BACKGROUND:

 

SPEECH –

An example of “public speech”, in this context, would be an open and notorious change to one’s LinkedIn profile, such as adding a project, an interest, or a competency and skill; and then positively choosing to publicize these profile changes to one’s network.

 

WHISPER –

An example of a “public whisper”, in this context, would be changing one’s skills or communication preferences to show openness to career opportunities, thereby letting recruiters know that one might be interested in opportunities; willingly sharing one’s LinkedIn profile with potential recruiters; or making a public speech as above, but then “specifically” choosing to not announce this profile change to one’s network or to members of the general public.

 

LINKEDIN

LinkedIn (“LinkedIn”) is a very widely-used networking site that allows users to choose between making such public speech and public whispers, in their settings preferences.

 

hiQ

hiQ Labs, Inc. (“hiQ”), is a data analytics entity that has developed and deployed automated “bots” that can access public speech and that last definitional element of a public whisper[1] (hushed or stealthy profile changes) on LinkedIn in a Skill Mapper, allegedly not always in accordance with LinkedIn user-selected visibility preferences,[2] and then further share, publicize or sell the results whether in the raw or aggregated formats to its own customer base of interested employers and parties and persons attempting to contact such job-seeking, job-interested, and passively job interested LinkedIn users.

 

“Companies like LinkedIn, Twitter and Facebook view scraping of the data generated by their users not just as theft – they sometimes charge to license data (to higher level business users) – but a violation of their users’ privacy, because some information can be limited so not all users can view it”[3] [additional words in parentheses].

 

Understandably, LinkedIn, “which charges recruiters, salespeople and job hunters for higher levels of access to profile data”,[4] issued a 3-page cease-and-desist letter to hiQ on May 23, 2017,[5] advising the recipient that it was in violation of the LinkedIn user agreement with those behaviours, notifying the recipient that additional security precautions had been implemented to prevent any recurrence, demanding that the recipient delete and destroy all such “improperly obtained material” in its possession or custody or control, and putting the recipient on notice that any further such behaviour would be in violation of applicable state and federal laws, with citation to a leading 2015 case in that jurisdiction of the United States federal District Court for the Northern District of California (USDC, NDCA), in which the court had barred similar “website data scraping” conduct.[6]

 

hiQ promptly filed for a Temporary Restraining Order (TRO) in California federal court (USDC, NDCA),[7] to bar any actual application of that cease-and-desist language pending ultimate determination of the underlying matters in a court of competent jurisdiction.  And so it was, that on Monday, August 14, 2017, the court granted hiQ its TRO.[8]

 

 

ANALYSIS:

 

CRAIGSLIST

In the case that LinkedIn cited within its cease-and-desist letter to hiQ, Craigslist, Inc., had filed a Complaint against the defendant, but the defendant had not timely answered.  As a result, Craigslist then applied for and was granted, a Default Judgement.[9]  According to the ruling, a certain Brian Niessen, a Craigslist user, had answered a Craigslist advertisement posted by another Craigslist user, for a “Skilled Hacker at Scraping Web Content”.[10]  Niessen had described himself as a hacker, and professed that he was already scraping several thousand websites, including “[c]raigslist, Twitter, Groupon, Zagat, and others.”[11]  3taps then entered into a business relationship with Niessen to continue his scraping, for them, which Craigslist stated was in violation of its terms of use (TOU) and constituted a breach of contract because Niessen, as a registered Craigslist user, had agreed to the TOU on several occasions.[12]

 

“The TOU prohibit, among other things, ‘[a]ny copying, aggregation, display, distribution, performance or derivative use of craigslist or any content posted on craigslist whether done directly or through intermediaries, […]’”[13]

 

Craigslist did secure injunctions against the Niessen co-defendants, including Lovely, PadMapper, and 3taps.[14]  However, Niessen – named along with those co-defendants in the Amended Complaint with its 17 Claims for Relief[15] – was somewhat more elusive, as he was first difficult to effectively serve with the Complaint, and then after being served, he failed to provide an answer within the specified time.[16]  As a result, the Clerk of Court first entered a Notice of Default against Niessen, and then Craigslist made Motion for a Default Judgement against Niessen, which the court granted.[17]

 

 

LINKEDIN –

LinkedIn had sought a response by May 31, 2017 to its cease-and-desist letter of May 23, 2017.[18]  However, hiQ filed its Complaint for Declaratory and Injunctive relief against LinkedIn on June 7, 2017.[19]  In summary, with the first paragraph of the Introduction for same, hiQ writes:

 

“This is an action for declaratory relief under the Declaratory Judgment Act, 28 U.S.C. § 2201 and 2202, and for injunctive relief under California law.  hiQ seeks a declaration from the Court that hiQ has not violated and will not violate federal or state law by accessing and copying wholly public information from LinkedIn’s website.  hiQ further seeks injunctive relief preventing LinkedIn from misusing the law to destroy hiQ’s business, and give itself a competitive advantage through unlawful and unfair business practices and suppression of California Constitutional free speech fair guarantees.  hiQ also seeks damages to the extent applicable.”[20]

 

hiQ did promptly and appropriately seek and retain counsel to engage in discussions with LinkedIn upon receipt of the cease-and-desist letter, in order to better understand LinkedIn’s position and seek an accommodative solution to their serious differences.[21]  LinkedIn argued through counsel that it was protecting the interests of its users and seeking to remedy violations of state and federal laws; and hiQ argued through counsel that not only did LinkedIn lack any proprietary interests in the posted data, which was still owned by its users, but that LinkedIn was therefore attempting to “pervert the purpose of the laws at issue by using them to destroy putative competitors, engage in unlawful and unfair business practices and suppress the free speech rights of California citizens and businesses.”[22]

 

On May 30, 2017, hiQ then sent its own letter to LinkedIn seeking the ongoing interim website access that would allow it to persist as a going concern – because “complying with LinkedIn’s demands would essentially destroy hiQ’s business”,[23] while continuing discussions towards “a mutually amicable resolution” of their impasse.  However, on receiving no response, hiQ filed its Complaint for declaratory and injunctive relief.[24]

 

 

HIQ –

The parties entered into a standstill agreement that preserved hiQ’s access to the public LinkedIn data, and agreed to convert hiQ’s original motion into one for a preliminary injunction, after the court had heard the initial party arguments on the hiQ complaint on July 27, 2017.[25]  In California federal District Court, “[a] plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.”[26]  Within the United States Court of Appeals for the Ninth Circuit, which lays down controlling precedent for United States Federal District Courts in California and several other states and territories,[27] there is a sliding scale for the standard of proof on these elements, which means “a stronger showing of one element may offset a weaker showing of another.”[28]

 

The court also grappled, inter alia, with the language of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030,[29] which prohibits and sanctions unauthorized (whether lacking authorization ab initio or with authorization later revoked), or improperly elevated or improperly applied access to a computer or computer system, because although the LinkedIn profiles were public, they rested on one or more private servers, which were computers.[30]  However, as the court finally opined, “[…] hiQ has, at the very least, raised serious questions as to applicability of the CFAA to its conduct.”[31]

 

“The CFAA must be interpreted in its historical context, mindful of Congress’ purpose. The CFAA was not intended to police traffic to publicly available websites on the Internet – the Internet did not exist in 1984. The CFAA was intended instead to deal with “hacking” or “trespass” onto private, often password-protected mainframe computers.”[32]

 

With regard to hiQ’s claims that the LinkedIn conduct had violated applicable California free speech laws, the court was more circumspect.  hiQ had cited to Robins v. Pruneyard Shopping Ctr.,[33] a case involving attempts to curtail political speech in a privately-owned shopping mall, to analogize that the LinkedIn site was a public forum akin to a shopping mall with guaranteed free access, free speech, and free association, because “[…] the state’s guarantee of free expression may take precedence over the rights of private property owners to exclude people from their property.”[34]

 

The court was very loath to start traveling down this most slippery of slopes, stating that: no court had, as yet, extended Pruneyard to the internet in so complete a manner; unlike a shopping mall, the Internet had no single controlling authority; there may result significant repercussions on the capacity of social media hosts to curate posted materials in such a public forum; and there was a lingering question as to whether the same rules would apply to the websites of small, medium, and large entities, alike.[35]  The court therefore concluded that “[i]n light of the potentially sweeping implications discussed above and the lack of any more direct authority, the Court cannot conclude that hiQ has at this juncture raised ‘serious questions’ that LinkedIn’s conduct violates its constitutional rights under the California Constitution.”[36]

 

On the balance, the court agreed that hiQ had raised enough of a question as to whether LinkedIn’s actions against it had violated the provisions of California’s Unfair Competition Law (UCL)[37] by “leveraging its power in the professional networking market for an anticompetitive purpose”;[38] disagreed that hiQ had either claimed to be a third-party beneficiary of LinkedIn’s promise to its users that they could control the publicity of their profiles, or shown that a third-party could assert such a claim of promissory estoppel in the first instance;[39] and agreed that the public interest favoured a granting of hiQ’s injunction, because “[i]t is likely that those who opt for the public view setting expect their public profile will be subject to searches, date (sic) mining, aggregation, and analysis.”[40]

 

 

CONCLUSION:

 

Of note, regarding all of its claims and especially the estoppel claim, hiQ had also argued that LinkedIn had long acquiesced to its usage of the website and publicly available user data in this way; including attending hiQ conferences where the host thoroughly explained its methodology and business model, and even gave at least one LinkedIn employee an award.[41]  Indeed, some industry commentators have opined that LinkedIn has merely had a change in policy subsequent to its acquisition by Facebook which the courts should not enjoin, and they foresee several other negative repercussions from the outcome of this case if hiQ prevails, and they expect LinkedIn to appeal the District Court ruling.[42]  However, there are also several strong voices supporting hiQ that see negative repercussions if LinkedIn prevails.[43]

 

Suffice it to say that for now, LinkedIn has been Ordered to withdraw its cease and desist letters to hiQ, and stop blocking hiQ, both with immediate effect from the August 14, 2017 date of the Order of Edward M. Chen, United States District Judge.[44]

 

We await LinkedIn’s appeal,[45] if any, but in the interim … all who so do are advised to publicly shout, and to publicly whisper, with caution, because they never know who might be cataloguing their words – and where those words that they own might land (or more specifically, land the originator of those very words) in this Gig e-conomy[46] that exemplifies the gentle admonition that “sharing is daring!”

 

 

*********************************************************************

 

Author:

Ekundayo George is a lawyer and sociologist.  He is a keen student of organizational and micro-organizational behavior and has gained significant experience in regulatory compliance, litigation, and business law and counseling.  He has been licensed to practise law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America.  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services and Public Finance, Public Procurement, Healthcare and Public Pensions, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors.

 

Of note, Mr. George has now worked at the municipal government, provincial government, and federal government levels in Canada, as well as at the municipal government, state government, and federal government levels in the United States.  He is also a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and enjoys complex systems analysis in legal, technological, and societal milieux.

 

Trained in Legal Project Management (and having organized and managed several complex projects before practising law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams.  Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: healthcare; education and training; law and regulation; policy and plans; statistics, economics, and evaluations including feasibility studies and business cases; infrastructure; and information technology/information systems (IT/IS) – also sometimes termed information communications technologies (ICT).  See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.  Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

 

 

[1] See Infra note 7 at Introduction, ¶2.  hiQ does specifically state in its Complaint, that: “hiQ does not analyze the private sections of LinkedIn, such as profile information that is only visible when you are signed-in as a member, or member private data that is visible only when you are “connected” to a member. Rather, the information that is at issue here is wholly public information visible to anyone with an internet connection.”  But See HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 6.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>…

“LinkedIn maintains that […] while the information that hiQ seeks to collect is publicly viewable, the posting of changes to a profile may raise the risk that a current employee may be rated as having a higher risk of flight under Keeper even though the employee chose the Do Not Broadcast setting. hiQ could also make data from users available even after those users have removed it from their profiles or deleted their profiles altogether. LinkedIn argues that both it and its users therefore face substantial harm absent an injunction; if hiQ is able to continue its data collection unabated, LinkedIn members’ privacy may be compromised, and the company will suffer a corresponding loss of consumer trust and confidence” [emphasis added].

[2] Id. at Introduction, ¶5.  On this point, hiQ writes to specify LinkedIn’s 5 levels of profile visibility preference, and emphasize its own limited access to and use of same:

“LinkedIn members can choose to (1) keep their profile information private; (2) share only with their direct connections; (3) share with connections within three degrees of separation; (4) allow access only to other signed-in LinkedIn members, or (5) allow access to everyone, even members of the general public who may have no LinkedIn account and who can access the information without signing in or using any password. It is only this fifth category of information – wholly public profiles – that is at issue here: hiQ only accesses the profiles that LinkedIn members have made available to the general public.”

