Tuesday, April 22, 2014

HOW NOT TO MANAGE YOUR SOCIAL MEDIA ACCOUNTS

I read with a mixture of humor and sadness about the teen in Florida who lost her father’s age discrimination settlement when she posted on Facebook that her father’s former employer would be paying for her vacation in Europe, thereby violating a strict nondisclosure stipulation in the settlement agreement.  I would guess that family dinners in that house were pretty strained for a while.

A funnier story is that of a Pennsylvania man wanted for assault who shared his picture on Facebook – obtained from the police department’s website only moments after it was posted – which he accompanied by “LOL” (“laugh out loud” for any Luddites reading this) and other comments mostly consisting of deleted expletives.  The police immediately noticed the re-posting, contacted him posing as a woman, and arranged to meet him for a cigarette.  After hiding from the police for three months, the man engineered his own arrest within one hour after his gleeful use of Facebook.

There are hundreds of these stories.  Although amusing, I can’t help but wonder what on earth these people are thinking.  Or more accurately, are they thinking at all?  But while these are obvious blunders, what about the more subtle disclosures that the average person makes every day?  “I started my new job today at ABC.  Thankfully I have only a 10 minute commute.”   “City opened a great new dog park right next to my apartment.  Great for that after work outing.”  “Have to be in Dubuque again next week – only flight that gets me there for Monday meeting leaves Sunday at noon.”

Bits of information like this are communicated all the time, and seem innocent enough. But put them together with your professional bio on LinkedIn, photos of your house and dog on Instagram, cookies showing your shopping history…well, you get the picture.  And so can others.  

Among other things, the massive amount of data that we voluntarily disclose has enabled cybercriminals to refine their phishing scams.  The once popular generic mass emails from the Nigerian prince or Swedish lottery have given way to the personal email from a bank, credit card company or neighbor.  Using the personal information that is freely available, “spear phishers” are able to target individuals or shared-interest groups with personalized communications in an attempt to gain access to really valuable personal information, such as passwords, credit card numbers or even social security numbers.  

If you’re curious about your own vulnerability, do a simple Google® search of your name and look at the “images” item that will show up near the top of the search results.  I’m not a big social media user, so I found mostly a bunch of trademarks (I’m listed as the attorney of record in the publicly available records of the United States Patent and Trademark Office), sketches of fellow entreVIEW bloggers, photos of others at Gray Plant Mooty, and a bunch of things that mean nothing to me.  There was also a picture of my mother (maybe from her obituary?) and a vacation picture of some friends that I simply cannot figure out how it was connected with me.  Even with this limited information, someone could put a pretty good profile together for emails that might look legitimate to me.

So, think before you post, don’t “friend” anyone you don’t really know, never give up a password, and study that email address and message before you click on the hyperlink.  Or just don’t click on the link at all. 

Is it only a matter of time before we have Darwin Awards for social media postings, or is it something that already exists and I’ve just missed it?

Wednesday, April 16, 2014

FTC STILL IN CHARGE OF PRIVACY ENFORCEMENT: TEN LESSONS FROM WYNDHAM

The Federal Trade Commission (FTC) is the most active and aggressive federal government agency to investigate and enforce data privacy and security laws against businesses. Section 5 of the FTC Act empowers the agency to bring enforcement actions against businesses for unfair or deceptive trade practices. Thanks to Section 5, the FTC has already brought over 50 data privacy and security actions against businesses that have resulted in settlements and consent decrees.

So it came as some surprise that, when the FTC filed suit against the Wyndham hotel franchisor following a data security breach initiated by hackers from Russia, Wyndham was not anxious to settle the case. Instead, Wyndham challenged the FTC’s basic authority to assert an unfairness claim against a business based upon data security practices and brought a motion to dismiss the claim. A ruling in favor of Wyndham would have sent shockwaves through the privacy world and stymied FTC actions going forward. This, however, was not to be.

On April 7, Judge Esther Salas denied Wyndham’s motion to dismiss and affirmed the FTC’s authority to initiate and enforce such actions relating to data privacy and security. The case will now proceed to determine Wyndham’s potential liability, unless Wyndham folds and settles.

