The Internet of Things (IOT – also referred to as Machine to Machine communication, or M2M) is well on its way to reality, with a wide range of market penetration predictions and potential verticals for the savvy and aggressive providers who aim to tame it.  Intel projects 2015 uptake to be 3.8 billion devices globally, whilst 2020 projections are 30 billion devices from ABI Research, and 50 billion devices with “$14.4 trillion in bottom-line potential” from Cisco Systems.[1]  There were some very early movers, such as the European Union, which established an Internet of Things (IOT) Working Group on August 10, 2010.[2]  Three years later, the United States Federal Trade Commission (FTC) has already initiated an enforcement action against an IOT service provider due to flawed security and false claims and misrepresentations in advertising.[3]  Now, following last year’s 4th EU IOT Conference,[4] regulators and industry everywhere are swiftly strategizing and paving the way forward:

(1) In South America, IoT World meets in Brazil was held in São Paulo, from May 21-24, 2013;[5]

(2) In the Middle East, The M2M Middle East Forum was held in Dubai, UAE, on September 22-23, 2013;[6]

(3) In North America, The 2013 M2M and Internet of Things (IOT) Global Summit was held in Washington, D.C., from October 1-2, 2013;[7]

(4) In Africa, The 1st Workshop On The Internet Of Things (IOT 2013) is now scheduled for October 7, in East London, South Africa;[8]

(5) In Europe, The Internet of Things World Forum is now scheduled for November 12-13, 2013, in London, UK;[9]

(6) In Asia, The Internet of Things Asia 2014 Exhibition and Conference is now scheduled for April 21-22, 2014, in Singapore.[10]

The fact remains, however, that myriad options exist for vertical and horizontal exploitation of this space, and the same number of options – apparently subject to multiplication by itself – exists in the form of coordination, regulation, optimization, protocols, and security.  As a result, and due to the need to develop common understandings and definitions across these 6 (“six”) centers of gravity, we have devised and provided the within Table of 7 elements (on the X-axis), times 30 elements (on the Y-axis), as a conceptual framework for industry and regulators within and between these 6 centers of gravity, to utilize in internal deliberations and joint consultations.  Just select a coordinate where X and Y meet, conceptualize the kind(s) of IOT/M2M offering that would fit there, and strategize on the most appropriate or most preferable “iPages” for it or them (see note 2, below).  We hope it helps!

X-Axis (BUSCOPF):

BIODIVERSITY;

UTILITIES;

SECURITY;

CULTURE;

OFFICE;

PROJECTS/POLICIES;

FINANCE.

Y-Axis (SCOPE):

SERVICES (6):

-General/Government

-Regulated

-Integrated

-Personal/Apparel

-eBusiness

-Shared/Social


CONTROLS (5):

-Structure

-Product

-Infrastructure

-Emergency

-System


OPERATIONS (7):

-Supply/Logistics

-Communications

-Humanitarian

-Entry/Egress

-Municipal/Medical

-Economic/Exchange

-Scientific


PRODUCTS (7):

-Personal/Apparel

-Regulated

-Infotainment

-Networked

-Consumer

-eBusiness

-Shared/Social


EVALUATIONS (5):

-Efficiencies

-Insurance Risk

-Gathered Data

-Health & Safety

-Threats & Alerts


©2013. S’imprime-ça (Ottawa, Canada). http://www.simprime-ca.com.  Free “BST” use, duplication, and distribution is permitted if including this attribution block verbatim.

 *********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Alyssa Oursler, InvestorPlace Assistant Editor.  Morgan Stanley Gushes on the Internet of Things.  Analysts take a deep dive into the trend with 29-page note.  Published on investorplace.com, September 30, 2013.  Web: http://investorplace.com/2013/09/csco-morgan-stanley-internet-of-things/

[2] Euroalert.  Expert Group on the Internet of Things set up.  Published on euroalert.net, August 11, 2010.  Web: http://euroalert.net/en/news.aspx?idn=10271 This Expert Group now has 6 (“six”) sub groups, being one for each of identification, privacy, architectures, governance, ethics, and standards (I would call this “iPages“).  A Summary of their 10th Meeting in Brussels, Belgium, in November 2012, is available here: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1747

[3] See e.g. Paul.  With Settlement, FTC Issues Warning On IP-Enabled Cameras.  Published on securityledger.com, September 4, 2013.  Web: https://securityledger.com/2013/09/with-settlement-ftc-issues-warning-on-ip-enabled-cameras/

[4] Forum Europe.  Post-Conference Report from The 4th Annual Internet of Things Europe.  Shaping Europe’s Future Internet Policy – The road to Horizon 2020.  The Conference was held in Brussels, Belgium, on November 12-13, 2012.  Published on eu.ems.com.  Web: http://www.eu-ems.com/event_images/Downloads/IoT%20post%20conference%20report%20-%202012.pdf

[5] IoT World meets in Brazil, was held in São Paulo, Brazil, from May 21-24, 2013. Published on theinternetofthings.eu.  Web: http://www.theinternetofthings.eu/iot-world-meets-brazil-s%C3%A3o-paulo-21st-24th-may-2013

[6] The M2M Middle East Forum, was recently held in Dubai, UAE, on September 22-23, 2013.  Published on dmgeventsme.com.  Web: http://dmgeventsme.com/m2mforumme/

[7] The 2013 M2M and Internet of Things (IOT) Global Summit, was recently held in Washington, D.C. on October 1-2, 2013.  Published on eu-ems.com.  Web: http://www.eu-ems.com/summary.asp?event_id=173&page_id=1432

[8] The 1st Workshop On The Internet Of Things (IOT 2013), is scheduled for October 7, in East London, South Africa.  Published on isat.cs.uct.ac.za.  Web: http://isat.cs.uct.ac.za/IoT2013_Workshop/isat_web_iot/index.html

[9] The Internet of Things World Forum, is scheduled for November 12-13, 2013, in London, UK.  Published on internetofthingsconference.com.  Web: http://iotinternetofthingsconference.com/

[10] The Internet of Things Asia 2014 Exhibition and Conference, is scheduled for April 21-22, 2014, in Singapore. Published on internetofthingsasia.com.  Web: http://www.internetofthingsasia.com/


The recent announcement of pending closure for Nirvanix,[1] a CSP, highlights a number of points that I have often stressed as critical in data assessment prior to cloud usage, cloud vendor assessment, cloud contracting specifically, and data protection and retention in general.  These are:

1. “In addition – always (have) a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly-rigid or convoluted one, should be approached with high caution.”[2]

2. “If you have critical functionalities that have moved completely or almost completely to a cloud-based solution… then it is highly-advisable to have a backup cloud.”[3]

3. Protect and backup your data as per your assessment of the V5 Interplay…the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.[4]

4. Mature cloud users should be in a state where “Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor.”[5]

To now learn that many large and systemically significant entities in a host of industries have massive amounts of data with this one provider that they are now rushing to remove before the pending shutdown,[6] is quite worrying in terms of Cybersecurity, Cloud best practices, and attendant potential legal liability.

OPTIONS:

Of course, any speculation is pure speculation, as I have no personal knowledge of their arrangements, whether or not these exits are orderly, or if they will be concluded in good time.  However, one would expect that:

(i) for the most critical data in that V5 interplay;

(ii) multiple CSPs should have been used;

(iii) offsite backup should not have been automatically discontinued;

(iv) a detailed exit protocol (“cloud emigration”) would have been contractually agreed-upon in advance, with access to the key or contracted staff – including migration/emigration-as-a-service providers or other such specialists;

(v) guaranteed continued availability of staff and data as was already specified in the original SLA; and

(vi) either CSP insurance (as with employment practices insurance, business interruption or business continuity insurance, or some such), a portion of the client fees segregated in advance by lockbox arrangement to pre-fund an orderly exit, or any host of other arrangements to cover those exit costs, would have been specified as preconditions for entering into a cloud services agreement in the first instance, laid-out in detail, mutually agreed, practiced and reviewed for updates from time to time, and enacted as and when needed.

CONCLUSIONS:

This case is quite instructive, and many cloud users will, doubtless, take note and a few pointers for their own contracts (whether as promptly amended or when next renewed), so as to avoid future problems when this kind of situation replicates, or any other foreseeable or unforeseen eventuality causes a similar rumble of thunder to ripple across the Cloud-sphere.  They must be able to promptly, securely, and in an organized fashion “rein-in” and “reel-back” their uploaded data from the cloud, without having their own clients and data subjects rain thunder and lightning down on them, for any failure to so do.[7]  If their data gets stuck in CSP insolvency wranglings, then a whole host of new twists and turns will develop.

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects), and has sector experience in healthcare, communications, financial services, real estate, international trade, eCommerce, Cloud, and Outsourcing.


Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, high stakes, strategic projects (investigations, procurements, and consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.



[1] Isha Suri.  Nirvanix Closing Down, Gives Two Weeks’ Notice of Service Shutdown.  Published on siliconangle.com, September 24, 2013.  Web: http://siliconangle.com/blog/2013/09/24/nirvanix-closing-down-gives-two-weeks-notice-of-service-shutdown/

[2] Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  (at “Disadvantages potential – Vendor Inelasticity”).  Published on ogalaws.wordpress.com, December 28, 2011.  Web: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right (at “1. Backup Cloud”).  Published on ogalaws.wordpress.com, March 11, 2013.  Web: https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/

[4] Id. (at “4. Traditional off-Cloud Backup”, and at footnote 13).

[5] Ekundayo George.  In whose pocket is your data packet? – International Data Governance (at “d”).  Published on ogalaws.wordpress.com, February 6, 2013.  Web: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[6] Jeffrey Schwartz.  Cloud Storage Provider Nirvanix Goes Belly-Up, Customers Panic To Move Data.  Published on virtualizationreview.com, September 19, 2013.  Web: http://virtualizationreview.com/blogs/the-schwartz-cloud-report/2013/09/nirvanix-goes-belly-up.aspx?goback=.gde_1864210_member_275308263#!

[7] “Risk Management” (such as in preventing to the extent possible, planning for, and effectively prevailing with regard to this type of snafu) and “Stakeholder Management” (calming and reassuring those division heads and business unit leaders whose core and critical functions are residing, and hopefully resiliently so, in the Cloud, during any time of crisis), have been identified as the new and added “need to have” softer business skills for IT professionals who plan to survive and thrive in the rapidly evolving (and reputedly short-skilled) Cloud space.  See Steve Ranger.  Big data, cloud computing experts hard to hire, bosses admit.  Published on techrepublic.com, September 23, 2013.  Web: http://www.techrepublic.com/blog/european-technology/big-data-cloud-computing-experts-hard-to-hire-bosses-admit/?tag=nl.e077&s_cid=e077&ttag=e077&ftag=TRE9ae7a1a.  For a broader overview of the changing nature of IT skills with regard to changing technologies, such as Cloud Computing, see Ekundayo George.  Why “will” IT jobs persist through changing technology, and why “must” IT initial education and ongoing training be both constant, and consistent?  Published on ogalaws.wordpress.com, June 5, 2013.  Web: https://ogalaws.wordpress.com/2013/06/05/why-will-it-jobs-persist-through-changing-technology-and-why-must-it-initial-education-and-ongoing-training-be-both-constant-and-consistent/

The Internet and Social Media have rapidly become indispensable tools for networking, productivity, and information gathering and sharing as used by people from all ages, stages in life or work, and nations.

What is Social Media?

Having developed to fulfill the above roles, resulting online communities of avid users have developed into global multilingual, multicultural, and multidisciplinary social mediums (plural “media”) for:

Creativity (web pages, youtube, hulu, flickr, picasa, interactive sites, shareware);

Collaboration (intranets, wikipedia, second life, dropbox, you send it, whatsapp);

Commentary (wikis, intranets, blogs, pinterest, RSS feeds, newsgroups, news and articles);

Commerce (listservs, monster, ebay, craigslist, angie’s list, amazon, tremor video, directories);

Connection (email, text, twitter, facebook, myspace, dating sites, instagram, linkedin); and

Cloud applications (software, infrastructure, platform, security, and other “as a service” offerings in some or all the above, eGovernance, and public, private, and hybrid clouds);

and many other distinct offerings and versions for such online community activities now known and/or yet to become well known.  In sum, however, these are all mediums or platforms and utilities through which people, being social, may responsibly interact in a way that “enriches” society.

Why should its use be governed?

Responsible and proper use of the Internet and Social Media “E.N.R.I.C.H.E.S.” our society; i.e., it:

Educates,

Negates falsehoods, and both enables and enhances

Relationships,

Introductions,

Commerce,

Help and assistance and self-help,

Expression, and

Social and national security.

However, as with most if not all things, there is a potential downside to online community participation.  Businesses with employees and contractors all need to ensure that their workers are not getting themselves and their employer (or principal in the case of agents), into legal problems or embarrassing situations as a result of their online activities.  As a result, employers should develop and enforce robust social media usage policies that more closely address the unique qualities of these online communities, as online communities (site terms of use, internal employee policies, and generalized rules), and not just the generic “social media”.  One way to do this is to divide the policy, after a good preamble, into 4 (“four”) parts: (i) “Please” rules; (ii) “Don’t” rules; (iii) “Always Appreciate” rules; and (iv) “Affirmations and Signatures”.  These categories need not appear in the order given, and they may be mixed and matched.

What might these rules cover?

“Please” Rules.

Depending upon the mix of internal (intranets) and external (news and articles commentary) social media considered, the employer should remind employees to be respectful and responsible in their online activities, to use disclaimers so as to prevent attribution to their employer of any personal comment or action when not specifically authorized, and to use good judgment and avoid underhanded actions.  The employer should also ask employees to remember their day jobs and consider how their actions outside the workplace “may” impact upon any or all of them, their employer, their employer’s business and reputation, and their employer’s customers.  Also, the employer might remind site users and employees to clearly identify their sources when possible and advisable, including with hyperlinks; as well as a reminder to comply with (and not use the social media platform in an effort to circumvent or violate) any legal compulsion under which they must act in a certain way, or any lawful document by which they are bound, such as any court order, consent order or settlement agreement, injunction, or restraining order.

“Don’t” Rules.

These rules will revolve around actions beyond simple decorum, to include a host of specific prohibitions against online IP infringement, a bar on criminality and all forms of stalking, or sexual or other harassment or bullying, and a further prohibition on using online interaction to breach applicable internal data retention policies, or protections for client confidentiality, privacy, and proprietary employer information.  Advisories to avoid personal attacks and offensive language, as well as defamation, would also be in order.  In the absence of a BYOD policy, the employer may also bar the use of work devices for personal reasons, including by barring access to certain sites or by implementing some monitoring regimes, with advance notice, of course.  This group of rules will also limit or bar the installation of third-party programmes, software or utilities, without advance approval from designated employer personnel; impose restrictions or bars on anonymizing postings and other participation; and issue a blanket prohibition on circumventing any site or employer security protocols or programs.

“Always Appreciate” Rules.

These will include notifications of how online behavior is tracked and include a consent to monitoring by their use, as well as an explanation of the use of cookies – both standard and persistent, in accordance with applicable laws and regulations.  Online community members and employees should also be reminded to always appreciate the permanency of their online activities and postings, and the interplay of different policies – such as anti-harassment and anti-sexual harassment, human rights, confidentiality, and applicable codes of conduct to include professional conduct through professional licensing bodies.  This group of rules should also encourage recognizing the value of accuracy in commentary, the desirability of respecting alternate viewpoints in online dialogues, the advisability of not pretending to be an expert and inviting embarrassment when the true experts chime-in, and the benefits to peace of mind and avoiding open hostility in staying away from controversial topics.  The employer will also draw attention to the complaints escalation policy and any alternate dispute resolution mechanisms that it prefers or mandates for members of its workforce, any or all of the online communities that it hosts, or both of these.

“Affirmations, Disclaimers, and Signatures.”

Here, the user or member of that social medium – whether or not an employee – should be invited as a condition of use and membership, to clearly acknowledge the fact that any user breaching the usage policy, applicable law, or company rules and regulations is sanctionable up to and including cessation of privileges and termination of employment as applicable; as well as a notification that the employer or forum host reserves the right to proceed against them in a suit at law or in equity to recover any or all of its costs incurred to defend itself in any legal or regulatory matter, or the proceeds of any settlement it paid and legal fees, or its reputation, actually or allegedly emanating from that user or member’s conduct.  All users and members must also affirm that they are of a jurisdictional age to use the social medium in the first place, that they will maintain the confidentiality and control of their accounts and log-on credentials, and where appropriate, that they will not directly breach or permit the breach through third party use of their accounts or credentials, of specific laws of concern to that community.  These may include: obscenity and pornography restrictions; child pornography as a separate and distinct carve-out; terrorist activity; hate crimes; and money-laundering.  Also, in addition to the standard and weighty disclaimers of the site host and/or employer, and somewhere in the entire policy, the employer – if based in the United States or otherwise touched by United States’ law and the National Labor Relations Act (NLRA), should include a guarantee of protected “concerted activity”, such as employee rights to free discussion in social media of their terms and conditions of work, to organize or unionize and discuss such issues, and to bargain collectively through their own chosen representatives, all without fear or threat of termination or other punishment.  
Finally, somewhere in the policy, there should be discussion of what the employer or medium host would like to feel free to do with, to, or through user accounts in the case of a generally-defined or specifically-named (general always gives more leeway), emergency situation.

Summary.

Due to the wide use and ubiquity of social media and the “tri-screen convergence”[1] that it continues to foster, these rules must be carefully crafted to identify and address the specific audience for each rule or each subrule, whether: (i) employees using an employer-hosted or employer-sponsored site; (ii) employees on their own time or during work time, but using other sites; (iii) non-employees using the employer-hosted or employer-sponsored site.  Of course, separate policies may be developed, e.g.: (a) Social Media Policy; (b) Code of Conduct & Confidentiality Policy; (c) Online Community Usage Policy, as appropriate, and intertwined with cross-referencing.  A Data Retention Policy should also be disclosed, as it covers all users, along with a summary of the policy carve-outs or other procedures that might come into play when dealing with internal investigations, discipline and ongoing compliance monitoring, and requests for law enforcement assistance.  A single and all-encompassing policy may also be used with separate sub-headings and carve-outs for these, where inapplicable to a specific audience as here identified.  However, that is a matter of entity-specific choice, and diverse new offerings will challenge established thought leadership on the best or most appropriate way to devise and deliver “any” policy.[2]

In any case, social media policies should be comprehensive, but they need not be unduly convoluted.  Once you have the basics, you can build on it and go as deep as you want to for each sub-element.  Remember, it does not hurt to get advice from legal counsel as the field is fraught with traps, and many areas of law need to be considered and factored-in, to properly blend and balance-out the end-product.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, eCommerce, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in New York, New Jersey, and Washington, D.C.  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Individuals can now use one device to watch a movie (formerly and exclusively done in the theatre or on a television), get news updates (formerly done through the radio, television, or print media), and get in touch with friends and family or businesses and business associates (formerly done through a fixed line at home, in the office, or in a telephone booth).  Now, the TV screen, the computer screen, and the laptop screen, can all be melded into a smartphone that is portable, always on (battery power and novel charging methods allowing), and can translate.

[2] Take for example, “Twitter Amplify”, which allows viewers to engage in the kind of “online” running commentary that would have driven fellow viewers to distraction if delivered verbally and over the dialogue in question as it happened.  In addition, through Twitter’s media partnerships, brand advertisers can also reach out to twitter users who have shown interest in their offerings through tweeting, liking, following, viewing their ads, or otherwise.  See e.g. Tanzina Vega.  Twitter Lets Brands Reach Viewers of Their TV Ads.  Posted on nytimes.com, May 23, 2013.  Online: http://www.nytimes.com/2013/05/24/business/media/twitter-lets-brands-find-viewers-of-their-tv-ads.html?partner=rss&emc=rss&_r=1&goback=.gde_66325_member_243714222&

The story recently broke of an employee (former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed-over for promotions, which led to his resignation in December, 2011; with a final day of work in January, 2012.[1]  According to a Criminal Complaint in the incident as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimate puts a cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or inability to do anything more destructive or wide-ranging due to security impediments.


On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?

There is an ongoing, and sometimes quite intense, debate on whether outside threats or inside threats are greater; but both sides of the debate, and the naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside-the-firewall/outside-the-firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and in planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols, and adherence to them, at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when that makes (for some) access to preferred apps or sites inconvenient or impossible, or slows people down a little.  I call this cubing the B.
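The two offboarding questions above can be answered concretely with a small audit over a credential inventory.  The following Python is an added example and not part of the original post, nor a description of what actually happened at the manufacturer in the case above; the inventory, the user names, and the January 2012 last working day are constructed for illustration.  It answers question 1 (the leaver’s own logins are disabled, every secret the leaver knew is rotated, anything the leaver created in the last 90 days is reviewed as a possible backdoor, and other people’s personal passwords are left alone) and question 2 (several departures merge into a single rotation list):

```python
"""Offboarding audit for a departing privileged user (added example).

The inventory below is constructed for illustration: a handful of accounts
and secrets in a small manufacturing ERP environment.  Field meanings:
  kind        personal | shared | service | key
  owner       the person (or team) the credential belongs to
  created_by  who created the record
  created     creation date
  known_to    users who hold, or could have extracted, the secret
"""
from datetime import date, timedelta

INVENTORY = [
    {"id": "jdoe", "kind": "personal", "owner": "jdoe",
     "created_by": "hr-sync", "created": date(2005, 3, 1), "known_to": {"jdoe"}},
    {"id": "asmith", "kind": "personal", "owner": "asmith",
     "created_by": "hr-sync", "created": date(2009, 6, 15), "known_to": {"asmith"}},
    {"id": "mrp_admin", "kind": "shared", "owner": "it",
     "created_by": "jdoe", "created": date(2006, 1, 10), "known_to": {"jdoe", "asmith"}},
    {"id": "svc_backup", "kind": "service", "owner": "it",
     "created_by": "asmith", "created": date(2010, 2, 2), "known_to": {"asmith"}},
    {"id": "erp_api_key", "kind": "key", "owner": "it",
     "created_by": "jdoe", "created": date(2011, 11, 20), "known_to": {"jdoe"}},
    {"id": "tmp_support", "kind": "personal", "owner": "tmp_support",
     "created_by": "jdoe", "created": date(2011, 12, 28), "known_to": {"jdoe"}},
]

# Assumed last working days; the January 2012 date is a placeholder, not from the case.
SAMPLE_DEPARTURE = {"jdoe": date(2012, 1, 13)}
SAMPLE_TURNOVER = {"jdoe": date(2012, 1, 13), "asmith": date(2012, 3, 1)}


def classify(rec, departing, window_start):
    """Actions one record needs because `departing` is leaving.

    disable: the leaver's own login.
    rotate:  any secret the leaver knew or could have copied (shared admin
             accounts, service passwords, API keys, someone else's account
             whose password the leaver set).
    review:  anything the leaver created shortly before leaving; a fresh
             account or key is a classic backdoor and should be disabled
             until a second person has approved it.
    leave:   other people's personal passwords, which need no mass reset.
    """
    actions = []
    if rec["kind"] == "personal" and rec["owner"] == departing:
        actions.append("disable")
    elif departing in rec["known_to"]:
        actions.append("rotate")
    if (rec["created_by"] == departing and rec["owner"] != departing
            and rec["created"] >= window_start):
        actions.append("review")
    return actions or ["leave"]


def plan_for_departures(inventory, departures, lookback_days=90):
    """Merge the per-leaver actions for several departures (the high-turnover
    case): a shared secret is rotated once however many leavers knew it, and
    a record is left alone only if no leaver touches it."""
    plan = {"disable": set(), "rotate": set(), "review": set(), "leave": set()}
    for rec in inventory:
        actions = set()
        for user, last_day in departures.items():
            window_start = last_day - timedelta(days=lookback_days)
            actions.update(a for a in classify(rec, user, window_start) if a != "leave")
        for action in actions or {"leave"}:
            plan[action].add(rec["id"])
    return {action: sorted(ids) for action, ids in plan.items()}


if __name__ == "__main__":
    for action, ids in plan_for_departures(INVENTORY, SAMPLE_DEPARTURE).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

In a real environment the inventory would be generated from the directory, the password vault, and the ERP’s own user tables rather than typed in.  The “review” set is the one most often missed: an account or key created by a system manager in his last weeks deserves a second pair of eyes before it is allowed to outlive him.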

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: >http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer<

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

In August 2000, the United States Securities and Exchange Commission (the “Commission”) first published Regulation FD (17 C.F.R. § 243.100 et seq.),[1] which reads in pertinent part that:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.[2]  (Emphasis added).

In August 2008, the Commission issued interpretive guidance permitting the above disclosures to be made through company websites,[3] subject to certain caveats and conditions.

Recently, on April 2, 2013, the Commission again took a step to address the advancements of (not so new anymore) media, by allowing publicly-traded companies and other issuers to disclose material nonpublic information through the Facebook and Twitter[4] social networking channels.[5]

“We do not wish to inhibit the content, form, or forum of any such disclosure, and we are mindful of placing additional compliance burdens on issuers.  In fact, we encourage companies to seek out new forms of communication to better connect with shareholders”.[6]

Here now, we have a treble conundrum: (a) what is the order of precedence among the many “forms of communication” or channels now available to issuers for such information releases; (b) which channels will each issuer even use; and (c) will or should there be any distinction in the channels used by any issuer, or any group or industry of issuers, for releases of different types of information?

“We believe that company disclosure should be more readily available to investors in a variety of locations and formats to facilitate investor access to that information. […] A company’s website is an obvious place for investors to find information about the company, and a substantial majority of large public companies already provide access to their Commission filings through their websites”.[7]

It therefore behooves the Commission to now go a little further and mandate that issuers (a) define such an ordering or precedence of channels; (b) state which channels they will use; and (c) address any distinctions in channel use for releases of different types of information.  Such a mandate or guidance would better fit Regulation FD to the times, and accord with the Commission’s ethos on disclosure generally and on social media specifically.

            Currently Available Channels.

In no particular order, I count 22 (“twenty-two”) channels through which issuers can make statements or otherwise regularly or occasionally disseminate information, whether or not material or public.  These are Blogs, Press Releases, Annual Reports, interim Regulatory Filings, Websites, RSS feeds, email alerts, sms/texts, Facebook, YouTube, Twitter, Teleconferences, Webinars, News Conferences, EDGAR, Annual Shareholder Meetings, and Electronic Shareholder Forums.  The foregoing number 17, and the remaining 5 (“five”) channels will be introduced and described in more detail below.

            Suggested Macro-level (group) Ordering.

I would start by organizing these channels into 3 (“three”) groups:

(i) a Static Foundational group (SF) of 4 channels, where information, once placed, is generally there for the duration, and the medium can also serve as a repository for prior releases of information.  The four items here would be the issuer’s main Website (with or without an attached static blog), the issuer’s main Facebook page (whether or not interactive), EDGAR (the publicly accessible United States Securities and Exchange Commission “Electronic Data Gathering, Analysis and Retrieval” system for issuer filings), and the issuer’s Annual Reports (which, once released with their audited financial statements, are seldom amended or re-stated without very good cause);

(ii) a Live Regulated group (LR) of 6 channels, where the speakers are known and often seen, and the format is often interactive.  This includes the Teleconference (such as one with market Analysts), the Webinar, the News Conference (whether strictly for media or for all comers), the Annual Shareholder Meeting, and interactive Electronic Shareholder Forums.  A sixth channel in this group is the interim Regulatory Filing.  Although not interactive, and possessing qualities of the SF group, interim Regulatory Filings can be more easily amended and can be either regular or irregular in their appearance, depending on the specific filer or the industry of the filer.  I place them here because, even though they are non-interactive, they are more “live regulated” than “static foundational”; similarly, Electronic Shareholder Forums are both interactive and virtual, but still highly regulated under applicable Securities Laws;

(iii) a Virtual Responsibility group (VR) of 7+5 channels, where the speaker, author, or poster can be anyone specifically or apparently authorized to speak by or on behalf of the issuer, the audience is not restricted to persons with a direct interest in the issuer or the business of the issuer, and the consequences for material mis-statements or intentionally and misleadingly incomplete disclosures can be broad, international, and damaging in the extreme.  Despite these dangers, the medium is virtual and may potentially “go viral” very quickly, and so self-regulation and corporate responsibility are more the norm.  This group includes Twitter (with a current character limit that cannot possibly accommodate both the message and all necessary and advisable disclaimers), YouTube (where hundreds of thousands, or even millions, of “hits”/“views” can precede adult supervision and removal of the content in question), interactive or standalone blogs, RSS feeds, email alerts, sms/texts, and print or electronic Press Releases.

The five remaining VR channels form an “EVR” sub-category, standing for “Enhanced” or heightened responsibility.  They are “C-suite” outlets, being:

(i) 2 channels in SF-C (personal Facebook pages and personal websites);

(ii) 2 channels in VR-C (personal Twitter accounts, and personal blogs);

(iii) 1 grouped channel in LR-C (book signings, CEO roundtables, economic fora, and outside and often-unscripted and unaccompanied conferences and other speaking engagements).

            Suggested Micro-level (specific) Ordering?

There appears to be good Commission precedent, indeed a preference, for using multiple sites, or ranking multiple channels as “recognized channels of distribution” for the dissemination of information.  As stated in the 2008 interpretive guidance on use of issuer websites:

“[…] where disclosure of information is required under the Exchange Act, we have allowed companies to make such information available to investors on their web sites with their web sites serving, depending on the circumstance, as a supplement to EDGAR, as an alternative to EDGAR, or as a stand-alone method of providing information to investors independent of EDGAR”.[8]

Hence, on one interpretation of this sentence, so long as there is a central or reference site, as a recognized channel, on which the data is publicly posted and accessible, the data can also be posted elsewhere, on other similarly recognized channel(s) “reasonably designed to provide broad, non-exclusionary distribution of the information to the public”.[9]

            REFERENCE SITE (Static Foundational):

For reference sites, I would suggest that co-equality be given to EDGAR, the issuer’s main website, and the issuer’s main Facebook page.  In this way, any or all could be used, deemed, and construed as categorically authoritative: EDGAR, due to the regulatory filings made there; the issuer’s main website, due to its centrality and expected diligent maintenance; and the issuer’s main Facebook page, due to its popularity as a means of 2-way communication with shareholders, customers, and the public at large.  This triple redundancy also covers instances where either or both of EDGAR and the issuer’s main website may be inaccessible due to maintenance or unwanted intrusion, in which event a Facebook alert might be speedily issued and significant information releases in the interim period would rapidly migrate there; with the corollary for the issuer’s main website when both EDGAR and Facebook are unavailable.  That redundancy only holds, of course, if the credentials and staff controlling the fallback channel are separate from those of the channel that was intruded upon.  Issuers will also need to ensure that their Facebook pages are pre-set to be fully open and accessible, including for those page visitors who are not Facebook subscribers, as there are still some people who have yet to sign up, or who were signed up but have now left.

The Commission notes that issuers with large Analyst followings and market capitalizations may need to do little to alert the market to new postings on their websites, which will be rapidly picked up and disseminated by the financial press, but that those issuers with less of a following or market capitalization “may need to take more affirmative steps so that investors and others know that information is or has been posted on the company’s web site and that they should look at the company web site for current information about the company”.[10]  As an example for purposes of this proposal and comment, that might be a blog post, email alert, RSS feed, or tweet (in the VR group) detailing and alerting to the material already posted on that issuer’s main website; or perhaps a teleconference, news conference, or interim regulatory filing (in the LR group) undertaking to post the materials on the issuer’s main website or another Reference Site at or by a set date and time.

In the words of the Commission:

“If the information is important, companies should consider taking additional steps to alert investors and the market to the fact that important information will be posted – for example, prior to such posting, filing or furnishing such information to us or issuing a press release with the information. Adequate advance notice of the particular posting, including the date and time of the anticipated posting and the other steps the company intends to take to provide the information, will help make investors and the market aware of the future posting of information, and will thereby facilitate the broad dissemination of the information”.[11]

            VIRTUAL (Virtual Responsibility, and Enhanced Virtual Responsibility):

It is important to state that blogs were specifically in the contemplation of the Commission when the 2008 guidance was issued, with the Commission opining at note 60 that “[f]or purposes of Regulation FD, a posting on a blog, by or on behalf of the company, would be treated the same as any other posting on a company’s web site. The company would have to consider the factors outlined above to determine if the blog posting could be considered “public””.[12]  A blog may highlight additional data on the Reference Site with appropriate wording, but a tweet will need to be very narrowly tailored as a mere “tombstone” announcement or pointer arrow, in order to avoid attendant liability for omission of material facts in electronic and other disclosures under the antifraud and related provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and their related Rules and Regulations as amended, and other applicable laws.  So long as the URL is correctly referenced by that tweet, there should be no misstatement of material fact.

In addition, the Commission was already considering the use of CEO blogs in that same 2008 guidance, when it wrote: “Company-sponsored “blogs,” which can include CEO blogs and investor relations blogs, among others, are recent additions to company web sites”.[13]  The argument can therefore be made, based on this earlier guidance, that a CEO blog with a large subscription base is analogous to an issuer’s main blog, and that a CEO Facebook page with a similarly large subscriber base is akin to the issuer’s main Facebook page.  Hence, rather than competing, each may be considered and treated as a “recognized channel of distribution” in this VR group.  The Commission did not explicitly state or imply this reasoning, but from a cumulative reading of its guidance and a review of the specific facts of the Netflix Investigation, such an argument, if made today, should certainly have strong merit.

            LIVE (Live Regulated):

As stated earlier, the speakers at a news conference or at an annual shareholders’ meeting are always seen, and very often quite well known to the audience.  So too, the corporate author of an interim regulatory filing is easily discernible, even if the document is filed by accountants, auditors, or legal counsel.  Things can be a little different with electronic shareholder forums, where nobody is seen or heard, but their words are; with teleconferences, where the speaker is a disembodied voice; and with webinars, where audience members may or may not know enough about the presenters to put a name to a face.  However, due to their very public nature and the likelihood that anything or everything said will be rapidly analyzed and acted upon by investors, all of these live instances are tightly regulated when they involve issuers.  There are legal and commonsense limits on: (i) what may be said that is not certain (speculation and inaccuracy); (ii) what may be predicted that is not guaranteed (earnings estimates and guidance, whether qualitative or quantitative); (iii) work or negotiations recently commenced or in progress (contract negotiations that may or may not close, significant milestones projected or reached, and significant contracts or other engagements secured); and (iv) the type and extent of disclaimers that must accompany forward-looking data in general.  Thanks to the open access that members of the public have to EDGAR, interim regulatory filings can also be picked up, analyzed, and acted upon quite rapidly.  As a result, the importance of ensuring that information publications and disseminations in all channels of this group are accompanied by one or more of (a) alerts to their release; or (b) timely publication and dissemination of the same actual information through either or both of the other channel groups (SF or VR), is shown here with the greatest of clarity.

            Channel Disclosure Sequencing:

Now, knowing what is where, let us consider the following relationship matrix for this schema.  Rows give the channel group in which the information is first disclosed; columns give the channel groups in which the alert or follow-up disclosure should then appear (1 = the group of first disclosure; 2= = tied for next).

First Disclosure      SF        LR        VR
SF                     1        2=        2=
LR                    2=         1        2=
VR                    2=        2=         1

Following this sequencing table:

(i) Where information is first disclosed in a Static Foundational (SF) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted, or the original information should be disclosed, in either or both of a Live Regulated (LR) channel and a Virtual Responsibility (VR) channel (including the Enhanced Virtual Responsibility channels in the SF-C, VR-C, and LR-C sub-groups).

(ii) Where information is first disclosed in a Live Regulated (LR) channel, alerts as to this disclosure (whether intentional or unintentional) should be timely posted, or the original information should be disclosed, in either or both of a Static Foundational (SF) channel and a Virtual Responsibility (VR) channel (including the Enhanced Virtual Responsibility channels in the SF-C, VR-C, and LR-C sub-groups).

(iii) Where information is first disclosed in a Virtual Responsibility (VR) channel (whether or not “Enhanced”), alerts as to this disclosure (whether intentional or unintentional) should be timely posted, or the original information should also be disclosed, in either or both of a Static Foundational (SF) channel and a Live Regulated (LR) channel.

Each case must be judged on its own merits, as the Commission so rightly states.  However, with the ability to interlink and cross-post or simul-post on social media accounts, it is not impossible for a Facebook- or blog-happy C-Suite member to simultaneously, or shortly thereafter, tweet a quick link to the posting, which can be caught by and posted on the issuer’s main website, blog, or Facebook page, with or without an added human intermediary, but hopefully with prior clearance of both postings by the IR Director and legal counsel.  However, if a selective (VR tweet) disclosure of material nonpublic information follows a selective (webinar Q&A or other unscripted LR) disclosure of the same, then the third, SF, group (Form 8-K on EDGAR, the issuer’s main website, and the issuer’s main Facebook page) will remain open for a corrective and “public” disclosure within the prescribed time limits, before greater liabilities and penalties can accrue.

“Indeed, one of the key benefits of the Internet is that companies can make information available to investors quickly and in a cost-effective manner”.[14]

It is notable that a number of print media houses are transitioning fully or preferentially to an online format, making the speed at which they can issue story updates (and analyst updates in the financial press), as gleaned from issuer sources and sites, that much faster.  In addition, a tweet or a Facebook update costs practically nothing financially, and the effort involved in the limited character content of the former is negligible.  However, following up on that short message can be quite a challenge at times.  The speed-of-dissemination advantage for the disseminator should not come at the expense of public convenience, or lead to confusion such that investors cannot determine where to look first, or where to look for the most definitive and most frequently and recently updated statement of a relevant situation, or for guidance on an issuer’s financial position.

Channel Usage and Ranking for Disclosures:

“We emphasize for issuers that the steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, non-public information, including the social media channels that may be used and the types of information that may be disclosed through these channels, are critical to the fair and efficient disclosure of information. Without such notice, the investing public would be forced to keep pace with a changing and expanding universe of potential disclosure channels, a virtually impossible task”.[15]

As the Commission has so rightly concluded, in order for this schema to function properly (i.e. to avoid forcing the investing public to spend time scrambling through channels in search of information, while missing opportunities), issuers and non-issuers alike will need to state which of the 22 channels they will regularly use for their material and general disclosures in the three channel categories, in what order those channels might best be consulted, and which types of regulated information will be disseminated on which disclosure channels.  This sounds complicated, but categorizing the universe of potential regulated information, both day-to-day and for special situations, will likely assist.  I would propose just four such non-exhaustive categories of regulated information: (1) Availability of channels; (2) Market financial data; (3) Pending, planned, or public events; and (4) Significant public announcements.  To avoid repetition, these will be defined further in the draft re-stated Regulation FD below.

Collective “hashtags” Rules for these 22 Channels.

In order to work towards steady compliance with the various standards that may be applicable to the making of statements generally, and to information management in particular (always consult legal counsel for your specific situation and jurisdiction), entities, issuers and non-issuers alike, might further consider the “hashtags” rules, which read as follows.

H-ardware and bandwidth considerations, and ERP, should be tailored to such factors as issuer market capitalization, number of shareholders, and the likelihood of an event that might precipitate a spike in web traffic;

A-ccess and acceptance logs (with periodic counts and inventory of linkers, likers, subscribers, followers, and so forth), to show the degree to which a site is accessed by investors, the markets, and the media (all being and remaining subject to the “do not track me”, or “please forget me”, and other such evolving digital rights that may butt against them), may also be desirable to establish and maintain;

S-tructure, Sincerity, and Security, means that the policies and procedures at the issuer should be designed to ensure: (i) Structure: appropriate disclosure controls and procedures should be in place and enforced, and only certain persons should be authorized and trained to release information and represent the issuer online, and monitored and re-trained as needed on an ongoing basis; (ii) Sincerity: facts and figures should not be released unless verifiable or otherwise justifiable, and positions should not be taken that are subject to serious challenge as insincere or in violation of applicable securities or other law; and (iii) Security: significant care should be taken to guard against hacking and spoofing, account hijack, DDoS attack and the like, as well as premature or inappropriate information release, the posting of damaging messages by activists[16] or disgruntled employees purportedly from the issuer, or other lapse or mishap;

“Since all communications made by or on behalf of a company are subject to the antifraud provisions of the federal securities laws, companies should consider taking steps to put into place controls and procedures to monitor statements made by or on behalf of the company on these types of electronic forums”.[17]

H-yperlinks should be: (i) avoided if to information an issuer knew or should have known was materially false or misleading; (ii) otherwise used with linking explanations or rationales, responsibility disclaimers (to the extent a linking issuer wasn’t involved or “entangled” in the preparation of the linked information), and content disclaimers (to the extent a linking issuer does not explicitly or implicitly endorse, approve, or otherwise “adopt” the linked information); and (iii) if possible, preceded by exit notices or standalone intermediate screens before access to linked data offsite;[18]

T-raditional channels and Talking-points, means that the issuer should continue to use traditional channels alongside social media channels, in order to: (i) properly control and coordinate its Public Relations and Investor Relations (PR/IR) functions; (ii) maintain consistency of message, brand, and information release procedures across all channels used; and (iii) retain the capacity and credibility to speedily correct erroneous information released, and to make the necessary subsequent public releases following the intentional or inadvertent release of material nonpublic information.[19]  Failure to maintain use of traditional channels may subject an issuer to allegations of discrimination or lack of notice by those “non-avid” new media users, or those who prefer primary reliance on print and broadcast media for their news and current affairs;

A-lways date-stamp (and where advisable, also time-stamp) new releases, or mark them as “last modified”; and archive older material separately, but in searchable or browsable format, so as to avoid any confusion regarding the precedence of the data and statements contained therein, and to maintain safe harbor protections against re-publication of previously published and posted (historical) materials or statements, absent some “affirmative restatement or reissuance” of the same, which may invoke antifraud legal proscriptions and an affirmative duty to clarify and/or update them;

G-enerate distance, always, from third-party posts and statements in online and interactive fora such as Shareholder fora, especially mis-statements; and always remind other participants that silence does not equate to agreement, consent, or endorsement, and of the forum’s terms of use (which should never precondition usage on participants’ waiver of their securities law protections);

S-ummaries, Propriety, Overviews, and Tombstones, means that each and all of these should be appropriately delineated as such (with titles, added explanatory language and terms, or website placement and display in close proximity to hyperlinks to the underlying material, where appropriate), together with clear directions to readers on where and how to access the underlying information on which they are based.  In addition, the propriety (of content, manner, and timing) should always be vetted prior to release by seeking the advice of counsel, which is an indicium of good faith and best efforts in attempting compliance with Regulation FD; and any other data necessarily disclosed so as to make those summaries not materially misleading, confusing, or incomplete should be disclosed with the release, or timely thereafter with prior notice to expect it, especially (if possible) within the limited character sets of tombstone releases via Twitter.

A Restated Regulation FD, as re-vamped per the above considerations, might well resemble the following markup:

*************************************************

§ 243.100 General rule regarding selective disclosure.

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(k) (formerly § 243.101(e)):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

(b)

(1) Except as provided in paragraph (b)(2) of this section, paragraph (a) of this section shall apply to a disclosure made to any person outside the issuer:

(i) Who is a broker or dealer, or a person associated with a broker or dealer, as those terms are defined in Section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a));

(ii) Who is an investment adviser, as that term is defined in Section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(11)); an institutional investment manager, as that term is defined in Section 13(f)(6)of the Securities Exchange Act of 1934 (15 U.S.C. 78m(f)(6)), that filed a report on Form 13F (17 CFR 249.325) with the Commission for the most recent quarter ended prior to the date of the disclosure; or a person associated with either of the foregoing. For purposes of this paragraph, a “person associated with an investment adviser or institutional investment manager” has the meaning set forth in Section 202(a)(17) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(17)), assuming for these purposes that an institutional investment manager is an investment adviser;

(iii) Who is an investment company, as defined in Section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3), or who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) thereof, or an affiliated person of either of the foregoing. For purposes of this paragraph, “affiliated person” means only those persons described in Section 2(a)(3)(C), (D), (E), and (F) of the Investment Company Act of 1940 (15 U.S.C. 80a-2(a)(3)(C), (D), (E), and (F)), assuming for these purposes that a person who would be an investment company but for Section 3(c)(1) (15 U.S.C. 80a-3(c)(1)) or Section 3(c)(7) (15 U.S.C. 80a-3(c)(7)) of the Investment Company Act of 1940 is an investment company; or

(iv) Who is a holder of the issuer’s securities, under circumstances in which it is reasonably foreseeable that the person will purchase or sell the issuer’s securities on the basis of the information.

(2) Paragraph (a) of this section shall not apply to a disclosure made:

(i) To a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant);

(ii) To a person who expressly agrees to maintain the disclosed information in confidence;

(iii) In connection with a securities offering registered under the Securities Act, other than an offering of the type described in any of Rule 415(a)(1)(i) through (vi) under the Securities Act (§ 230.415(a)(1)(i) through (vi) of this chapter) (except an offering of the type described in Rule 415(a)(1)(i) under the Securities Act (§ 230.415(a)(1)(i) of this chapter) also involving a registered offering, whether or not underwritten, for capital formation purposes for the account of the issuer (unless the issuer’s offering is being registered for the purpose of evading the requirements of this section)), if the disclosure is by any of the following means:

(A) A registration statement filed under the Securities Act, including a prospectus contained therein;

(B) A free writing prospectus used after filing of the registration statement for the offering or a communication falling within the exception to the definition of prospectus contained in clause (a) of section 2(a)(10) of the Securities Act;

(C) Any other Section 10(b) prospectus;

(D) A notice permitted by Rule 135 under the Securities Act (§ 230.135 of this chapter);

(E) A communication permitted by Rule 134 under the Securities Act (§ 230.134 of this chapter); or

(F) An oral communication made in connection with the registered securities offering after filing of the registration statement for the offering under the Securities Act.

[65 FR 51738, Aug. 24, 2000, as amended at 70 FR 44829, Aug. 3, 2005; 74 FR 63865, Dec. 4, 2009; 75 FR 61051, Oct. 4, 2010; 76 FR 71877, Nov. 21, 2011]


§ 243.101 Definitions.

This section defines certain terms as used in Regulation FD (§§ 243.100 – 243.103).

(a) Availability of channels.  “Availability of channels” means, with regard to any or all of the channels identified and defined under this § 243.101 wherein material nonpublic information and general company information may be discussed or disclosed, their status as available to the public for access, attendance, and consultation, along with any restrictions or pre-conditions, or reasons for their non-availability to the extent known and/or prudent, with projected timelines for resumption of availability.


(b) Categories of regulated information.  “Categories of regulated information” as defined under this § 243.101, collectively and individually means, as described herein:

(1) Availability of channels.

(2) Market financial data.

(3) Pending, planned or public events.

(4) Significant public announcements.


(c) Channels.  “Channels”, collectively and individually means:

(1) A static foundational group, including as of or by the entity, a corporate website, a corporate blog, an annual report, and the Commission’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.

(2) A live and regulated group, including as of or by the entity, any teleconference, webinar, news conference, annual shareholder meeting, electronic shareholder forum, or interim regulatory filing including restatements of interim and annual reports, that occurs between annual reports.

(3) A virtual responsibility group, including Twitter, YouTube, blogs, RSS feeds, email alerts, SMS/texts, and print or electronic press releases.

(4) An enhanced virtual responsibility group, including as of or by the entity, any Twitter account, blog, Facebook page, or personal website of a senior official, or so closely identified with a senior official by sufficient members of the public to require its inclusion here, as well as any senior official book signing, roundtable, economic forum, or outside conference or speaking engagement.


Note (channels):

The Commission recognizes and notes that this listing is not exhaustive and remains subject to change with existing and developing technologies and business practices, and company Boards of Directors are encouraged to use their own business judgment in assessing which additional channels they will place in these above categories either as and when they appear or occur or arise, or before they appear or occur or arise.


(d) Channel usage and ranking for disclosures.  “Channel usage and ranking for disclosures” shall mean the listing by an issuer of which of the channels identified herein it shall use for disclosing both general information and categories of regulated information, as well as for making general communications to investors, consumers, the markets and the public.  This listing shall be accompanied by a ranking of where to look first, second, third, and so forth, in issuers’ crafting and maintenance of systems that are reasonably designed to provide broad, non-exclusionary distribution of information to the public.  Such a channel usage and ranking for disclosures will prevent investing and other interested members of the public from having to scramble through multiple channels as defined herein, in search of critical and time-sensitive categories of regulated information that others can more easily find and use to guide their decision-making.


(e) (a) Intentional. A selective disclosure of material nonpublic information is “intentional” when the person making the disclosure either knows, or is reckless in not knowing, that the information he or she is communicating is both material and nonpublic.


(f) (b) Issuer. An “issuer” subject to this regulation is one that has a class of securities registered under Section 12 of the Securities Exchange Act of 1934 (15 U.S.C. 78l), or is required to file reports under Section 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(d)), including any closed-end investment company (as defined in Section 5(a)(2) of the Investment Company Act of 1940) (15 U.S.C. 80a-5(a)(2)), but not including any other investment company or any foreign government or foreign private issuer, as those terms are defined in Rule 405 under the Securities Act (§ 230.405 of this chapter).


(g) Long weekend.  “Long weekend” shall mean a weekend that, due to a fixed or floating celebration or holiday or festive event recognized as a United States federal holiday, is at least 3 (“three”) days in length so as to add a Friday or a Monday or both, and during the full business days or the partial business days of which long weekend any 2 (“two”) of the New York Stock Exchange (NYSE) for all physically-traded securities, the National Association of Securities Dealers Automated Quotation (NASDAQ) system for securities of issuers regulated by the Commission, and the Chicago Board Options Exchange (CBOE) for all trading activities, are closed for business.


(h) Market financial data.  “Market financial data” means any earnings, financial projections and data, any changes to earnings or financial projections and data, any significant or notifiable trades or movements in the securities or instruments of the entity, and any and all regulatory filings with the United States Securities and Exchange Commission (SEC) or other domestic or foreign body of the same or similar competence.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(i) Pending, planned, and public events.  “Pending, planned, and public events” means any meeting of the Board of Directors or Shareholders, any public appearance or speaking engagement of a senior official of the entity as defined under this § 243.101, where material information may be discussed or disclosed (which engagement’s initial notification and the eventual attendance of persons may be conditioned on appropriate security considerations, advisories, and precautions), any real or virtual meeting with Analysts, any teleconference or press conference, any meeting of shareholders, and any other happening, prior to its happening, that the entity wishes to publicize or is required to publicize, subject to appropriate security considerations, advisories, and precautions.  This listing is not exhaustive and company Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(j) (c) Person acting on behalf of an issuer. “Person acting on behalf of an issuer” means any senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser), or any other officer, employee, or agent of an issuer who regularly communicates with any person described in § 243.100(b)(1)(i), (ii), or (iii), or with holders of the issuer’s securities. An officer, director, employee, or agent of an issuer who discloses material nonpublic information in breach of a duty of trust or confidence to the issuer shall not be considered to be acting on behalf of the issuer.


(d) Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.


(k) (e) Public disclosure.

(1) Except as provided in paragraph (e) (k)(3) and paragraph (k)(4) of this section, an issuer shall make the “public disclosure” of information required by § 243.100(a) by furnishing to or filing with the Commission a Form 8-K (17 CFR 249.308) disclosing that information.

(2) An issuer shall be exempt from the requirement to furnish or file a Form 8-K if it instead disseminates the information through another method (or combination of methods) of disclosure in accordance with its channel usage and ranking for disclosures and section (k)(3) or (k)(4), as appropriate, that is reasonably designed to provide broad, non-exclusionary distribution of the information to the public.


Intentional Disclosures.

(3) Where the issuer becomes aware that material non-public information has been intentionally disclosed as defined in § 243.100(a), the issuer shall:

(i) First make the information that was intentionally so disclosed available on a static foundational site:

(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;

(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;

(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;

(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;

(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;

(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;

(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:

(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.

(1.2) the issuer shall make the additional or corrective disclosures;

(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;

(ii) In any and all of (k)(3)(i)(A) through (k)(3)(i)(F) except (k)(3)(i)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.

(iii) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.


Note: (Compliance burden):

With the advent and wide availability of mobile productivity tools and applications, the Commission does not see it as an undue burden for an issuer to be required to post material nonpublic information or any corrective disclosure after the intentional or unintentional release of material nonpublic information, either or both of which may well already be readily available to the senior officer responsible for the corrective disclosure as an email attachment or other portable document, to a given channel after a trading day or over a weekend or Long Weekend.


Non-intentional Disclosures.

(4) Where the issuer becomes aware that there has been a non-intentional disclosure of material non-public information as described in § 243.100(a), the issuer shall:

(i) First alert investors to the non-intentional disclosure on either or both of a live regulated channel and a virtual responsibility channel, along with the anticipated location on a static foundational channel and a timeline for the pending availability of that material nonpublic information or any corrective disclosure on a static foundational channel, within 6 (“six”) hours of the original release on any trading day, and within 12 (“twelve”) hours of the original release on any weekend or Long Weekend;

(ii) The issuer shall thereafter make the information that was unintentionally disclosed, available on a static foundational site:

(A) Within 2 (“two”) hours if the original information was disclosed between 9:00 a.m. and 11:00 a.m. Eastern Standard Time on any trading day;

(B) Within 30 (“thirty”) minutes if the original information was disclosed between 11:00 a.m. and 3:00 p.m. Eastern Standard Time on any trading day;

(C) Within 1 (“one”) hour after the immediate next market opening, if the original information was disclosed between 3:00 p.m. and 6:00 p.m. Eastern Standard Time on any trading day;

(D) Within a reasonable time but not later than 2 (“two”) hours after the immediate next market opening, if the original information was disclosed between 6:00 p.m. and 9:00 a.m. Eastern Standard Time on any sequence of days that includes at least one trading day;

(E) Within the duration of that trading day where a trading day is expanded and more than 2 (“two”) full hours of that expanded trading day remain, or otherwise as under section (C) or (D) as appropriate;

(F) Within 72 (“seventy-two”) hours whether or not that sequence of days includes a trading day, if the original information was disclosed after the markets have closed or outside the preceding available timelines, or otherwise when commencement of the next trading day due to a long weekend or other eventuality is actually or projected to be in excess of 72 (“seventy-two”) hours distant;

(aa) Where an issuer has credible information verifiable by a third party that the intentional release of material nonpublic information has occurred as a result of technological malfeasance or intrusion, purported whistleblower action, activist leak, or criminality and otherwise qualifies under this section, the issuer may invoke this section in its public statements and refrain from the corrective disclosure required under this Regulation FD if it shall within 72 (“seventy-two”) hours of such a release apply to the Commission for a Commission Standalone Determination (CSD), and the Commission shall within an additional 72 (“seventy-two”) hours issue a binding determination with a manner and time for action and compliance, that either:

(1.1) the issuer shall not make the additional or corrective disclosures due to their potential to unduly publicize the workings of a pending internal investigation or law enforcement activity; to disclose a critical vulnerability in the national security or critical infrastructure; to potentially and adversely impact upon the fiscal viability or key activities of an issuer involved in functions of critical infrastructure or national security; or to adversely impinge upon competition or any pending merger, acquisition, or reorganization.

(1.2) the issuer shall make the additional or corrective disclosures;

(1.3) the issuer shall not make the additional or corrective disclosures pending further direction by the Commission on receipt by the Commission sine die of guidance on the issuer’s eligibility under (F)(aa)(1.1), from any or all of the Director of National Intelligence (DNI), or the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), or the Presidency;

(iii) In any and all of (k)(4)(ii)(A) through (k)(4)(ii)(F) except (k)(4)(ii)(F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of that material nonpublic information or a corrective disclosure within 12 (“twelve”) hours of the original release, whether or not the release occurs during a trading day or over a weekend or long weekend.

(iv) In the case of (F)(aa), the issuer shall also disclose on either or both of a live regulated channel and a virtual responsibility channel, notification of the location and the actual availability or pending availability of the notification or other relevant information within 12 (“twelve”) hours before or after its original application for a CSD, and within 2 (“two”) hours after receipt of each subsequent item of guidance or direction from the Commission, whether or not the initial release occurs, or the CSD application or subsequent guidance or direction is received, during a trading day or over a weekend or long weekend.


(f) Senior official. “Senior official” means any director, executive officer (as defined in § 240.3b-7 of this chapter), investor relations or public relations officer, or other person with similar functions.


(l) Senior official.  “Senior official” means, for purposes of this Regulation FD (§§ 243.100 – 243.103) and with regard to an issuer, any member of the board of directors, any executive officer charged with overall administration or operations, any officer in charge of a principal business unit or division or function, including without limitation, contingencies, finance, human resources, information or technology systems, international operations, investor relations, legal affairs, logistics, marketing, public relations, regulatory compliance, sales, or any significant project or initiative or policymaking function, whether styled as a director, or a president or a vice-president, or otherwise, and including other senior officials with the same or similar functions in any subsidiary of the issuer, as well as the issuer and the issuer representative or issuer representatives as the case may be in a business combination or joint venture or consortium or coalition in which the issuer or a subsidiary of the issuer holds an overall voting position or a right to the gross or net receivables in excess of 15% (“fifteen”) percent of the total in any class or sub-class of instrument, whether or not contingent, evidencing a right to such voting position or a right to share in the gross or net receivables of a business combination or joint venture or consortium or coalition.  Any other officer or employee or authorized agent of the issuer who is not a senior official by title or function but who has established what the issuer or a third party may reasonably consider to be a significant following, readership, subscriber base or like status in the social or professional milieu, whether through or as a demonstrably recognized channel of distribution for matters of or relating to the issuer, shall also be considered and treated by the issuer as a senior official for purposes of this Regulation FD.


(m) (g) Securities offering. For purposes of § 243.100(b)(2)(iv) [iii – Dodd Frank, 10.4.2010].

(1) Underwritten offerings. A securities offering that is underwritten commences when the issuer reaches an understanding with the broker-dealer that is to act as managing underwriter and continues until the later of the end of the period during which a dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated);

(2) Non-underwritten offerings. A securities offering that is not underwritten:

(i) If covered by Rule 415(a)(1)(x) (§ 230.415(a)(1)(x) of this chapter), commences when the issuer makes its first bona fide offer in a takedown of securities and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities in that takedown (unless the takedown is sooner terminated);

(ii) If a business combination as defined in Rule 165(f)(1) (§ 230.165(f)(1) of this chapter), commences when the first public announcement of the transaction is made and continues until the completion of the vote or the expiration of the tender offer, as applicable (unless the transaction is sooner terminated);

(iii) If an offering other than those specified in paragraphs (a) and (b) of this section, commences when the issuer files a registration statement and continues until the later of the end of the period during which each dealer must deliver a prospectus or the sale of the securities (unless the offering is sooner terminated).


(n) Significant public announcement.  “Significant public announcement” means any announcement or notification to the public that could be reasonably considered to impact the market in share price or trading volume of the securities of the issuer or otherwise impact upon the decision of any person or entity to invest or not invest in the issuer, including if internal to the issuer or an affiliate of the issuer any environmental events, legal and regulatory actions, investigations, incidents involving internal controls, or cyber incidents, and if external to the issuer and its affiliates but that the Board of Directors reasonably determines may have an impact in the chain of supply or the markets of the issuer or on the operations of the issuer, then any of the above events of any other entity or party or group or affiliation of entities or parties in any combination, in any place or jurisdiction, including any political event or events.  This listing is not exhaustive and Boards of Directors are encouraged to use their own business judgment in assessing which additional events and elements they will place in this category either as and when they appear or occur or arise, or before they appear or occur or arise.


(o) Trading day.  “Trading day” is defined as running from 9:30 a.m. to 4:00 p.m. Eastern Standard Time from Monday through and including Friday, in accordance with the regular business hours of the physical New York Stock Exchange (NYSE) in New York City, United States of America.  Any earlier cessation of trading on a trading day or any curtailment or expansion of a trading day whether planned or unplanned, shall be treated for purposes of this Regulation FD, as provided in this Regulation FD (§§ 243.100 – 243.103).


§ 243.102 No effect on antifraud liability.

No failure to make a public disclosure required solely by § 243.100 shall be deemed to be a violation of Rule 10b-5 (17 CFR 240.10b-5) under the Securities Exchange Act.


********************************************

Possible Approaches for Issuers and Non-issuers, alike.

Whether or not utilizing the above-presented schema and/or channel ordering, it would be prudent for issuers and non-issuers alike, to adopt some sort of channel usage and ranking for their disclosures, and post the same to standalone hard links or prominently within the legal & disclaimers sections of their Static Foundational channels (website, Facebook, filings).


“We have since encouraged ‘honest, carefully considered attempts to comply with Regulation FD’.”  (Securities and Exchange Commission in Release No. 34-69279 of April 2, 2013, at page 2,[20] citing to Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc., Release No. 34-46898 (Nov. 25, 2002)).[21]


Adopting the spirit of the foregoing (whether or not it becomes law) may become one such honest and carefully considered attempt to comply with Regulation FD, in which investors and members of the general public can see the sequence of channels through which the most accurate, relevant, and timely words of an issuer or any other company might be disseminated, and consult these in order of precedence to determine the most current state of affairs.  Such an approach may assist in limiting certain liabilities for companies as they provide alerts to, release to, materially disclose to, update, and otherwise educate investors, market intermediaries, customers, and the public.  This will help stabilize markets at volatile times and grow Regulation FD compliance by ensuring that no investor is unduly favored or unfairly disadvantaged in accessing “material nonpublic information” from or about a company, whether or not it is an “Issuer”.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, public finance and state Blue Sky laws, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com


He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com


Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).


Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] General Rule Regarding Selective Disclosure, also known as “Regulation FD” (Fair Disclosure).

[2] Id.

[3] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance).  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[4] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  Release No. 34-69279 / April 2, 2013.  Online: http://www.sec.gov/litigation/investreport/34-69279.pdf

[5] Id. at 1, 4. This journey began when, on July 3, 2012, Reed Hastings, the Netflix CEO, posted the following on his personal Facebook page just before 11:00 a.m., Eastern time:

Congrats to Ted Sarandos, and his amazing content licensing team.  Netflix monthly viewing exceeded 1 billion hours for the first time ever in June.  When House of Cards and Arrested Development debut, we’ll blow these records away.  Keep going, Ted, we need even more!

As (i) Netflix had not previously advised shareholders that the CEO’s Facebook page would be used to make such announcements; because (ii) the CEO had not used his personal Facebook page to make such company-related announcements in the past; and (iii) as the Facebook announcement was neither accompanied by nor shortly thereafter followed by any Press Release, any announcement on the main Netflix Facebook page or website, or any interim Regulatory Filing (e.g. Form 8-K, which is an omnibus interim Regulatory Filing format), the Commission took issue and commenced an investigation.  Of note, the share price stood at $70.45 at the time of posting, and the markets closed 2 hours later at 1:00 p.m. for the 4th of July holiday.  Even though Reed Hastings had 200,000+ subscribers to his personal Facebook page at the time (including shareholders, analysts, bloggers, and reporters), the posted message only diffused slowly through regular and online social channels.  Despite this, the Netflix share price had still risen to $81.72 at the close of the first trading day after the July 4th holiday break.

[6] Id. at 5.

[7] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance), at 8-9.  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[8] Id. at 12.

[9] Id. at 25.

[10] Id. at 21.

[11] Id. at 23.

[12] Id. at 26.

[13] United States Securities and Exchange Commission.  Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (Aug. 7, 2008) (2008 Guidance), at 41.  Online: http://www.sec.gov/rules/interp/2008/34-58288.pdf

[14] Id. at 6.

[15] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings.  Release No. 34-69279 / April 2, 2013, at 7.  Online: http://www.sec.gov/litigation/investreport/34-69279.pdf

[16] See e.g. CBC News.  Fake White House bomb report causes brief stock market panic: Associated Press Twitter account hacked.  Posted (and occurring) on April 23, 2013.  Online: http://www.cbc.ca/news/business/story/2013/04/23/business-ap-twitter.html

[17] Supra note 13 at 40-41.

[18] Id. at 32.

[19] See generally In the Matter of Secure Computing Corporation and John McNulty, Release No. 34-46895 / November 25, 2002.  Online: >http://www.sec.gov/litigation/admin/34-46895.htm< ; Litigation Release No. 17860 (Securities and Exchange Commission v. Siebel Systems, Inc. (Civil Action No. 1:02-CV02330 (JDB)).  Online: >http://www.sec.gov/litigation/complaints/comp17860.htm< ; In the Matter of Siebel Systems, Inc., Release No. 34-46896 / November 25, 2002.  Online: > http://www.sec.gov/litigation/admin/34-46896.htm< ; In the Matter of Raytheon Company and Franklyn A. Caine, Release No. 34-46897 / November 25, 2002.  Online: > http://www.sec.gov/litigation/admin/34-46897.htm<

[20] See Supra note 15.

[21] United States Securities and Exchange Commission.  Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Motorola, Inc.  Release No. 34-46898 / November 25, 2002.  Online: >http://www.sec.gov/litigation/investreport/34-46898.htm<

I would say there are essentially 7 (“seven”) stages in this trajectory, being:

(i) SaaP;

(ii) SaaS;

(iii) SaaR;

(iv) S3aUR;

(v) PCSS;

(vi) SaEE/SaEA;

(vii) PC3S.

Kindly allow me to explain.

SaaP – Software as a Product:

(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.

SaaS – Software as a Service:

(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value was added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.

SaaR – Software as a Right:

(iii) Although many don't quite see it (because Stage 4 is already taking the limelight ahead of its time), Stage 3 is when we start to see Software as a Right (SaaR).  Software is becoming a right because cost-cutting has led several European and North American governments to cut funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with, and sometimes without, first putting them through the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications), and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) move online, software becomes a right, to the extent that people need it for access to these essentials of daily living.

S3aUR – Software and Systemic Security at Undue Risk:

(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk across multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and plain bad design, mismatched configuration, or absent/inactive management.  There are also climatic and other intervening “exigent events”.  However, the argument will always be made that these (climate change included) were predictable, and could therefore have been better planned for and their effects controlled.

PCSS – Persistent Cloud Security Systems:

(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how best to structure,[4] roll out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in, so as to work consistently and predictably under common rules or principles to drill down on, rein in, and prosecute actors in the underbelly of the Deep Web.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4's insecurity tsunami.

SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation:

(vi) Of course, being a non-Wizard, I cannot say precisely what term will be used.  It is possible, just as is currently the case with the Stage 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether pulled down by the client or pushed out from the update source, will eventually fall too far behind the developing threats and vulnerabilities.  At that point, one or more governments may “force” this Stage 6.

There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.

Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.

As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.

PC3S – Pure Collectivized Communications Culture System:

(vii) Then, once everyone who counts or wants to count is wired-up (or at least, all who want to be able to eat & drink, fully & freely exercise inalienable rights, or buy & sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay-as-you-go system with monthly user fees and transaction levies (ePayment only, in a cashless society, with interest-bearing pay-day loans preferred so as to keep everyone happily hard at work for their own self-serving purposes) that by definition includes all but the “obvious terrorists”), we will have that Stage 7, in a Pure Collectivized Communications Culture System.  If software becomes embedded to get around hacking, then who is to say that a person's brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders) will resist the temptation to hack someone's brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20th and 21st Century books and movies may quickly come to mind.[6]

SUMMARY:

Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in the above 7 that have already taken place, or that are …. “something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor”!  It is said that to be forewarned is to be forearmed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] See e.g. Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published on ogalaws.wordpress.com, January 17, 2013.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[2] See Adam Edelman/New York Daily News.  Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: >http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372<  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting business that will take all-comers, “except child porn and anything related to terrorism”), and The Spamhaus Project (a non-profit centred in London and Geneva, but with operating nodes in ten nations, that “works to help email providers filter out spam”), has led to the largest DDoS in history, with an attack magnitude of 300 billion bits per second (300 Gbps), when 50 billion bits per second would suffice to bring down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack” just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators.  Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  See Infra, note 5.  See also The Spamhaus Project homepage.  Online: >http://www.spamhaus.org/organization/<; The Cyberbunker Data Centers homepage.  Online: >http://www.cyberbunker.com< (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article posted).

[3] See e.g.  Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online:> https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[4] See e.g. Mikael Ricknäs, IDG News Service.  AWS takes aim at security conscious enterprises with new appliance.  Published on itworld.com, March 27, 2013.  Online: >http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359<  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage the cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  Segregation-of-duties (SoD) best practices are thus clearly translated into the cloudsphere.

[5] See Gil David.  The Dark Side of the Internet.  Published on israeldefence.com, December 1, 2012.  Online: >http://www.israeldefense.com/?CategoryID=483&ArticleID=1756<  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “Internet of Things” to come.

[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society as machines did so much, that people would have more time on their hands to relax and actually enjoy life.  Now, the “massively unemployed, migrating mass populations” in almost all geographic zones and nations, mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union –or with one or more of its “pending former” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.

Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors right here in North America might be the greatest danger and the weakest link in the chain.  The story recently surfaced of a man who had outsourced his software development work, at several different employers, to offshore developers in China.[3]  He provided them with all his access codes and scripts, and was basically absent at work.  For how long he did this, how much additional data those sub-contractors were able to access and potentially download from those employers, and who they were … we may never fully know!


As I have stated at length,[4] you need to take a comprehensive approach to Cybersecurity that also watches the employees and contractors at your back, while you are watching the outsiders in front of you.  If you scan only the 180 degrees left to right, and the 180 degrees top to bottom, in front of you, you are missing an iceberg of exactly the same size at your back.  You must engage in strict Segregation of Duties, initial background checks, data logs and audit trails, constant network monitoring, and other actions.


Apparently, only one of his employers noticed a problem, and sought (outsourced) a deeper look.  Even then, why did it take so long for them to discover that (i) the credentials assigned to a U.S.-based worker (ii) were being used in a VPN session that was open almost non-stop, day after day, (iii) from a country the worker was not noted to have traveled to?  There needs to be more of a focus on internal security, employee access logging (where and when, for how long, and how frequently), and real-time system access audits.
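The checks the two paragraphs above call for (who holds the credential, where and when it is used, for how long and how often, and whether the person is physically on site at the same time) can be run mechanically over the logs most shops already keep.  The following is an added example, not code from the original post or from the Verizon write-up it cites; the VPN log format, the door-badge log format, the field names, the sample entries and the HR lookup are all constructed here for illustration.

```python
# Added example (not from the original post or the Verizon write-up it cites): the
# access checks the text calls for, run over a constructed VPN log and door-badge
# log. Log formats, field names and the HR lookup below are assumptions.
from datetime import datetime, timedelta

# Constructed VPN concentrator log: time user src_ip geo_country event
VPN_LOG = """\
2012-05-14T09:03:11Z bob 203.0.113.77 CN connect
2012-05-14T18:47:02Z bob 203.0.113.77 CN disconnect
2012-05-14T10:15:00Z alice 198.51.100.9 US connect
2012-05-14T11:05:33Z alice 198.51.100.9 US disconnect
2012-05-15T08:58:40Z bob 203.0.113.77 CN connect
2012-05-15T19:12:05Z bob 203.0.113.77 CN disconnect
2012-05-15T20:00:00Z deploy-tmp 203.0.113.78 CN connect
2012-05-16T02:30:00Z carol 192.0.2.44 US connect
2012-05-16T03:10:00Z carol 192.0.2.44 US disconnect
"""
# Constructed door-badge log: time user site event
BADGE_LOG = """\
2012-05-14T08:51:20Z bob HQ-US entry
2012-05-14T17:30:04Z bob HQ-US exit
2012-05-15T08:49:00Z bob HQ-US entry
2012-05-15T17:41:12Z bob HQ-US exit
"""
# Constructed HR lookup: home country and working window (UTC hours, for simplicity)
EMPLOYEES = {
    "bob":   {"country": "US", "work_start": 8, "work_end": 18},
    "alice": {"country": "US", "work_start": 8, "work_end": 18},
    "carol": {"country": "US", "work_start": 8, "work_end": 18},
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_sessions(vpn_text):
    """Pair connect/disconnect events per user; a connect with no disconnect is
    treated as still open at the last timestamp in the log."""
    open_sessions, sessions, last_seen = {}, [], None
    for line in vpn_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, event = line.split()
        when = _ts(ts)
        last_seen = when if last_seen is None else max(last_seen, when)
        if event == "connect":
            open_sessions[user] = (when, ip, country)
        elif event == "disconnect" and user in open_sessions:
            start, ip0, c0 = open_sessions.pop(user)
            sessions.append({"user": user, "start": start, "end": when, "ip": ip0, "country": c0})
    for user, (start, ip, country) in open_sessions.items():
        sessions.append({"user": user, "start": start, "end": last_seen, "ip": ip, "country": country})
    return sessions

def parse_presence(badge_text):
    """Pair badge entry/exit events per user into on-site intervals."""
    open_entries, intervals = {}, []
    for line in badge_text.splitlines():
        if not line.strip():
            continue
        ts, user, site, event = line.split()
        when = _ts(ts)
        if event == "entry":
            open_entries[user] = (when, site)
        elif event == "exit" and user in open_entries:
            start, site0 = open_entries.pop(user)
            intervals.append({"user": user, "site": site0, "start": start, "end": when})
    return intervals

def _overlaps(a, b):
    return a["start"] < b["end"] and b["start"] < a["end"]

def detect(vpn_text, badge_text, employees, max_hours=8):
    """Return (user, rule, session_start) findings: who holds the credential,
    where the session comes from, when it starts, how long it lasts, and whether
    the same person was badged in on site while 'remote' from abroad."""
    findings, presence = [], parse_presence(badge_text)
    for s in parse_sessions(vpn_text):
        emp, tag = employees.get(s["user"]), s["start"].isoformat()
        if emp is None:                      # credential not bound to a known person
            findings.append((s["user"], "unknown_user", tag))
            continue
        if s["country"] != emp["country"]:   # source geography vs. home country
            findings.append((s["user"], "geo_mismatch", tag))
            if any(p["user"] == s["user"] and _overlaps(s, p) for p in presence):
                findings.append((s["user"], "remote_while_badged_in", tag))
        if not (emp["work_start"] <= s["start"].hour < emp["work_end"]):
            findings.append((s["user"], "off_hours", tag))
        if s["end"] - s["start"] > timedelta(hours=max_hours):
            findings.append((s["user"], "long_session", tag))
    return findings

def summarize(findings):
    """Per-user counts by rule: the 'how frequently' the text asks for."""
    out = {}
    for user, rule, _ in findings:
        per_user = out.setdefault(user, {})
        per_user[rule] = per_user.get(rule, 0) + 1
    return out

if __name__ == "__main__":
    for user, rule, when in detect(VPN_LOG, BADGE_LOG, EMPLOYEES):
        print(f"{when} {user:10} {rule}")
    print(summarize(detect(VPN_LOG, BADGE_LOG, EMPLOYEES)))
```

On the constructed data, the user "bob" is flagged on both days for a foreign-sourced session, for a session longer than a working day, and for being badged in at the home office while that foreign session was open; "carol" is flagged only for an off-hours start; the "deploy-tmp" credential is flagged because it maps to no person in HR.  The badge-overlap rule is the cheapest of the four to act on, since it needs no travel records and no user behaviour baseline: a person cannot be at a desk in one country and a VPN endpoint in another at the same moment.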


Clearly, it seems that some U.S. employers are still far from having a serious approach to Cybersecurity.[5]

******************************************************************************




[1] Mark Clayton, Staff writer.  Cyber security in 2013: How vulnerable to attack is US now?  Published on csmonitor.com, January 9, 2013.  Online: >http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video<

[2] Ed Beeson/The Star-Ledger.  N.J. businesses should brace for higher cyber security costs, complexity, experts warn.  Published on nj.com, January 15, 2013.  Online: >http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html<

[3] Claire Gordon.  Man Reportedly Outsources His Own Job To China — Then Spends His Time Watching Cat Videos.  Published on jobs.aol.com, January 16, 2013.  Online: >http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/<

[4] Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on ogalaws.wordpress.com, December 9, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[5] More details about the May, 2012 discovery of that employee are available here.  See Andrew Valentine.  Case Study: Pro-active Log Review Might Be A Good Idea.  Published on verizonbusiness.com, January 14th, 2013.  Online: >http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659<