[3] Thomas Lee.  LinkedIn, HiQ Spat Presents Big Questions for Freedom, Innovation.  Published July 8, 2017 on sfchronicle.com.  Web: <http://www.sfchronicle.com/business/article/LinkedIn-HiQ-spat-presents-big-questions-for-11274133.php#comments>

[4] Ibid.

[5] LinkedIn Corporation.  RE: Demand to Immediately Cease and Desist Unauthorized Data Scraping and other Violations of LinkedIn’s User Agreement.  Letter dated May 23, 2017.  Web: <https://static.reuters.com/resources/media/editorial/20170620/hiqvlinkedin–ceaseanddesist.pdf>

[6] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[7] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017).  COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF. Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[8] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[9] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA).  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[10] Id. at 2.

[11] Ibid.

[12] Id. at 3.

[13] Id. at 2.

[14] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. October 9, 2015).  ORDER Granting Application for Default Judgment, issued by Charles R. Breyer, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 3.  Web: <http://law.justia.com/cases/federal/district-courts/california/candce/3:2012cv03816/257395/280/>

[15] Craigslist, Inc v. 3Taps, Inc et al, 12-cv-03816-CRB (N.D. Cal. November 20, 2012).  First Amended Complaint.  Web: <http://www.3taps.com/images/pics/430_Amended Compalint .pdf>

[16] Supra note 14 at 3.

[17] Ibid.

[18] LinkedIn Corporation.  RE: Demand to Immediately Cease and Desist Unauthorized Data Scraping and other Violations of LinkedIn’s User Agreement.  Letter dated May 23, 2017.  Web: <https://static.reuters.com/resources/media/editorial/20170620/hiqvlinkedin–ceaseanddesist.pdf>

[19] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017). COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF.  Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA).  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[20] Id. at Introduction, ¶1.

[21] Id. at ¶¶27-8.

[22] Id. at ¶28.

[23] Id. at ¶¶34, 38, 46.

[24] Id. at ¶29.

[25] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 3.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>…

[26] Id. at 4.

[27] The United States Court of Appeals for the Ninth Circuit covers Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, the Northern Mariana Islands, Oregon, and Washington state.  See generally Geographical Boundaries of United States Courts of Appeals and United States District Courts.  Online: <https://www.supremecourt.gov/about/Circuit Map.pdf>

[28] Supra note 25 at 4.

[29] Congress of the United States, United States Code, 18 USC 1030: Fraud and related activity in connection with computers.  Title 18: Crimes and Criminal Procedure; Part I: Crimes; Chapter 47: Fraud and False Statements. Web: <uscode.house.gov/browse/prelim@title18/part1/chapter47&edition=prelim>

[30] Supra note 25 at 10.

[31] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 16.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[32] Id. at 10.

[33] See Robins v. Pruneyard Shopping Ctr., 23 Cal. 3d 899, 905 (1979).

[34] Supra note 31 at 18.

[35] Id. at 19.

[36] Id. at 20-21.

[37] See Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §17200 et seq.

[38] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 21.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[39] Id. at 23.

[40] Id. at 24.

[41] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-LB (N.D. Cal. June 7, 2017). COMPLAINT FOR DECLARATORY JUDGMENT UNDER 22 U.S.C. § 2201 THAT PLAINTIFF HAS NOT VIOLATED: (1) THE COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030); (2) THE DIGITAL MILLENNIUM COPYRIGHT ACT (17 U.S.C. §1201);(3) COMMON LAW TRESPASS TO CHATTELS; OR (4) CAL. PENAL CODE § 502(c); INJUNCTIVE RELIEF TO ENJOIN: (1) INTENTIONAL INTERFERENCE WITH CONTRACT AND PROSPECTIVE ECONOMIC ADVANTAGE; (2) UNFAIR COMPETITION (CAL. BUS. & PROF. CODE § 17200); (3) PROMISSORY ESTOPPEL; AND (4) VIOLATION OF CALIFORNIA FREE SPEECH LAW; AND RELATED MONETARY RELIEF. Filed 2017, in the United States District Court for the Northern District of California (USDC, NDCA), at ¶7.  Web: <https://www.unitedstatescourts.org/federal/cand/312704/1-0.html>

[42] See generally Tristan Greene.  The future of your data could rest in the outcome of LinkedIn vs HiQ case.  Posted August 24, 2017 on thenextweb.com.  Web: <https://thenextweb.com/insider/2017/08/24/hiq-is-the-david-to-linkedins-goliath-in-legal-battle-over-user-data/#.tnw_Q1Tn05Hv>…

[43] Id.

[44] HiQ Labs, Inc. v. LinkedIn Corporation, 17-cv-03301-EMC (N.D. Cal. August 14, 2017).  Order Granting Plaintiff’s Motion for Preliminary Injunction, issued by Edward M. Chen, United States District Judge, United States District Court for the Northern District of California (USDC, NDCA), at 21.  Web: <https://assets.documentcloud.org/documents/3932131/2017-0814-Hiq-Order.pdf>

[45]  – Reserved

[46] For a general overview of the Gig e-conomy and its monopoly potential, see e.g. Ekundayo George.  Monopolies and Market Dominance in the “GIG” e-conomy: What Might These Look Like / Are We There Yet?  Published July 16, 2017 on ogalaws.wordpress.com.  Web: <https://ogalaws.wordpress.com/2017/07/16/monopolies-and-market-dominance-in-the-gig-e-conomy-what-might-this-look-like-are-we-there-yet/>


 

INTRODUCTION:

I will not get into legalese, as this is but a conceptual take on the topic.  I came across the following New York Times article,[1] which posed the question “Is It Time to Break Up Google?”  That article had been cited by a more recent one that spoke of the dominant market positions of the so-called FAAAN stocks (described as Facebook, Amazon, Alphabet, Apple and Netflix) or sometimes FAANG stocks (Facebook, Amazon, Apple, Netflix and Google), and the potential need to limit or dismantle them for such reasons as to protect the consumer, or to better protect against the loss or misuse of personal data, or to maintain market integrity, investment and productivity, and dynamism through vigorous multiparty competition.[2]  I will use FAAAN and FAANG interchangeably.

 

This is the language of competition regulators – avoiding monopolies, carefully watching oligopolies, and protecting the consumer from any entity that would abuse its dominant position in the market to take advantage of them.  There are competing schools in different regulator domains, however, as one side says that competition spurs innovation (European Union stance), whilst the other side appears more comfortable with FAAAN entity market shares than it was with those in telecommunications, oil and gas, and railways (United States stance).[3]  The Standard Oil Company, which maintained a 90% market share for twenty years, is often cited as the posterboy for monopoly power in the United States – but was it really so villainous?[4]  In any case, before we apply a solution, we must first answer 3 essential questions:

 

  1. What, exactly, are these FAAAN entities allegedly dominant in?
  • Facebook has a leading position in social media, through its control of Facebook Messenger, WhatsApp, and Instagram (and now sharing control, with Alphabet/Google, of approximately 56% of the U.S. market for mobile advertising).[5]
  • Amazon has a leading position in e-commerce, with its ubiquitous shopping portal (now handling approximately 30% of all U.S. e-commerce sales),[6] and in the provision of cloud hosting and data centre services.
  • Alphabet/Google has a leading position in online search, online video through its control of Youtube, and in the revenue yield from online advertising (now earning approximately 78% of all U.S. search advertising revenues).[7]
  • Apple has a leading position in smartphones, wearables, and tablets, through its iPhone (now accounting for approximately 60% of global smartphone sales),[8] iPad, Watch, Mac, and MacBook lines.
  • Netflix also has a leading position in “over the top” (OTT) movie, performance, and documentary streaming (now reaching approximately 75% of all U.S. streaming service viewers).[9]

 

Are these indications of dominance, we ask, or just a solid and perhaps (for now) unassailable lead in markets resoundingly disrupted?

 

“Movies and television could become like opera and novels, because there are so many other forms of entertainment. Someday, movies and TV shows will be historic relics. But that might not be for another 100 years.”[10]

 

For example, all of these FAAAN stocks, other than Apple, may be especially dominant in the United States, but with the U.S. share of global e-commerce expected to fall from 20.7% in 2016 to 16.9% in 2020, while China’s share of it rises from 47% to 59.5% in the same period,[11] and given the restrictions on market entry into China,[12] how can any such current “dominance” persist?

 

Microsoft is also sometimes mentioned as a market dominator, with its leading positions in operating system software, desktops and mobile, cloud hosting, big data, analytics, and online storage through its data centres; as is Uber, with its stated goal to dominate the ride-hailing space on a global scale.

 

  2. What, precisely, is the market or who, precisely, is the consumer that these FAANG entities are allegedly dominating?

Let us now start to break things down a little further, step by step.

 

VERTICALS –

I think we can all agree that there are three consumer verticals: government, business, and generic consumers – meaning neither of the preceding two verticals.  From there, however, things can get quite tricky, with this hierarchy of 3 verticals, then 5 sectors, then 30 groups, and finally, their many included elements.  Of course, each regulator or group of regulators assessing these entities, has its own domain, such as the United States (with its long tradition of Antitrust regulation), Canada (with its long experience in near oligopolies for financial services and telecommunications), Russia and China (with growing experience in competition regulation, and where Uber recently partnered with Yandex in Russia,[13] and earlier with Didi Chuxing in China,[14] for ride-hailing, or “on-demand transportation”), and the European Union (where Facebook,[15] Alphabet/Google,[16] Apple,[17] and Microsoft,[18] have all had run-ins with the local Competition regulator).

 

In the investing community, there are a number of ways to segment the market.  The diversified Standard & Poor’s 500 Index uses 11 market sectors,[19] and the NASDAQ (technology-heavy) index follows the Industry Classification Benchmark (ICB) system, to create ten market sectors.[20]  There is some overlap between these two, but the Toronto Stock Exchange (energy- and financial services-heavy) index has just seven market sectors.[21]  Personally, I have long used a modified schema of about 16 sectors, but I think it is time to change the whole approach because these FAAAN / FAANG entities have disrupted much, will continue to do so, and have spawned a whole series of ecosystems of disruptors that cross sectoral boundaries, serve multiple verticals, and make a mockery of most if not all commonly used methods of market and competition analysis, including clear regulatory categorization, for purposes of finding and assessing the impact of a dominant position.  This is collectively the “gig”-economy of on-demand piecework, tempwork, and peer-to-peer transacting that circumvents big businesses, with “gig” having a U.S. labor market share now estimated at 34% and projected to rise to 43% by 2020.[22]

 

Hence, my analytical proposal is this:

 

 

SECTORS –

We start with 5 very broad sectors, and then break things down further.  Those five sectors, are: General Goods and Services; Specialized Goods and Services; Digital Tools, Applications and Services; Social Infotainment; and the Gig e-conomy.

 

GENERAL GOODS AND SERVICES SECTOR:

Here, I have placed the 8 key groups of Government, Manufacturing and Industry, Materials, Oil and Gas, Retail and Wholesale, Security, Transportation, and Utilities.

Government, is further divided across the 5 elements of: regulation; education and tutoring; standard setting; libraries and archives; and dispute resolution and keeping the peace.

Manufacturing and Industry, are further divided across the 5 elements of: aerospace and defence; construction and engineering; transportation and utilities infrastructure; technology, hardware, communications equipment and components and peripherals; and services.

Materials, are further divided across the 5 elements of: paper and forest products; metals and mining; construction materials and components; advanced materials; and CAD-CAM, and GIS and other services.

Oil and Gas, are further divided across the 5 elements of: oil and gas services; drilling and equipment; transportation and storage; refining, trade, plastics and chemicals; and other.

Retail and Wholesale, are further divided across the 5 elements of: leisure; household durable and furniture; household discretionary and personal products; retail (multiline and specialty); and luxury goods, apparel, and textiles.

Security, is further divided across the 5 elements of: national security and defence; societal security and emergency management; physical and industrial safety and security, and emergency management; personal safety and security, and incident response; and virtual security, and incident and event management.

Transportation, is further divided across the 5 elements of: public transportation networks; commercial transportation networks; carriage for hire and ride-hailing; personal and shared mobility properties; and drones and autonomous vehicles.

Utilities, are further divided across the 5 elements of: electric and gas; wind, solar, and water; nuclear; biomass and multi-utility; and other.

 

 

SPECIALIZED GOODS AND SERVICES SECTOR:

Here, I have placed the 8 key groups of Conglomerates, Financial Services, Food, Health and Wellness, Information Communications Technologies, Information and Data Techniques, Personal Services,  and Shelter.

Conglomerates, are further divided across the 5 elements/variants of: food, beverage, and consumer products; information communications technologies and information and data techniques; leisure, property, and transportation; technology, industry, and manufacturing; and services.

Financial Services, are further divided across the 5 elements of: consumer, trade, and business banking and finance, and cash and payment provision and processing; mortgages, home equity lines of credit, and real estate investment trusts; financial planning and advising, and portfolio and asset management; trusts and estates; and insurance and reinsurance.

