The Internet of Things (IOT – also referred to as Machine to Machine communication, or M2M) is well on its way to reality, with a wide range of market penetration predictions and potential verticals for the savvy and aggressive providers who aim to tame it.  Intel projects 2015 uptake to be 3.8 billion devices globally; whilst 2020 projections are 30 billion devices from ABI Research, and 50 billion devices, with “$14.4 trillion in bottom-line potential”, from Cisco Systems.[1]  There were some very early movers, such as the European Union, which established an Internet of Things (IOT) Working Group on August 10, 2010.[2]  Three years later, the United States Federal Trade Commission (FTC) has already initiated an enforcement action against an IOT service provider due to flawed security and false claims and misrepresentations in advertising.[3]  Now, following last year’s 4th EU IOT Conference,[4] regulators and industry everywhere are swiftly strategizing and paving the way forward:

(1) In South America, IoT World meets in Brazil was held in São Paulo, from May 21-24, 2013;[5]

(2) In the Middle East, The M2M Middle East Forum was held in Dubai, UAE, on September 22-23, 2013;[6]

(3) In North America, The 2013 M2M and Internet of Things (IOT) Global Summit was held in Washington, D.C. from October 1-2, 2013;[7]

(4) In Africa, The 1st Workshop On The Internet Of Things (IOT 2013) is now scheduled for October 7, in East London, South Africa;[8]

(5) In Europe, The Internet of Things World Forum is now scheduled for November 12-13, 2013, in London, UK;[9]

(6) In Asia, The Internet of Things Asia 2014 Exhibition and Conference is now scheduled for April 21-22, 2014, in Singapore.[10]

The fact remains, however, that myriad options exist for vertical and horizontal exploitation of this space, and the same number of options – apparently subject to multiplication by itself – exists in the form of coordination, regulation, optimization, protocols, and security.  As a result, and due to the need to develop common understandings and definitions across these 6 (“six”) centers of gravity, we have devised and provided the within Table of 7 elements (on the X-axis), times 30 elements (on the Y-axis), as a conceptual framework for industry and regulators within and between these 6 centers of gravity, to utilize in internal deliberations and joint consultations.  Just select a coordinate where X and Y meet, conceptualize the kind(s) of IOT/M2M offering that would fit there, and strategize on the most appropriate or most preferable “iPages” for it or them (see note 2, below).  We hope it helps!

X-Axis (BUSCOPF):

BIODIVERSITY;

UTILITIES;

SECURITY;

CULTURE;

OFFICE;

PROJECTS/POLICIES;

FINANCE.

Y-Axis (SCOPE):

SERVICES (6):

-General/Government

-Regulated

-Integrated

-Personal/Apparel

-eBusiness

-Shared/Social


CONTROLS (5):

-Structure

-Product

-Infrastructure

-Emergency

-System


OPERATIONS (7):

-Supply/Logistics

-Communications

-Humanitarian

-Entry/Egress

-Municipal/Medical

-Economic/Exchange

-Scientific


PRODUCTS (7):

-Personal/Apparel

-Regulated

-Infotainment

-Networked

-Consumer

-eBusiness

-Shared/Social


EVALUATIONS (5):

-Efficiencies

-Insurance Risk

-Gathered Data

-Health & Safety

-Threats & Alerts


©2013. S’imprime-ça (Ottawa, Canada). http://www.simprime-ca.com.  Free “BST” use, duplication, and distribution is permitted if including this attribution block verbatim.

 *********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Alyssa Oursler, InvestorPlace Assistant Editor.  Morgan Stanley Gushes on the Internet of Things.  Analysts take a deep dive into the trend with 29-page note.  Published on investorplace.com, September 30, 2013.  Web: http://investorplace.com/2013/09/csco-morgan-stanley-internet-of-things/

[2] Euroalert.  Expert Group on the Internet of Things set up.  Published on euroalert.net, August 11, 2010.  Web: http://euroalert.net/en/news.aspx?idn=10271.  This Expert Group now has 6 (“six”) sub groups, being one for each of identification, privacy, architectures, governance, ethics, and standards (I would call this “iPages”).  A Summary of their 10th Meeting in Brussels, Belgium, in November 2012, is available here: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1747

[3] See e.g. Paul.  With Settlement, FTC Issues Warning On IP-Enabled Cameras.  Published on securityledger.com, September 4, 2013.  Web: https://securityledger.com/2013/09/with-settlement-ftc-issues-warning-on-ip-enabled-cameras/

[4] Forum Europe.  Post-Conference Report from The 4th Annual Internet of Things Europe.  Shaping Europe’s Future Internet Policy – The road to Horizon 2020.  The Conference was held in Brussels, Belgium, on November 12-13, 2012.  Published on eu-ems.com.  Web: http://www.eu-ems.com/event_images/Downloads/IoT%20post%20conference%20report%20-%202012.pdf

[5] IoT World meets in Brazil, was held in São Paulo, Brazil, from May 21-24, 2013. Published on theinternetofthings.eu.  Web: http://www.theinternetofthings.eu/iot-world-meets-brazil-s%C3%A3o-paulo-21st-24th-may-2013

[6] The M2M Middle East Forum, was recently held in Dubai, UAE, on September 22-23, 2013.  Published on dmgeventsme.com.  Web: http://dmgeventsme.com/m2mforumme/

[7] The 2013 M2M and Internet of Things (IOT) Global Summit, was recently held in Washington, D.C. on October 1-2, 2013.  Published on eu-ems.com.  Web: http://www.eu-ems.com/summary.asp?event_id=173&page_id=1432

[8] The 1st Workshop On The Internet Of Things (IOT 2013), is scheduled for October 7, in East London, South Africa.  Published on isat.cs.uct.ac.za.  Web: http://isat.cs.uct.ac.za/IoT2013_Workshop/isat_web_iot/index.html

[9] The Internet of Things World Forum, is scheduled for November 12-13, 2013, in London, UK.  Published on internetofthingsconference.com.  Web: http://iotinternetofthingsconference.com/

[10] The Internet of Things Asia 2014 Exhibition and Conference, is scheduled for April 21-22, 2014, in Singapore. Published on internetofthingsasia.com.  Web: http://www.internetofthingsasia.com/

The recent announcement of pending closure for Nirvanix,[1] a CSP, highlights a number of points that I have often stressed as critical in data assessment prior to cloud usage, cloud vendor assessment, cloud contracting specifically, and data protection and retention in general.  These are:

1. “In addition – always (have) a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.”[2]

2. “If you have critical functionalities that have moved completely or almost completely to a cloud-based solution… then it is highly-advisable to have a backup cloud.”[3]

3. Protect and back up your data as per your assessment of the V5 Interplay… the mix of data volume, velocity, variety, value, and vulnerability that determines how, where, and how often you back it up; amongst other distinct operations and/or management tasks.[4]

4. Mature cloud users should be in a state where “Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor.”[5]

To now learn that many large and systemically significant entities in a host of industries have massive amounts of data with this one provider, which they are now rushing to remove before the pending shutdown,[6] is quite worrying in terms of Cybersecurity, Cloud best practices, and attendant potential legal liability.

OPTIONS:

Of course, any speculation is pure speculation, as I have no personal knowledge of their arrangements, whether or not these exits are orderly, or if they will be concluded in good time.  However, one would expect that:

(i) for the most critical data in that V5 interplay;

(ii) multiple CSPs should have been used;

(iii) offsite backup should not have been automatically discontinued;

(iv) a detailed exit protocol (“cloud emigration”) would have been contractually agreed-upon in advance, with access to the key or contracted staff – including migration/emigration-as-a-service providers or other such specialists;

(v) guaranteed continued availability of staff and data as was already specified in the original SLA; and

(vi) either CSP insurance (as with employment practices insurance, business interruption or business continuity insurance, or some such), a portion of the client fees segregated in advance by lockbox arrangement to pre-fund an orderly exit, or any host of other arrangements to cover those exit costs, would have been specified as preconditions for entering into a cloud services agreement in the first instance, laid-out in detail, mutually agreed, practiced and reviewed for updates from time to time, and enacted as and when needed.

CONCLUSIONS:

This case is quite instructive, and many cloud users will, doubtless, take note and a few pointers for their own contracts (whether as promptly amended or when next renewed), so as to avoid future problems when this kind of situation replicates, or any other foreseeable or unforeseen eventuality causes a similar rumble of thunder to ripple across the Cloud-sphere.  They must be able to promptly, securely, and in an organized fashion “rein-in” and “reel-back” their uploaded data from the cloud, without having their own clients and data subjects rain thunder and lightning down on them for any failure to do so.[7]  If their data gets stuck in CSP insolvency wranglings, then a whole host of new twists and turns will develop.

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects), and has sector experience in healthcare, communications, financial services, real estate, international trade, eCommerce, Cloud, and Outsourcing.


Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, high stakes, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.







[1] Isha Suri.  Nirvanix Closing Down, Gives Two Weeks’ Notice of Service Shutdown.  Published on siliconangle.com, September 24, 2013.  Web: http://siliconangle.com/blog/2013/09/24/nirvanix-closing-down-gives-two-weeks-notice-of-service-shutdown/

[2] Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  (at “Disadvantages potential – Vendor Inelasticity”).  Published on ogalaws.wordpress.com, December 28, 2011.  Web: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right (at “1. Backup Cloud”).  Published on ogalaws.wordpress.com, March 11, 2013.  Web: https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/

[4] Id. (at “4. Traditional off-Cloud Backup”, and at footnote 13).

[5] Ekundayo George.  In who’se pocket is your data packet? – International Data Governance (at “d”).  Published February 6, 2013.  Web: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[6] Jeffrey Schwartz.  Cloud Storage Provider Nirvanix Goes Belly-Up, Customers Panic To Move Data.  Published on virtualizationreview.com, September 19, 2013.  Web: http://virtualizationreview.com/blogs/the-schwartz-cloud-report/2013/09/nirvanix-goes-belly-up.aspx?goback=.gde_1864210_member_275308263#!

[7] “Risk Management” (such as in preventing to the extent possible, planning for, and effectively prevailing with regard to this type of snafu) and “Stakeholder Management” (calming and reassuring those division heads and business unit leaders whose core and critical functions are residing, and hopefully resiliently so, in the Cloud, during any time of crisis), have been identified as the new and added “need to have” softer business skills for IT professionals who plan to survive and thrive in the rapidly evolving (and reputedly short-skilled) Cloud space.  See Steve Ranger.  Big data, cloud computing experts hard to hire, bosses admit.  Published on techrepublic.com, September 23, 2013.  Web: http://www.techrepublic.com/blog/european-technology/big-data-cloud-computing-experts-hard-to-hire-bosses-admit/?tag=nl.e077&s_cid=e077&ttag=e077&ftag=TRE9ae7a1a.  For a broader overview of the changing nature of IT skills with regard to changing technologies, such as Cloud Computing, see Ekundayo George.  Why “will” IT jobs persist through changing technology, and why “must” IT initial education and ongoing training be both constant, and consistent?  Published on ogalaws.wordpress.com, June 5, 2013.  Web: https://ogalaws.wordpress.com/2013/06/05/why-will-it-jobs-persist-through-changing-technology-and-why-must-it-initial-education-and-ongoing-training-be-both-constant-and-consistent/

The Internet and Social Media have rapidly become indispensable tools for networking, productivity, and information gathering and sharing as used by people from all ages, stages in life or work, and nations.

What is Social Media?

Having developed to fulfill the above roles, resulting online communities of avid users have developed into global multilingual, multicultural, and multidisciplinary social mediums (plural “media”) for:

Creativity (web pages, youtube, hulu, flickr, picasa, interactive sites, shareware);

Collaboration (intranets, wikipedia, second life, dropbox, you send it, whatsapp);

Commentary (wikis, intranets, blogs, pinterest, RSS feeds, newsgroups, news and articles);

Commerce (listservs, monster, ebay, craigslist, angie’s list, amazon, tremor video, directories);

Connection (email, text, twitter, facebook, myspace, dating sites, instagram, linkedin); and

Cloud applications (software, infrastructure, platform, security, and other “as a service” offerings in some or all the above, eGovernance, and public, private, and hybrid clouds);

and many other distinct offerings and versions for such online community activities now known and/or yet to become well known.  In sum, however, these are all mediums or platforms and utilities through which people, being social, may responsibly interact in a way that “enriches” society.

Why should its use be governed?

Responsible and proper use of the Internet and Social Media “E.N.R.I.C.H.E.S.” our society; i.e., it:

Educates,

Negates falsehoods, and both enables and enhances

Relationships,

Introductions,

Commerce,

Help and assistance and self-help,

Expression, and

Social and national security.

However, as with most if not all things, there is a potential downside to online community participation.  Businesses with employees and contractors all need to ensure that their workers are not getting themselves and their employer (or principal in the case of agents), into legal problems or embarrassing situations as a result of their online activities.  As a result, employers should develop and enforce robust social media usage policies that more closely address the unique qualities of these online communities, as online communities (site terms of use, internal employee policies, and generalized rules), and not just the generic “social media”.  One way to do this is to divide the policy, after a good preamble, into 4 (“four”) parts: (i) “Please” rules; (ii) “Don’t” rules; (iii) “Always Appreciate” rules; and (iv) “Affirmations and Signatures”.  These categories need not appear in the order given, and they may be mixed and matched.

What might these rules cover?

“Please” Rules.

Depending upon the mix of internal (intranets) and external (news and articles commentary) social media considered, the employer should remind employees to be respectful and responsible in their online activities, to use disclaimers so as to prevent attribution to their employer of any personal comment or action when not specifically authorized, and to use good judgment and avoid underhanded actions.  The employer should also ask employees to remember their day jobs and consider how their actions outside the workplace “may” impact upon any or all of them, their employer, their employer’s business and reputation, and their employer’s customers.  Also, the employer might remind site users and employees to clearly identify their sources when possible and advisable, including with hyperlinks; as well as to comply with (and not use the social media platform in an effort to circumvent or violate) any legal compulsion under which they must act in a certain way, or any lawful document by which they are bound, such as any court order, consent order or settlement agreement, injunction, or restraining order.

“Don’t” Rules.

These rules will revolve around actions beyond simple decorum, to include a host of specific prohibitions against online IP infringement, a bar on criminality and all forms of stalking, or sexual or other harassment or bullying, and a further prohibition on using online interaction to breach applicable internal data retention policies, or protections for client confidentiality, privacy, and proprietary employer information.  Advisories to avoid personal attacks and offensive language, as well as defamation, would also be in order.  In the absence of a BYOD policy, the employer may also bar the use of work devices for personal reasons, including by barring access to certain sites or by implementing some monitoring regimes, with advance notice, of course.  This group of rules will also limit or bar the installation of third-party programmes, software or utilities without advance approval from designated employer personnel; impose restrictions or bars on anonymizing postings and other participation; and issue a blanket prohibition on circumventing any site or employer security protocols or programs.

“Always Appreciate” Rules.

These will include notifications of how online behavior is tracked and include a consent to monitoring by their use, as well as an explanation of the use of cookies – both standard and persistent – in accordance with applicable laws and regulations.  Online community members and employees should also be reminded to always appreciate the permanency of their online activities and postings, and the interplay of different policies – such as anti-harassment and anti-sexual harassment, human rights, confidentiality, and applicable codes of conduct, to include professional conduct through professional licensing bodies.  This group of rules should also encourage recognizing the value of accuracy in commentary, the desirability of respecting alternate viewpoints in online dialogues, the advisability of not pretending to be an expert and inviting embarrassment when the true experts chime in, and the benefits to peace of mind and avoiding open hostility in staying away from controversial topics.  The employer will also draw attention to the complaints escalation policy and any alternate dispute resolution mechanisms that it prefers or mandates for members of its workforce, any or all of the online communities that it hosts, or both of these.

“Affirmations, Disclaimers, and Signatures.”

Here, the user or member of that social medium – whether or not an employee – should be invited, as a condition of use and membership, to clearly acknowledge the fact that any user breaching the usage policy, applicable law, or company rules and regulations is sanctionable up to and including cessation of privileges and termination of employment as applicable; as well as a notification that the employer or forum host reserves the right to proceed against them in a suit at law or in equity to recover any or all of its costs incurred to defend itself in any legal or regulatory matter, or the proceeds of any settlement it paid and legal fees, or its reputation, actually or allegedly emanating from that user or member’s conduct.  All users and members must also affirm that they are of a jurisdictional age to use the social medium in the first place, that they will maintain the confidentiality and control of their accounts and log-on credentials, and where appropriate, that they will not directly breach, or permit the breach through third party use of their accounts or credentials, of specific laws of concern to that community.  These may include: obscenity and pornography restrictions; child pornography as a separate and distinct carve-out; terrorist activity; hate crimes; and money-laundering.  Also, in addition to the standard and weighty disclaimers of the site host and/or employer, and somewhere in the entire policy, the employer – if based in the United States or otherwise touched by United States’ law and the National Labor Relations Act (NLRA) – should include a guarantee of protected “concerted activity”, such as employee rights to free discussion in social media of their terms and conditions of work, to organize or unionize and discuss such issues, and to bargain collectively through their own chosen representatives, all without fear or threat of termination or other punishment.

Finally, somewhere in the policy, there should be discussion of what the employer or medium host would like to feel free to do with, to, or through user accounts in the case of a generally-defined or specifically-named (general always gives more leeway) emergency situation.

Summary.

Due to the wide use and ubiquity of social media and the “tri-screen convergence”[1] that it continues to foster, these rules must be carefully crafted to identify and address the specific audience for each rule or each subrule, whether: (i) employees using an employer-hosted or employer-sponsored site; (ii) employees on their own time or during work time, but using other sites; (iii) non-employees using the employer-hosted or employer-sponsored site.  Of course, separate policies may be developed, e.g.: (a) Social Media Policy; (b) Code of Conduct & Confidentiality Policy; (c) Online Community Usage Policy, as appropriate, and intertwined with cross-referencing.  A Data Retention Policy should also be disclosed, as it covers all users, along with a summary of the policy carve-outs or other procedures that might come into play when dealing with internal investigations, discipline and ongoing compliance monitoring, and requests for law enforcement assistance.  A single and all-encompassing policy may also be used, with separate sub-headings and carve-outs for these where inapplicable to a specific audience as here identified.  However, that is a matter of entity-specific choice, and diverse new offerings will challenge established thought leadership on the best or most appropriate way to devise and deliver “any” policy.[2]

In any case, social media policies should be comprehensive, but they need not be unduly convoluted.  Once you have the basics, you can build on them and go as deep as you want to for each sub-element.  Remember, it does not hurt to get advice from legal counsel, as the field is fraught with traps, and many areas of law need to be considered and factored in to properly blend and balance out the end product.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, eCommerce, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in New York, New Jersey, and Washington, D.C.  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Individuals can now use one device to watch a movie (formerly and exclusively done in the theatre or on a television), get news updates (formerly done through the radio, television, or print media), and get in touch with friends and family or businesses and business associates (formerly done through a fixed line at home, in the office, or in a telephone booth).  Now, the TV screen, the computer screen, and the laptop screen, can all be melded into a smartphone that is portable, always on (battery power and novel charging methods allowing), and can translate.

[2] Take for example, “Twitter Amplify”, which allows viewers to engage in the kind of “online” running commentary that would have driven fellow viewers to distraction if delivered verbally and over the dialogue in question as it happened.  In addition, through Twitter’s media partnerships, brand advertisers can also reach out to twitter users who have shown interest in their offerings through tweeting, liking, following, viewing their ads, or otherwise.  See e.g. Tanzina Vega.  Twitter Lets Brands Reach Viewers of Their TV Ads.  Posted on nytimes.com, May 23, 2013.  Online: http://www.nytimes.com/2013/05/24/business/media/twitter-lets-brands-find-viewers-of-their-tv-ads.html?partner=rss&emc=rss&_r=1&goback=.gde_66325_member_243714222&

The story recently broke of an employee (now a former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed over for promotions, which led to his resignation in December, 2011, with a final day of work in January, 2012.[1]  According to a Criminal Complaint in the incident as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimate puts the cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or due to an inability to do anything more destructive or wide-ranging because of security impediments.


On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?

 

There is a sometimes quite intense ongoing debate on whether outside threats or inside threats are greater; but both sides of the debate, and naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside the firewall/outside the firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) their accessing of preferred apps or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: >http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer<

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

In August, 2000, the United States Securities and Exchange Commission (the “Commission”) first published Regulation FD (17 C.F.R. §243.100 et seq.),[1] which read in pertinent part, that:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.[2]  (Emphasis added).

 

In August, 2008, the Commission issued guidance that permitted the above disclosures to be made through company websites,[3] with certain caveats and conditions.

 

Recently, on April 2, 2013, the Commission has again taken a step to address the advancements of (not so new anymore) media in allowing publicly-traded companies and other issuers to disclose material nonpublic information through the Facebook and Twitter[4] social networking channels.[5]

“We do not wish to inhibit the content, form, or forum of any such disclosure, and we are mindful of placing additional compliance burdens on issuers.  In fact, we encourage companies to seek out new forms of communication to better connect with shareholders”.[6]

 

Here now, we have a treble conundrum – (a) what is the order of precedence of the many “forms of communication” or channels now available to issuers for such information releases; (b) which channels will each issuer even use; and (c) will/should there be any distinction in channels used by any issuer or any group or industry of issuers, for releases of different types of information?

“We believe that company disclosure should be more readily available to investors in a variety of locations and formats to facilitate investor access to that information. […] A company’s website is an obvious place for investors to find information about the company, and a substantial majority of large public companies already provide access to their Commission filings through their websites”.[7]

 

It therefore behooves the Commission to now go a little bit further in mandating that issuers – (a) define such an ordering or precedence of channels; (b) state which channels that they will use; and (c) address any distinctions in channel use for releases of different types of information.  Such mandate or guidance would better fit Regulation FD to the times and accord with the Commission ethos on disclosure, generally, and social media, specifically.

 

            Currently Available Channels.

In no particular order, I count 22 (“twenty-two”) channels through which issuers can make statements or otherwise regularly or occasionally disseminate information; whether or not material or public.  These are Blogs, Press Releases, Annual Reports, interim Regulatory Filings, Websites, RSS feeds, email alerts, sms/texts, Facebook, YouTube, Twitter, Teleconferences, Webinars, News Conferences, EDGAR, Annual Shareholder Meetings, and Electronic Shareholder Forums.  The foregoing number 17, and so the remaining 5 (“five”) channels will be introduced and described in more detail, below.

 

            Suggested Macro-level (group) Ordering.

I would start by organizing these channels into 3 (“three”) groups:

(i) a Static Foundational group (SF) of 4 channels – where information once placed, is generally there for the duration, and the medium can also serve as a repository for prior releases of information.  The four items here, would be the issuer’s main Website (with or without an attached static blog), the issuer’s main Facebook page (whether or not interactive), EDGAR (publicly accessible, United States Securities and Exchange Commission’s “Electronic Data Gathering, Analysis and Retrieval” system for issuer filings), and the issuer’s Annual Reports (which once released with their audited financial statements, are seldom amended or re-stated without very good cause);

 

(ii) a Live Regulated group (LR) of 6 channels – where the speakers are known and often seen, and the format is often interactive.  This includes the Teleconference (such as one with market Analysts), the Webinar, the News Conference (whether strictly for media or for all comers), the Annual Shareholder Meeting, and interactive Electronic Shareholder Forums.  A sixth channel in this group is the interim Regulatory Filing.  Although not interactive and possessing qualities of the SF group, interim Regulatory Filings can be more easily amended and can be either regular or irregular in their appearance, as per the specific filer or the industry of the filer.  I place them here because even though they are non-interactive, they are more “live regulated” than “static foundational”; similarly, Electronic Shareholder Forums are both interactive and virtual, but still highly regulated under applicable Securities Laws;

 

(iii) a Virtual Responsibility group (VR) of 7+5 channels – where the speaker, author, or poster can be anyone specifically or apparently authorized to speak by or on behalf of the issuer, the audience is not restricted to persons with a direct interest in the issuer or the business of the issuer, and the consequences for material mis-statements or intentionally and misleadingly incomplete disclosures can be broad, international, and damaging in the extreme.  Despite these dangers, the medium is virtual and may potentially “go viral” with a quickness, and so self-regulation and corporate responsibility are more the norm.  This group includes Twitter (with a current character limit that cannot possibly accommodate both the message and all necessary and advisable disclaimers), YouTube (where hundreds of thousands, or even millions of “hits”/“views” can precede adult supervision and removal of the content in question), interactive or standalone blogs, RSS feeds, email alerts, sms/texts, and print or electronic Press Releases.

 

The five remaining VR channels in an “EVR” sub-category, standing for “Enhanced” or heightened responsibility, are “C-suite” outlets, being:

(i) 2 channels in SF-C (personal Facebook pages and personal websites);

(ii) 2 channels in VR-C (personal Twitter accounts, and personal blogs);

(iii) 1 grouped channel in LR-C (book signings, CEO roundtables, economic fora, and outside and often-unscripted and unaccompanied conferences and other speaking engagements).

 

            Suggested Micro-level (specific) Ordering?

There appears to be good Commission precedent, indeed a preference, for using multiple sites, or ranking multiple channels as “recognized channels of distribution” for the dissemination of information.  As stated in the 2008 interpretive guidance on use of issuer websites:

“[…] where disclosure of information is required under the Exchange Act, we have allowed companies to make such information available to investors on their web sites with their web sites serving, depending on the circumstance, as a supplement to EDGAR, as an alternative to EDGAR, or as a stand-alone method of providing information to investors independent of EDGAR”.[8]

 

Hence, on one interpretation of this sentence, so long as there is a central or reference site as a recognized channel on which the data is publicly posted and accessible, the data can also be posted elsewhere, on other similarly recognized channel(s) “reasonably designed to provide broad, non-exclusionary distribution of the information to the public”.[9]

 

            REFERENCE SITE (Static Foundational):

For reference sites, I would suggest that co-equality be given to EDGAR, the issuer’s main website, and the issuer’s main Facebook page.  In this way, any or all could be used, deemed, and construed as categorically authoritative.  EDGAR, due to the regulatory filings made there; the issuer’s main website, due to its centrality and expected diligent maintenance; and the issuer’s main Facebook page, due to its popularity as a means to engage in 2-way communication with shareholders, customers, and the public at large.  This triple redundancy also covers for instances where either or both of EDGAR and the issuer’s main website may be inaccessible due to maintenance or unwanted intrusion, in which event a Facebook alert might be speedily issued and significant information releases in the interim period would rapidly there migrate; with the corollary for the issuer’s main website when both EDGAR and Facebook are unavailable.  Of course, issuers will need to ensure that their Facebook pages are pre-set to be fully open and accessible, including for those page visitors who are not Facebook subscribers – as there are still some people who have yet to sign-up, or who were signed-up but have now left.

 

The Commission notes that issuers with large Analyst followings and market capitalizations may need to do little to alert the market to new postings on their websites, which will be rapidly picked up and disseminated by the financial press, but that those issuers with less of a following or market capitalization “may need to take more affirmative steps so that investors and others know that information is or has been posted on the company’s web site and that they should look at the company web site for current information about the company”.[10]  As an example for purposes of this proposal and comment, that might be a blog post, email alert, RSS feed, or tweet (in the VR group) detailing and alerting to the material as already posted on that issuer’s main website; or perhaps a teleconference, news conference, or interim regulatory filing (in the LR group) undertaking to post the materials on the issuer’s main website or another Reference Site at or by a set date and time.

 

In the words of the Commission:

“If the information is important, companies should consider taking additional steps to alert investors and the market to the fact that important information will be posted – for example, prior to such posting, filing or furnishing such information to us or issuing a press release with the information. Adequate advance notice of the particular posting, including the date and time of the anticipated posting and the other steps the company intends to take to provide the information, will help make investors and the market aware of the future posting of information, and will thereby facilitate the broad dissemination of the information”.[11]

 

            VIRTUAL (Virtual Responsibility, and Enhanced Virtual Responsibility):

It is important to state that blogs were specifically in the contemplation of the Commission when the 2008 guidance was issued, with the Commission opining at note 60, that “[f]or purposes of Regulation FD, a posting on a blog, by or on behalf of the company, would be treated the same as any other posting on a company’s web site. The company would have to consider the factors outlined above to determine if the blog posting could be considered “public””.[12]  A blog may highlight additional data on the Reference Site with appropriate wording, but a tweet will need to be very narrowly-tailored as a mere “tombstone” announcement or pointer arrow, in order to avoid attendant liability for omission of material facts in electronic and other disclosures under antifraud and related provisions of the Securities Act (1933), the Securities Exchange Act (1934) and their related Rules and Regulations as amended; and other applicable laws.  So long as the URL is correctly referenced by that tweet, then there should be no misstatement of material fact.

In addition, the Commission was already considering the use of CEO blogs as far back as 2000, when it wrote: “Company-sponsored “blogs,” which can include CEO blogs and investor relations blogs, among others, are recent additions to company web sites”.[13]  The argument can therefore be made that based on this earlier guidance, a CEO blog with a large subscription base is analogous to an issuer’s main blog, and that a CEO Facebook page with a similarly large subscriber base is also akin to the issuer’s main Facebook page.  Hence, rather than competing, each may be considered and treated as a “recognized channel of distribution” in this VR group.  The Commission did not explicitly state or imply this reasoning, but from a cumulative reading of their guidance and a review of the specific facts of the Netflix Investigation, such an argument if made today, should certainly have strong merit.

 

            LIVE (Live Regulated):

As stated earlier, the speakers at a news conference or at an annual shareholders’ meeting are always seen, and very often quite well-known to the audience.  So too, the corporate author of an interim regulatory filing is easily discernible – even if the document is filed by accountants, auditors, or legal counsel.  Things can be a little different with electronic shareholder forums, where nobody is seen or heard – but their words are; with teleconferences, where the speaker is a disembodied voice; and with webinars, where audience members may or may not know enough about the presenters to be able to put a name to a face.  However, due to their very public nature and the likelihood that anything or everything said will be rapidly analyzed and acted-upon by investors, all of these live instances are tightly regulated when involving issuers.  There are legal and commonsense limits on: (i) what may be said that is not certain (speculation and inaccuracy); (ii) what may be predicted that is not guaranteed (earnings estimates and guidance, whether qualitative or quantitative); (iii) work or negotiations recently commenced or in progress (contract negotiations that may or may not close, significant milestones projected or reached, and significant contracts or other engagements secured); and (iv) the type and extent of disclaimers that must accompany forward-looking data, in general.  Thanks to the open access that members of the public have to EDGAR, interim regulatory filings can also be picked up, analyzed, and acted upon quite rapidly.  As a result, the importance of ensuring that information publications and disseminations in all channels of this group are accompanied by one or more of (a) alerts to their release; or (b) timely publication and dissemination of the same actual information through either or both of the other channel groups (SF or VR), is shown here with the greatest of clarity.

 

            Channel Disclosure Sequencing:

Now, knowing what is where, let us consider the following relationship matrix for this schema.

(Rows give the channel group in which the information is first disclosed; columns give the channel group used for the follow-up alert or re-disclosure.  1 = the first-disclosure channel group; 2= = the other two groups, ranked equally, in which a follow-up alert or re-disclosure should be made.)

                       SF      LR      VR
First Disclosure
SF                     1       2=      2=
LR                     2=      1       2=
VR                     2=      2=      1

Following this sequencing table:

(i) Where information is first disclosed in a Static Foundational (SF) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should be disclosed, in either or both of a Live Regulated (LR) channel and a Virtual Responsibility (VR) channel (including the three Enhanced Virtual Responsibility channels).

(ii) Where information is first disclosed in a Live Regulated (LR) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should be disclosed, in either or both of a Static Foundational (SF) channel and a Virtual Responsibility (VR) channel (including the three Enhanced Virtual Responsibility channels).

(iii) Where information is first disclosed in a Virtual Responsibility (VR) Channel (whether or not “Enhanced”), alerts as to this disclosure (whether intentional or unintentional) should be timely posted or the original information should also be disclosed, in either or both of a Static Foundational (SF) channel and a Live Regulated (LR) channel.

 

Each case must be judged on its own merits, as the Commission so rightly states.  However, with the ability to interlink and cross-post or simul-post on social media accounts, it is not impossible for a Facebook or blog-happy C-Suite member to simultaneously or shortly thereafter tweet a quick link of the posting that can be caught by and posted on, the issuer’s main website, blog, or Facebook page – with or without an added human intermediary, but hopefully with prior clearance as to both postings, by the IR Director and legal counsel.  However, if a selective (VR tweet) disclosure of material non-public information follows a selective (webinar Q&A or other unscripted LR) disclosure of the same, then the third SF group (Form 8-K in EDGAR, the issuer main website, and the issuer main Facebook page) will remain open for a corrective and “public” disclosure within the prescribed time limits, before greater liabilities and penalties can accrue.

“Indeed, one of the key benefits of the Internet is that companies can make information available to investors quickly and in a cost-effective manner”.[14]

 

It is notable that a number of print media houses are transitioning fully or preferably to an online format, making the speed at which they can issue story updates (and analyst updates in the financial press) as gleaned from issuer sources and sites, that much faster.  In addition, a tweet or a Facebook update costs practically nothing, financially, and the effort with the limited character content of the former, is negligible.  However, to follow-up on that short message, can be quite a challenge at times.  The speed of dissemination advantage for the disseminator, should not come at the expense of public convenience, or lead to confusion in that investors cannot determine where to look first, or where to look for the most definitive and most frequently and recently updated statement of a relevant situation, or guidance on an issuer’s financial position.

 

Channel Usage and Ranking for Disclosures:

“We emphasize for issuers that the steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, non-public information, including the social media channels that may be used and the types of information that may be disclosed through these channels, are critical to the fair and efficient disclosure of information. Without such notice, the investing public would be forced to keep pace with a changing and expanding universe of potential disclosure channels, a virtually impossible task”.[15]

 

As the Commission had so rightly concluded, in order for this schema to function properly (i.e. to avoid forcing the investing public to spend time scrambling through channels in search of that information, while missing opportunities), issuers and non-issuers alike will need to state which of the 22 channels they will regularly use for their material and general disclosures in the three channel categories, in what order those channels might best be consulted, and which types of regulated information will be disseminated on which disclosure channels.  This sounds complicated, but categorizing the universe of potential regulated information – both day-to-day and for special situations, will likely assist.  I would propose just four such non-exhaustive categories of regulated information: (1) Availability of channels; (2) Market financial data; (3) Pending, planned, or public events; and (4) Significant public announcements.  To avoid repetition, these will be defined further in the below draft format of a re-stated Regulation FD.

 

Collective “hashtags” Rules for these 22 Channels.

In order to work towards steady compliance with the various standards that may be applicable to the making of statements, generally, and information management in particular (always consult legal counsel for your specific situation and jurisdiction), entities – issuers and non-issuers alike, might further consider the “hashtags” rules, which read as follows.

 

H-ardware and bandwidth considerations and ERP should be tailored to such factors as issuer market capitalization, number of shareholders, and likelihood of an event that might precipitate a spike in web traffic;

 

A-ccess and acceptance logs (with periodic counts and inventory of linkers, likers, subscribers, and followers and so forth), to show the degree to which a site is accessed by investors, the markets, and the media (all being and remaining subject to the “do not track me”, or “please forget me”, and other such evolving digital rights that may butt against it), may also be desirable to establish and maintain;

 

S-tructure, Sincerity, and Security, means that the policies and procedures at the issuer should be designed to ensure: (i) Structure – appropriate disclosure controls and procedures should be in place and enforced, and only certain persons should be authorized and trained to release information and represent the issuer online, and monitored and re-trained as needed on an ongoing basis; (ii) Sincerity – facts and figures should not be released unless verifiable or otherwise justifiable, and positions should not be taken that are subject to serious challenge as insincere or in violation of applicable securities or other law; and (iii) Security – significant care should be taken to guard against hacking and spoofing, hijack, DDoS attack and the like, as well as premature or inappropriate information release, the posting of damaging messages by activists[16] or disgruntled employees as purportedly from the issuer, or other lapse or mishap;

“Since all communications made by or on behalf of a company are subject to the antifraud provisions of the federal securities laws, companies should consider taking steps to put into place controls and procedures to monitor statements made by or on behalf of the company on these types of electronic forums”.[17]

 

H-yperlinks should be: (i) avoided if to information an issuer knew or should have known was materially false or misleading; and (ii) otherwise used with linking explanations or rationales, responsibility disclaimers (to the extent a linking issuer wasn’t involved or “entangled” in the preparation of the linked information), content disclaimers (to the extent a linking issuer does not explicitly or implicitly endorse, approve, or otherwise “adopt” the linked information), and (iii) if possible, exit notices or standalone intermediate screens preceding access to linked data offsite;[18]

 

T-raditional channels and Talking-points, means that the issuer should continue to use traditional channels alongside social media channels, in order to: (i) properly control and coordinate its Public Relations and Investor Relations (PR/IR) functions; (ii) maintain consistency of message, brand, and information release procedures across all channels used; and (iii) retain the capacity and credibility to speedily correct erroneous information released, and make the necessary subsequent public releases, following the intentional or inadvertent release of material nonpublic information.[19]  Failure to maintain use of traditional channels may subject an issuer to allegations of discrimination or lack of notice by those “non-avid” new media users, or those who prefer primary reliance on print and broadcast media for their news & current affairs;

 

A-lways date- (and where advisable, also time-) stamp new releases, or as “last modified”; and archive older material separately, but in searchable or browsable format, so as to avoid any confusion regarding the precedence of the data and statements contained therein, and to maintain safe harbor protections against re-publication of previously published and posted (historical) materials or statements – absent some “affirmative restatement or reissuance” of same, which may invoke antifraud legal proscriptions and an affirmative duty to clarify and/or update them;

 

G-enerate distance, always, from third-party posts and statements in online and interactive fora such as Shareholder fora, especially mis-statements; and always remind other participants that silence does not equate agreement, consent, or endorsement, and of the forum’s terms of use (which should never precondition usage on participant waiver of their securities law protections);

 

S-ummaries, Propriety, Overviews, and Tombstones, means that each and all of these should be appropriately delineated as such (with titles, added explanatory language and terms, or website placement and display in close proximity to hyperlinks to the underlying material, where appropriate), and clear directions to readers on where and how to access the underlying information on which they are based.  In addition, the propriety (of content, manner, and timing) should always be vetted prior to release in seeking the advice of counsel, which is an indicia of good faith and best efforts in attempting compliance with Regulation FD; and any other data necessarily disclosed so as to make those summaries not materially misleading, confusing, or incomplete, should be disclosed with the release, or timely thereafter with prior notice to expect it – especially (if possible) within the limited character sets of tombstone releases via Twitter.

 

A Restated Regulation FD, as re-vamped per the above considerations, may well resemble the following markup:

 

*************************************************

§ 243.100 General rule regarding selective disclosure.

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(k).  (e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

 

(b)

(1) Except as provided in paragraph (b)(2) of this section, paragraph (a) of this section shall apply to a disclosure made to any person outside the issuer:

(i) Who is a broker or dealer, or a person associated with a broker or dealer, as those terms are defined in Section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a));

(ii) Who is an investment adviser, as that term is defined in Section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(11)); an institutional investment manager, as that term is defined in Section 13(f)(6)of the Securities Exchange Act of 1934 (15 U.S.C. 78m(f)(6)), that filed a report on Form 13F (17 CFR 249.325) with the Commission for the most recent quarter ended prior to the date of the disclosure; or a person associated with either of the foregoing. For purposes of this paragraph, a “person associated with an investment adviser or institutional investment manager” has the meaning set forth in Section 202(a)(17) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(17)), assuming for these purposes that an institutional investment manager is an investment adviser;

(iii) Who is an investment company, as defined in Section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3), or who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) thereof, or an affiliated person of either of the foregoing. For purposes of this paragraph, “affiliated person” means only those persons described in Section 2(a)(3)(C), (D), (E), and (F) of the Investment Company Act of 1940 (15 U.S.C. 80a-2(a)(3)(C), (D), (E), and (F)), assuming for these purposes that a person who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) of the Investment Company Act of 1940 is an investment company; or

(iv) Who is a holder of the issuer’s securities, under circumstances in which it is reasonably foreseeable that the person will purchase or sell the issuer’s securities on the basis of the information.

 

(2) Paragraph (a) of this section shall not apply to a disclosure made:

(i) To a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant);

(ii) To a person who expressly agrees to maintain the disclosed information in confidence;

(iii) In connection with a securities offering registered under the Securities Act, other than an offering of the type described in any of Rule 415(a)(1)(i) through (vi) under the Securities Act (§ 230.415(a)(1)(i) through (vi) of this chapter) (except an offering of the type described in Rule 415(a)(1)(i) under the Securities Act (§ 230.415(a)(1)(i) of this chapter) also involving a registered offering, whether or not underwritten, for capital formation purposes for the account of the issuer (unless the issuer’s offering is being registered for the purpose of evading the requirements of this section)), if the disclosure is by any of the following means:

(A) A registration statement filed under the Securities Act, including a prospectus contained therein;

(B) A free writing prospectus used after filing of the registration statement for the offering or a communication falling within the exception to the definition of prospectus contained in clause (a) of section 2(a)(10) of the Securities Act;

(C) Any other Section 10(b) prospectus;

(D) A notice permitted by Rule 135 under the Securities Act (§ 230.135 of this chapter);

(E) A communication permitted by Rule 134 under the Securities Act (§ 230.134 of this chapter); or

(F) An oral communication made in connection with the registered securities offering after filing of the registration statement for the offering under the Securities Act.

[65 FR 51738, Aug. 24, 2000, as amended at 70 FR 44829, Aug. 3, 2005; 74 FR 63865, Dec. 4, 2009; 75 FR 61051, Oct. 4, 2010; 76 FR 71877, Nov. 21, 2011]


§ 243.101 Definitions.

This section defines certain terms as used in Regulation FD (§§ 243.100 – 243.103).

(a) Availability of channels.  “Availability of channels” means, with regard to any or all of the channels identified and defined under this § 243.101 wherein material nonpublic information and general company information may be discussed or disclosed, their status as available to the public for access, attendance, and consultation, along with any restrictions or pre-conditions, or the reasons for their non-availability to the extent known and/or prudent, with projected timelines for resumption of availability.


(b) Categories of regulated information.  “Categories of regulated information”, as defined under this § 243.101, collectively and individually means, as described herein:

(1) Availability of channels.

(2) Market financial data.

(3) Pending, planned or public events.

(4) Significant public announcements.


(c) Channels.  “Channels”, collectively and individually means:

(1) A static foundational group, including as of or by the entity, a corporate website, a corporate blog, an annual report, and the Commission’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.

(2) A live and regulated group, including as of or by the entity, any teleconference, webinar, news conference, annual shareholder meeting, electronic shareholder forum, or interim regulatory filing including restatements of interim and annual reports, that occurs between annual reports.

(3) A virtual responsibility group, including Twitter, YouTube, blogs, RSS feeds, email alerts, SMS/texts, and print or electronic press releases.

(4) An enhanced virtual responsibility group, including as of or by the entity, any Twitter account, blog, Facebook page, or personal website of a senior official, or one so closely identified with a senior official by sufficient members of the public as to require its inclusion here, as well as any senior official book signing, roundtable, economic forum, or outside conference or speaking engagement.


Note (channels):

The Commission recognizes and notes that this listing is not exhaustive and remains subject to change with existing and developing technologies and business practices, and company Boards of Directors are encouraged to use their own business judgment in assessing which additional channels they will place in these above categories either as and when they appear or occur or arise, or before they appear or occur or arise.


(d) Channel usage and ranking for disclosures.  “Channel usage and ranking for disclosures”, shall mean the listing by an issuer of which of the channels identified herein it shall use for disclosing both general information and categories of regulated information, as well as for making general communications to investors, consumers, the markets and the public.  This listing shall be accompanied by a ranking of where to look first, second, third, and so forth, in issuers’ crafting and maintenance of systems that are reasonably designed to provide broad, non-exclusionary distribution of information to the public.  Such a channel usage and ranking for disclosures will prevent investing and other interested members of the public from having to scramble through multiple channels as defined herein, in search of critical and  time-sensitive categories of regulated information that others can more easily find and use to guide their decision-making.


(e) (a) Intentional. A selective disclosure of material nonpublic information is “intentional” when the person making the disclosure either knows, or is reckless in not knowing, that the information he or she is communicating is both material and nonpublic.


(f) (b) Issuer. An “issuer” subject to this regulation is one that has a class of securities registered under Section 12 of the Securities Exchange Act of 1934 (15 U.S.C. 78l), or is required to file reports under Section 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(d)), including any closed-end investment company (as defined in Section 5(a)(2) of the Investment Company Act of 1940) (15 U.S.C. 80a-5(a)(2)), but not including any other investment company or any foreign government or foreign private issuer, as those terms are defined in Rule 405 under the Securities Act (§ 230.405 of this chapter).


(g) Long weekend.  “Long weekend” shall mean a weekend that, due to a fixed or floating celebration, holiday, or festive event recognized as a United States federal holiday, is at least 3 (“three”) days in length by the addition of a Friday or a Monday or both, and during the full business days or partial business days of which any 2 (“two”) of the New York Stock Exchange (NYSE) for all physically-traded securities, the National Association of Securities Dealers Automated Quotation (NASDAQ) system for securities of issuers regulated by the Commission, and the Chicago Board Options Exchange (CBOE) for all trading activities, are closed for business.


(h) Market financial data.  “Market financial data” means any earnings, financial projections and data, any changes to earnings or financial projections and data, any significant or notifiable trades or movements in the securities or instruments of the entity, and any and all regulatory filings with the United States Securities and Exchange Commission (SEC) or other domestic or foreign body of the same or similar competence.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(i) Pending, planned, and public events.  “Pending, planned, and public events” means any meeting of the Board of Directors or Shareholders, any public appearance or speaking engagement of a senior official of the entity as defined under this § 243.101, where material information may be discussed or disclosed (which engagement’s initial notification and the eventual attendance of persons may be conditioned on appropriate security considerations, advisories, and precautions), any real or virtual meeting with Analysts, any teleconference or press conference, any meeting of shareholders, and any other happening, prior to its happening, that the entity wishes to publicize or is required to publicize, subject to appropriate security considerations, advisories, and precautions.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(j) (c) Person acting on behalf of an issuer. “Person acting on behalf of an issuer” means any senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser), or any other officer, employee, or agent of an issuer who regularly communicates with any person described in § 243.100(b)(1)(i), (ii), or (iii), or with holders of the issuer’s securities. An officer, director, employee, or agent of an issuer who discloses material nonpublic information in breach of a duty of trust or confidence to the issuer shall not be considered to be acting on behalf of the issuer.


(d) Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.


(k) (e) Public disclosure.

(1) Except as provided in paragraph (e) (k)(3) and paragraph (k)(4) of this section, an issuer shall make the “public disclosure” of information required by § 243.100(a) by furnishing to or filing with the Commission a Form 8-K (17 CFR 249.308) disclosing that information.

(2) An issuer shall be exempt from the requirement to furnish or file a Form 8-K if it instead disseminates the information through another method (or combination of methods) of disclosure in accordance with its channel usage and ranking for disclosures and section (k)(3) or (k)(4), as appropriate, that is reasonably designed to provide broad, non-exclusionary distribution of the information to the public.


Intentional Disclosures.

(3) Where the issuer becomes aware that material non-public information has been intentionally disclosed as defined in § 243.100(a), the issuer shall:

(i) First make the information that was intentionally so disclosed available on a static foundational site:

(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;

(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;

(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;

(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;

(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;

(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;

(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:

(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.

(1.2) the issuer shall make the additional or corrective disclosures;

(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;

(ii) In any and all of (k)(3)(i)(A) through (k)(3)(i)(F) except (k)(3)(i)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.

(iii) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.


Note: (Compliance burden):

With the advent and wide availability of mobile productivity tools and applications, the Commission does not see it as an undue burden for an issuer to be required to post material nonpublic information or any corrective disclosure after the intentional or unintentional release of material nonpublic information, either or both of which may well already be readily available to the senior officer responsible for the corrective disclosure as an email attachment or other portable document, to a given channel after a trading day or over a weekend or Long Weekend.


Non-intentional Disclosures.

(4) Where the issuer becomes aware that there has been a non-intentional disclosure of material non-public information as described in § 243.100(a), the issuer shall:

(i) First alert investors to the non-intentional disclosure on either or both of a live regulated channel and a virtual responsibility channel, along with the anticipated location on a static foundational channel and a timeline for the pending availability of that material nonpublic information or any corrective disclosure on a static foundational channel, within 6 (“six”) hours of the original release on any trading day, and within 12 (“twelve”) hours of the original release on any weekend or Long Weekend;

(ii) The issuer shall thereafter make the information that was unintentionally disclosed, available on a static foundational site:

(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;

(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;

(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;

(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;

(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;

(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;

(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:

(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.

(1.2) the issuer shall make the additional or corrective disclosures;

(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;

(iii) In any and all of (k)(4)(ii)(A) through (k)(4)(ii)(F) except (k)(4)(ii)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.

(iv) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.


(f) Senior official. “Senior official” means any director, executive officer (as defined in § 240.3b-7 of this chapter), investor relations or public relations officer, or other person with similar functions.


(l) Senior official.  “Senior official” means, for purposes of this Regulation FD (§§ 243.100 – 243.103) and with regard to an issuer, any member of the board of directors, any executive officer charged with overall administration or operations, any officer in charge of a principal business unit or division or function, including without limitation, contingencies, finance, human resources, information or technology systems, international operations, investor relations, legal affairs, logistics, marketing, public relations, regulatory compliance, sales, or any significant project or initiative or policymaking function, whether styled as a director, or a president or a vice-president, or otherwise, and including other senior officials with the same or similar functions in any subsidiary of the issuer, as well as the issuer and the issuer representative or issuer representatives as the case may be in a business combination or joint venture or consortium or coalition in which the issuer or a subsidiary of the issuer holds an overall voting position or a right to the gross or net receivables in excess of 15 (“fifteen”) percent of the total in any class or sub-class of instrument, whether or not contingent, evidencing a right to such voting position or a right to share in the gross or net receivables of a business combination or joint venture or consortium or coalition.  Any other officer or employee or authorized agent of the issuer who is not a senior official by title or function but who has established what the issuer or a third party may reasonably consider to be a significant following, readership, subscriber base or like status in the social or professional milieu, whether through or as a demonstrably recognized channel of distribution for matters of or relating to the issuer, shall also be considered and treated by the issuer as a senior official for purposes of this Regulation FD.


(m) (g) Securities offering. For purposes of § 243.100(b)(2)(iv) [iii – Dodd Frank, 10.4.2010]:

(1) Underwritten offerings. A securities offering that is underwritten commences when the issuer reaches an understanding with the broker-dealer that is to act as managing underwriter and continues until the later of the end of the period during which a dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated);

(2) Non-underwritten offerings. A securities offering that is not underwritten:

(i) If covered by Rule 415(a)(1)(x) (§ 230.415(a)(1)(x) of this chapter), commences when the issuer makes its first bona fide offer in a takedown of securities and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities in that takedown (unless the takedown is sooner terminated);

(ii) If a business combination as defined in Rule 165(f)(1) (§ 230.165(f)(1) of this chapter), commences when the first public announcement of the transaction is made and continues until the completion of the vote or the expiration of the tender offer, as applicable (unless the transaction is sooner terminated);

(iii) If an offering other than those specified in paragraphs (a) and (b) of this section, commences when the issuer files a registration statement and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated).


(n) Significant public announcement.  “Significant public announcement” means any announcement or notification to the public that could be reasonably considered to impact the market in share price or trading volume of the securities of the issuer or otherwise impact upon the decision of any person or entity to invest or not invest in the issuer, including if internal to the issuer or an affiliate of the issuer any environmental events, legal and regulatory actions, investigations, incidents involving internal controls, or cyber incidents, and if external to the issuer and its affiliates but that the Board of Directors reasonably determines may have an impact in the chain of supply or the markets of the issuer or on the operations of the issuer, then any of the above events of any other entity or party or group or affiliation of entities or parties in any combination, in any place or jurisdiction, including any political event or events.  This listing is not exhaustive and Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(o) Trading day.  “Trading day” is defined as running from 9:30 a.m. to 4:00 p.m. Eastern Standard Time from Monday through and including Friday, in accordance with the regular business hours of the physical New York Stock Exchange (NYSE) in New York City, United States of America.  Any earlier cessation of trading on a trading day or any curtailment or expansion of a trading day whether planned or unplanned, shall be treated for purposes of this Regulation FD, as provided in this Regulation FD (§§ 243.100 – 243.103).


§ 243.102 No effect on antifraud liability.

No failure to make a public disclosure required solely by § 243.100 shall be deemed to be a violation of Rule 10b-5 (17 CFR 240.10b-5) under the Securities Exchange Act.


********************************************

Possible Approaches for Issuers and Non-issuers alike.

Whether or not they utilize the above-presented schema and/or channel ordering, it would be prudent for issuers and non-issuers alike to adopt some form of channel usage and ranking for their disclosures, and to post it at a standalone hard link or prominently within the legal and disclaimers sections of their Static Foundational channels (website, Facebook, filings).


“We have since encouraged ‘honest, carefully considered attempts to comply with Regulation FD’.”  (Securities and Exchange Commission, Release No. 34-69279 of April 2, 2013, at page 2,[20] citing Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc., Release No. 34-46898 (Nov. 25, 2002).)[21]


Adopting the spirit of the foregoing (whether or not it becomes law) may become one such honest and carefully considered attempt to comply with Regulation FD, in which investors and members of the general public can see the sequence of channels through which the most accurate, relevant, and timely words of an issuer or any other company are disseminated, and consult those channels in order of precedence to determine the most current state of affairs.  Such an approach may assist in limiting certain liabilities for companies as they alert, release to, materially disclose to, update, and otherwise educate investors, market intermediaries, customers, and the public.  This will help stabilize markets at volatile times and grow Regulation FD compliance by ensuring that no investor is unduly favored or unfairly disadvantaged in accessing “material nonpublic information” from or about a company, whether or not that company is an “Issuer”.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, public finance and state Blue Sky laws, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com


He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com


Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).


Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] General Rule Regarding Selective Disclosure, also known as “Regulation FD” (Fair Disclosure).

[2] Id.

[3] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance).  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[4] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  Release No. 34-69279 / April 2, 2013.  Online: http://www.sec.gov/litigation/investreport/34-69279.pdf

[5] Id. at 1, 4. This journey began on July 3, 2012, when Reed Hastings, the Netflix CEO, posted the following on his personal Facebook page just before 11:00 a.m., Eastern time:

Congrats to Ted Sarandos, and his amazing content licensing team.  Netflix monthly viewing exceeded 1 billion hours for the first time ever in June.  When House of Cards and Arrested Development debut, we’ll blow these records away.  Keep going, Ted, we need even more!

As (i) Netflix had not previously advised shareholders that the CEO’s Facebook page would be used to make such announcements; (ii) the CEO had not used his personal Facebook page to make such company-related announcements in the past; and (iii) the Facebook announcement was neither accompanied by nor shortly thereafter followed by any press release, any announcement on the main Netflix Facebook page or website, or any interim regulatory filing (e.g. Form 8-K, which is an omnibus interim regulatory filing format), the Commission took issue and commenced an investigation.  Of note, the share price stood at $70.45 at the time of posting, and the markets closed 2 hours later at 1:00 p.m. for the 4th of July holiday.  Even though Reed Hastings had 200,000+ subscribers to his personal Facebook page at the time (including shareholders, analysts, bloggers, and reporters), the posted message diffused only slowly through regular and online social channels.  Despite this, the Netflix share price had risen to $81.72 at the close of the first trading day after the July 4th holiday break.

[6] Id. at 5.

[7] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance), at 8-9.  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[8] Id. at 12.

[9] Id. at 25.

[10] Id. at 21.

[11] Id. at 23.

[12] Id. at 26.

[13] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance), at 41.  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[14] Id. at 6.

[15] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  Release No. 34-69279 / April 2, 2013, at 7.  Online: http://www.sec.gov/litigation/investreport/34-69279.pdf

[16] See e.g. CBC News.  Fake White House bomb report causes brief stock market panic: Associated Press Twitter account hacked.  Posted (and occurring) on April 23, 2013.  Online: http://www.cbc.ca/news/business/story/2013/04/23/business-ap-twitter.html

[17] Supra note 13 at 40-41.

[18] Id. at 32.

[19] See generally In the Matter of Secure Computing Corporation and John McNulty, Release No. 34-46895 / November 25, 2002.  Online: >http://www.sec.gov/litigation/admin/34-46895.htm< ; Litigation Release No. 17860 (Securities and Exchange Commission v. Siebel Systems, Inc. (Civil Action No. 1:02-CV02330 (JDB)).  Online: >http://www.sec.gov/litigation/complaints/comp17860.htm< ; In the Matter of Siebel Systems, Inc., Release No. 34-46896 / November 25, 2002.  Online: > http://www.sec.gov/litigation/admin/34-46896.htm< ; In the Matter of Raytheon Company and Franklyn A. Caine, Release No. 34-46897 / November 25, 2002.  Online: > http://www.sec.gov/litigation/admin/34-46897.htm<

[20] See Supra note 15.

[21] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc.  Release No. 34-46898 / November 25, 2002.  Online: >http://www.sec.gov/litigation/investreport/34-46898.htm<

I would say there are essentially 7 (“seven”) stages in this trajectory, being:

(i) SaaP;

(ii) SaaS;

(iii) SaaR;

(iv) S3aUR;

(v) PCSS;

(vi) SaEE/SaEA;

(vii) PC3S.

Kindly allow me to explain.

SaaP – Software as a Product:

(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.

SaaS – Software as a Service:

(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value was added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring the outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.

SaaR – Software as a Right:

(iii) Although many don’t quite see it – due to the fact that Stage 4 is already taking the limelight ahead of its time – Stage 3 is when we start to see Software as a Right (SaaR).  Software is becoming a right because cost-cutting has led several European and North American governments to cut funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with and sometimes without first putting them through the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications), and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) move online, software becomes a right, to the extent that people need it for access to these essentials of daily living.

S3aUR – Software and Systemic Security at Undue Risk:

(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk in multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and just bad design, mismatched configuration, or absent/inactive management.  There are climatic and other intervening “exigent events”.  However, the argument will always be made that these (including climate change), were predictable, and could therefore have been better planned for and their effects, controlled.

PCSS – Persistent Cloud Security Systems:

(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how best to structure,[4] roll out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real-time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in, so as to work consistently and predictably with common rules or principles to drill down on, rein in, and prosecute actors in the under-most belly of the Deep Web.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4’s insecurity tsunami.

SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation:

(vi) Of course, being a non-Wizard, I cannot say precisely what term will be used.  It is possible, just as is currently the case with the Stage 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether by pull-down or push-out from the update source, will eventually start to fall too far behind the developing threats and vulnerabilities presented.  At that point, one or more governments may “force” this Stage 6.

There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.

Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.

As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.

PC3S – Pure Collectivized Communications Culture System:

(vii) Then, once everyone who counts or wants to count is wired-up (or at least, all who want to be able to eat & drink, fully & freely exercise inalienable rights, or buy & sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay-as-you-go system with monthly user fees and transaction levies – ePayment only, in a cashless society, with interest-bearing pay-day loans preferred so as to keep everyone happily hard at work for their own self-serving purposes – that by definition includes all but the “obvious terrorists”), we will have that Stage 7, in a Pure Collectivized Communications Culture System.  If software becomes embedded to get around hacking, then who is to say that a person’s brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders) will resist the temptation to hack someone’s brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20th and 21st Century books and movies may quickly come to mind.[6]

SUMMARY:

Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in these above 7, that have already taken place, or that are …. “something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor”!  It is said that being fore-warned is to be fore-armed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] See e.g. Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published on ogalaws.wordpress.com, January 17, 2013.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[2] See Adam Edelman/New York Daily News.  Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: >http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372<  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting business that will take all-comers, “except child porn and anything related to terrorism”), and The Spamhaus Project (a non-profit centred in London and Geneva, but with operating nodes in ten nations, that “works to help email providers filter out spam”), has led to the largest DDoS in history, with an attack magnitude of 300 billion bits per second (300 Gbps), when 50 billion bits per second would suffice to bring down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack” just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators.  Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  See Infra, note 5.  See also The Spamhaus Project homepage.  Online: >http://www.spamhaus.org/organization/<; The Cyberbunker Data Centers homepage.  Online: >http://www.cyberbunker.com< (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article posted).

[3] See e.g. Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[4] See e.g. Mikael Ricknäs, IDG News Service.  AWS takes aim at security conscious enterprises with new appliance.  Published on itworld.com, March 27, 2013.  Online: >http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359<  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  SOD best practices are thus clearly translated into the cloudsphere.

[5] See Gil David.  The Dark Side of the Internet.  Published on israeldefence.com, December 1, 2012.  Online: >http://www.israeldefense.com/?CategoryID=483&ArticleID=1756<  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “Internet of Things” to come.

[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society as machines did so much, that people would have more time on their hands to relax and actually enjoy life.  Now, the “massively unemployed, migrating mass populations” in almost all geographic zones and nations, mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union –or with one or more of its “pending former” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.

Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors, right here in North America, might be the greatest danger and the weakest link in the chain.  The story recently surfaced of a man who had outsourced his many software development contracts at several different employers, to offshore developers in China.[3]  He provided them with all his access codes and scripts, and was basically absent at work.  For how long he did this, or how much additional data those sub-contractors were able to access and potentially download from those employers, and who they were … we may never fully know!


As I have stated at length,[4] you need to take a comprehensive approach to Cybersecurity that also watches the employees and contractors at your back, while you are watching the outsiders in front of you.  In scanning only those 180 degrees left to right, and those 180 degrees north to south at your front, you are missing exactly that same size of iceberg at your back.  You must engage in strict Segregation of Duties, initial background checks, datalogs and audit trails, constant network monitoring, and other actions.


Apparently, only one of his employers noticed a problem, and sought (outsourced) a deeper look.  Even then, why did it take so long for them to discover that: (i) the credentials assigned to a domestic worker; (ii) were accessing the system out of work hours, almost non-stop; (iii) from a place where the worker was not last noted to have traveled?  There needs to be more of a focus on internal security, employee access logging (where and when, for how long, and how frequently), and real-time system access audits.
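The three signals named above (a domestic worker’s credential in use out of hours, almost non-stop, from a country the worker was not recorded as travelling to) can be checked mechanically against VPN or gateway authentication logs.  The Python below is an added example written for this post; it is not the author’s code and not taken from the Verizon case study in note 5.  The log format, the account names, the HR “home country” roster, and the thresholds (a business window of 08:00 to 18:00, more than half of connected time outside that window, and more than 12 connected hours in one calendar day) are all assumptions, and the sample log lines are constructed.

```python
"""Added example: flag VPN accounts whose usage pattern suggests the credential
is being used by someone other than the assigned employee.

Everything here is constructed for illustration: the log format, the account
names, the HR roster and the thresholds are assumptions, not a real product's
schema or a real incident's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> user=<id> src_country=<ISO code> event=<login|logout>"
SAMPLE_LOG = """\
2012-05-07T08:55:02Z user=bob src_country=CN event=login
2012-05-07T09:01:30Z user=alice src_country=US event=login
2012-05-07T17:30:00Z user=alice src_country=US event=logout
2012-05-07T18:02:11Z user=bob src_country=CN event=logout
2012-05-07T19:10:45Z user=bob src_country=CN event=login
2012-05-07T22:15:00Z user=alice src_country=US event=login
2012-05-07T22:45:00Z user=alice src_country=US event=logout
2012-05-08T06:40:00Z user=bob src_country=CN event=logout
"""

# Assumed HR roster: the country each account holder is recorded as working from.
HOME_COUNTRY = {"bob": "US", "alice": "US"}

# Assumed business window, in the log's time zone (UTC here).
WORK_START_HOUR, WORK_END_HOUR = 8, 18


def parse_events(text):
    """Turn log lines into (timestamp, user, country, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, kv["user"], kv["src_country"], kv["event"]))
    return sorted(events)


def build_sessions(events):
    """Pair each login with the next logout for the same user.

    A login with no matching logout (still connected at end of log) is dropped
    here; a production version would treat it as an open-ended session instead.
    """
    open_logins, sessions = {}, defaultdict(list)
    for when, user, country, event in events:
        if event == "login":
            open_logins[user] = (when, country)
        elif event == "logout" and user in open_logins:
            start, country = open_logins.pop(user)
            sessions[user].append((start, when, country))
    return sessions


def split_by_day(start, end):
    """Yield (date, duration) pieces of [start, end) cut at midnight."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        nxt = day + timedelta(days=1)
        lo, hi = max(start, day), min(end, nxt)
        if hi > lo:
            yield day.date(), hi - lo
        day = nxt


def business_overlap(start, end):
    """Part of [start, end) that falls inside the assumed business window."""
    total = timedelta()
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        lo = max(start, day + timedelta(hours=WORK_START_HOUR))
        hi = min(end, day + timedelta(hours=WORK_END_HOUR))
        if hi > lo:
            total += hi - lo
        day += timedelta(days=1)
    return total


def analyze(log_text, roster, max_off_hours_share=0.5, max_hours_per_day=12):
    """Return {user: [reasons]} for every account with at least one session.

    The reasons are the three signals the post says were missed: a source
    country other than the one on record, most connected time outside business
    hours, and more connected time in a calendar day than one person in one
    time zone plausibly works.
    """
    findings = {}
    for user, sessions in build_sessions(parse_events(log_text)).items():
        reasons = []
        foreign = sorted({c for _, _, c in sessions if c != roster.get(user)})
        if foreign:
            reasons.append("foreign_source:" + ",".join(foreign))
        total = sum((e - s for s, e, _ in sessions), timedelta())
        in_hours = sum((business_overlap(s, e) for s, e, _ in sessions), timedelta())
        if total and (total - in_hours) / total > max_off_hours_share:
            reasons.append("off_hours")
        per_day = defaultdict(timedelta)
        for s, e, _ in sessions:
            for day, piece in split_by_day(s, e):
                per_day[day] += piece
        busy = sorted(str(d) for d, t in per_day.items() if t > timedelta(hours=max_hours_per_day))
        if busy:
            reasons.append("near_continuous:" + ",".join(busy))
        findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in analyze(SAMPLE_LOG, HOME_COUNTRY).items():
        print(user, "->", ", ".join(reasons) or "no findings")
```

On the constructed log, “bob” is reported for all three reasons (source country CN against a recorded US location, about 56% of connected time outside the window, and roughly 14 connected hours on 2012-05-07), while “alice”, who works a normal day plus one short evening session from her recorded country, produces no findings.  The thresholds are deliberately parameters: the right values depend on the workforce, and a review that only looks at a single login event, rather than at the pattern across sessions and days, would have missed exactly the case the post describes.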


Clearly, it seems that some U.S. employers are still far from having a serious approach to Cybersecurity.[5]

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is also an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.



[1] Mark Clayton, Staff writer.  Cyber security in 2013: How vulnerable to attack is US now?  Published on csmonitor.com, January 9, 2013.  Online: >http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video<

[2] Ed Beeson/The Star-Ledger.  N.J. businesses should brace for higher cyber security costs, complexity, experts warn.  Published on nj.com, January 15, 2013.  Online: >http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html<

[3] Claire Gordon.  Man Reportedly Outsources His Own Job To China — Then Spends His Time Watching Cat Videos.  Published on jobs.aol.com, January 16, 2013.  Online: >http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/<

[4] Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on ogalaws.wordpress.com, December 9, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[5] More details about the May, 2012 discovery of that employee are available here.  See Andrew Valentine.  Case Study: Pro-active Log Review Might Be A Good Idea.  Published on verizonbusiness.com, January 14th, 2013.  Online: >http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659<

Business is complex:

Operating a successful business has become extremely complicated, especially operating a decentralized business that moves people and products (or services) on a cross-national basis.  The CEO is technically called-upon to have a finger on the pulse of the business, the share price (if a public entity), the applicable regulatory regimes (local, provincial or state, national, and regional with regard to its principal jurisdiction, then the same again for every nation in which it operates), Cybersecurity and privacy laws and protections, contingency planning, HR practices (both for the main entity and for any subcontractors in each and every jurisdiction where such subcontracting has gone), marketing and branding efforts both online and offline, and so forth.

CEOs are overworked:

At the same time, and as a result of this requirement for all-seeing and all-knowing CEO qualities (ready at a moment’s notice, or with minimal briefing, to respond to an unscripted journalistic query or a legislative summons, subpoena, and investigation), a constant stream of what used to be paper that you could see, pile, and file, and watch decrease in amount, but is now “all electronic” (voicemails on both the portable smartphone and the office line, emails, texts, and attached spreadsheets, letters, and memos), demands to be immediately addressed.  Is it any wonder then, the occasional intentional fraud coming to light aside, that a few things will be missed every now and then?

Help is available:

Most if not all CEOs have assistants, and VPs or Directors to assist them in running the company, with a handful of senior officers who may even add the “Chief” designation in their titles.  But, is it now time to go a little further, and broaden the pool of C-Suite membership?  I would say, yes, and propose an expansion to 10 (“ten”) such members, including the CEO, as divided into 4 working groups – in a “10/4 Formula”.

Ten Executive Officers:

As listed in acronym alphabetical order, the expanded “10/4” C-Suite would include the following members.

1. Chief Administrative Officer (CAO);

2. Chief Contingency policies, plans, and practices Officer (CCO);

3. Chief Executive Officer/Executive Director (CEO);

4. Chief Financial Officer/Comptroller (CFO);

5. Chief Information Communications Technology Officer (CIO);

6. Chief Legal Officer/General Counsel (CLO);

7. Chief Marketing Officer (CMO);

8. Chief Operating Officer/President/Managing Director (COO);

9. Chief Plans, Projects and Partnerships Officer/Chief Development Officer (CPO);

10. Cross-national Coordinating Officer (XCO).

(i) CAO (Chief Administrative Officer): Responsible for overall management of residual line and staff functions and their budgets, the CAO arguably has more authority than all of the other executive officers apart from the CEO.  Residual Line functions include security, supplies and procurement, and transportation (with IT already carved-out and assigned to the CIO).  Residual Staff functions include personnel and recruitment, work/life balance and morale, and plant and maintenance (with finance and legal already carved-out and assigned to the CFO and CLO respectively).

(ii) CCO (Chief Contingency policies, plans, and practices Officer): Working primarily with the CLO and the CPO, this executive officer will focus exclusively on forming contingency policies (both staff- and customer-facing), devising and implementing contingency plans, and instituting contingency best practices with entity-wide knowledge, training and testing, and modification as advised or required.  This executive officer would be supported by a team of technical and scientific experts, professionals with deep experience in that particular business or group of business lines, hedging strategy specialists and advisors (coordinated through or embedded with the CFO), and a host of disaster management practitioners well-versed in the mix of political, environmental, and societal hazards that the company might find itself facing.  We all see how complex emergencies can be created by the interplay of:

(a) Combined environmental hazards (earthquake followed by a tsunami in Fukushima, Japan, that led to loss of life and food resources, radiation leakage, and mass evacuations that impacted both production capacity there and elsewhere, and consumption levels in Japan and other countries);

(b) Combined human failing and product defect (excessive speed and bad watch practices in avoiding icebergs that led to the Titanic sinking with significant loss of life, with added contribution from bulkheads that did not rise all the way to the ceiling, allowing them to be over-topped by the incoming water);

(c) Combined technical and human failings (allegedly bad directions and reputedly absent leadership that led to the grounding of the Costa Concordia, and to its captain being neither the last to leave the listing and helpless vessel, nor the first to lead a safe and orderly evacuation);

(d) Combined technical and human failings (faulty production processes, sanitary practices, and management or regulator laxity) leading to recalls of raw foods (lettuce, peanuts, eggs), processed foods (packaged foods and processed or sold-raw meats), and other consumables in painkillers, pet food, and vitamins;

(e) Single environmental hazard (volcanic eruptions under Iceland’s Eyjafjallajoekull glacier and on Chile’s Puyehue-Cordon Caulle volcanic chain, respectively) that shut down air traffic over vast areas; disrupting business and personal travel for a significant period of time and causing many billions in losses to be incurred;

(f) Combined environmental hazards (hurricane and wind, with flooding) that destroy crops and inventories of goods, soak and damage transportation and infrastructure with salt water, and displace large numbers of people due to the lack of power, destruction of local food sources, and absence of safe and mould-free shelter; especially critical during colder weather that could also generate snow and ice, or during a storm season or tornado season – generating additional casualties from the perils of pollution and exposure to the elements;

(g) Possible product defects (A.D. 2012 parking garage collapses in Elliott Lake, Ontario, in Woodbridge, New Jersey, and in Doral, Florida) that are exacerbated or tested to destruction by heavy or concentrated loading (other building and structural cave-ins/collapses), harsh winds (Tacoma Narrows bridge collapse), and tremors (earthquakes and nearby blasting) or severe rains and flooding (sinkholes, bridge washouts, shore and hill erosion, and subterranean tunnel and sewer flooding), leading to loss of life, trapped and injured survivors who require complex and costly water rescue, aerial evacuation, and high-angle rescue (with or without enclosed space shoring, rescue dogs, and specialized robots or probes), significant infrastructural damage, and additional losses of homes, vehicles, and other property;

(h) War or sustained insurrection and its knock-on effects in unregulated munitions flow, refugee movements, compounding food and medical deficiencies with resultant disease outbreaks, violence against refugees, and creeping destabilization of neighbouring and hitherto peaceful states;

(i) Human maintenance and management failings coupled with an ultra-hazardous activity (massive oil discharge in the Gulf of Mexico, with ecosystem damage and sundry knock-on effects impacting businesses in the food, transportation, hospitality, and tourism sectors);

(j) A constant stream of technical security failings opening access to corporate networks, special programs, critical infrastructure, and personal information.

The risks of something bad becoming “very” bad are significantly heightened in an interconnected, co-dependent, and wired world.  Climate Change threatens to put entire chains of unprepared suppliers, manufacturers, and growers out of business; whether due to direct disruptions or disruptions of their own third-party suppliers, manufacturers, and growers.  This can go on far down the line, and everyone could be stuck.[1]  Complex emergencies and preparations such as these require a lot of thought and planning, and likely now, verified certifications from counterparties that they have taken certain precautions to guard against being caught without a backup plan to the detriment of others.  This is the unenviable task of the CCO – to ensure full recovery from all disasters … in the long-term!  *The short term is a different story.*

(iii) CEO (Chief Executive Officer/Executive Director): Responsible for the strategic directions and strategic outcomes of the company, the CEO is the head coach.  Assistant coaches are the other C-Suite members, and a “conductor” analogy will not work here because an orchestra cannot function when multiple conductors and sub-conductors are calling their teams of workers (in silos/fiefdoms) to play divergent, discordant tunes.  Inevitable results of the latter are committed cacophony, complete confusion, and a corporate collapse.

(iv) CFO (Chief Financial Officer/Comptroller): This officer is responsible for all fiscal affairs, including Budgeting and Forecasting (projections, allocations, and analytics), Treasury (expenses and receipts, and credit and investment management), Financial Statements (reporting and internal audit), and all policies, protocols, personnel, and computer programs and platforms (tools) that are involved in this complex mix.

(v) CIO/CTO (Chief Information Communications Technology Officer): The CIO is responsible for Network Architecture (designing, building, and configuring a network that meets specifications and serves desired functions), Enterprise Resource Planning (allocation of, and budgeting for, I.T. resources, including distinct subsystems for e-commerce, sales and billing, CRM and data governance, CAD/CAM, SCADA, and internal communications – voice, data, intranets, mobile applications), and Network Administration (access protocols, physical and electronic security, data integrity and backup, business continuity planning in the I.T. domain), and all policies, protocols, personnel, and computer programs (tools) that are involved in this complex mix.  An additional function of Privacy and Data Protection (PDP) may reside herein, with the office and functions of the XCO, or with the office and functions of the CAO.

(vi) CLO/GC (Chief Legal Officer/General Counsel): The GC protects the organization against known and developing risk factors; represents the organization to third-parties and defends its interests (whether in contractual protections and advance due diligence, litigation and alternate dispute resolution, or to regulators and through regulatory processes including GRC (governance, risk, and compliance) functions, and IP registration and licensing), and advises the organization on overall legal strategy, or legal aspects/repercussions of specific or proposed strategies and actions.  The CLO will be assisted by subordinates and may have relationships with specialized outside law firms in desired fields (or practice area group environments),[2] to which he or she will assign work as needed to support In-House legal functions.

(vii) CMO (Chief Marketing Officer): Marketing takes many forms, whether in the product or service itself, traditional print and radio advertising, or word of mouth (which includes word of web and word of viral video whether good or bad, and word of both product placement and recall).  Product recalls, though starting as negatives, may actually garner fans from the way in which the manufacturer or producer responds to the adverse event.  This role needs a nimble operator who has a good command of the technical marketing side (web and graphic design, wordplay, and psychology), and a social media team with dedicated monitoring functions, previously archived quick response webpages for a variety of scenarios, and an outside media analytics and PR firm on standby.  Special care must be taken where an employee comes aboard with his or her own social media following, or develops one while working on the company time and dime.  It can be a two-edged sword.

(viii) COO (Chief Operating Officer/Managing Director/President): Keeping the day-to-day operations on an even keel, with proper and well-documented sales practices (Sales), timely and accurate order fulfillment (Manufacturing/Service Delivery), and above-board collection and revenue-recognition practices (Finance) is a critical chain to maintain in good working order, as it is the very lifeblood of the company.  A failing on any one of these three links could throw the ship off course or even sink it.  Ideally, the COO will select either Sales or Manufacturing/Service Delivery as his or her primary focal point, and be assisted by 2 subordinates (for finance and the option not selected).  Strict segregation of duties (SOD) will prevent those deputies from dominating said functions, which must be the primary responsibilities of the CFO (Finance) and the CMO (Sales) respectively.  However, they must work to ensure that these three Executive Officers and their functions are all very well coordinated.

(ix) CPO/CDO (Chief Plans, Projects and Partnerships Officer; also sometimes termed as the Chief Development Officer): Long-range planning, including succession planning and insurance strategy (except hedging which lies with the CFO), is the responsibility of this executive officer.  In addition, he or she will take the oversight lead on any critical projects (plant upgrades, significant new products), or partnerships that would otherwise and unduly distract one of the other executive officers.

(x) XCO (Cross-national Coordinating Officer): Many businesses have an international profile, even those with only occasional foreign sales.  This can include employees of many nationalities, cultural or religious preferences and practices, far-flung operations or contract manufacturing plants and raw material sources, or exports to jurisdictions with myriad regulatory regimes.  It is the XCO’s job to ensure everyone is as close to being “on the same page” as possible, that company ethical and compliance practices are adhered to across the board – despite cultural differences, and that consistency is maintained in operations, administration, and responses to any crisis.

Four Working Groups:

(1) Working Group 1 – Ongoing Operations (OO):

Led by the CEO, this working group would focus on oversight and control of day to day operations.  The CEO would be joined in this effort by the COO and the CMO.

(2) Working Group 2 – Internal Controls (IC):

Led by the CFO, this working group would focus on compliance and internal controls in creating, implementing, monitoring, and updating a comprehensive GRC program.  In addition to “compliance”, this working group would also be tasked with leading in “cooperation” with regulators, due to the need from time to time for certain companies and industries to respond to requests for cooperation with regulators over investigations, boycotts and sanctions, recalls, security measures, and other joint action that needs high levels of coordination.  The CFO would be joined in this effort by the CAO and the CIO.

From time to time, and for better organizational coordination overall, OO and IC might hold unified meetings (virtual, in-person, or a combination of these), and they would be joined there by the CLO.  Of course, the CLO could also sit-in on IC and OO meetings when separate; time and workload permitting and as the needs of the working groups and the business so require.

(3) Working Group 3 – Contingencies, Policies, and Projects (CPP):

Led by the CLO, this working group would focus on contingency planning, company policies, and the oversight of critical or large projects.  The CLO would be joined in this effort by the CCO and the CPO.

(4) Working Group 4 – Global Oversight (GO):

Led by the XCO, this working group would focus on keeping an eye on the global pulse and wellness of a decentralized entity.  Of course, this working group would only be added as and when warranted.  Drawing on other executive officers to fulfill its mission and mandate, GO’s two component sub-groups would be:

*PACE (Privacy, Administration, Cybersecurity, and Environment), and

*COG (Contingencies, Operations, and GRC).

PACE: XCO as the standing lead, and joined by the CAO, CFO, CIO, and CPO.

COG: XCO as the interim lead, and joined by the CCO, CLO, CMO, and COO.  The CEO would be the standing lead for COG, as well as the unified meeting sit-in member for the GO and CPP working groups (as is the CLO for the OO and IC working groups).

Challenges:

Some might say that these functions replicate those of the Board and of the Committees of the Board, to an extent.  I agree in part because this group of 10 top company executives could essentially be said to constitute an Executive Board (supervising day to day functions).  The Supervisory Board (Board of Directors) would still be responsible for oversight, as 10/4 is merely designed to ensure that adequate attention is given at the day-to-day level of governance, to those items and points that have most often tended to cause slip-ups in recent memory (such as governance gaps; lax compliance or internal controls; financial misstatements; and inattention to plugging risks of faulty internal audit, insufficient segregation of duties, lax supervision, or failure to timely act on employee grievances including but not limited to harassment claims), and engage the Board’s attention to find, fix, and further prevent them from recurring, with other appreciable (and avoidable) regulatory and legal costs and repercussions.

Coordination of these now distributed executive-level functions would likely also be a challenge, at least initially.  However, once 10/4 is firmly in place and with the proper implementation of the proposed meeting and joint meeting structures, along with open lines of communication, this should diminish over time.

The need to pay perhaps exorbitant salaries to even more senior officers might also seem like a challenge.  However, there is plenty of un-utilized (read: “unemployed”) and otherwise under-deployed (“unhappily” under-employed) talent available in the current economic climate that would welcome the opportunity to apply themselves to these sometimes new and always interesting roles; not exactly for a pittance as professionals should be given their due respect, but with every intention of earning their way and growing with the company.

Opportunities:

Added specialization of function and better core focus, are obvious benefits.  Clearly, each of these ten functions demands a full-time focus.  C-Suite members will be better able to drill-down within their assigned roles with a lot less distracting “noise” and far fewer demands for assistance or advice on matters outside their scope that cause a frantic scurrying for the right answer, and sometimes outside the company at a cost commensurate with the urgency of the request from …. “higher up”.  More skills and abilities can therefore be retained in-house, and appropriate additional expertise sourced as needed, or retained on call, outside the company.

Growth Map:

Many companies will tend to “really” start with a core of 3 principals, the CEO, CMO, and CIO (if technology focused); or the CEO, CMO, and COO (if in services or a widget-maker).  Of course, all will wear multiple hats from the start, and be drawn to move in many directions at once.  While still small or a start-up, this can often be managed, albeit with a little effort and significantly less sleep.

After a time, they will generally add the CLO and CFO as compliance and cooperation, and the need to create, monitor, and keep-up proper records and accounts in-house (as opposed to having an on-call book-keeper), all become more important over time.  Other motivators for this expansion at the top might be the need to seek financing from Angel Investors or VCs, or preparation for an IPO – or even at that early stage, an acquisition of more capacity or talent that resides in another business.

Eventually, a CAO will be added to free-up CEO or CMO time spent on day-to-day administrative duties for other functions, and the CCO and CPO will be brought-on as the needs of the entity or best practices dictate; which may even precede the addition of a CLO or a CFO, or both.  Similarly, the presence or onset of major cross-national operations may bring in the XCO earlier, or later, in the growth process.

Summary:

10/4 is quite doable, and the first-movers, as always, will be able to iron-out the kinks early, and share or not share their tips with competitors in their industries as they strive to maintain their own competitive leads.  The four corner offices can thenceforth be reserved as boardrooms for meetings of the four working groups or other teams within the work environment that need the separation; while executives sit closer to the middle of the floor and the action, creating a more involved and collaborative decision-making model, and smoother workflow with face-time and an all-ranks accountability that self-regulates against water-cooler lounging, social media misuse, and other forms of slacking-off, without the need for certain increasingly used (and sometimes highly intrusive) technical tools to protect and promote productivity.  Let’s see who, if anyone, will go for it first … 10/4?!

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] See e.g. Ekundayo George.  Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published September 1, 2011, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2011/09/01/cybersecurity-avoiding-destabilizing-data-disaster-d3/

[2] See e.g. Ekundayo George.  Practice Area Group Environment – PAGE: (a version of) BigLaw’s Future?  Published November 2, 2012, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2012/11/02/practice-area-group-environment-page-a-version-of-biglaws-future/

Running through all of the complex formulae, one-minute pitches, expensive marketing courses, and intensive sales training rewards or retreats …. the common intent is always the same: just make that sale!

Some schools and entities have focused on the hard pitch, some on the soft sale, others on some form of psych. play in a “trend-trap” or a “pity-pitch”; and now …. there is Social Marketing (for some, Social Engineering), where your smartphone can do most if not all of the seller’s prior research as you blissfully (and with voluntary consent through your own location and privacy settings) walk and surf, search and like, tweet and text, post, and otherwise share your entire shopping and social history to the four (north, south, east and west) by four (friends and vendors, foreign and domestic government entities, third-party data and transaction processors including contracted aggregators and data miners, and cyber-criminals) winds.

The more that things change, however, the more they stay the same, as there is still a timeless essence in sales and branding, that, if paid sufficient attention, can constitute a best practice.  I intentionally exclude “marketing” and “promotion” as separate elements in the selling process, because these can be included or embedded, at various levels, deep within the elements that I do list here.  Some interesting and thoughtful examples of marketing (and de-marketing) embedded within the terms, price, relationship and reputation, amongst others, can be seen in this footnote;[1] although the article itself is some 2 years old, these examples are still quite applicable and relevant.  We have also heard of that phrase “it sells itself”, which is the ideal and every marketer’s dream.

 

What is this Timeless Essence?

If you have been reading some of my posts, you will know that I like using acronyms and mnemonics, i.e. first letters in a string of words that actually spell something meaningful or make … some sort of sense when put end-to-end.  The reason for this is because it forces and inspires a deeper level of thinking, and an active justification for putting things where they are in the chain, in the first place.  So as not to disappoint, I will continue that trend in this post.

With the first element not necessarily being the most important element, this “Timeless Essence” has 9 (“nine”) individual parts as follows: Price; Quality; Relationship and Reputation (the “R” complex); Selection, Seniority, Selectivity, and Security (the “S” complex); and Terms.

 

PRICE:

A listed price can be all-inclusive with taxes factored-in, or with a listed price subject to the fine print, or with a listed price exclusive of taxes, or in some other configuration or combination.

Specific pricing options can range from new arrivals at full price; through loss-leaders (insufficiently priced to make an appreciable profit on their own but rather designed to drive volume sales and encourage browsing sales or move co-branded products and services); to liquidation sales at give-away prices.  With regard to food staples, for example, yes, price alone can draw the customers.  However, if the quality or relationship is poor, or the selection is not sufficiently broad, then reputation will suffer and all but those who are tied to that location or vendor, will soon start to do their shopping elsewhere.

 

QUALITY:

Quality can refer to the item for sale or hire (product or service), the place and décor of the selling or hiring (trade dress, and the experience), or the knowledge or skill of the staff (relationship, and the rapport).  Very knowledgeable sales staff, for example in the realm of either mass-market or high-end electronics, can generate a good reputation, develop a loyal following that turns to them for mundane questions on products that the business does not even sell, and lead to incidental sales, or the offering of new products due to customer demand; and even the creation of new and profitable lines of business – i.e. becoming the one-stop source for repairing the products of different (and competing) vendors, for a fee.

 

THE “R” COMPLEX (2 distinct elements):

Relationship refers to the “experience” on one level, and the “rapport” between the vendor and buyer, or the vendor and the referral source, on another level.  Where word of mouth marketing brings the lead in the door (or to the website when we de-emphasize the bricks and mortar), it is left to the salesperson or the online marketing department to make or break that sale.  The act of referral does play upon the reputation of the vendor in the eyes of the referring source, and this may or may not hold true for the one being introduced as a follow-on rapport is or is not developed.  Word of mouth advertising can be both positive and negative.

Of course, showing the interplay between these essence elements – a reputation for quality or offering good terms (long warranties, no money-down, extended hours), can also bring large volumes of people through the door (or otherwise, to the e-commerce store).

Reputation sometimes also suffers if and when unscrupulous competitors (or members of a different political party) engage in highly questionable competitive practices.  These will need to be countered, curtailed, and corrected.  At other times, however, the prospect will already have been sold through marketing or a description of the experience or the rapport from others.  A good example of this is the opening of a new movie in theatres.  Those first in line will have been pre-sold, or in the company of others who have been so enticed.  And others, visiting the theatre in the second and subsequent evenings, will go because of the ratings, the descriptions of those who went before them, or continued media hype and coverage.

Relationship and Reputation can come together with successful product or service placement in that opening movie.  The audience can both develop a rapport with the performers through the product or service (by rushing out to do likewise and share or repeat the experience for themselves), and thereby capitalize on the reputation of that product or service by their patronage, which also furthers its reputation …. all for what?  A minimal outlay if the actor or actress is already an avid user or fan of said item, and whether or not compensated for same.

 

THE “S” COMPLEX (4 distinct elements):

These 4 elements (selection, seniority, selectivity, and security) are all related.  Selection refers to the variety of items available.  A wider selection is a significant part of what allows the Big Box Stores to draw people from both near and far, despite the isolated or even desolate locations in which you sometimes find them.  Seniority, of course, distinguishes some older vendors or long-established businesses from the new ones that may eventually be short-lived fads, or soon out of business due to some other reason for their non-sustainability.  It also used to give some assurances – financial shenanigans aside – that a vendor would be around long enough to make good on its warranty promises if any problems arose.  However, in a market where prices have fallen and comparable replacements abound, this becomes less important.

Selectivity is what distinguishes the “hard-to-get” item or service from the more commonly available.  However, “at-first-glance” good knockoffs through piracy, and their obvious advantage in price, are causing significant and rising consternation for several famous brands – especially in a challenging economy where many customers want to feel and look fashionable but do not have the disposable income (or even employment) to go about it properly as the law-abiding citizens that they ought, and were long ago taught, to be.

Security, as in “a sense of personal security”, has always comforted knowing buyers of counterfeit outerwear, because to date, it has generally only been the sellers of knock-offs who faced the penalties and prosecutions.  This changes, of course, and very quickly, when fake jewelry or wrist-wear causes one’s skin to go green, or brings-out a severe allergic reaction.  The ultimate buyers of counterfeit drugs, foods, and beverages however, are generally quite unaware that they are buying fakes, and they sometimes pay with their health or their lives.

Security can also be a strong selling point with businesses prone to problems.  This can be passive security in cameras (as long as they work, are watched, and the tapes are kept for long enough to be relevant), in patrolling armed guards, or in perimeter controls and screening of entrants.  However, if the grocery store or convenience store in the middle of a hot zone or a war zone is the only place to get food and other necessities, then despite the insecurity, people WILL still find a way there.  So, there must always be quite some give and take amongst all 9 factors, and between “S” Complex factors.  Whether you speak of a Big Box Store or a War Zone corner store, “location, location, location” long ago lost its leading-edge pride of place.

 

TERMS:

Jurisdictions will differ on what constitutes the “essential terms” of an agreement, and when an agreement has been fully formed.  However, and though varying from case to case or category of agreement to category of agreement, recurring “essential” elements include price, the item of agreement or sale, and the fact (often by signed writing) that there is some sort of an agreement.  One term can always be a deal-breaker or a deal-maker, and both knowing (discovering) the other party’s squeal point, and how to sufficiently sweeten the deal by give on that point or take on another, will be key.  This is why good sales and marketing people always ask questions that, although not always seeming pertinent, are intended to reveal something directly, or to lower a barrier that prevents the person asking from seeing it for themselves.

Summary:

This then, is the Timeless Essence, a best practice, in effective sales and marketing, including branding.  Real world examples may come to your mind as you think through these points and look around you, or, you may be spurred-on to become your own mogul.  Good luck (in the effort), give thanks (to those who inspired you), and really, go for it …. just make that sale!

***************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with experience in business law and counseling, diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com.  An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com.



[1] Nicholas P. Hopek, TSYS.  De-Marketing in Practice: Survival of the Fittest – and Most Profitable – Customers.  Published in Thought Leadership n>genuity Magazine, Spring 2009.  Online: http://www.tsys.com/thoughtLeadership/ngenuityInAction/current_issue/Spring09DeMarketingInPractice.cfm

 

Since the “dot-com” era began, many Internet-driven businesses have come and gone.  Some resurfaced in a new guise, but others were never to be seen or heard from, again.  Why was this so, and what did some of them do correctly, that others did wrongly?  I think those that failed did so for not meeting 1 (“one”) or more of the 7 (“seven”) checkpoints in the e-Commerce success formula, applicable both in the times gone by and in the current climate.  As further detailed below, these are: Acceptable Service Levels; Security; Policies and Privacy; Intellectual Property Rights (I.P.R.); Regulatory Compliance; Enforcement; and Dedicated Cashflows.

1. ACCEPTABLE SERVICE LEVELS: If and when offering a service or product to the public, then the quality of that offering must be acceptable.  Bad product or bad service leads to bad reputation.  With the current pace of word-of-mouth advertising through Social Media, a company’s reputation can be tanked, with a quickness.  Why spend so much time generating all that buzz, and then bet the company by offering something that is a substandard product (bug-infested), a service that is obviously not quite yet ready for primetime (the wider, mass market), or something that is otherwise badly managed in the initial rollout (going cheap on the launch)?

This may have worked for some businesses in the past, and it may still be tried in some cases by those businesses feeling secure or carefree enough with the substantial following for their product or service, or suite of same.  But, today?  No way!!  Beta testing is available for a reason.  Use it!  The more alternatives that proliferate, and providing that there is a relative inelasticity in providers, the less tolerant the market will be for mediocrity and unacceptable service levels.

2. SECURITY: Of course, the company crown jewels (I.P.R., trade secrets including strategies and customer lists, and so forth), must be secured.  If not, then the model can be replicated either without shame and by an obvious copycat, or through reverse engineering with a very good idea of where they need to go, from having the product, your product, right there in front of them.  Physical security, electronic security, and a security frame of mind, must permeate the business and the workforce from top to bottom, in order to hit this checkpoint right.

The added networking functionalities that Social Media now gives to developers, programmers, and scientists, coupled with the fact that massive amounts of raw and unencrypted data can be lost (and are being regularly lost) on smartphones, laptops, and through online theft and hacking, means that achieving comprehensive Cybersecurity is no easy task, as I have already blogged.[1]  You may notice that some of the largest, most successful, longest-lasting e-Commerce successes are entities with a very zealous dedication to security.  Obviously, there are good reasons for this.

3. POLICIES and PRIVACY: It is also vitally important to have effective and comprehensive policies on a variety of topics, so that there are no fatal gaps in employee guidance as to the policies and procedures that they need to follow in specific circumstances, or in those very tricky or novel situations where the guidance of other employers may be found lacking due to imprecision, or a lack of clarity, or a failure to consider and plan for such an eventuality – even by providing a dedicated line on which employees may call for guidance from a responsible person in the company.  Situations that should be policy-covered include but are not limited to, privacy breaches, emergencies and complex emergencies, Social Media usage, employee hiring (with appropriate background checks) and termination (with exit interviews and securing of access permissions and company property), and privacy and security, generally.

Where policies are lacking, employees may well take the initiative.  There is nothing wrong with having employees who can think for themselves, especially in a knowledge-driven economy or an Internet-driven business.  However, where employees lack the critical additional knowledge, subject matter expertise, or general leadership training and discipline to know what is best for the company and also in accordance with law, their initiative may initiate a problem, or two, or three.  Sometimes extrication is simple, and sometimes, it comes at a very steep price, including personal liability for directors and officers, very steep fines and regulatory penalties, lawsuits with their companion legal costs and expenses and insurance coverage disputes, and even destruction or dissolution of the company as a going concern.  It is better to lead and set the tone with a coherent policy, after careful business consideration and consultation with legal counsel.

4. INTELLECTUAL PROPERTY RIGHTS (I.P.R.): Where the entity owns and has developed its own I.P.R., then this should be protected, of course, through proper registration and ongoing monitoring.  It is not prudent, and very much ill-advised, to put a branded product or service on the market without first ensuring that the name chosen is available and free for use.  Otherwise, a flashy and expensive marketing campaign may lead directly to a messy and expensive legal battle for I.P.R. infringement or misuse.  This could be ruinous if the seed money or risk capital has already run out or nearly run out, and whether or not the deep-pocketed investors get frightened-away by that kind of rather costly, and potentially very bad publicity.

Similarly, the unauthorized use or willful misuse of the I.P.R. of another, can bring severe and negative consequences through suits and injunctions.  Even where the law is unclear or imprecise and with apparent loopholes, this does not prevent an incensed litigant or an ambitious prosecutor from applying novel theories and significant resources to make a test case stick, or to prove a point, or to chill or still the fervor of any and all who might think to follow a bad lead.

5. REGULATORY COMPLIANCE: All of the foregoing ties-in with regulatory compliance.  This does not just apply to industry-specific regulations, but also to national laws; laws of the municipality, state, and province, as appropriate; and any International or otherwise multijurisdictional accords and protocols that may be or become relevant, or applicable, or appurtenant to the business or the business model in question.

Having a good idea of what is being planned or proposed, and where possible, being able to chime-in on the debate through a trade or industry group, are best practices.  It is better to know, plan, and prepare, than to be suddenly surprised.  Sometimes, even with the delayed applicability of new laws and regulations, the time, cost, and efforts required to become fully compliant – let alone the fines and penalties for failing to be so compliant – can be a drain on resources and an unwelcome distraction from the core mission.

6. ENFORCEMENT: Additionally, all company policies must be regularly communicated, enforced, and audited for the degree of compliance therewith; otherwise the company may face more than its share of User-generated Legality Issues (UgLIs).[2]  As for leadership in this endeavor, even in a smaller company, it can be highly advisable to have both a Chief Compliance Officer and a Chief Privacy Officer.

To the extent that a candidate is qualified, both of these titles may be held by a single, double-hatted individual.  However, if that is the case, then it is advisable that the person hold no third portfolio, as the pace of development in both of those areas will keep him or her more than sufficiently occupied.  Indeed, many an entity may find it more affordable and prudent to have a limited In-House capacity in both of these areas, but outsource the bulk of its needs for guidance in privacy and compliance to legal providers who can promptly deliver legal updates and customized policies, in conjunction with occasional audits, and tweaking as the business matures and moves through standard and non-standard cycles, or other critical events (mergers and acquisitions, litigation, regulatory investigations, public offerings and buybacks, or insolvency).

7. DEDICATED CASHFLOWS: The initial dot-com heydays were replete with businesses that sold nothing, gave away copious amounts of services or software or both of these for free, and essentially, burned through cash as though the patience of their dedicated investors would never end.  Eventually, it did, and so did they.

There has to be revenue, and it needs to be projected to start at some point down the line, right from the start.  This way, milestones can be recorded, and steps taken to address any failures to meet them – whether in extensions of time and financing, or in a change of policy or management, or both of these.  There is nothing wrong with having a loss-leader, and giving away services or software in order to capture market share and loyal customers.  Advertising, therefore, when responsibly and lawfully and tastefully done, is the easiest way to generate revenues, and build a business from the traffic to, or the following or patronage of, a popular site or service.

Summary: E-commerce and the Internet-driven business are still very much works in progress, as governments struggle to keep up with their ever-changing nature, and the consuming public (in sections and subsets of same), thrives on the tensions generated and in the spaces created, by this state of constant flux.

Some have accused the People’s Republic of China and the Russian Federation of high complicity in organized theft of strategic assets by exploiting flaws in, and failures on, one or more of the above 7 checkpoints.[3]  However, these alleged culprits are also obvious victims;[4] and allegations of economic espionage and leveraging for advantage, legally, not so legally, and quite illegally, including with government support or complicity,[5] are really nothing new.

Whether one’s problems show a success or a failing equal to those of others on the same, or substantially the same, checkpoints above, is in the eye of the beholder.  Regardless, however, perhaps if regulators focused a little more on fixing the failings in this winning formula than on spinning for sanctions and shame, more would thrive and succeed in this brave new Online Great Game.

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice, and has practiced, in Ontario, Canada, as well as in multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article is intended and presented for general information purposes only, and is not intended to be, or to be construed or read as, constituting legal advice or creating any lawyer-client relationship.


[1] Ekundayo George. “Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.”  Ogalaws.  Published on December 9, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/

[2] See Ekundayo George. “M”edia Effectiveness, at the text containing endnotes 5 through and including 12, for an explanation of this concept.  Ogalaws page Tab.  Available at: https://ogalaws.wordpress.com/media-effectiveness/

[3] United States of America, Office of the National Counterintelligence Executive (ONCIX).  Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011.  Published in October, 2011.  Available at: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

[4] BBC News, Technology.  China seeks to combat hi-tech crimewave.  Published on December 30, 2011.  Available at: http://www.bbc.co.uk/news/technology-16357238

See also BBC News, Europe.  UK diplomats in Moscow spying row.  Published on Monday, January 23, 2006.  Available at: http://news.bbc.co.uk/2/hi/europe/4638136.stm

[5] New York Times.  Air France Denies Spying on Travelers.  Published on September 14, 1991.  Available at: http://www.nytimes.com/1991/09/14/news/14iht-spy_.html

See generally Paul M. Joyal.  Industrial Espionage Today and Information Wars of Tomorrow.  Integer Security, Inc. Information and Analytic Services.  A report prepared by Paul M. Joyal (President of Integer Security Inc.), for presentation at the 19th National Information Systems Security Conference, held in Baltimore, Maryland, U.S.A., on October 22-25, 1996.  Available at: http://csrc.nist.gov/nissc/1996/papers/NISSC96/joyal/industry.pdf

See e.g. CTVNews.ca Staff.  Corporate espionage costing billions each year.  CTVNews.ca.  Published on Tuesday, November 29, 2011.  Available at: http://www.ctv.ca/CTVNews/CanadaAM/20111129/corporate-espionage-secrets-companies-111129/
