow access to everyone, even members of the general public who may have no LinkedIn account and who can access the information without signing in or using any password. It is only this fifth category of information – wholly public profiles – that is at issue here: hiQ only accesses the profiles that LinkedIn members have made available to the general public.”

[3] Thomas Lee.  LinkedIn, HiQ Spat Presents Big Questions for Freedom, Innovation.  Published July 8, 2017 on sfchronicle.com.  Web: <http://www.sfchronicle.com/business/article/LinkedIn-HiQ-spat-presents-big-questions-for-11274133.php#comments>

[4] Ibid.

[5] LinkedIn Corporation.  RE: Demand to Immediately Cease and Desist Unauthorized Data Scraping and other Violations of LinkedIn’s User Agreement.  Letter dated May 23, 2017.  Web: <https://static.reuters.com/resources/media/editorial/20170620/hiqvlinkedin–ceaseanddesist.pdf>

[6] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[7] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017).  COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF. Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[8] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[9] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[10] Id. at 2.

[11] Ibid.

[12] Id. at 3.

[13] Id. at 2.

[14] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 3.  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[15] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. November 20, 2012).  First Amended Complaint.

Web: <http://www.3taps.com/images/pics/430_Amended Compalint .pdf>

[16] Supra note 14 at 3.

[17] Ibid.

[18] LinkedIn Corporation.  RE: Demand to Immediately Cease and Desist Unauthorized Data Scraping and other Violations of LinkedIn’s User Agreement.  Letter dated May 23, 2017.  Web: <https://static.reuters.com/resources/media/editorial/20170620/hiqvlinkedin–ceaseanddesist.pdf>

[19] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017). COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF.  Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[20] Id. at Introduction, ¶1.

[21] Id. at ¶¶27-8.

[22] Id. at ¶28.

[23] Id. at ¶¶34, 38, 46.

[24] Id. at ¶29.

[25] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 3.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>…

[26] Id. at 4.

[27] The United States Court of Appeals for the Ninth Circuit covers Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, the Northern Mariana Islands, Oregon, and Washington state.  See generally Geographical Boundaries of United States Courts of Appeals and United States District Courts.  Online: <https://www.supremecourt.gov/about/Circuit Map.pdf>

[28] Supra note 25 at 4.

[29] Congress of the United States, United States Code18 USC 1030: Fraud and related activity in connection with computers.  Title 18: Crimes and Criminal Procedure; Part I: Crimes; Chapter 47: Fraud and False Statements. Web: <uscode.house.gov/browse/prelim@title18/part1/chapter47&edition=prelim>

[30] Supra note 25 at 10.

[31] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 16.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[32] Id. at 10.

[33] See Robins v. Pruneyard Shopping Ctr., 23 Cal. 3d 899, 905 (1979).

[34] Supra note 31 at 18

[35] Id. at 19.

[36] Id. at 20-21.

[37] See Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §17200 et seq.

[38] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 21.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[39] Id. at 23.

[40] Id. at 24.

[41] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017). COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF. Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA), at ¶7.  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[42] See generally Tristan Greene.  The future of your data could rest in the outcome of LinkedIn vs HiQ case.  Posted August 24, 2017 on thenextweb.com.  Web: <https://thenextweb.com/insider/2017/08/24/hiq-is-the-david-to-linkedins-goliath-in-legal-battle-over-user-data/#.tnw_Q1Tn05Hv>…

[43] Id.

[44] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 21.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[45]  – Reserved

[46] For a general overview of the Gig e-conomy and its monopoly potential, see e.g. Ekundayo George.  Monopolies and Market Dominance in the “GIG” e-conomy: What Might These Look Like / Are We There Yet?  Published July 16, 2017 on ogalaws.wordpress.com.  Web: <https://ogalaws.wordpress.com/2017/07/16/monopolies-and-market-dominance-in-the-gig-e-conomy-what-might-this-look-like-are-we-there-yet/>

Advertisements

1. INTRODUCTION –

The Law Societies of Alberta, Saskatchewan, and Manitoba, being the “Prairie Law Societies”, have initiated a dialogue – the “Innovating Regulation Consultation”,[1] to engage the local legal profession in a discussion of entity-based regulation, as opposed to the generally prevalent paradigm of practitioner-based regulation.[2]  With a multifactorial consideration of entity regulation, compliance-based entity regulation, and alternative business structures or ABS (which I have blogged on before),[3] the responses have, understandably, been both highly varied and voluminous.  Having recently attended a Town Hall meeting on the subject in Edmonton, I can summarize my own understanding of and thinking on, entity-based regulation, as follows; with advance and cumulative credit given for the inputs of all Town Hall meeting participants, the leadership of the prairie law societies, and authors featured on the website.[4]

 

2. PRACTICE OPTIONS –

The practice of law in the prairies varies widely.  This ranges in the traditional firm format from sole practitioners – including in very remote areas, through firms of 2-10 lawyers, then of 11-25 lawyers, and finally, larger entities of 26 and more licensed legal practitioners.  Too, there are corporate in-house counsel; government legal department lawyers; court duty counsel, children’s aid lawyers, and legal aid practitioners; as well as lawyers in other settings who may be regulated, such as those working within non-profit entities, or carrying licenses from multiple jurisdictions with rules that don’t always overlap.[5]

As such, one size will not fit all applications, and on this we can all agree.  Despite the significant and legitimate resistance to adding an additional layer of law society regulation and compliance, there is much that can be said for the anticipated benefits of drilling-down on problem areas, encouraging firm peers to “actually” be collegial and supportive of one another in terms of watching those problem areas, enhancing client satisfaction at a time when “apps” and other professions are making significant inroads into the legal market  with few to none of the burdens of entry and licensing, and the public – whether through fiscal constraints or generalized dissatisfaction, is increasingly constrained in access to justice.