Food, is further divided across the 5 elements of: crops; kept animals and kept animal products; beverages and other consumables; wholesale, retail, and restaurant; and processing, packaging, and distribution.

Health and Wellness, is further divided across the 5 elements of: medical and surgical services; medical and surgical equipment; pharmacology; mental and spiritual health; and fitness and alternatives.

Information Communications Technologies, are further divided across the 5 elements of: publishing, and printed media; cable, over-air, over the top, and satellite television; radio and satellite radio; fiber optics, telephone, and voice over internet protocol; and audio-visual and peripherals.

Information and Data Techniques, are further divided across the 5 elements of: collection and collation; privacy, security, and anonymization; storage and retrieval; transactions and analysis; and disposal.

Personal Services, are further divided across the 5 elements of: professional services; personal assistants, managers, and agents; virtual assistants; crisis, wardrobe, image and media consultants; and household staff.

Shelter, is further divided across the 5 elements of: single family; multi-family; mobile accommodations; hotel, motel, cruise and resort; and plant, office, maintenance and janitorial.

 

 

DIGITAL TOOLS, APPLICATIONS, AND SERVICES SECTOR:

Here, I have placed 8 key groups, and without any further division across elements because the developed and developing options are still far too broad to be coherently and comprehensively captured, if ever.  These 8, are:

  • Consumer Software, and Productivity applications.
  • eBooks, eNews, and other eMedia.
  • eCommerce.
  • eLearning.
  • Employment and Contracting.[23]
  • Entity Clouds and data centres for Big Data, storage, hosting, managed solutions, and analytics.
  • Online advertising, including by profile, location, nearfield communication, and radiofrequency identification.
  • Online search, mapping and geo-tagging or tracking, and navigation.

 

 

SOCIAL INFOTAINMENT SECTOR:

Here, I have placed the 2 key groups of Hardware; and Services.

Hardware, is further divided across the 5 elements of: phones; tablets; desktop devices; virtual and augmented reality; and content creation through interactive and autonomous devices with and without artificial intelligence.

Services, are further divided across the 5 elements of: standard and streaming live theatre, motion pictures, and video; standard and streaming live concerts, performance arts, and audio; social and chat, and introductions and networking; gaming, group casts, and similar interactions; and content creation, experiential learning, and immersive transactions.

 

 

GIG E-CONOMY SECTOR:

So now, let us use a “gig” e-conomy approach to assess the dominance issue across the preceding market sectors.  I think that you may well find yourself agreeing that there is no dominance at play, and that the competition is still quite healthy across the board.  Here, I have placed those “on demand” goods and services available through rapidly advancing technology that are or may be applicable.  Please note that no single person can possibly name all members of any subgroup and the Apps and Bots of competitors, as they multiply, morph, and merge on both daily and intraday bases; I will, however, try to give sufficient coverage to convey the depth, breadth, and scope of offerings available.[24]

 

On-demand General Goods and Services, and their related providers or aggregators would be found here, such as Baidu Baike, The Canadian Encyclopedia, Encyclopedia Britannica, Encyclopedia.com, The Free Dictionary.com, Wikipedia and World Book Online (Government: libraries and archives); 3D printers (Materials: CAD-CAM, and GIS and other services); Alibaba, Amazon, Costco, WalMart, and Yandex (Retail and Wholesale – whole group); AppRiver, Bitdefender, Symantec/Norton, Kaspersky, McAfee, and Webroot SecureAnywhere Antivirus (Security: virtual security); and Uber, Lyft, Ourbus, Didi Chuxing, BlaBlaCar, and Yandex (Transportation: carriage for hire and ride-hailing).

 

On-demand Specialized Goods and Services, and their related providers or aggregators would be found here, such as Apple, Alphabet and Microsoft (Conglomerates: Information communications technologies – smartphones of iPhone, Pixel and Lumia, along with Watch, Mac, iPad, Surface, OneNote, and the operating systems of iOS, macOS, Linux, Android, Windows, and other solutions based on non-proprietary or open-source code); Amazon and Microsoft (Conglomerates: information and data techniques – cloud services); Consumer, trade, and business banking and finance (Financial Services: portals and standalone Apps of the major banks, worldwide, along with Fintech disruptors like rate.com and Kreditech); Android Pay, Apple Wallet, Bitcoin, Ethereum, LG Pay, Microsoft Wallet, Samsung Pay or Samsung Pay Mini, Yandex Money, Alipay, PayPal and Stripe[25] (Financial Services: smartphone-based and web-based cash and payment provision and processing); Fund Razr, Indiegogo, Kickstarter, GoFundMe, AngelList, and CrowdCube (Financial Services: Consumer, trade, and business banking and finance); AlphaStreet, MyLo, Robinhood, and WealthBar (Financial Services: financial planning and advising, and portfolio and asset management); Deliveroo, Grubhub, Just-eat, Postmates, Door-Dash, UberEATS, Amazon, and Instacart (Food: processing, packaging, and distribution); SiriusXM and free AM/FM radio around the world[26] (Information Communications Technologies: radio and satellite radio); Netflix, Spotify, NotJustOk, YouTube, Hulu, Sling, HBO, and Amazon (Information Communications Technologies: cable, over-air, over the top, and satellite television); Google, Alibaba, Yandex, Amazon Web Services, Facebook, Tencent, Microsoft Cloud/Azure (Information and Data Techniques – whole group, as also listed in Conglomerates, above); Monster, LinkedIn, Upwork, TaskRabbit (Personal Services – whole group); Airbnb, Love Home Swap, Onefinestay (Shelter: hotel, motel, cruise and resort); and Handy, Homejoy, Merry Maids, Molly Maid, Life Maid Easy, and Bee Clean (Shelter: plant, office, maintenance and janitorial).

 

On-demand Digital Tools, Applications, and Services, and their related providers or aggregators would be found here, such as Apple’s App Store, Google’s Play Store, Adobe, Corel, Microsoft/Windows, Ethereum, Intuit and QuickBooks (Consumer software and productivity applications); Amazon Kindle, Voyage, and Oasis, Barnes & Noble Glowlight, Nook, and Touch, and the Kobo and Aura (eBooks); Amazon, Alibaba, Costco, Craigslist, DaWanda, eBay, Etsy, Shopify, WalMart and Yandex (eCommerce); ADrive, Apple iCloud, Box, Dropbox, Google Drive, iDrive, Media Fire, Mozy, Microsoft OneDrive, and PhotoBucket (Entity Clouds – storage); Accenture Cloud Hosting Services, Amazon Web Services, CSC Cloud Computing Services, Canadian Cloud Hosting, Canadian Web Hosting, CenturyLink, Cloud Sigma, Dimension Data Cloud Surround, Distil Networks, Fujitsu Cloud Solutions, Google App Engine/Cloud Platform, Helion Public Cloud, Lunacloud, Microsoft Azure/Cloud, OpenShift, OpenStack Cloud, Rackspace, Softlayer, Verizon Terremark, ViaWest KINECTed Cloud, and VMware (Entity Clouds and Data Centres for Big Data, hosting, managed solutions, and analytics); Google, Facebook, Snap, Twitter and YouTube (online advertising, including by profile, location, nearfield communication, and radiofrequency identification); and Google, Baidu, and Yandex (online search, mapping and geo-tagging or tracking, and navigation).

 

On-demand Social Infotainment, and their related providers or aggregators would be found here, such as Apple iOS/macOS ecosystems, Blackberry smartphones and data centres, Facebook Oculus Rift, Google Android ecosystem along with Cardboard, Daydream Viewer, and robotics and autonomy, HTC Vive, Huawei smartphones, LG smartphones, Microsoft Windows ecosystem along with HoloLens and Windows Mixed reality, Samsung Gear and robotics and autonomy, Sony Playstation VR and robotics and autonomy, Linux, and other environments and platforms created using open source or non-proprietary code (Hardware – whole group); Netflix, NotJustOk, Spotify, YouTube, Hulu, Sling, HBO, Pokemon, and Amazon (Services – whole group); and Facebook, WhatsApp, Tencent, WeChat, Vodi, Instagram, LinkedIn, Monster, Match.com, Lavalife, eHarmony, and Zoosk (Services – social, chat, and introductions and networking; gaming, group casts, and similar interactions; and content creation, experiential learning and immersive transactions).  You may have noticed that “on-demand Social Infotainment” anticipates content creation by both the hardware makers and the service providers with ever more collaboration, hence the lines between consumers and producers of content have become irrevocably blurred and blended.  Similarly, the gig e-conomy’s “on-demand social infotainment” and “on-demand digital tools, applications, and services” sectors rely upon one another for continuity – the social infotainment needs all that the digital has to offer, and the digital feeds the rising ubiquity of the social infotainment.

 

  1. Considering the above and now fuller picture of the competitive landscape, is any one of these FAAN/FAANG entities really dominant in any meaningful way?

The answer to this, must therefore be a resounding No. There are a number of groups in which a few players have literally occupied the entire field.  However, in no place is there only one entity.  Clearly, then, competition is alive and fierce in all sectors and groups, as laid out in this analytical scheme.

Any Facebook domination alleged for social media fades away with the diversity of competitors and offerings found within the converged gig e-conomy’s “on-demand social infotainment”.

Any Amazon domination alleged for e-commerce and for search, fades away with the diversity of competitors and offerings under the converged gig e-conomy Sector’s “on-demand general goods and services”, and “on-demand specialized goods and services”.

Any Alphabet/Google domination alleged for online search, online video, and online advertising revenue yield, fades away with the diversity of competitors and offerings under the converged gig e-conomy’s “on demand digital tools, applications, and services”.

Similarly, any Apple domination alleged in smartphones, wearables and tablets, fades away with the diversity of manufacturers and operators found in the converged gig e-conomy sector’s “on-demand specialized goods and services”, as conglomerates offering information and communications technologies, and undertaking information and data techniques.

Finally, any Netflix domination alleged for “over-the-top” (OTT) movie, performance, and documentary streaming, fades away with the diversity of entities competing to deliver services within the converged gig e-conomy’s “on-demand social infotainment”.

 

 

SUMMARY:

It is only if, and when, well-funded market operators start to occupy whole sectors (in the new schema laid out here), taking out whole swathes of their competitors and content providers[27] in Pacman “gig”-abites to become the sole players in many of the specific groups within those sectors, that we should start to worry about abuse of dominant positions, monopolies, and over-concentration in the control of personal data[28] – incessant data breaches[29] and global ransomware events,[30] notwithstanding.

 

Perhaps, you agree now?!

 

********************************************************************

 

Author:

Ekundayo George is a lawyer and sociologist.  He has also taken courses in organizational and micro-organizational behavior, and gained significant experience in regulatory compliance, litigation, and business law and counseling.  He has been licensed to practise law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America.  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, e-commerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors.  He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

 

Trained in Legal Project Management (and having organized and managed several complex projects before practising law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams.  Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: healthcare; education and training; law and regulation; policy and plans; statistics, economics, and evaluations including feasibility studies and business cases; infrastructure; and information technology/information systems (IT/IS) – also sometimes termed information communications technologies (ICT).  See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.  Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

 

[1] Jonathan Taplin.  Is It Time to Break Up Google?  Published on nytimes.com, April 22, 2017.  Web: >https://www.nytimes.com/2017/04/22/opinion/sunday/is-it-time-to-break-up-google.html?_r=2<

[2] David McLaughlin.  Are Facebook and Google the New Monopolies?: QuickTake Q&A.  Published on Bloomberg.com, July 12, 2017. Web: >https://www.bloomberg.com/news/articles/2017-07-13/antitrust-built-for-rockefeller-baffled-by-bezos-quicktake-q-a<  See also Ayanna Alexander.  Mobile App Location Sharing Brings Awesome Opportunities, Privacy Fears.  Published on bna.com, July 11, 2017.  Web: >https://www.bna.com/mobile-app-location-b73014461529/<

[3] Ramsi Woodcock.  EU’s Antitrust ‘War’ on Google and Facebook Uses Abandoned American Playbook.  Published on observer.com, July 14, 2017.  Web: >http://observer.com/2017/07/eus-antitrust-war-google-facebook-uses-american-playbook-margrethe-vestager-european-union/<

[4] Alex Epstein.  Vindicating Standard Oil, 100 years later.  Published on dailycaller.com, May 13, 2011.  Web: >http://dailycaller.com/2011/05/13/vindicating-standard-oil-100-years-later/2/<

[5] David McLaughlin.  Are Facebook and Google the New Monopolies?: QuickTake Q&A.  Published on Bloomberg.com, July 12, 2017. Web: >https://www.bloomberg.com/news/articles/2017-07-13/antitrust-built-for-rockefeller-baffled-by-bezos-quicktake-q-a<

[6] Ibid.

[7] Ibid.

[8] Ibid.