TOP TEN LESSONS LEARNED FROM THIS FIRST ROUND IN WYNDHAM:

1. Review website privacy policies and terms of use and make sure they are accurate and consistent. Judge Salas was not persuaded by Wyndham’s argument that its privacy policy expressly disclaimed responsibility for the security of customer data collected by its franchisees, and applied only “to the extent we control the Information.” Wyndham cited language in its privacy policy that “expressly disclaims making any representations about the security of payment-card data collected by the Wyndham-branded hotels.” The court however pointed out other language in the same Wyndham privacy policy that emphasized the “importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests” and stated that it “applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities.” The court found that a reasonable customer might have understood the policy to cover data security practices at both company-owned and franchised hotels to the extent Wyndham controls the information. 

2. Perform a data privacy and security compliance audit.  Perform an audit as necessary to determine what policies, procedures, and practices are in place at your business relative to the collection, use, and sharing of personal information.  What federal, state, and international laws apply?  Are your policies and procedures appropriate and do they follow best practices?  Consider both administrative and technical safeguards.

3. Include privacy concerns in all vendor agreements.  Data privacy and security issues should be covered in all vendor agreements and not just those that are related to computer software and related technology.  The recent Target data breach was the result of an HVAC vendor’s lax protection of its password credentials, which ultimately allowed the unauthorized access to the Target point of sale system. 

4. Make sure you have a data breach response plan in place.   Do not wait until you have a data breach to have an action plan in place. Appoint a person or team responsible for handling any data breach and have in place a process for dealing with breaches. Legal counsel, upper management, IT, public relations, and employees must all be included in the plan and process.

5. Provide ongoing and appropriate training. Data privacy and security can be easily compromised by lax employees who are not sufficiently trained in the data privacy and security policies and procedures of a business. Through inappropriate activities employees may inadvertently allow for unauthorized access. Training of both employees and management is essential to assure compliance with data privacy and security policies and laws and to mitigate risks of a data breach.

6. Consider available insurance. New forms of cyber insurance are available to mitigate risk of a data breach but should be scrutinized for value and coverage. 

7. Learn from past FTC consent decrees and settlements. While consent decrees and settlements are supposed to be limited to the specific facts and circumstances, there are clearly best practices that can be discerned from these actions, and they also highlight activities that should be avoided. In the absence of any specific FTC rules or regulations that set forth reasonable data security practices, a business is almost forced to consider the inadequate data security practices cited in the FTC’s enforcement actions. For more on this, see this recent article by Daniel J. Solove and Woodrow Hartzog.

8. Franchisor Liability.  Of particular interest to the franchise community was the court’s finding that Wyndham, as a franchisor, was potentially liable.  The court rejected Wyndham’s contention that “as a matter of law, it [Wyndham] is necessarily a separate entity from Wyndham-branded hotels,” such that each maintain their own computer networks and engage in separate data collection practices. Franchisors should review their relationship with franchisees relative to network access, connectivity, and control of information.

9. Judge Salas’ April 7 decision is not the final round. This decision was reached by a single federal district court judge and it only denied a motion to dismiss the FTC’s complaint. The FTC’s authority could still be challenged in other district courts or appealed. More importantly, as the district court itself noted, “a liability determination is for another day.” For this reason, “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.”

10. Stay tuned for possible federal legislation. In light of the NSA/Snowden affair and the Target data breach, we may finally see some action in terms of federal data privacy and security law. There has been a flurry of activity in Congress, and several legislative proposals are being considered relative to data privacy and security. Five bills have been introduced that would set nationwide standards for data security and breach notification. These bills would pre-empt the patchwork of state laws that currently exist. One of these bills may even become law before the Wyndham case is finally resolved.

Thursday, April 10, 2014

Minnesota Cup Begins 10th Season

As a friendly notice to all of our aspiring entrepreneur readers, the Minnesota Cup recently kicked off its tenth season. If you don’t know, the Minnesota Cup is a statewide business plan competition for entrepreneurs and small business owners. Gray Plant Mooty has been a long-time sponsor of the Minnesota Cup (and the high tech division). We have posted about the competition many times over the past few years, including here, here and here.

The Minnesota Cup added a new division to its format this year (food/beverage/agriculture) to go along with the other six division categories from last year – energy/clean tech/water, general, high tech, life science/health IT, social and student. Each division will produce one winner, who then will compete for the overall grand prize awarded on September 10th (hopefully after a nice warm summer to reward us all for the Polar Vortexes we endured this winter). Each division finalist and runner-up will be awarded cash prizes, and the grand prize winner will receive $50,000 in seed money. You can visit the Minnesota Cup's website for additional details and information about the competition.