 

3. ENTITY REGULATION OPTIONS –

Considering the discussions had and the materials presented, I can summarize three options for entity regulation of the legal profession: Tri-thematic option, 5 Key management principles option, and the “PACES” paradigm option.  I will now present and discuss these in some greater depth, as follows.

 

a. TRI-THEMATIC[6]:

This option has three principal themes, each with three of its own sub-elements for a total of nine compliance lines.

 

i. Professionalism:

-File management (file integrity, timeliness and limitations statutes, conflicts checks);

-Professional management (CPD, human resource practice, competence and civility);

-Professional insurance (naming conventions, advertising, SRO compliance and communications).

 

ii. Confidentiality:

-Client management (returning calls, retainer letters, non-engagement letters);

-Security (physical and cyber-security, combating burnout through work-life balance, and combating substance abuse);

-File retention, subordinates oversight, and safeguarding client property.

 

iii. Operations:

-Financial management, trust accounting, peer consulting and sustainability;

-Practice management (day-to-day management, certifications, access to justice);

-Business insurance, legal and regulatory compliance, and diversity.

 

b. 5 KEY MANAGEMENT PRINCIPLES[7]:

This option, as put forward by the prairie law societies, has 5 major principles, with several sub-elements that I have structured into a total of nineteen compliance lines.

 

i. Practice Management:

-Managing the practice;

-Managing practitioners;

-Managing a staff;

-Playing a role for the improvement of justice administration and access to justice, through:

I. Informing low income clients of alternate options and service providers;

II. Training staff to engage appropriately with self-represented litigants;

III. Considering taking-on matters for members of under-served populations.

 

ii. Client Management:

-Managing client communications;

-Managing client expectations;

-Managing conflicts of interest.

 

iii. File Management:

-Ensuring consistent procedures for opening of client files;

-Ensuring consistent procedures for closing client files;

-Managing the documentation in (and of) client files.

 

iv. Financial Management:

-Managing business planning and budgeting;

-Managing entity finances;

-Ensuring consistent billing practices;

-Ensuring appropriate and adequate insurance coverage;

-Managing business continuity, succession planning, and entity dissolution planning.

 

v. Professional Management:

-Managing currency and best practices in established firm practice areas;

-Managing capacity and competency building in selected new firm practice areas;

-Ensuring civil relations within the profession;

-Playing a role for the improvement of equity, diversity, and inclusion within the firm, through:

I. Training staff towards cultural competency in the delivery of legal services;

II. Working towards equal opportunity, diversity and inclusion in recruitment and hiring;

III. Working towards equal opportunity, diversity and inclusion in promotions;

IV. Ensuring the work environment accommodates equity diversity, inclusion, and disabilities.

 

iii. 5, P-A-C-E-S[8]:

This option has five major, free-form principles, with the intention that entities selecting this option will be able to create and add-in their own sub-elements as compliance lines that they find both suitable and attainable considering their own interests, ranges of practise, geographic scopes of operations, human and capital resources, and such other considerations that they deem applicable.

– “P”rofessional Standards and Competence;

– “A”ccounting and Stewardship;

– “C”lient Interactions and Marketing;

– “E”thics and Stakeholder Management;[9]

– “S”ecurity, Cybersecurity, and Compliance;

 

4. COMPLIANCE-BASED ENTITY REGULATION OPTIONS –

 

a. SOLE PRACTITIONERS:

Perhaps it would be best to leave the sole practitioners as directly-regulated individuals without any additional levels of law society regulation, for obvious reasons of time and resources.  But, then again, it might be a relatively simple thing to have sole practitioners annually check the boxes on a form and submit that form to the appropriate law society or law societies (SRO), in order to certify that: (i) they subscribe to a particular entity regulation option (likely the tri-thematic option for sole practitioners); (ii) they are aware of and undertake to regularly (throughout the one year reporting period) review the contents and requirements of that entity regulation option as promulgated by the SRO; (iii) they undertake to continue to develop and update their internal compliance procedures in accordance therewith; and (iv) they will endeavour to have, by a specified time (perhaps by the third form submission), a written compliance code and procedures in place for SRO inspection and stress test.[10]

 

b. SMALL and MEDIUM LAW FIRMS:

Similarly, firms of 2-10 practitioners and firms of 11-25 practitioners might be given the option to choose between the Tri-Thematic (having 9 distinct compliance lines) and the 5 Key Management Principles (having 19 distinct compliance lines), with a single champion or a firm committee for each of the 5 Key Management Principles.  In this case, the firm might be required to check the boxes on a form (twice yearly) and submit said form to the appropriate law society or law societies (SRO), to certify that: (i) it subscribes to a particular entity regulation option (as the firm shall select); (ii) it is aware of and undertakes to regularly (throughout the six month reporting period) review the contents and requirements of that regulation option as promulgated by the SRO and discuss them internally; (iii) it undertakes to continue to develop and update its internal compliance procedures in accordance therewith; and (iv) the firm will endeavour to have, by a specified time (perhaps by the fifth form submission), a written compliance code and procedures in place for SRO inspection and stress test.