[9] Sarah Perez.  Netflix reaches 75% of US streaming service viewers, but YouTube is catching up.  Published on techcrunch.com, April 10, 2017.  Web: >https://techcrunch.com/2017/04/10/netflix-reaches-75-of-u-s-streaming-service-viewers-but-youtube-is-catching-up/<

[10] Joe Nocera.  Can Netflix Survive in the New World It Created?  Published on nytimes.com, June 15, 2016.  Web: >https://www.nytimes.com/2016/06/19/magazine/can-netflix-survive-in-the-new-world-it-created.html<

Quoting Reed Hastings – Chairman of the Board, President, Chief Executive Officer, Netflix.

[11] Patrick Seitz.  Move Over FANGs, China’s BAT Stocks Go From Copycats To Fat Cats.  Published on investors.com, July 14, 2017.  Web: >http://www.investors.com/research/industry-snapshot/move-over-fangs-chinas-bat-stocks-go-from-copycats-to-fat-cats/?src=A00220&yptr=yahoo<

[12] Id.  See also infra, note 14.

[13] Eric Auchard and Anastasia Teterevleva.  Uber and Yandex to combine ride-hailing in Russia and beyond.  Published on reuters.com, July 13, 2017.  Web: >http://www.reuters.com/article/us-uber-tech-m-a-yandex-idUSKBN19Y10V<  The new entity will operate regionally, in Russia, Armenia, Azerbaijan, Belarus, Georgia and Kazakhstan.

[14] Scott Cendrowski.  Uber Had No Way Out of China Except Through a Merger With Didi.  Published on fortune.com, July 31, 2016.  Web: >http://fortune.com/2016/08/01/uber-didi-merger/<

[15] Jason Aycock.  Facebook eases into crosshairs of EU antitrust watchdogs.  Published on seekingalpha.com, July 3, 2017.  Web: >https://seekingalpha.com/news/3276761-facebook-eases-crosshairs-eu-antitrust-watchdogs<

[16] Peter Sayer.  EU Competition Commissioner spells out priorities: Google as Alphabet is still under investigation.  Published on pcworld.com, October 26, 2015.  Web: >http://www.pcworld.com/article/2997529/android/eu-competition-commissioner-spells-out-priorities-google-as-alphabet-is-still-under-investigation.html<

[17] Sean Farrell and Henry McDonald.  Apple ordered to pay €13bn after EU rules Ireland broke state aid laws.  Published on theguardian.com, August 30, 2016.  Web: >https://www.theguardian.com/business/2016/aug/30/apple-pay-back-taxes-eu-ruling-ireland-state-aid<

[18] Charles Arthur.  Microsoft loses EU antitrust fine appeal.  Published on theguardian.com, June 27, 2012.  Web: >https://www.theguardian.com/technology/2012/jun/27/microsoft-loses-eu-antitrust-fine-appeal<

[19] These 11 S&P 500 market sectors are: Energy, Materials, Industrials, Consumer Discretionary, Consumer Staples, Health care, Financials, Real Estate, Information Technology, Telecommunications Services, and Utilities.

See S&P 500 Factsheet – Sector Breakdown.  Published on ca.spindices.com and visited on July 13, 2017.  Web: >http://ca.spindices.com/indices/equity/sp-500<

[20] These 10 NASDAQ market sectors are: Oil and Gas, Basic materials, Industrials, Consumer Services, Consumer Goods, Healthcare/Financials, Technology, Telecommunications, and Utilities.  See NASDAQ Composite Index – COMP Fact Sheet – Industry Breakdown.  Published on nasdaqomx.com and visited July 13, 2017.  Web: >https://indexes.nasdaqomx.com/Index/Overview/COMP<

[21] These 7 TSE market sectors are: Clean Technology, Diversified Industries, Energy and Energy Services, Life Sciences, Mining, Real Estate, and Technology.  See The Toronto Stock Exchange, Sector and Product Profiles.  Published on tsx.com and visited July 13, 2017.  Web: >http://tsx.com/listings/listing-with-us/sector-and-product-profiles<

[22] Patrick Gillespie.  Intuit: Gig economy is 34% of US workforce.  Published on money.cnn.com, May 24, 2017.  Web: >http://money.cnn.com/2017/05/24/news/economy/gig-economy-intuit/index.html<

[23] Including this as a standalone group has become a necessity, thanks to the enabling rise of the “gig” e-conomy.  See e.g. Nick Wells. The ‘gig economy’ is growing — and now we know by how much.  Published on cnbc.com, October 13, 2016.  Web: >http://www.cnbc.com/2016/10/13/gig-economy-is-growing-heres-how-much.html<

[24] All names and marks mentioned herein are and remain the property of their respective owners, and no good or service or provider of same that is mentioned or omitted or referenced whether in whole or in part within this article or within its attached notes is either endorsed or disdained.

[25] Memberful.  Stripe vs PayPal: Who should you choose?  Published on memberful.com and visited on July 15, 2017.  Web: >https://memberful.com/blog/stripe-vs-paypal/<

[26] John-Erik Koslosky.  Sirius XM’s Strongest Competition May Surprise You.  Published on fool.com, September 12, 2015.  Web: >https://www.fool.com/investing/general/2015/09/12/sirius-xms-strongest-competition-may-surprise-you.aspx<

[27] Nick Wingfield and Michael J. de la Merced.  Amazon to Buy Whole Foods for $13.4 Billion.  Published on nytimes.com, June 16, 2017.  Web: >https://www.nytimes.com/2017/06/16/business/dealbook/amazon-whole-foods.html<

[28] Business Leader.  Google dominates search. But the real problem is its monopoly on data.  Published on theguardian.com, April 19, 2015.  Web: >https://www.theguardian.com/technology/2015/apr/19/google-dominates-search-real-problem-monopoly-data<  See also Ben Thompson.  Facebook and the Cost of Monopoly.  Published on stratechery.com, April 19, 2017.  Web: >https://stratechery.com/2017/facebook-and-the-cost-of-monopoly/<

[29] Dave Burton.  Minimize “Dwell Time” to Cut the Cost of Data Center Breaches.  Published on infosecisland.com, October 20, 2016.  Web: >http://www.infosecisland.com/blogview/24835-Minimize-Dwell-Time-to-Cut-the-Cost-of-Data-Center-Breaches.html<  See also Jessica Davis.  Former Bupa employee posts 1 million records for sale on dark web.  Published on healthcareitnews.com, July 14, 2017.  Web: >http://www.healthcareitnews.com/news/former-bupa-employee-posts-1-million-records-sale-dark-web<  See generally Ekundayo George.  Cybersecurity: Its not just about “B” for Bob, but also eCommerce, Structure, and Trust.  Published on ogalaws.wordpress.com, November 3, 2014.  Web: >https://ogalaws.wordpress.com/2014/11/03/cybersecurity-its-not-just-about-b-for-bob-but-also-ecommerce-structure-and-trust/<

[30] Jesse McKenna.  WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It.  Published on infosecisland.com, July 12, 2017.  Web: >http://www.infosecisland.com/blogview/24941-WannaCry-How-We-Created-an-Ideal-Environment-for-Malware-to-Thrive-and-How-to-Fix-It.html<

ECJ

INTRODUCTION:

On October 6, 2015,[1] the Court of Justice of the European Union (ECJ) declared invalid a decision of the European Commission on July 26, 2000[2] that had, pursuant to the relevant EU data protection law,[3] granted and acknowledged safe harbour for certain United States entities when transferring the personal data of European Union citizens to, and processing and storing that data within the United States. The case had been referred to the ECJ for a preliminary ruling from the High Court of Ireland, with a subsequent non-binding Opinion from the ECJ Advocate General, Yves Bot,[4] that the ECJ eventually followed.

CASE HISTORY:

The case began when Maximilian Schrems, an Austrian citizen (and law student at that time), spearheaded a group to file a complaint with the Irish Data Protection Commissioner (DPC)[5] against Facebook Ireland Ltd, which is the company’s European headquarters. When Billy Hawkes, the Irish DPC, rejected the case,[6] Schrems and his group sought and were granted judicial review at the High Court of Ireland.[7] Citing pre-emption on the key issues by European law, Mr. Justice Hogan adjourned the case pending referral to the European Court of Justice (ECJ).[8] Those key issues were: (a) whether the Edward Snowden revelations of 2013[9] revealed such a wholesale (both actual and potential) lack of compliance with European law that the U.S. Safe Harbour provisions with regard to transferring the personal information of European citizens were essentially invalid; and (b) whether EU member states were bound by controlling EU privacy laws regarding those safe harbours, or free to pursue their own investigations into allegations of privacy breach or other non-compliance as and when needed, and were then subsequently able to suspend data transfers if they violated EU laws and/or EU citizen rights. Advocate General Bot had opined in the affirmative on both of these points,[10] and the ECJ agreed.

IMPLICATIONS:

Being effective immediately and with no grace period (or period of suspended invalidity as would likely have been applicable in Canada,[11] were the matter heard under Canadian jurisdiction),[12] the ruling immediately put the businesses and business practices of thousands of entities in legal jeopardy for their reliance on an invalid law. Fortunately for all, the European Union’s 28 national data protection authorities, acting through their Article 29 Working Party, issued an October 16, 2015 statement[13] encouraging those entities impacted by the ruling to negotiate, establish, and implement their own interim measures to ensure compliance with the ruling, including, in a later Q&A compliance release of November 6, 2015, that they “consider putting in place any legal and technical solutions to mitigate any possible risks they face when transferring data”;[14] assuring European businesses and citizens that privacy and data protection remained key elements of European law, and that they would issue further guidance at a national level, but at a later date; and implying quite strongly, that coordinated enforcement actions might issue if an appropriate successor framework could not be negotiated with the United States by the end of January, 2016.[15] That specific “deadline” language, read:

“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”[16]

Essentially, then, the Commissioners agreed to implement a suspended enforcement as they could not retroactively seek or secure any period of suspended invalidity from the ECJ, and nobody had asked for one to be considered on the possibility of such a decision resulting. It would have been interesting to read the ECJ views on Canadian and other such precedent …. Perhaps we’ll read that some other time!

For now, we watch as companies scramble to “not” comply with this newly invalid law;[17] we wait for both that national European guidance (whether or not uniform or coordinated);[18] and we follow – to the extent made public – negotiations between the United States and Europe up to January 31, 2016. There may already be light at the end of that negotiation tunnel, as two identical bills – H.R.1428[19] in the House of Representatives (now passed by the full House), and S.1600 in the United States Senate[20] may eventually grant the United States District Court for the District of Columbia (USDC, DC) exclusive jurisdiction to hear foreign citizens’ privacy breach complaints against federal (not state) government actors of the United States. But, only the President can sign any final version of either Bill, into law.

In addition, the matter – now transferred back to the Irish High Court for further deliberations – may still result in a finding that Facebook cannot provide adequate data privacy protections for European citizens. If again referred or appealed to the ECJ, and upheld, Facebook’s European operations might cease under subsequent enforcement actions in one or many European jurisdictions on such a ruling.

And so, one way or the other, we wait![21]

*****************************************************************

Author:

Ekundayo George is a lawyer and sociologist. He has also taken courses in organizational and micro-organizational behavior, and gained significant experiences in regulatory compliance, litigation, and business law and counseling. He is licensed to practice law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America. See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

Trained in Legal Project Management (and having organized and managed several complex projects before practicing law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams. Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS) – also sometimes termed Information Communications Technologies (ICT). See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein. Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

[1] Schrems (Judgment) [2015] EUECJ C-362/14 (06 October 2015), [2015] EUECJ C-362/14, [2015] WLR(D) 403, EU:C:2015:650, ECLI:EU:C:2015:650. Online: http://www.bailii.org/eu/cases/EUECJ/2015/C36214.html

[2] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7)

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

[4] Case C-362/14 Maximillian Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14, Opinion of AG Bot (23 September 2015). Online: http://www.uni-muenster.de/Jura.itm/hoeren/itm/wp-content/uploads/C0362_2014-EN-Opinion.pdf

[5] RTE News. Data Protection Commissioner says no action will be taken against Apple and Facebook. Published on rte.ie, July 26, 2013. Online: http://www.rte.ie/news/2013/0726/464770-data-protection/

[6] Id.

[7] Schrems v. Data Protection Commissioner [2014] IEHC 310 (18 June 2014). Online: http://www.bailii.org/ie/cases/IEHC/2014/H310.html

[8] Ruadhán Mac Cormaic. High Court refers Facebook privacy case to Europe. Published on irishtimes.com, June 19, 2014. Online: http://www.irishtimes.com/business/technology/high-court-refers-facebook-privacy-case-to-europe-1.1836657

[9] Barton Gellman. Edward Snowden, after months of NSA revelations, says his mission’s accomplished. Published on washingtonpost.com, December 23, 2013. Online: http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

[10] Supra note 4.