In addition to the prize money awarded to winners of the competition, there are many good reasons for entering the Minnesota Cup. 

Participants will have access to several programs throughout the year regarding various areas of business development (marketing, raising capital, accounting, legal, etc.).  

There are many good opportunities in the program to network with other entrepreneurs and those who serve the entrepreneurial community (investors, advisors, lawyers, accountants, etc.).  

Semi-finalists are also assigned mentors who can help with the development of their business plan. Just participating in the Minnesota Cup will create great impetus for you to refine your business plan and move to the next phase of development.

The fact that finalists from the last 5 years have raised nearly $75 million in financing is one measure of the impact that the Minnesota Cup has had on its participants. 

Best of luck to this year’s participants, especially those who are regular readers of entreVIEW!

Tuesday, April 8, 2014

What: Julie Zauzmer, Conning Harvard: Adam Wheeler, the Con Artist Who Faked His Way into the Ivy League (Guilford, Connecticut: Lyons Press, 2012)

Why: A fascinating cautionary tale of overweening ambition that trumps honesty and fair play.
  
Full disclosure: Although for a while I was in the running, I ultimately failed to gain admission to the Harvard class of ’79, and so in the back of my mind there’s always been the nagging question of what more I could have done to push my application across the finish line at the Neon H. I ended up at what by anyone’s standards are good schools (Carleton College, Stanford Law School and Oxford University), so it isn’t a case of wondering what went wrong with my life, but what was it about me that Harvard didn’t like?

Fast forward almost 40 years.  I’m browsing in the library stacks on a Saturday afternoon and Conning Harvard catches my eye. I flip the book open and read the first sentence: “It is hard to get into Harvard nowadays.”  This appeals to my acquired English sense of understatement. I check the book out. It turns out to be a fascinating story.

A 20th-century fascist dictator (think mustache) once said, “If you tell a big enough lie and tell it frequently enough, it will be believed.” The subject of Conning Harvard, a kid named Adam Wheeler, really took this to heart. A public school kid from Delaware, he initially focuses on venerable Bowdoin College in Maine, which does not require SAT scores for admission. He acquires a copy of a compilation of successful college application essays, and, instead of using them as inspiration for his own essay, simply lifts an entire essay, changing a few details here and there. Presto! Next stop Bowdoin!

The technique worked so well in gaining admission that he starts to plagiarize, not always well or skillfully, other people’s work in his classes. Sooner or later a professor gets suspicious, but by that time Wheeler has successfully transferred to Harvard as a result of an application that contains fake recommendations, altered transcripts, and plagiarized essays. His cheating escalates, and he wins prestigious awards based on the superior but little-known work of others.  Finally, on the cusp of obtaining Harvard’s endorsement for the Rhodes Scholarship, everything unravels (and even then, he is in the process of transferring to Stanford). At the end of the book, Wheeler has been prosecuted for defrauding Harvard, and has just violated the terms of his parole by submitting another doctored resume for—of all things—an unpaid internship.

This is clearly a smart, resourceful kid. Unfortunately, we are left with no clue as to what motivated him, but by the end the wheels have definitely come off. In any event, his story presents a cautionary tale for those who aim for big things but are unwilling to pay their dues or play by the rules. Is it so difficult to imagine this guy as a midlevel executive at Enron, or the founder of a technology company hell-bent on exiting at the top? 

Wednesday, April 2, 2014

Lessons Entrepreneurs Can Learn From Comedians

I haven’t gone to a comedy club in at least five years, but that changed this past weekend. I went to the Acme Comedy Club in the North Loop and over the course of 90 minutes watched four different comedians perform. 

As I was thinking about what I should write about for this blog post, it came to me: What can entrepreneurs learn from comedians? As one of the comedians noted, most people’s greatest fear is public speaking—and what do comedians do for a living? They speak in front of a group of strangers, and even worse, they try to make them laugh. Some would rather walk barefoot on hot burning coal, eat a live millipede, or sky dive before they would speak in front of a group of strangers. So, there must be something we (entrepreneurs) can learn from comedians…right?