 

c. LARGE LAW FIRMS:

Firms of 26+, on the other hand, might be mandated to apply the 5 Key Management Principles, or develop their own “5, P-A-C-E-S[11] content and distinct compliance lines – with a single champion or committee for each of these 5 primary letters, pursuant to what those firms perceive as the risks, their client bases and practice settings, and their size or geographic scope and operational reach, because firm policies, expectations, and culture tend to determine the conduct of legal practitioners therein.[12]  Each one of these large firms might therefore be required to check the boxes on a form (twice yearly) and submit that form to the appropriate law society or law societies (SRO), to certify that: (i) it subscribes to a particular entity regulation option (as the firm shall select, within limits); (ii) it is aware of and undertakes to regularly (throughout the six month reporting period) review the contents and requirements of that regulation option as promulgated by the SRO and discuss them internally; (iii) it undertakes to continue to develop and update its internal compliance procedures in accordance therewith; and (iv) the firm will endeavour to have, by a specified time (perhaps by the fifth form submission), a written compliance code and procedures in place for SRO inspection and stress test.

 

5. CONCLUSION –

Admittedly, the consultation is still in its very early stages, and so significant work remains to be done by both the regulators and the regulated.  This, however, constitutes my two cents, and my learned colleagues in prairie and other jurisdictions will, doubtless, add their own 98 to this our ongoing debate.

 

***********************************************************

 

 

Author:

Ekundayo George is a lawyer and sociologist.  He has also taken courses in organizational and micro-organizational behavior, and gained significant experience in regulatory compliance, litigation, and business law and counseling.  He is licensed to practise law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America.  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors.  He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

Trained in Legal Project Management (and having organized and managed several complex projects before practising law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams.  Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: healthcare; education and training; law and regulation; policy and plans; statistics, economics, and evaluations including feasibility studies; infrastructure; and information technology/information systems (IT/IS) – also sometimes termed information communications technologies (ICT).  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.  Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

[1] Innovating Regulation – a collaboration of the Prairie Law Societies of Alberta, Manitoba, and Saskatchewan on consulting the legal profession regarding transitioning to entity and compliance-based regulation.  Visited May 8, 2016.  Online: http://www.lawsocietylistens.ca/

[2] Id.

[3] Ekundayo George.  U.K. Alternative Business Structures (ABS) – Caution is best for new law practice models.  Posted on ogalaws.wordpress.com, October 7, 2011.  Online:  https://ogalaws.wordpress.com/2011/10/07/u-k-alternative-business-structures-abs-caution-is-best-for-new-law-practice-models/

[4] Numerous or overly-detailed footnotes and citations would simply and unnecessarily re-hash the consultation website and the large volume of materials there offered for the reading of all interested parties, at their own leisure.

[5] Not all law societies, bar associations and the like move in the same direction or even at the same time, and so permitted actions in one jurisdiction may always subject one to query in another.  Hence, collaborative efforts on such as these on seeking consensus and buy-in amongst several SROs and their members on matters of key and common importance are always and equally welcome to those with multiple licenses, and the simply curious.

[6] These three themes are my own composition, as inspired by materials on the website and my own experiences.

[7] These five management principles are the creation of the Prairie law societies, and additional details regarding same are available on the consultation website.  I have, however, moved or slightly modified some of their sub-elements for fit and format.

[8] These five elements are my own composition, as inspired by materials on the website and my own experiences.

[9] Of note, this term “stakeholder engagement” is sufficiently broad to encompass shareholders in a law firm and the non-lawyer shareholders and/or directors in an ABS, and also sits on the same line as ethics to allow for a proper balancing of profit motives in an ABS, against the professional interests of an entity’s licensed practitioners.

[10] I suggest SRO inspection and stress tests in situ as opposed to submission in full format, due to the volume of materials, the diversity of practice settings, and the fact that some of the larger firms or more specialized practitioners might want to keep their plans confidential – especially if publicly owned as an ABS, when these may be akin to Trade Secrets; the improper disclosure of which might subject those unwitting officers and directors in the ABS to a securities derivative suit from shareholders when the share price is diminished or firm reputation hit.

[11] Again, this is my own formulation.

[12] These determinants of conduct and choice of regulatory option, however, are from the consultation website.

In his letter to shareholders that accompanied the 2014 annual report for Omaha, Nebraska’s sprawling Berkshire Hathaway Inc., Warren Buffet, the longtime chairman and chief executive officer, stated that he had chosen a successor, predicted potentially tougher times ahead in the quest for growth at the company, and identified 3 (“three”) historically recurrent business challenges that could fell even the oldest and largest of businesses:

 

“My successor will need one other particular strength: the ability to fight off the ABCs of business decay, which are arrogance, bureaucracy and complacency. When these corporate cancers metastasize, even the strongest of companies can falter. The examples available to prove the point are legion (…)” (Emphasis added).[1]

 

As shown in my May, 2014 post on corporate crisis management,[2] there are a whole host of “issues” that can befall a company, and severely damage or even destroy it if not properly addressed or prevented in the first instance. I would therefore not only echo Mr. Buffett on these three potential maladies that he has identified, but add 6 (“six”) more that I have repeatedly seen in my work experience and research, to total 9 (“nine”) such avoidable agents of business decay.