[11] Schachter v. Canada, [1992] 2 S.C.R. 679 at 715-16, 1992 CanLII 74 (SCC) per Lamer, CJ. Online: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/903/index.do

A court may strike down legislation or a legislative provision but suspend the effect of that declaration until Parliament or the provincial legislature has had an opportunity to fill the void. This approach is clearly appropriate where the striking down of a provision poses a potential danger to the public (…) or otherwise threatens the rule of law (…). It may also be appropriate in cases of underinclusiveness as opposed to overbreadth. For example, in this case some of the interveners argued that in cases where a denial of equal benefit of the law is alleged, the legislation in question is not usually problematic in and of itself. It is its underinclusiveness that is problematic so striking down the law immediately would deprive deserving persons of benefits without providing them to the applicant. At the same time, if there is no obligation on the government to provide the benefits in the first place, it may be inappropriate to go ahead and extend them. The logical remedy is to strike down but suspend the declaration of invalidity to allow the government to determine whether to cancel or extend the benefits. (Citations omitted).

[12] As I wrote in an earlier blog post, Canadians are very much aware of the challenges of international data governance and transnational privacy protection. See e.g. Ekundayo George. In whose pocket is your data packet? – International Data Governance. Published on ogalaws.wordpress.com, February 6, 2013. Online: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[13] Article 29 Working Party (Art. 29 WP). Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14). Brussels, October 16, 2015. Online: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

[14] European Commission – Fact Sheet. Q&A: Guidance on transatlantic data transfers following the Schrems ruling. MEMO/15/6014. Brussels, November 6, 2015. Online: http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm

[15] Supra, note 13.

[16] Id.

[17] See e.g. supra, note 14.

[18] Technology executives and politicians alike have even warned that if these concerns over, and an increasingly vocal resistance to, targeted and/or bulk collection of personal data through government surveillance continue to “trend”, we may very soon see a real splintering of the internet into several disparate and walled-off variants. See e.g. Stephen Lawson, IDG News Service. Jitters over US surveillance could break the Internet, tech leaders warn. Published on itworld.com, October 8, 2014. Online: http://www.itworld.com/article/2825590/security/jitters-over-us-surveillance-could-break-the-internet–tech-leaders-warn.html

[19] First introduced in the United States House of Representatives (the “House”) on March 18, 2015 by Representative F. James Sensenbrenner, a Wisconsin Republican, the HR.1428 Bill is officially known as The Judicial Redress Act of 2015, and has a stated purpose “[t]o extend Privacy Act remedies to citizens of certified states, and for other purposes”. Online: https://www.congress.gov/bill/114th-congress/house-bill/1428/all-info

[20] First introduced in the United States Senate (the “Senate”) on June 17, 2015 by Senator Christopher S. Murphy, a Connecticut Democrat, the S.1600 Bill has now been referred (as H.R.1428) to the Senate Judiciary Committee, but it is yet to be considered and voted upon by the full Senate. Online: https://www.congress.gov/bill/114th-congress/senate-bill/1600/all-info

[21] *Reserved (pending further news).

Looking back to 2013, I had predicted the 5 top technology trends (specifically for consumers) in that year, to be:

(i) Accelerated lived experience;

(ii) Bring Your Own Device (BYOD);

(iii) Crowdsourcing;

(iv) Distance education; and

(v) End-User legal authority/license autonomy/leveraged ability (EULA3). [1]

These pretty much held true, and even lasted both into and through 2014. The pace of instantaneous news, social tweets and alerts, and all manner of reality TV from financing pitches, through entire shows that are literally “celebrity selfie-cams”, to instantaneous gratification through crowdsourcing of funding, business and consumer information, and general gossip, have created this ever-accelerating lived experience. Ever greater sales of handheld devices have forced employers to draft BYOD policies for employees too attached to their own devices to let them go, and all manner of distance education is now available for a fee, or for free in the ever-expanding offerings of Massive Open Online Courses (MOOCs).[2] As well, immersive gaming, as it develops with optional story lines, the move to taking software bits as building blocks for people to create their own widgets and full applications, and the myriad of customizable self-help, professional, and practical document templates available online, taken together, will only further speed EULA3.[3]

Fully justified (and thankfully so) in my predictions, let us now move on to 2015-16. Here, in the midst of technology and its relentless forward motion, all I see is “Paper”! This stands for:

Personalization;

A3 (aggregation, analytics, and advising);

Protection;

eMoney; and

Remoting.

We will consider them in turn, and in that order.

Personalization:

Whether it is widgets, backgrounds, wallpapers, icons, ringtones, or home screen layouts of the iPod, Android, iPhone, desktop, laptop, or tablet,[4] personalization and customization are all the rage for maximizing the user-centric experience.

“The constantly connected consumers of today are extremely savvy, using all available channels and devices to research, review, compare prices and ultimately purchase products. Basic personalization (such as name and account personalization and dynamic interest or product content) no longer serves consumers’ demand for deeper levels of real-time personalized information. Increasingly, these savvy consumers are taking their business to companies that provide more than basic personalization and automated lifecycle campaigns. Customers now prefer brands that deliver individualized experiences that match their needs in the present moment”.[5]

Even giants of the online world, such as Yahoo,[6] have now realized that the way to truly reach and engage your customer is to intimately know your customer for and through “Real-time Marketing”[7] and personalization practices. Personalization is based on gathering and analyzing observation data, and making predictions based upon what you know. This is why A3, which underlies real-time marketing, will also be a top trend for 2015-16, in my prediction.

A3 (Aggregation, Analytics, and Advising):

The SAS Institute, Inc., put out a 2013 white paper on demand sensing and shaping through big data analytics,[8] which perfectly sums up the first stage of the real-time marketing process. In the second stage, I would add demand supporting and serving, which sustains that demand in existence by providing those cues to trigger it (familiarity, emotional advertising triggers, positive associations in product placement, and so forth), and thence returns customers to your established satisfaction-source.

Big Data (and its means of collection)[9] do have other applications beyond the pure consumer, however. These include generic disaster management applications,[10] and estimating or better “guess”-timating the true incremental and future impacts of climate change on humans and the environment.[11]

Protection:

With all of this data and its very many faces,[12] along with the potential to gather and analyze it, and the undisputed value of the end result in the predictive analytics space, there is a growing need at all levels, for more robust protective mechanisms – wherever it falls on the spectrum of privacy practices,[13] data governance and document preservation, or cybersecurity. IT in general, is looking forward to a banner year in 2015.[14] The IT security sub-sector, for its part, is not too far off, either, with a spate of increasingly spectacular, recent[15] and historical[16] hacks and cyberattacks drawing the attention of the risk management industry,[17] regulators,[18] private businesses,[19] and concerned citizens in an ongoing and multi-sided tussle,[20] both amongst themselves and with criminal elements. A very large data breach was just disclosed at Anthem Inc. (a health insurer with operations across 14 states), in which up to 80 million records of Personally Identifiable Information (PII) – but apparently no Personal Health Information (PHI), according to initial evaluations – are suspected to have been compromised.[21]

eMoney:

Despite the dangers and concerns, however, the pace of progress continues to pick up, with electronic payments of the PayPal variety moving to Square and eMoney, in the largely unregulated (and hacked)[22] Bitcoin, and the more mainstream proposed and competing offerings of CurrentC from the Merchant Customer Exchange (MCX) – which was also hacked[23] – and Google Wallet, Softcard, and Apple Pay.

Remoting:

With ever-more personalized experiences being available through more and more interconnected devices, we are moving towards an Internet of Things (IoT) that raises even more cybersecurity concerns that now include remote access and remote control/takeover,[24] whether or not authorized or even traceable back to source.[25] This has led one commentator to describe this future state as the “Internet of Bad Things”.[26] As to the impetus for a change in our security mindset, consider the words of Dr. Arati Prabhakar, the director of the United States Defense Advanced Research Projects Agency (DARPA), when she said:

“The largest explosion of millisecond machine actions will take place when billions of IoT devices are deployed. Until we find a way to authenticate, view, audit, analyze and block IoT devices often connected to cloud computing, we frankly shouldn’t be putting IoT out there. As the security industry saying goes, “money trumps security,” and as increasingly more of these IoT product (sic) are released, cybersecurity will just be playing catch-up. With potentially billions of these devices being deployed all over the world, this could lead to a cyber attack free-for-all of catastrophic proportions.”[27]

However, remoting is not all doom and gloom. Witness the growing use of crowdfunding to raise money for important events, popular initiatives, or proposed or emerging or growing business ventures; and even the burgeoning business of “pay to watch” that has now gone from the original voyeur cams, through specialized YouTube channels where you can pay to watch people play video games,[28] to modern-day South Korea, where people will pay to remotely watch someone – a “broadcast jockey” – do something as mundane as eating.[29] Drones, scene capture devices, and wearable devices in ever-lighter cameras (from Glass and its successors, through GoPro, police cam, dash cam, spy cam, home surveillance, commercial and industrial surveillance, government surveillance, and mobile devices in any and all form factors now known or yet to come, and from the clunky to the micro- or nano-scale), will combine[30] to bring more, and ever more unique, shareable, monetizable remoting experiences to come![31]

CONCLUSION

These then, are my PAPER predictions for technology in 2015-16 – Personalization, A3 (aggregation, analytics, and advising), Protections, eMoney, and Remoting. I think they will come to fruition, just as predicted, but we have to wait and see. Enjoy the view!

*****************************************************************

Author:

Ekundayo George is a lawyer and sociologist. He has also taken courses in organizational and micro-organizational behavior, and gained significant experiences in business law and counseling, diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America. See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.


[1] Ekundayo George. Ctrl-Shift-Del: 2013’s Top 5 Technology Trends for Consumers. Posted March 16, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/<

[2] Wikipedia.org. Massive Open Online Course (MOOC), a definition. Online: >http://en.wikipedia.org/wiki/Massive_open_online_course<

[3] Supra note 1.

[4] See e.g. selected Android personalization offerings, on display for download at the Google store. Online: >https://play.google.com/store/apps/category/PERSONALIZATION<

[5] Katrina Conn. Moving Beyond Basic Personalization to Real-Time Marketing. Posted January 7, 2014, on Clickz.com. Online: >http://www.clickz.com/clickz/column/2321243/moving-beyond-basic-personalization-to-real-time-marketing<

[6] Yahoo. The Balancing Act: Getting Personalization Right. Posted on yahoo.com. Online: >https://advertising.yahoo.com/Insights/BALANCING-ACT.html<

[7] Supra note 5. “Real-time marketing is the ongoing cycle of engagement, data management, analytical insights and optimization – performed continuously and immediately. In other words, it’s the streamlined management of data, transformed into actionable insight that is used to enhance your customer’s experience.”

[8] The SAS Institute. White Paper: Unlocking the Promise of Demand Sensing and Shaping Through Big Data Analytics – How to Apply High-Performance Analytics in Your Supply Chain. Published on idgenterprise.com, and visited February 2, 2015. Online: >http://resources.idgenterprise.com/original/AST-0112051_UnlockingPromise.pdf<

[9] Dennis Keohane. Aaron Levie, Box see drones and Internet of Things as data sources of the future. Posted September 23, 2014, on betaboston.com. Online: >http://betaboston.com/news/2014/09/23/aaron-levie-box-data-drones-internet-of-things/<

[10] See e.g. Robert A. Runge and Isabel Runge. Data-Driven Disaster Management. Posted October 29, 2014, on nextgov.com. Online: >http://www.nextgov.com/technology-news/tech-insider/2014/10/data-driven-disaster-management/97700/?oref=voicesmodule<

[11] See e.g. Chelsea Harvey. UN REPORT: Our Climate Change Future Is Terrifying And Emissions Need To Stop Completely As Soon As Possible. Posted November 4, 2014, on businessinsider.com. Online: >http://www.businessinsider.com/un-climate-report-stop-all-greenhouse-emissions-2014-11<; See also Carl Zimmer. Ocean Life Faces Mass Extinction, Broad Study Says. Posted January 15, 2015, on nytimes.com. Online: >http://www.nytimes.com/2015/01/16/science/earth/study-raises-alarm-for-health-of-ocean-life.html?_r=0<

[12] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Posted November 1, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[13] Amber Hunt, The Cincinnati Enquirer. Experts: Wearable tech tests our privacy limits. Posted February 5, 2015, on usatoday.com. Online: >http://www.usatoday.com/story/tech/2015/02/05/tech-wearables-privacy/22955707/< In one of my earlier blogs (if updated), the “User-Generated Legality Issues” (UGLIs) created by these treasure troves of “quantified self” data available through wearable devices, would be “self-outing 104”.