Here are a few lessons entrepreneurs can learn from comedians:

1. Be bold. Comedians must go big or go home. They must own their jokes and deliver them without hesitation. Entrepreneurs must be the same way about their businesses. Live and breathe your business. If you don’t believe and put everything you have into your business, no one else will.

2. Practice your pitch. Comedians practice their jokes several times over. They practice delivering them in front of friends, other comedians, and audiences until they have perfected the timing, tone, and delivery of the joke. It’s important for entrepreneurs to perfect their pitch as well. Deliver your story in a simple and confident manner. Know the ins and outs of your company and be prepared to answer any question.

3. If something doesn’t go over well, acknowledge it and move on. If a joke doesn’t go over well, comedians acknowledge that fact to the crowd (avoiding the awkward silence in the room) and move on to another joke. Similarly, if a product or service isn’t received well in the market, identify the issue and fix it. There’s no benefit to you or your investors denying its existence. 

4. When something does go well, milk it for all it’s worth. You may not think that catheters are a humorous topic, but one comedian I saw last weekend literally spent over ten minutes on catheter jokes. The first couple of catheter jokes were a hit with the audience and he just kept going, until he ran out of catheter-related jokes. As an entrepreneur, if your product or service takes off, figure out how you can capitalize on that success.

5. Be thankful. After performing, comedians always thank the audience. Similarly, entrepreneurs must value their customers. If you don’t have customers, you don’t have a business. Listen to and appreciate the people that keep your business alive.

Wednesday, March 26, 2014

Details on Amendments to the Minnesota Angel Tax Credit

Regular readers of entreVIEW are no doubt aware that the Minnesota Angel Tax Credit, a frequent topic of interest here, ran out of funds a few weeks ago. The $12.2 million available for issuance had been used up by early March, as predicted in a prior post.  

You’re probably aware that Governor Dayton just signed a tax relief bill passed by the legislature last week. I’d like to think that the reason for bipartisan action on tax relief so early in the session is because of all the contacts made by entreVIEW readers who were encouraged by my prior post to contact their legislators to support the Angel Tax Credit. (I’m sure it didn’t have anything to do with political wrangling in an election year.)

The good news, as you may know if you’ve been reading the Business Journal, is that, buried in the tax relief measure’s 50-plus pages, an additional $3 million of Angel Tax Credit funding was allocated for this year. According to the article, the Minnesota Department of Economic Development will begin accepting applications for this year’s additional funds on March 31st, and expects to have all funds allocated by May 11th.  Obviously, this won’t fully satisfy the demand for this year, but it may help those who just missed the funding cutoff earlier this year. 

Also, the legislation extends the angel tax credit program through 2016, with $15 million in credits available for each of 2015 and 2016. If the past is any guide, this amount is likely to be far less than the demand (as $15 million in total credits will probably be allocated this year by mid-May), but it is better than nothing and is evidence that the legislature is beginning to view the angel tax credit as an important factor for Minnesota start-ups trying to raise capital.

There were other changes made to the Angel Tax Credit in the new law, a few of them notable:

- Of the $15 million allocation in 2015 and 2016, $7,500,000 will be reserved (until October 1 of each year) for allocation to qualified greater Minnesota, minority, or women-owned businesses.

- An investor who is an officer or principal of the qualified business or who owns or controls 20% or more of the voting power or shares of such business will no longer be eligible for credit on investments made in that business.

- The three-year holding period for investments won’t apply to a qualified investor who dies before the end of the three-year period.

Fortunately I haven’t had any clients or contacts who would have benefitted from the third bullet above, but I do know several who would have been impacted by the first two bullets.

I’m glad to see the program survive because it has helped facilitate the raising of angel capital. We’ll have to wait and see how these other modifications affect the program over the next couple of years.

Given past activity, more posts on the Angel Tax Credit this year are inevitable. We can only hope the weather will warm up before we’ve got something more to write…. 

Monday, March 24, 2014

HOW MUCH ARE YOU WILLING TO PAY FOR PRIVACY?

How much are you willing to pay for personal privacy? 50¢ off a McDonald’s hamburger? 20% off groceries? Participation in the $1 Billion NCAA Tournament Bracket Challenge?