 

These other six, are:

  1. Debt;
  2. e-Issues (eCommerce, the environment, employment practices);
  3. Fiscal and Competitive Malfeasance (tax evasion, fraud and financial statement/disclosure issues, market abuses);
  4. GRC (governance, risk, and compliance) Failings;[3]
  5. Hue & Cry” (public reaction – including social media campaigns, boycott calls, and general “sanction or reaction traction” with regulators or prosecutors regarding an adverse event involving the company;
  6. i-Issues (most commonly being – incomplete or inappropriate preparation for surging demand, shoddy or absent contingency planning, insufficient capitalization, unreliable or skittish funding sources, and inattention to ongoing management obligations especially in supply chain quality control and general logistics, operations safety and security including cybersecurity, outsourcing and vendor competence and regulatory compliance, and oversight of all of these to include an adequate, available, and recommended internal whistleblower apparatus, and enforcing strict information governance and document retention policies).

 

A review of recent and historic business news will yield more than enough examples for each and every point, and so I will not go out of my way to name names. Suffice it to say, that if you want real business longevity for your venture – regardless of its current stage or state, then as with everything else, you need to look far beyond, and cover much more, than the mere basics or the ABC’s, and consistently so.

 

*****************************************************************

Author:

Ekundayo George is a lawyer and sociologist. He has also taken courses in organizational and micro-organizational behavior, and gained significant experiences in business law and counseling, diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America. See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

Trained in Legal Project Management (and having organized and managed several complex projects before practicing law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams. Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS) – also sometimes termed Information Communications Technologies (ICT). See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein. Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

[1] Warren Buffet. Letter to Shareholders for Fiscal Year 2014, at page 37.  Posted on berkshirehathaway.com, February 2015. Online: <http://www.berkshirehathaway.com/letters/2014ltr.pdf>

See also Luciana Lopez and Jonathan Stempel.  Warren Buffett says Berkshire has ‘right person’ as heir.

Posted on reuters.com, February 28, 2015.  Online: <http://www.reuters.com/article/2015/02/28/us-berkshire-buffett-letter-idUSKBN0LW0MG20150228>

[2] Ekundayo George. Corporate Crisis Management 101 – The A, B, Cs of Lessons Learned.  Posted on ogalaws.wordpress.com, May 7, 2014. Online: <https://ogalaws.wordpress.com/2014/05/07/corporate-crisis-management-101-the-a-b-cs-of-lessons-learned/>

[3] Ekundayo George. Governance, Risk, and Compliance (GRC): a 4-part policy framework. Posted on ogalaws.wordpress.com, October 21, 2012. Online:<https://ogalaws.wordpress.com/2012/10/21/grc-an-overview-part-1/>

PREAMBLE:

So far in this study, we have introduced the complexities of 3 of the 5 Domains or “faces” of Data as a complex system: Form Factors,[1] Applications,[2] and Categories.[3] Now, in Part 4, we consider End-Users.

 

ANALYSIS:

End-Users.

These are the different users and user-groups who can and do, make various uses of the data.

 

Level 2 (provenance): As the ultimate consumer, that end-user can be any or all of an individual or a group, a business or business group, or a government or government agency, or government collective. Hence, at this level, we have placed just two options: (i) Insiders, who are the known and permitted users of the data, and (ii) Outsiders, who are the not permitted but sometimes known users of the data, if and when a breach can be tracked-back to its point of origin,[4] or when the user without permission can be found.

 

Level 3 (management): Here, the end-users can be categorized into three separate groups for management purposes. (i) Vetted, are those end-users who have been cleared and properly credentialed for data access. (ii) Unknown users are those with spoofed or un-trusted credentials – whether it is hacked passwords, expired security certificates, or other sharp workarounds of security protocols that allow data access. (iii) CMC, are those criminal, malicious, or compromised users who may appear to be vetted or unknown, but who have ulterior motives. The essential and constant challenge for all IT security and IT governance professionals is to ensure that the vetted remain vetted; the unknown do not become or appear to be vetted; and that the CMC remain on the outside of the trusted data-user community. [5]

 

Level 4 (security): As with earlier installments, there are on this level, categories for: (i) identity and access management (IAM); (ii) management “controls for risk, encryption, and security technique” (CREST); and two categories for regulatory compliance, being (iii) Regulatory Compliance (generic) which includes privacy and Intellectual Property Rights (IPR); and (iv) Regulatory Compliance (specific), which includes subnational, national, and transnational rules, and any industry-specific codes of compliance.