See e.g. Ekundayo George. The Video Privacy Protection Act (VPPA) Amendment of 2012 – Self-Outing 103? Posted January 11, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/11/the-video-privacy-protection-act-vppa-amendment-of-2013-self-outing-103/<

[14] Steve Ranger. Bigger budgets, better tech: Why 2015 is a good year to be working in IT. Posted February 4, 2015, on techrepublic.com. Online: >http://www.techrepublic.com/blog/european-technology/bigger-budgets-better-tech-why-2015-is-a-good-year-to-be-working-in-it/?tag=nl.e101&s_cid=e101&ttag=e101&ftag=TRE684d531<

[15] Pedro Hernandez. Xbox Live, PSN Back Online After Holiday DDoS Attacks. Posted December 29, 2014, on eweek.com. Online: >http://www.eweek.com/security/xbox-live-psn-back-online-after-holiday-ddos-attacks.html< See also the comprehensive hacking and public shaming of Sony, through compromised emails.

[16] I referenced several of the more historical, spectacular hacks in this earlier blog post. Ekundayo George. Cybersecurity: Its not just about “B” for Bob, but also eCommerce, Structure, and Trust. Posted November 3, 2014, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2014/11/03/cybersecurity-its-not-just-about-b-for-bob-but-also-ecommerce-structure-and-trust/<

[17] Pinsent Masons (out-law.com), citing the Institute of Chartered Accountants in England and Wales (ICAEW). Cyber risks evolving faster than business capabilities, says accountancy body. Posted October 30, 2014, on out-law.com. Online: >http://www.out-law.com/en/articles/2014/october/cyber-risks-evolving-faster-than-business-capabilities-says-accountancy-body/<

[18] Aliya Sternstein. Report: Agencies Aren’t Properly Vetting All Cyber Contractors. Published September 9, 2014, on nextgov.com. Online: >http://www.nextgov.com/cybersecurity/2014/09/agencies-contractor-employees-cyber-workforce/93620/<

[19] Aliya Sternstein. 97 Percent of Key Industries Doubt Security Compliance Can Defy Hackers. Posted July 10, 2014, on nextgov.com. Online: >http://www.nextgov.com/cybersecurity/2014/07/97-percent-key-industries-doubt-security-compliance-can-defy-hackers/88324/?oref=ng-relatedstories<

[20] See e.g. In the Matter of a Warrant to Search a Certain email Account Controlled and Maintained by Microsoft Corporation. Memorandum and Order of James C. Francis IV, United States Magistrate Judge, released April 25, 2014. 13 Mag. 3814, United States District Court for the Southern District of New York (SDNY). Online: >https://s3.amazonaws.com/s3.documentcloud.org/documents/1149373/in-re-matter-of-warrant.pdf<

Just reading through this decision, which from the first paragraph defines the complexity of this issue, shows the many interests, laws and policies, and considerations at stake in that constant tussle between individual rights and privacy, business interests (including the personalization push), and the mandates of law enforcement and national security – whether nationally and across borders, or when multiple nations do or claim to have a primary stake.

The further steps since taken in that ongoing effort by the United States government to access emails stored on servers that are physically located in Ireland, only further underline the complexities and interests at stake. See also Mark Scott. Ireland Lends Support to Microsoft in Email Privacy Case. Posted December 25, 2014, on bits.blogs.nytimes.com. Online: >http://bits.blogs.nytimes.com/2014/12/24/ireland-lends-support-to-microsoft-in-email-privacy-case/?_r=0&module=ArrowsNav&contentCollection=Technology&action=keypress&region=FixedLeft&pgtype=Blogs<

[21] Elizabeth Weise, USA Today. Massive breach at health care company Anthem Inc. Posted February 5, 2015, on usatoday.com. Online: >http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/<

[22] Zack Whittaker for Zero Day. Bitstamp exchange hacked, $5M worth of bitcoin stolen. Posted January 5, 2015, on zdnet.com. Online: >http://www.zdnet.com/article/bitstamp-bitcoin-exchange-suspended-amid-hack-concerns-heres-what-we-know/<

[23] Ryan Mac, Forbes Staff. Apple Pay Rival and Walmart-backed MCX Hacked, User Emails Snatched. Posted October 29, 2014, on forbes.com. Online: >http://www.forbes.com/sites/ryanmac/2014/10/29/apple-pay-rival-and-walmart-backed-mcx-hacked-user-emails-compromised/<

[24] Katie Fehrenbacher. The real breakthrough of Google Glass: controlling the internet of things. Posted March 23, 2013, on gigaom.com. Online: >https://gigaom.com/2013/03/23/the-real-breakthrough-of-google-glass-controlling-the-internet-of-things/<

[25] Larry Karisny. Getting Cybersecurity to Actually Work: More Connections, More Problems. Posted September 15, 2014, on digitalcommunities.com. >http://www.digitalcommunities.com/articles/Getting-Cybersecurity-to-Actually-Work.html<

“Before we discuss solutions to these cybersecurity problems, let’s take a look at what the future looks like in our continually interconnected world. From social media to smart phones apps to the IoT promise of smart everything, we are reaching a point of truly not knowing what is connect to what — and hackers know this. Take the Target breach — the attacker used backdoor access to the company’s energy management systems to then access a server containing confidential customer information. We are increasing (sic) digitizing our people and machine processes, and are beginning to lose control of what we are doing.”  

[26] Zach Ferres. The Internet of (Bad) Things. Posted November 5, 2014, on linkedin.com. Online: >https://www.linkedin.com/pulse/article/20141105140616-28760747-the-internet-of-bad-things<

[27] Larry Karisny. DARPA Director Calls for Cybersecurity Change. Posted November 7, 2014, on digitalcommunities.com. Online: >http://www.digitalcommunities.com/articles/DARPA-Director-Calls-for-Cybersecurity-Change.html<

[28] By Josh Warwick, video by Phil Allen. Meet the 21-year-old YouTuber who made millions playing video games. Posted October 16, 2014, on telegraph.co.uk. Online: >http://www.telegraph.co.uk/men/the-filter/11139724/Meet-the-21-year-old-YouTuber-who-made-millions-playing-video-games.html<

[29] Stephen Evans. The Koreans who televise themselves eating dinner. Posted February 4, 2015, on BBC.com. Online: >http://www.bbc.com/news/magazine-31130947<

[30] Luisa Rollenhagen. Guy Hacks Google Glass to Steer Drone. Posted August 23, 2013 on mashable.com. Online: >http://mashable.com/2013/08/24/drone-pilots-google-glass/<

[31] See e.g. Erin Carson. 2015: 4 IT job skills for the new year. Posted January 8, 2015, on techrepublic.com. Online: >http://www.techrepublic.com/article/2015-4-it-job-skills-for-the-new-year/<

Canvassing conventional and learned wisdom, I would humbly say that at least one of my predictions (protections) is echoed and supported in the focus here on “security skills” in this piece by HR and IT professionals. Three of my other predictions (Remoting, A3, and Personalization) are at least strongly implicated, in the call for “versatility” and skills in “project management”. “Desktop support” is the fourth 2015 IT job skill set listed by Techrepublic.

PREFACE:

Just the other day, when I was looking over a post on the 5 largest cyberbreaches of 2014 (to date),[1] my mind went back to the Case of Bob,[2] a malfeasing cyber breach insider, on whom I blogged in an earlier post.  The top 5 list sequenced a total of 309 million records.[3]  That is, I believe, enough to cover stealing one record each, from every Citizen of Canada (34 million), Italy (61 million), France (63 million), the United Kingdom (64 million), and Germany (82 million); at a total of 304 million records, according to their respective population counts in 2013.[4]  Looking only domestically, in the United States, this 309 million could account for the loss of a single record (e.g. social security number) for all but 6 million U.S. Citizens in a 315 million population count at 2013.[5]  That’s a whole lot of broken (out/into) records![6]

Clearly, this is a big and growing problem.  And so, I decided to look a little more closely at that list, focus-in on the non-American example of South Korea,[7] and lay-down a better understanding of why the cyber realm remains so hard to secure – not just from last year’s big breaches at Target,[8] Adobe,[9] and LivingSocial,[10] but persistently and consistently for even those most tech-savvy of U.S. businesses and veterans of the eCommerce and eBanking verticals, including Google/Gmail,[11] Home Depot,[12] JPMorgan Chase & Co,[13] and eBay;[14] along with assorted state and federal government entities.[15]

I will look at the problem from four angles: “B” for Bob, “E” for eCommerce, “S” for Structure, and “T” for Trust; addressing the challenges and opportunities in each of these obviously requires certain “b-e-s-t” practices.  This is a simplification of an extremely complex issue, but a useful approach, nevertheless.

 

THE B-ANGLE:

Bob[16] was not the first, nor will he be the last insider to “go rogue”.  The debate continues on whether insiders or outsiders are the greater threat.

“The fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up,” (…)[17]

“It would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access. A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information.”[18]

However, it is the safest and the highest of best practices, to do one’s utmost best to protect against both, and each through the other, in a figure of eight lattice-work.

Suggested solutions include: proper and more comprehensive onboarding and offboarding; segregation of duties; rigorous credentialing and authorization procedures; real-time access and event logging; training and discipline with enforced usage rules (BYOD, social media, portable media, telecommuting); behavioural guidance including full disclosure of privacy limitations and waivers as applicable (travel and mobile security, regulatory compliance, data governance, eDiscovery, and cybersecurity); and so forth – including ONGOING due diligence on ALL employees, vendors, contractors, and counterparties on these parameters.[19] Just as banks were looking to their law firms to harden cyber defences,[20] regulators and especially financial sector regulators, have also been increasingly focused on the issue of cybersecurity.

“The question we need to all ask as regulators is should we be considering the cyber threat as something as fundamental to institutions as capital levels. I’m not saying yet that they’re equal but we should probably start discussing them in the same breath[.]”[21]

The legal community has long weighed-in on this issue for and regarding others, but has only recently and so publicly, been forced to look at its own house, with some resulting and readily available, practical guidance on the starting point for a law firm cyber audit that is easily applicable to other industries.[22]

 

THE E-ANGLE:

eCommerce is a 5-edged sword (hard to see in reality – especially as anything easy to wield or even effective, but logically easy to conceptualize). There are the two (alleged) counterparties; there are each of the (apparent) originating and destination locations; and then there are the (acceptable, accredited, and accepted) payment parameters. These are the five.

Counterparties are “alleged” because one or more may be fictitious or on a borrowed or pilfered identity.  Originating and destination locations may be fronts, dead drops, or non-existent.  And the acceptable payment methods may have one party presenting something with false accreditation that is accepted as valid until it is too late to halt the deal;[23] something with proper accreditation that is intercepted before being properly accepted by the intended recipient;[24] or something with proper accreditation that is accepted by a fictitious or otherwise fraudulent counterparty.[25]

Albeit fraught with dangers, eCommerce has become indispensable in an interconnected, and beyond line of sight business world.  The best we can do is manage it, harden it in advance, and adapt as and when a new vulnerability is shown in this constant battle for sword edges between victims, and rogues.

 

THE S-ANGLE:

Now, we look back to South Korea, and ask whether there is any structural strength or weakness that makes the nation a recurring[26] and worthy[27] target for cybercrime; and the answer is a very loud yes.

With a wealthy and tech savvy population that has a GDP/PPP over US $33,000, South Korea in 2013, was Asia’s 4th largest economy, 12th largest in the world, and 10th largest, globally, in terms of trade in merchandise and services, alone.[28] In that same year, the economy grew by 2.8%, and had a projected 2014 growth forecast of 3.5-4%.[29]

Essentially, South Koreans are connected, mobile-friendly, and absolutely just love eCommerce.  Nearly 80% of the population is online, which makes it the most connected country in the world.[30]  Mobile penetration has also long been high,[31] with 75% of South Koreans using smartphones overall, and a 98% penetration rate for the 18-24 demographic.[32] On the subject of eCommerce, the consultant Borderfree, “found that an increasing number of South Koreans shop overseas retailers to find lower prices, leverage parcel forwarding to save on shipping costs and join online communities to resell imported items they don’t want.”[33]  Since at least 2008, it has been quite commonplace for South Koreans to send and receive gift certificates and discount coupons by mobile or smart phone, which can be redeemed just by showing the phone and having it scanned, making coupon clipping (and paper coupons), things of the past.[34]

“From smartphones with flexible, foldable screens to smart refrigerators where you can view the inside contents while shopping; or smart communities, where even your child’s wanderings can be tracked through a central operations centre, Korean companies are on the cutting edge of technology.  Each is vying to be the first to develop the Next Big Thing.”[35]

Hence it follows that if everything cyber-new is there, as in methods and applications in a target-rich environment, then every old and new form of cyber offence will also follow into this nation that is essentially structured and functions, as a massive testbed!

This factor is further underscored by the fact that: “South Koreans have on average five credit cards, compared to two in the U.S., and the country has the highest credit card penetration globally.  Consumers in South Korea also use credit more often.  There are 129.7 credit card transactions per year in South Korea, compared to 77.9 credit card transactions annually in the U.S.”[36]  Newer technologies introduced will invariably have often unforeseen vulnerabilities that have yet to be patched, and credit card ownership and use have, to date, hardly proved to be entirely risk-free.