As users of Facebook, we exchange our personal details in order to connect with anyone and everyone. We sell our privacy to the supermarket when we allow loyalty programs to track purchases and reward us with frozen vegetables and gasoline discounts. We relinquish our privacy to airlines when we download their app to our smartphone to get more efficient service and better information. We disclose personal financial information to Quicken for a chance to win $1 billion in a NCAA basketball pool.  

While we have become used to the idea of giving up a certain amount of privacy in exchange for a service or discount, do we really understand what that means? How much does our personal privacy mean to us?

Earlier this month, the issues surrounding data privacy and security were discussed and debated at the Global Privacy Summit in Washington DC, sponsored by the International Association of Privacy Professionals (IAPP). [My prior post on becoming a certified privacy professional through the IAPP can be found here].  The three days at the Summit were filled with topnotch sessions covering a variety of privacy issues, including a particularly compelling talk by Julia Angwin about the cost of personal privacy. 

Following are some highlights of the Summit:

1.  The Cost of Privacy: Julia Angwin described how she spent $2,200 and countless hours trying to reclaim her privacy.

Ms. Angwin stopped using Google and Gmail. No longer was she going to have her Gmail scanned with selected information offered to advertisers. She unfriended her friends on Facebook, started using DuckDuckGo, a privacy-protecting search engine, purchased the OFF Pocket, a cellphone case that blocks signals to and from the phone, subscribed to Trusted ID – a company that promised to opt her out from large data brokers, added a privacy filter to shield her laptop screen from voyeurs in the coffee shop, and purchased other privacy-related services. Her efforts and the price paid for enhanced privacy are detailed in her recent New York Times editorial, Has Privacy Become a Luxury Good? She analogized privacy to organic food. Consumers may now be willing to pay a premium for privacy and businesses would be wise to jump into this market for privacy-sensitive products and services. Her book, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance, was also released at the Summit.

2.  FTC Activity: Edith Ramirez, FTC Chairwoman, discussed FTC plans for the development of guidelines for data de-identification, the upcoming release of a FTC report on data brokers, and the need for new federal data security legislation. She supports stronger rulemaking authority and enforcement capabilities for the FTC relative to data security with more FTC efforts to come in mobile location tracking issues. 

Ramirez also appeared with officials from the U.S. Department of Commerce, Canada, and the European Union to announce efforts to help businesses ensure compliance with global data privacy rules. This was clearly in response to EU criticism of the Safe Harbor approach that has allowed US businesses to self-certify compliance with EU privacy regulations. Ms. Ramirez pointed out that the FTC has recently brought 13 actions under the Safe Harbor.

3. EU Data Protection: Data protection regulators from the UK, France, and the Netherlands discussed the intense debate going on in the EU over the potential overhaul of the entire data protection regime. One of the key elements of the overhaul is a “one stop shop” approach that would allow multinational companies to deal with one data protection regulator rather than multiple regulators in each member state. 

4. Privacy at the NSA: Rebecca Richards, the newly appointed and first ever Civil Liberties and Privacy Officer (CLPO) at the National Security Agency (NSA), made her first public appearance at the Summit. Her job is to provide expert advice to the Director of the NSA and oversight of NSA’s civil liberties and privacy related activities. Her appointment was one of the reforms specifically called upon by President Obama. Ms. Richards identified the enormous challenge she faces of being the voice of privacy and supporting an agency with national security issues at stake.

5. Digital Medicine: George Savage, the Chief Medical Officer of Proteus Digital Health, demonstrated his latest innovation: an ingestible smart micro sensor. The size of a grain of sand, the sensor is co-formulated with a pharmaceutical product.  When swallowed, it emits a signal like a digital heartbeat that is detected by a band-aid-like patch monitor worn by the patient. The patch tracks the heart rate, sleep pattern, and other activities of the patient. Dr. Savage ingested the micro-sensor and as he spoke we watched as the data was transmitted in real time through his smartphone to a colorful display on a television screen. While this tracking capability holds enormous potential benefits for healthcare research and medical treatment, it also raises significant privacy issues.

So how much do we value privacy? Can the free market save us and give us choices that protect our personal information and privacy? Will government step in with more regulations? Will we follow the European model and make personal privacy a human right?

Stay tuned as the discussion and debate promises to become even more amplified and interesting. 

And, watch out for the drones!