 

Level 5 (attack vectors): Here, we will specify the attack vectors as targeted at or emanating from, one or more of these five distinct groups. These are: (i) individual; (ii) family; (iii) group or network; (iv) business or business group; and (v) government, or government agency or collective. The individual might be a hacktivist, or someone with a form factor that has been unknowingly compromised. The family, again, might just be the innocent victim of a botnetted[6] machine within the household that identifies their IP address as the attack’s malicious source. The group or network may have third-party packet sniffer software installed that its Sys-admin does not catch, or chooses to ignore and/or not disclose to others. And then, the business or business group may be compromised directly, or through a third-party vendor.[7] Recent revelations about alleged government cooperation with internet and technology companies,[8] show how this fifth attack vector might stand alone; might combine with the third in a complicit Sys-admin (who does or does not see a lawful warrant); or might even combine with a targeted intelligence operation by a government agency that sees a keylogger, for example, installed on a business or household form factor known or suspected to be used by, some person of interest.[9]

 

Level 6 (aggregation): Finally, data end-users can also be found and aggregated across 6 spaces. There are two, under each of: (a) being at the individual’s option (such as for biometrics and geolocation, or other consumer-friendly applications – as opted-into or “not” opted-out of); (b) the commercial need and machine-driven (such as for SCADA/Supervisory Control and Data Acquisition, RFID/Radiofrequency Identification, or other business-inspired or business enhancing applications; and (c) the Government-aggregation (for various overt matters including health, morals and welfare, on one hand; or for covert matters, such as law enforcement and intelligence-driven surveillance operations, on the other hand).

 

CONCLUSION:

The depth and breadth of Data as a complex system continue to be enhanced by the interactions of its five Domains, and of the many faces therein. Having now considered Form Factors, Applications, Categories, and End-Users, our next and final installment will consider the “Scale” Data Domain.[10]

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer. He has also taken courses in organizational and micro-organizational behavior, and has significant experienced in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in legal, technological, and societal milieux.

 

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams. See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

____________________________________________________

[1] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published on ogalaws.wordpress.com, November 1, 2013. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[2] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 2 – Applications). Published on ogalaws.wordpress.com, December 27, 2013. Online: >https://ogalaws.wordpress.com/2013/12/27/the-100-faces-of-data-a-5-part-complex-systems-study-part-2-applications/<

[3] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 3 – Categories). Published on ogalaws.wordpress.com, February 4, 2014. Online: >https://ogalaws.wordpress.com/2014/02/04/the-100-faces-of-data-a-5-part-complex-systems-study-part-3-categories/<

[4] Both insiders and outsiders can be sources of significant threat to any business, or other data producer or data consumer. However, some research shows that the most significant threat comes from the outsider. See e.g. Ericka Chickowski. Should Insiders Really Be Your Biggest Concern? Published on darkreading.com, April 23, 2013.   Online: > http://www.darkreading.com/insider-threat/should-insiders-really-be-your-biggest-c/240153455 <. See contra. Ponemon Institute. Fourth Annual Benchmark Study on Patient Privacy and Data Security. Published on ponemon.org, March 12, 2014. Online: >http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security< In the medical field with regard to patient data security, insider risk is greater.

[5] There is a technical, definitional difference between unauthorized and non-credentialed. Credentials, such as passwords, pass keys, and biometric inputs all grant access, and so a properly credentialed user may be vetted and therefore authorized to access data on system A, but although vetted, “not” unauthorized to access data on system B. That user on system A may nevertheless try to gain access to data on system B, as a CMC (criminal, malicious, or compromised) user. On the other hand, if one gains access or attempts to gain access to data on system A or system B with stolen or spoofed credentials (apparently vetted), or through a credentials workaround (clearly non-credentialed), then this is essentially a non-credentialed access by an unknown user (absent the availability of more information), and it is unauthorized.

[6] Jeremy Reimer. FBI: Over one million computers working for botnets. Posted on arstechnica.com, June 14, 2007. >http://arstechnica.com/security/2007/06/fbi-over-one-million-computers-working-for-botnets/<

[7] Brian Krebs. Email Attack on Vendor Set Up Breach at Target. Published on krebsonsecurity.com, February 12, 2014. Online: >http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/<

[8] Anthony Wing Kosner. All Major Tech Companies Say NSA Actions Put Public Trust In Internet At Risk. Published on forbes.com, December 9, 2013. Online: >http://www.forbes.com/sites/anthonykosner/2013/12/09/all-major-tech-companies-say-nsa-actions-puts-public-trust-in-internet-at-risk/<

[9] Declan McCullagh. Feds use keylogger to thwart PGP, Hushmail. Published on cnet.com, July 10, 2007. Online: >http://www.cnet.com/news/feds-use-keylogger-to-thwart-pgp-hushmail/<

[10] See Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 5 – Scale).  Published on ogalaws.wordpress.com, May 15, 2014.  Online: >http://www.ogalaws.wordpress.com/2014/05/15/the-100-faces-of-data-a-5-part-complex-systems-study-part-5-scale/<

PREAMBLE:

In this data-driven world, we approached data from a complex systems perspective and assigned 5 data domains or “faces” as follows: Form Factors, Applications, Categories, End-Users, and Scale.  In Part 1 – Form Factors,[1] we identified some of the data devices through which data impacts upon us, and we impact upon the data.  In Part 2 – Applications,[2] we looked at the tools we use to collect, collate, and manipulate that data.  Now, in Part 3, we look at some of the different “Categories” of this Data.

ANALYSIS:

Categories.

These are the different ways in which we describe, define, and otherwise compartmentalize our data, in order to make it more malleable, manageable, and ultimately intelligible.