It is therefore no surprise that cyber-criminals will congregate at that confluence of high credit card use, high technology, extreme connectivity and mobility, and intense eCommerce that is South Korea.

 

THE T-ANGLE:

I have written, elsewhere, that data has very many “faces” – ranging through Form Factors, Applications, Categories, End-users, and Scale; and therefore presenting many attack surfaces vulnerable to myriad and multiplying attack vectors.[37]  Yes, we can (and must) generally trust the data of and provided by counterparties in an eCommerce-driven world, but why not also verify? Too few are taking the time to fully go through the steps, due to cost and time concerns.  When you receive an email, does the return email match the claimed sender, is the content their usual, are the links or required/suggested actions suspicious in any way?  When it is a business, does the contact information match what they list in a directory (remembering that the spoof site found through an internet search is still a spoof site)?  If this is a claimed professional, are they registered somewhere in a searchable official or regulatory database with the same contact data?  Finally, if it is a financial institution account communication, then do you do business with them?  If the answer is no, or your financial services provider does not send you such open login requests, then you should delete the message! These are very basic steps.

Forensic investigations, eDiscovery, disaster preparedness and recovery, and assessing the effect and impact of remediation measures are now greatly aided by better information governance;[38] as well as backups balanced with commonsense and due diligence in knowing what you are getting into with specific situations as a cloud vendor, a cloud user, or a basic data custodian.[39]

 

CONCLUSION:

Banks had all the money, but data custodians have all the data. Criminals therefore go after the motherlodes of data (financial services entities, telecommunications providers, medical legal and accounting professionals, governments, and other data-loaded intermediaries including high volume vendors – supermarkets, department stores, and hardware stores) where no shotguns or facemasks are needed, because they are unseen and can blend into that stream of blissfully unmonitored eCommerce.

Whether stupendously big, or comparatively small,[40] and even if we don’t hear about them publicly or immediately,[41] there will likely still be hacks for quite some time to come. However, all is far from lost, despite the mind-numbing possibility of staggering single and cumulative future data breaches in new markets,[42] and due to developing mobile and virtual payment and settlement solutions – regardless of the breach’s apparent or alleged nation of origin.

“However, I also think that all threats can be adequately considered when you focus on: (a) achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) the accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.”[43]

In the end, it all starts with leadership, because where there is no buy-in for doing what needs to be done from the higher-ups due to cost concerns, short sightedness, or bad advice, there will be little to no I.T. security budget, best practices will be whatever the heck everyone feels like doing at the time, and a breach will surely come.[44]

At the very least, then, in response to Bob & Co. and what they can do, you should sincerely cube that B!

_____________________________________________________

 

Author:

Ekundayo George is a lawyer and a sociologist. He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

 

Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant, sourcing, managing, and delivering on large, strategic projects with multiple stakeholders and multidisciplinary teams. Our competencies include program investigation, sub-contracted procurement of personnel and materiel, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through a highly-credentialed resource pool with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS – sometimes also termed Information Communications Technologies, or ICT). See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

 

***********************************************************************

[1] Chris DiMarco. The top 5 largest cyberbreaches of 2014 (for now). Published October 9, 2014 on insidecounsel.com. Online: >http://www.insidecounsel.com/2014/10/09/the-top-5-largest-cyberbreaches-of-2014-for-now?page=1<

The writer gave these top 5, in ascending order, as: Gmail/Google (5 million), Korea Credit Bureau (20 million), Home Depot (56 million), JPMorgan Chase & Co. (83 million), and eBay (145 million). See also infra, notes 11-14, and 7.

[2] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013 on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[3] Supra, note 1.

[4] See generally, Wikipedia.

[5] Id.

[6] This is especially true as a sixth big breach has been added since the list was first made, which now fully covers those 6 million “formerly” lucky U.S. Citizens. See e.g. Steve Kovach. Nearly 7 Million Dropbox Passwords Have Been Hacked. Published October 13, 2014, on businessinsider.com. Online: >http://www.businessinsider.com/dropbox-hacked-2014-10<

[7] Initially pegged at 20 million (which number I have retained), the Korea Credit Bureau breach was later re-calculated to have impacted 27 million South Koreans. See Steve Ragan. 27 million South Koreans affected by data breach. Published August 25, 2014, on csoonline.com. Online: >http://www.csoonline.com/article/2597617/data-protection/27-million-south-koreans-affected-by-data-breach.html<

[8] CBC News. Target data hack affected 70 million people. Published January 10, 2014, on cbc.ca. Online: >http://www.cbc.ca/news/business/target-data-hack-affected-70-million-people-1.2491431<

[9] Chris Welch. Over 150 million breached records from Adobe hack have surfaced online. Published November 7, 2013, on theverge.com. Online: >http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online<

[10] Rachel King for Zero Day. LivingSocial confirms hacking; More than 50 million accounts affected. Published April 26, 2013, on zdnet.com. Online: >http://www.zdnet.com/livingsocial-confirms-hacking-more-than-50-million-accounts-affected-7000014606/<

[11] See generally Google Corporate. Cleaning up after password dumps. Published September 10, 2014, on googleonlinesecurity.blogspot.ca. Online: >http://googleonlinesecurity.blogspot.ca/2014/09/cleaning-up-after-password-dumps.html<

[12] Ben Elgin, Michael Riley, and Dune Lawrence. Home Depot Hacked After Months of Security Warnings. Published September 18, 2014, on businessweek.com. Online: >http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open<

[13] Jim Finkle and Karen Freifeld. States probe JPMorgan Chase as hack seen fueling fraud. Published Friday, October 3, 2014, on reuters.com. Online: >http://www.reuters.com/article/2014/10/03/us-jpmorgan-cybersecurity-idUSKCN0HS1ST20141003<

[14] Jennifer Abel. eBay hacked again? BBC reports hijacked seller accounts. Published September 23, 2014, on consumeraffairs.com. Online: >http://www.consumeraffairs.com/news/ebay-hacked-again-bbc-reports-hijacked-seller-accounts-092314.html<

[15] Administrative Office of the Washington Courts. Washington Courts Data Breach Information Center: Common Questions. Visited November 3, 2014 (regarding a data breach discovered in February/March, 2013). Online: >http://www.courts.wa.gov/newsinfo/?fa=newsinfo.displayContent&theFile=dataBreach/commonQuestions< ;

The Associated Press in Washington. Records of up to 25,000 Homeland Security staff hacked in cyber-attack. Published Saturday August 23, 2014, on theguardian.com. Online: >http://www.theguardian.com/technology/2014/aug/23/homeland-security-25000-employees-hacked<

[16] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[17] Sophie Curtis. Credit card details of 20m South Koreans leaked. Published January 20, 2014, on telegraph.co.uk. Online: >http://www.telegraph.co.uk/technology/internet-security/10584348/Credit-card-details-of-20m-South-Koreans-leaked.html<, comments on the Korea Credit Bureau case by Matt Middleton-Leal, regional director for the UK and Ireland at security firm CyberArk.

[18] Id.

[19] Indeed, both of the monumental hacks – at Target and Korea Credit Bureau, were accomplished through third parties: Krebs on Security, Email Attack on Vendor Set Up Breach at Target. Published February 12, 2014, on Krebsonsecurity.com. Online: >http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/< ; Lucian Ciolacu. Contractor with USB Stick Commits Biggest Credit Card Data Heist in South Korean History. Published January 21, 2014, on hotforsecurity.com. Online: >http://www.hotforsecurity.com/blog/contractor-with-usb-stick-commits-biggest-credit-card-data-heist-in-south-korean-history-7667.html<

As a result, some banks with their own compliance concerns, are now quite nervous about their law firms as vulnerable third parties. See e.g. Jennifer Smith and Emily Glazer of Dow Jones Business News. Banks Demand That Law Firms Harden Cyberattack Defenses. Published October 26, 2014, on nasdaq.com. Online: >http://www.nasdaq.com/article/banks-demand-that-law-firms-harden-cyberattack-defenses-20141026-00022<

[20] Id. Jennifer Smith and Emily Glazer of Dow Jones Business News.

[21] Kara Scannell in New York. NY bank regulator targets cyber threat. Published October 6, 2014, on ft.com. Online: >http://www.ft.com/cms/s/0/5a981338-4cdf-11e4-a0d7-00144feab7de.html#axzz3HghMk1j4< quote of Benjamin Lawsky, Superintendent for New York’s Department of Financial Services.

[22] Sharon D. Nelson & John W. Simek. Clients Demand Law Firm Cyber Audits. Published in ABA Law Practice Magazine Vol 39, Number 6 (Nov./Dec. 2013) Online: >http://www.americanbar.org/publications/law_practice_magazine/2013/november-december/hot-buttons.html<

[23] As with a stolen credit card, a bounced cheque, or counterfeit cash, for example.

[24] As with a man in the middle attack (spoofed eCommerce website, or legitimate but infected site with cross-site scripting), for example.

[25] As in advance fee fraud, for example.

[26] In July of 2011, two websites (Cyworld and Nate) run by SK Communications of South Korea were breached, resulting in a loss of some 35 million records. “Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites’ many millions of members.” See BBC. Millions hit in South Korean hack. Published July 28, 2011, on bbc.com. Online: >http://www.bbc.com/news/technology-14323787< . One year later, in July, 2012, South Korean authorities announced arrests in the case of hacks impacting 8.7 million users at KT Corp, the nation’s number one fixed line operator and number two mobile operator.

 

“The company says hackers stole subscribers’ names, phone and personal identification numbers, and then sold the data to telemarketers.”

 

“An illegally installed computer program had collected subscribers’ information over several months, KT Corp said.”

 

See BBC. South Korea arrests phone firm KT Corp hacking suspects. Published July 30, 2012, on bbc.com. Online: >http://www.bbc.com/news/technology-19048494<

[27] To impact the Personally Identifiable Information (PII) records of 40% of an entire nation’s population in a single stroke, is certainly a major scoop, by any reckoning. Especially ironic, are the circumstances of this hack:

 

“Customer details appear to have been swiped by a worker at the Korea Credit Bureau, a company that offers risk management and fraud detection services.” (Where were the vendor due diligence, segregation of duties, and the internal fraud controls?) (Emphasis added).

 

“The worker, who had access to various databases at the firm, is alleged to have secretly copied data onto an external drive over the course of a year and a half.” (Where were the access and event logs, “business need only” access privilege limitations, and random audits?) (Emphasis added).

 

See Sophia Yan and K.J. Kwon. Massive data theft hits 40% of South Koreans. Published January 21, 2014, on cnn.com. Online: >http://money.cnn.com/2014/01/21/technology/korea-data-hack/< See also supra, note 13, Jim Finkle and Karen Freifeld (JPMorgan Chase & Co.).

[28] Foreign and Commonwealth Office of the United Kingdom. Guidance: Overseas Business Risk – South Korea. Last updated May 27, 2014, and published on gov.uk. Online: >https://www.gov.uk/government/publications/overseas-business-risk-south-korea/overseas-business-risk-south-korea<

[29] Id.

[30] Daniela Forte. South Korea Stands Out as Ecommerce Market for U.S. Retailers. Published June 19, 2014, on multichannelmerchant.com. Online: >http://multichannelmerchant.com/must-reads/south-korea-stands-out-in-ecommerce-market-for-u-s-retailers-19062014/<

[31] The Associated Press. Korea has nearly as many cell phones as people. Last updated January 28, 2009, and published on nbcnews.com. Online: >http://www.nbcnews.com/id/28893283/ns/technology_and_science-tech_and_gadgets/t/korea-has-nearly-many-cell-phones-people/#.VFKb0xbClGM<

[32] Id., and supra note 30.

[33] Supra note 30.

[34] Reuters. Paper is passe for tech-savvy South Koreans. Published Friday, May 9, 2008, on reuters.com. Online: >http://www.reuters.com/article/2008/05/09/us-korea-coupons-idUSS0914416520080509<

[35] Gordon Hamilton. Asia Pacific report: South Korea now a global technology tiger. Published November 25, 2013, on biv.com. Online: >http://www.biv.com/article/2013/11/asia-pacific-report-south-korea-now-a-global-techn/<

[36] Sarah Jones. South Korea boasts highest global credit card penetration: report. Published June 27, 2014, on luxurydaily.com. Online: >http://www.luxurydaily.com/south-korea-boasts-highest-global-credit-card-penetration-report/<

[37] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published November 1, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[38] Ekundayo George. To Gatto from Zubulake: 2 Thumbs-up for Better Information Governance/Anti-Spoliation. Published March 31, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/<

[39] Ekundayo George. Data Protection and Retention in the Cloud: Getting it Right. Published March 11, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< You cannot leave everything to a vendor or counterparty, if and when you are primarily responsible for your own security and the security of the data that you host at rest, in transit, or subject to access and change, for others.

[40] Terry Collins and Anne D’Innocenzio for The Associated Press. Twitter hackers nab data on 250,000 accounts. Published February 2, 2013, on ottawacitizen.com. Online: >http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html<

[41] Ben Elgin, Dune Lawrence and Michael Riley. Coke Gets Hacked And Doesn’t Tell Anyone. Published November 4, 2012, on bloomberg.com. Online: >http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html< This kind of silence is changing, however, due to increasing regulatory focus on cyber risks and cyber events, and a push for timely and full disclosure and remediation when it may impact the bottom line, systemically important entities, or public or investor confidence.

[42] China and India are the most populous nations on earth, with well over 1 Billion citizens, each; but comparatively (with all other nations) very low ratios of banked citizens, and citizens with access to organized credit facilities. The promised easing of China’s restrictions on foreign credit card issuers paves the way for many of the entry-market credit card products that we see in the West – secured cards, rechargeable cards, debit cards, and the like, along with the juicy fees for annual access, loading, overdrafts, late payments, cash advances, and per transaction. Of course, this will require the taking, keeping, and updating of vast amounts of data on a vast population; creating a single and captive, target rich environment of irresistible size that will remain very vulnerable to any lapses in data governance and/or cyber best practices. See generally Joe McDonald of The Associated Press. China easing credit card monopoly opening door for Visa, MasterCard. Published October 30, 2014, on ctvnews.ca. Online: >http://www.ctvnews.ca/business/china-easing-credit-card-monopoly-opening-door-for-visa-mastercard-1.2078518<

[43] Ekundayo George. Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec. Published May 16, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/<

[44] See e.g. Supra note 12, Ben Elgin, Michael Riley, and Dune Lawrence (Home Depot).

The Internet of Things (IOT – also referred to as Machine to Machine communication, or M2M) is well on its way to reality, with a wide range of market penetration predictions and potential verticals for the savvy and aggressive providers who aim to tame it.  Intel projects 2015 uptake to be 3.8 billion devices globally; whilst 2020 projections are 30 billion devices from ABI Research, and 50 billion devices with “$14.4 trillion in bottom-line potential”, from Cisco Systems.[1]  There were some very early movers, such as the European Union, for example, which established an Internet of Things (IOT) Working Group on August 10, 2010.[2]  Three years later, the United States Federal Trade Commission (FTC) has already initiated an enforcement action against an IOT service provider due to flawed security and false claims and misrepresentations in advertising.[3]  Now, following last year’s 4th EU, IOT Conference,[4] regulators and industry everywhere, are swiftly strategizing and paving the way forwards:

(1) In South America, IoT World meets in Brazil, was held in São Paulo, from May 21-24, 2013;[5]

(2) In the Middle East, The M2M Middle East Forum, was held in Dubai, UAE, on September 22-23, 2013;[6]

(3) In North America, The 2013 M2M and Internet of Things (IOT) Global Summit, was held in Washington, D.C. from October 1-2, 2013;[7]

(4) In Africa, The 1st Workshop On The Internet Of Things (IOT 2013), is now scheduled for October 7, in East London, South Africa;[8]

(5) In Europe, The Internet of Things World Forum, is now scheduled for November 12-13, 2013, in London, UK;[9]

(6) In Asia, The Internet of Things Asia 2014 Exhibition and Conference, is now scheduled for April 21-22, 2014, in Singapore;[10]

The fact remains, however, that myriad options exist for vertical and horizontal exploitation of this space, and the same number of options – apparently subject to multiplication by itself – exists in the form of coordination, regulation, optimization, protocols, and security.  As a result, and due to the need to develop common understandings and definitions across these 6 (“six”) centers of gravity, we have devised and provided the within Table of 7 elements (on the X-axis), times 30 elements (on the Y-axis), as a conceptual framework for industry and regulators within and between these 6 centers of gravity, to utilize on internal deliberations and joint consultations.  Just select a coordinate where X and Y meet, conceptualize the kind(s) of IOT/M2M offering that would fit there, and strategize on the most appropriate or most preferable “iPages” for it or them (see note 2, below).  We hope it helps!

X-Axis (BUSCOPF):

BIODIVERSITY;

UTILITIES;

SECURITY;

CULTURE;

OFFICE;

PROJECTS/POLICIES;

FINANCE.

Y-Axis (SCOPE):

SERVICES (6):

-General/Government

-Regulated

-Integrated

-Personal/Apparel

-eBusiness

-Shared/Social

 

CONTROLS (5):

-Structure

-Product

-Infrastructure

-Emergency

-System

 

OPERATIONS (7):

-Supply/Logistics

-Communications

-Humanitarian

-Entry/Egress

-Municipal/Medical

-Economic/Exchange

-Scientific

 

PRODUCTS (7):

-Personal/Apparel

-Regulated

-Infotainment

-Networked

-Consumer

-eBusiness

-Shared/Social

 

EVALUATIONS (5):

-Efficiencies

-Insurance Risk

-Gathered Data

-Health & Safety

-Threats & Alerts

 

©2013. S’imprime-ça (Ottawa, Canada). http://www.simprime-ca.com.  Free “BST” use, duplication, and distribution is permitted if including this attribution block verbatim.

 *********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Alyssa Oursler, InvestorPlace Assistant Editor.  Morgan Stanley Gushes on the Internet of Things.  Analysts take a deep dive into the trend with 29-page note.  Published on investorplace.com, September 30, 2013.  Web: http://investorplace.com/2013/09/csco-morgan-stanley-internet-of-things/

[2] Euroalert.  Expert Group on the Internet of Things set up.  Published on euroalert.net, August 11, 2010.  Web: http://euroalert.net/en/news.aspx?idn=10271 This Expert Group now has 6 (“six”) sub groups, being one for each of identification, privacy, architectures, governance, ethics, and standards (I would call this “iPages”).  A Summary of their 10th Meeting in Brussels, Belgium, in November 2012, is available here: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1747

[3] See e.g. Paul.  With Settlement, FTC Issues Warning On IP-Enabled Cameras.  Published on securityledger.com, September 4, 2013.  Web: https://securityledger.com/2013/09/with-settlement-ftc-issues-warning-on-ip-enabled-cameras/

[4] Forum Europe.  Post-Conference Report from The 4th Annual Internet of Things Europe.  Shaping Europe’s Future Internet Policy – The road to Horizon 2020.  The Conference was held in Brussels, Belgium, on November 12-13, 2012.  Published on eu.ems.com.  Web: http://www.eu-ems.com/event_images/Downloads/IoT%20post%20conference%20report%20-%202012.pdf

[5] IoT World meets in Brazil, was held in São Paulo, Brazil, from May 21-24, 2013. Published on theinternetofthings.eu.  Web: http://www.theinternetofthings.eu/iot-world-meets-brazil-s%C3%A3o-paulo-21st-24th-may-2013

[6] The M2M Middle East Forum, was recently held in Dubai, UAE, on September 22-23, 2013.  Published on dmgeventsme.com.  Web: http://dmgeventsme.com/m2mforumme/

[7] The 2013 M2M and Internet of Things (IOT) Global Summit, was recently held in Washington, D.C. on October 1-2, 2013.  Published on eu-ems.com.  Web: http://www.eu-ems.com/summary.asp?event_id=173&page_id=1432

[8] The 1st Workshop On The Internet Of Things (IOT 2013), is scheduled for October 7, in East London, South Africa.  Published on isat.cs.uct.ac.za.  Web: http://isat.cs.uct.ac.za/IoT2013_Workshop/isat_web_iot/index.html

[9] The Internet of Things World Forum, is scheduled for November 12-13, 2013, in London, UK.  Published on internetofthingsconference.com.  Web: http://iotinternetofthingsconference.com/

[10] The Internet of Things Asia 2014 Exhibition and Conference, is scheduled for April 21-22, 2014, in Singapore. Published on internetofthingsasia.com.  Web: http://www.internetofthingsasia.com/

The recent announcement of pending closure for Nirvanix,[1] a CSP, highlights a number of points that I have often stressed as critical in data assessment prior to cloud usage, cloud vendor assessment, cloud contracting specifically, and data protection and retention in general.  These are:

1. “In addition – always (have) a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.”[2]

2. “If you have critical functionalities that have moved completely or almost completely to a cloud-based solution… then it is highly-advisable to have a backup cloud.”[3]

3. Protect and back up your data as per your assessment of the V5 Interplay…the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.[4]

4. Mature cloud users should be in a state where “Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor.”[5]

To now learn that many large and systemically significant entities in a host of industries have massive amounts of data with this one provider that they are now rushing to remove before the pending shutdown,[6] is quite worrying in terms of Cybersecurity, Cloud best practices, and attendant potential legal liability.

OPTIONS:

Of course, any speculation is pure speculation, as I have no personal knowledge of their arrangements, whether or not these exits are orderly, or if they will be concluded in good time.  However, one would expect that:

(i) for the most critical data in that V5 interplay;

(ii) multiple CSPs should have been used;

(iii) offsite backup should not have been automatically discontinued;

(iv) a detailed exit protocol (“cloud emigration”) would have been contractually agreed-upon in advance, with access to the key or contracted staff – including migration/emigration as a service providers or other such specialists;

(v) guaranteed continued availability of staff and data as was already specified in the original SLA; and

(vi) either CSP insurance (as with employment practices insurance, business interruption or business continuity insurance, or some such), a portion of the client fees segregated in advance by lockbox arrangement to pre-fund an orderly exit, or any host of other arrangements to cover those exit costs, would have been specified as preconditions for entering into a cloud services agreement in the first instance, laid-out in detail, mutually agreed, practiced and reviewed for updates from time to time, and enacted as and when needed.

CONCLUSIONS:

This case is quite instructive, and many cloud users will, doubtless, take note and a few pointers for their own contracts (whether as promptly amended or when next renewed), so as to avoid future problems when this kind of situation replicates, or any other foreseeable or unforeseen eventuality causes a similar rumble of thunder to ripple across the Cloud-sphere.  They must be able to promptly, securely, and in an organized fashion “rein-in” and “reel-back” their uploaded data from the cloud, without having their own clients and data subjects rain thunder and lightning down on them, for any failure to so do.[7]  If their data gets stuck in CSP insolvency wranglings, then a whole host of new twists and turns will develop.

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects), and has sector experience in healthcare, communications, financial services, real estate, international trade, eCommerce, Cloud, and Outsourcing.

 

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, high stakes, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

 



[1] Isha Suri.  Nirvanix Closing Down, Gives Two Weeks’ Notice of Service Shutdown.  Published on siliconangle.com, September 24, 2013.  Web: http://siliconangle.com/blog/2013/09/24/nirvanix-closing-down-gives-two-weeks-notice-of-service-shutdown/

[2] Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  (at “Disadvantages potential – Vendor Inelasticity”).  Published on ogalaws.wordpress.com, December 28, 2011.  Web: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right (at “1. Backup Cloud”).  Published on ogalaws.wordpress.com, March 11, 2013.  Web: https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/

[4] Id. at “4. Traditional off-Cloud Backup”, and at footnote 13.

[5] Ekundayo George.  In who’se pocket is your data packet? – International Data Governance (at “d”).  Published February 6, 2013.  Web: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[6] Jeffrey Schwartz.  Cloud Storage Provider Nirvanix Goes Belly-Up, Customers Panic To Move Data.  Published on virtualizationreview.com, September 19, 2013.  Web: http://virtualizationreview.com/blogs/the-schwartz-cloud-report/2013/09/nirvanix-goes-belly-up.aspx?goback=.gde_1864210_member_275308263#!

[7] “Risk Management” (such as in preventing to the extent possible, planning for, and effectively prevailing with regard to this type of snafu) and “Stakeholder Management” (calming and reassuring those division heads and business unit leaders whose core and critical functions are residing, and hopefully resiliently so, in the Cloud, during any time of crisis), have been identified as the new and added “need to have” softer business skills for IT professionals who plan to survive and thrive in the rapidly evolving (and reputedly short-skilled) Cloud space.  See Steve Ranger.  Big data, cloud computing experts hard to hire, bosses admit.  Published on techrepublic.com, September 23, 2013.  Web: http://www.techrepublic.com/blog/european-technology/big-data-cloud-computing-experts-hard-to-hire-bosses-admit/?tag=nl.e077&s_cid=e077&ttag=e077&ftag=TRE9ae7a1a.  For a broader overview of the changing nature of IT skills with regard to changing technologies, such as Cloud Computing, see Ekundayo George.  Why “will” IT jobs persist through changing technology, and why “must” IT initial education and ongoing training be both constant, and consistent?  Published on ogalaws.wordpress.com. June 5, 2013.  Web: https://ogalaws.wordpress.com/2013/06/05/why-will-it-jobs-persist-through-changing-technology-and-why-must-it-initial-education-and-ongoing-training-be-both-constant-and-consistent/