Level 2 (management): At this level, we have placed just two options: (i) an Externalized one for aggregation and analytics; and (ii) an Internalized one for commoditization and consumption.  In the first category, we have the original “Big Data” as collected, which is then aggregated and analyzed in various ways, by person and/or by machine.  It is the end-product in pieces, predictions and prognostications, or printouts, which is then packaged into more manageable morsels for the ultimate consumer.  That ultimate consumer can be any or all of a business, an individual or group, or a government or government agency.

Level 3 (security): As our focus is on the categories of data in a general sense, this “security” level will differ somewhat in its focus on the base-level “non-controls” or “intentional security lapses” that can now generally apply to data in three different spheres.  These, collectively termed “EULA3” or “EULA Cubed“,[3] are: (i) End-User Legal Authority; (ii) End-user License Autonomy; and (iii) End-User Leveraged Ability.  The first refers to the copyright exemption-like authority now permitting many end-users to further customize and develop commercial off-the-shelf software, such as screensavers, skins, avatars, and general gaming applications.[4]  The second refers to the various degrees of autonomy from traditional and restrictive use and geographic licensing that some consumers have, by using unlocked data devices – whether lawfully or not so lawfully unlocked.  This can range from having data devices function to reach data from geographic locations where they would not otherwise have been functioning; through number or service portability and the freedom it provides from multi-year service contracts with single providers; to opting-out of otherwise automated software updates and pre-sale software bundling.[5]  The third refers to the enhanced data-centric abilities that end-users now have as a result of the interconnected nature of data and the many faces of data.[6]  With the increasing expanse and depth of social media and apps for almost anything thinkable and unthinkable, there is no longer really any such thing as “use only as recommended”, because many future uses (Applications) of today’s data devices (Form Factors) – and of the data itself, are yet to be set-down or even known, and whether or not lawful where or when so ultimately used.

Level 4 (provenance): On this level, there are four categories for the origin of the data.  These are Social, Business, Personal and Government.  (i) Social as a source category, can include anything and everything ever put online.  (ii) Business as a source category, can include any and all personally identifiable, preference, contact information, and other data (personal data) voluntarily or involuntarily provided to a business by a consumer, or by another business.  Some restrictions on resale and usage, or transfer by and between internal divisions may apply, as per the entity’s Privacy Policy.  However, there can be exemptions for certain categories of data; additional concessions and goodies, such as rebates and special offers can be provided to customers who give the data custodian company carte blanche with regard to their provided data; and, of course, there are those instances where things go wrong or misplaced, or when careless business moves and messy business bankruptcies lead to provided data finding its way into dumpsters,[7] pawn shops,[8] second-hand and auctioned goods,[9] and to provided data being otherwise exposed through data breaches.[10]  (iii) Personal as a source category, may include spoken or written communications, non-verbal cues, and the contents of a lost wallet, purse, form factor, or mass storage device.  Finally, (iv) government as a source category, encompasses all the information that a government has (or could possibly have) on the individual or the business within its jurisdiction (or data-reach), for whatever reason, and from whatever other or intermediary origin point.

Level 5 (attack surfaces): As with the prior data domains covered – Form Factors and Applications – there are myriad, overlapping, and ever-multiplying attack vectors.  Here, we will merely identify the five transitional steps as attack surfaces within data categorization, where attacks may occur.  These are, at: (i) creation, collection, and collation; (ii) tokenization, encryption, and manipulation; (iii) storage and access; (iv) transmission and transportation (whether actual or virtual); and (v) disposal and destruction.[11]

Level 6 (aggregation): Finally, and just as with Applications, all Data “Categories” levels can be found and aggregated across the same 6 spaces as identified for Applications.  These are: (i) Cloud API; (ii) Datacenter; (iii) In-house server; (iv) workgroup; (v) single system desktop or laptop, social media, or gaming console/application; and (vi) mobile, to include tablet, smartphone, and wearable-tech.

CONCLUSION:

The depth and breadth of Data as a complex system continue to be enhanced by the interactions of its five Domains, and of the many faces therein. Having now considered Form Factors, Applications, and Categories, our next and penultimate installment will consider the “End-Users” Data Domain.[12]

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experienced in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in legal, technological, and societal milieux.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors).  Published on ogalaws.wordpress.com, November 1, 2013.  Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[2] Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 2 – Applications).  Published on ogalaws.wordpress.com, December 27, 2013.  Online: >https://ogalaws.wordpress.com/2013/12/27/the-100-faces-of-data-a-5-part-complex-systems-study-part-2-applications/<

[3] Ekundayo George.  Ctrl-Shift-Del: 2013’s Top 5 Technology Trends for Consumers (at section z:  “End-User Legal Authority/ License Autonomy/ Leveraged Ability (EULA3, or cubed)”).  Posted on ogalaws.com, March 16, 2013.  Web: >https://ogalaws.wordpress.com/tag/end-user-leveraged-ability/<

[4] Id.

[5] Id.

[6] Id.

[7] Chris Saldana, Reporter.  Dumpster Full of Personal Information Discovered.  Posted on 8newsnow.com, September 18, 2007.  Online: >http://www.8newsnow.com/Global/story.asp?S=7091061&nav=168XJuYl<

[8] Danielle Walker, Reporter. Doctor’s stolen laptop found at pawn shop; data of 652 patients exposed.  Posted on scmagazine.com, April 1, 2013.   Online: >http://www.scmagazine.com/doctors-stolen-laptop-found-at-pawn-shop-data-of-652-patients-exposed/article/286812/<

[9] Joe Willis, Regional Chief Reporter.  Workers’ personal information found in cabinet sold at auction.  Posted on thenorthernecho.co.uk, August 5, 2013.  Online: >http://www.thenorthernecho.co.uk/news/10589828.County_Durham_workers__personal_information_found_in_cabinet_sold_to_Spennymoor_man_at_Newcastle_auction/?ref=nt<

[10] Sean Sposito.  Data breaches: It’s likely to happen to you. Published on theglobeandmail.com, January 28, 2014.  Online: >http://www.theglobeandmail.com/report-on-business/international-business/data-breaches-its-likely-to-happen-to-you/article16558877/?page=all<

[11] The 3 customary data state categorizations of: (A) Data at rest; (B) Data in use; and (C) Data in motion, are too limited for the purposes of our schema, and any comprehensive implementation of a Data Loss Prevention (DLP) regime.

[12] See Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 4 – End-Users)Posted on ogalaws.wordpress.com, April 9, 2014.   Online: >http://www.ogalaws.wordpress.com/2014/04/09/the-100-faces-of-data-a-5-part-complex-systems-study-part-4-end-users-2/<

As this New Year starts and we all get back into the swing of work, or looking for work, or retirement, as the case may be, now is as good a time as any to reflect on what it means to be an ideal employee.

                Committed (old school):

There was a time when the ideal employee only needed to be “committed”, to his or her employer – whether in the public sector or private sector, and to a lifetime of employment with that employer.

                Conscientious:

Then the environmental movement came about, with the growth surge and popularity of Corporate Social Responsibility (CSR), which led to a search for “conscientious” candidates for employment, in some industries and service sectors.  Truth be told, there are certainly a good number of employers who could care less, or who would even, perhaps, prefer those with no pre-set views or that fully reject prevailing “environmentally-correct” or “socially-responsible” or “politically-correct” or “anti-globalization” platforms; which platforms in some cases have brought-out quite extreme and obnoxious behaviours on both sides of the fence, as adjudged by the fence-sitters in that space, place, and time.  To be conscientious about the fighting issues and only those issues, is the raison d’être at one end of the spectrum.  At the other end, however, to be conscientious about the bottom line and solely the bottom line – to the point of blatant, repeated unethical behaviour or illegality in some cases, is highly valued.

                Connected:

Now, we have the “Social” phase, with potential employers themselves or through contracted third-parties, trolling criminal record and other databases, the Internet and social media in an effort to develop a better picture of the person and the “contacts or connections” of the person, who’s paper resume, personal video, multimedia resume, or LinkedIn or Facebook profile has been sent to their inbox, pasted on their private wall, or delivered by hand.  As a result of this highly disruptive paradigm-shift, the 5 (“five”) recurrent questions in HR circles, have now become:

(i) to whom are they connected;

(ii) where;

(iii) how;

(iv) what causes or entities do they like or follow; and

(v) how will any or all of this help or hurt us if we bring them onboard?

Alas, if you have no online profile, or too few connections but years of experience, then “some” HR professionals may well think you are hiding something due to the assumption that “everyone” now has an appreciable online presence and a large connection group through all of which the original data subject may itself, be or become far better known to them through open source and standoff means.

Unfortunately, the lack of an online presence or even a large connection group does not necessarily signify an issue.  I am sure that there are many people who have simply never gotten around to it, face restrictions on what they can post online due to current and former employers or their specific lines of work, or who have simply rebelled against what they feel is over-sharing and information overload.

To counter for this potential bias, it is likely high time to go back to the basics and focus on the “Committed” aspect, as in Committed (new school), in looking to the core of what an ideal employee is, or should develop into.

Committed (new school):

With a resounding yes, we can all agree that (at least in the western world and other parts that sincerely follow the western model), two core work assumptions are now gone, forever:

(i) that there is lifetime employment on offer; and

(ii) that the employment relationship is one with more obligation of employee to employer, than employer to employee.

Today, people will have more than one career, and often simultaneously; and there are a mix of mutual obligations and rights between the employer and employee – now codified by law and custom.  On account of this, the assessment of commitment is multifactor, multidisciplinary, and always in flux.  We can look at it through the 3 sub-elements of that commitment; being: (i) Culture; (ii) Competence; and (iii) Coordination.

(i) CULTURE.

Culture is a system of values, beliefs, and norms that guides worldviews, behaviours, and relationships. The employer will have a culture, and the potential employee will have taken in the culture of one or more societies or prior employers; resulting in quite a complex of motivators.  Organizations tend to be rather intolerant of newcomers who try to change the culture from the inside-out, once allowed inside.  If a person joins an employer after being attracted by the culture, then a later discovery of mismatch, or that the culture is not quite as it seemed, can lead to disillusionment, acting-out (in performance issues or whistleblowing), or separation – whether voluntary or involuntary.  Where HR speaks of “a good fit”, they are referring to their culture, and the likelihood that the potential recruit will both say “ok”, and actually decide to stay.

Behavioural interviewing is one way of assessing how the candidate will fit into the established order.  However, some veterans of the process can be very good at giving the right-sounding answers, only to be and present a later disaster.  This is why it is essential for the employer to project its true culture to potential hires, and for jobseekers to be true to themselves in their search and responses to interview questions.  If this is just to be a survival job, then what’s your problem?  Go with the right attitude and don’t try to change the whole place around you, if you know you won’t be there for the long-term.

(ii) COMPETENCE.

Competence is that mix of skills, abilities, certifications, and knowledge (SACK) that makes the candidate attractive to a potential employer.  The potential employer may have listed a specific requirement, or the potential candidate may be targeting that employer, or working with a third-party recruiter who does the match-making as go-between.  However, in all cases, the goal is to get a match and have as many SACK-points in common as possible.

Here, we can get a better appreciation of that mutuality of obligations mentioned earlier.  If the person is hired to do a specific job because of his or her SACK, then where the SACK is not used or under-used, due to any or all of re-tasking, lack of work, or disorganization and mismanagement, then the new hire will not be happy.  Mental muscles not used will tend to atrophy over time; especially in fast-moving infotainment fields such as IT and graphic design.  In this way, candidates who are under-used, will soon become candidates again, so that they can get meaningful work that they enjoy.  While it is true that this is not always the employer’s fault, especially in a slowed economy where work can be scarce in some lines, the truth of the matter is that employees are now more focused on their own longevity and their own bottom line, as lifelong loyalty to the employer – even a government employer– is no more.  It is one thing to grow with the company ….. but the company has to be growing (or at least stable) when they get there, and not just presenting a promise of growth or stability at some indeterminate point in the future.  There are, however, differences of individual risk appetite, and so this factor may still vary.

(iii) COORDINATION.

Where the employee has accepted the culture and has the right SACK, then the only remaining questions are – (I) can he or she demonstrate an ability to coordinate these in delivering for the employer; and (II) at what level can he or she do this, and with or without additional training or supervision.  There are four levels: Planning, Leading, Undertaking and Understanding, and Managing (PLUM), and we will consider them out of order.

(a)          Understanding and Undertaking:

This is the résumé or covering letter excerpt that speaks of undertaking tasks with minimal supervision.  Can the employee understand simple instructions and undertake the work to deliver a satisfactory (or preferably above satisfactory) end-result?  This is at the basic level.  For the intermediate level, the question is can the employee understand the results of a SWOT (strengths, weaknesses, opportunities and threats) analysis and independently apply his or her individual effort to capitalize on opportunities and strengths (product placement or service excellence), or address weaknesses and threats (brand recognition, market penetration, or negative publicity).  For the advanced level, can the employee both plan and conduct a detailed SWOT analysis, and then coherently communicate the results to others?

(b)          Planning:

This is the capacity of the employee to plan or co-plan any combination of events, projects, compliance programs, or succession.  It would clearly include the planning of a program to address the results of a SWOT analysis at an advanced or intermediate level, or the planning of a discrete employee initiative – such as a training seminar, a new product presentation or service rollout, or a packaging concept or promotional design competition in an environment where the employer had initially encouraged such collaboration and input.

(c)           Leading:

Of course, these factors are presented in no particular order, and so the employee may be given a managerial role (over strategic projects, such as social media outreach) before a purely leadership role (of a shop floor team, for example), and at a multitude of available levels from front-line supervisor, through middle management, to executive assistant.  Specific roles will be determined by the available talent, and the organizational need for leaders of change, projects, teams, events, or training, amongst others.

(d)          Managing:

Some people have natural interpersonal skills, whilst others will have to be coached or trained.  The “naturals” will be easily and speedily recognized in those environments where management is alert and open to its in-house talent, and additional opportunities will be presented to further hone and apply those innate skills as and when found.  Employees can also be or become skilled at managing resources (finance, logistics, human resources) or compliance (legal and regulatory affairs, or shareholder communications) through education and training, and past or current work experience.

SUMMARY.

Committed, Conscientious, and Connected are still valid macro-level descriptors of ideal employees.  However, “Committed” is dynamic, with its own micro-keys of culture, competence, and coordination.

Constant growth, constant learning, and constant expansion of the SACK (skills, abilities, certifications, and knowledge) that one possesses and brings to the job negotiation table is mandatory – because everyone else is doing the same thing and competition is only becoming more intense.  Rent-seeking is also a new constant, as the worker should be constantly seeking-out and plucking the juiciest and most demonstrable PLUMS (planning, leadership, understanding and undertaking, and management) as assignments and means by which to deliver value to the employer, and further fill-out the proprietary and portable sack on the employee’s back.  “As I help you, I also help myself”, but in a non-selfish way!!

For the prospective and current employer, the key to recruiting and retaining the “right fit” is to have and communicate the right culture, seek-out (and actually use once onboard) the right competencies, and have enough “plums” in the air to offer:

(i) sufficient;

(ii) meaningful work; and

(iii) personal growth opportunities; with

(iv) job satisfaction; and

(v) benefits and work-life balance;

to keep people (and the sacks on their backs) around.  I refrain from saying “the right people”, because everyone who wants to and is given the opportunity, is capable of growing into a series of increasingly responsible roles.

It has often been said that the more things change, such as the “committed” employee, the more they remain the same.  Do you agree?

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experienced in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in the legal, technological, and societal milieu.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

%d bloggers like this: