You Detected a Data Breach. Now What?


You are the CEO of a mid-size company. As you are going about your day, minding your business, you get a call from your security department. It’s a call you really didn’t want. Security has detected suspicious file movements and wants your directions about what to do next. You have likely suffered a data breach.

Now what?

Ideally, you will go to your shelf and pull out your executive copy of the company’s data breach plan. But what if you don’t have a plan?

As with most policies, the time to develop your data breach plan is "before you need it." In this case, it's important for two main reasons. First, the law may require you to have a plan: Massachusetts regulations (201 CMR 17.00) require any business that holds personal information about Massachusetts residents to maintain a Written Information Security Program, or WISP, which must include an incident response procedure, and many regulated industries have their own incident response requirements. Second, odds are high that your business will suffer a data breach sooner or later.

If you don't have a plan yet, you are not alone. About 20% of companies had not yet developed a plan, according to a 2015 Ponemon study. If you do have a plan but aren't totally confident in it, again, you are not alone. About two-thirds of companies with a plan weren't confident in their plans in the same study. If you don't have a plan, or if you do have a plan and wonder whether it covers everything it should, this post is for you.

Your company’s data breach plan should include each of these important elements:

    The Right Crowd. When you develop your plan, you should include at minimum your security, technology, legal, customer service, and PR/communications folks, as well as representatives from any areas specifically affected. For example, include someone from HR when developing policies about handling HR data. Depending on the size of your organization, this group might include anywhere from 2 people to 20. In final form, your plan should include the roles and responsibilities of people from all of these groups as well. If you don’t have the right people in the room from the start, you face the very real possibility of chaos when a data breach occurs.

    Administrative, Technical, and Physical Safeguards. Your plan should cover how you are going to keep your data as safe as possible. You may not be able to prevent every breach, but you can reduce the number and severity of breaches by taking some basic cybersecurity steps. Administrative safeguards have to do with people's behaviors and knowledge. Examples include policies about access to and use of data, hardware, and software; background checks; agreements; and training. Technical safeguards have to do with controlling electronic access to data. Examples include encryption (of data at rest and in transit), keeping identifying data separate from the content it describes so that a single compromised system does not expose both, role-based access to systems, and regular logging and auditing of who accessed what. Physical safeguards have to do with preventing physical access to sensitive information. Examples include locked filing cabinets, secure workstations, video surveillance, biometric locks, and ID badges.
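To make three of the technical safeguards above concrete, here is an added example (not code from the original post): identifiers are kept in a separate store from the content they describe and joined only by a random token; access is checked against a role table before any read; and every access attempt, allowed or denied, is written to an audit log. The roles, permissions, sample record, and in-memory stores are all assumptions made for illustration; a real deployment would put the identity store behind stronger controls and encrypt both stores at rest.

```python
"""Illustrative technical safeguards (added example, not from the original post):
pseudonymization, role-based access, and an audit trail."""
import secrets
from dataclasses import dataclass, field

# Assumed policy for illustration: which roles may perform which operations.
PERMISSIONS = {
    "analyst": {"read_content"},             # can analyze, cannot re-identify
    "support": {"read_content", "reidentify"},
}


class AccessDenied(PermissionError):
    """Raised when a role attempts an operation it is not permitted."""


@dataclass
class Store:
    identities: dict = field(default_factory=dict)  # token -> identifying data
    content: dict = field(default_factory=dict)     # token -> non-identifying data
    audit: list = field(default_factory=list)       # append-only access log

    def _check(self, user, role, action, token):
        """Record the attempt, then enforce the role table."""
        allowed = action in PERMISSIONS.get(role, set())
        self.audit.append({"user": user, "role": role, "action": action,
                           "token": token, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {action}")

    def ingest(self, name, email, record):
        """Split one record into identifiers and content joined by a random token."""
        token = secrets.token_hex(16)  # random, so it cannot be derived from the PII
        self.identities[token] = {"name": name, "email": email}
        self.content[token] = dict(record)
        return token

    def read_content(self, user, role, token):
        self._check(user, role, "read_content", token)
        return self.content[token]

    def reidentify(self, user, role, token):
        self._check(user, role, "reidentify", token)
        return self.identities[token]


def demo():
    """Walk through an allowed read, a denied re-identification, and an allowed one."""
    store = Store()
    # Constructed sample record; not real customer data.
    tok = store.ingest("Ada Example", "ada@example.test",
                       {"plan": "gold", "last_login": "2015-11-03"})
    content = store.read_content("alice", "analyst", tok)
    denied = False
    try:
        store.reidentify("alice", "analyst", tok)   # analyst has no reidentify right
    except AccessDenied:
        denied = True
    who = store.reidentify("bob", "support", tok)   # support may re-identify
    return {"content": content, "analyst_denied": denied, "who": who,
            "audit_entries": len(store.audit), "audit": store.audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The point of the split is that an attacker who exfiltrates the content store alone gets behavioral data with no names attached, and the audit list is the record an investigator will ask for when reconstructing who touched what.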

    Business Continuity. Your plan should tell you how to keep your business running if you do not have access to your computers or files. This may or may not be included in your normal business continuity plan, so be sure to check. A natural disaster that takes out one of your two locations will play out very differently from a ransomware attack that ties up your entire network.

    Specific Steps. A data breach plan should ideally cover exactly who does what, and when. In the heat of the moment, your employees may not be thinking clearly; your plan should guide them so that they avoid panicked mistakes. In creating the plan, your organization should spend some time figuring out what its greatest vulnerabilities are and how it will address a resulting breach should it occur. (Ideally, of course, you will find ways to reduce these vulnerabilities during the course of developing your plan, but we live in the real world where time and budget are always constraints.) A data breach plan should cover these specific steps:

    • Escalation. When do you contact your internal and external security team and lawyers? When do you contact your Chief Information Officer? CEO? Your board? If there is any indication of a major incident, your first call should be to your data forensics consultant; the consultant will help you avoid accidentally harming your own systems or destroying evidence. In particular, do not power off, reboot, or re-image an affected machine before the consultant has looked at it: doing so wipes volatile evidence such as memory contents and active network connections. Beyond that, your next calls will depend a great deal on your organizational structure and preferences.
    • Investigation. If your business can afford it, you should enlist outside help with a data breach; legal, PR, and data forensics consultants will have experience that you may not have internally. They will also be able to give you perspective in a stressful situation. It is important to know who you will contact for outside help ahead of time. Be sure to keep their contact information in your breach plan. During the course of investigation, no matter who is conducting it, it is most important that you avoid destroying evidence, notify law enforcement, and ask the right questions: What specifically was compromised? What can we do to prevent further damage? Can this system be isolated from the network? What data can be salvaged? What data can we still trust? Can we trace who did it? And perhaps most importantly, is it a data breach as defined by law?
    • Most laws and regulations define "data breach" slightly differently from one another. Generally, though, a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

    • Responses/Reporting. If you determine that your incident is a data breach under applicable law, you will need to report the breach. The law or regulation that applies to your situation will tell you whom you need to contact and how quickly. Most of the time, you will need to tell law enforcement and the people whose information was affected by the breach. You may also need to tell investors, state attorneys general, regulators, credit reporting agencies, or the media. In order to expedite reporting, you should consider having template versions of communications to these parties in your data breach plan.
    • Remediation. First, protect your customers from further damage. Make sure that any information that has been posted on the web is removed, including cached copies held by search engines and archive sites. Second, make sure that your company is protected for the future. Ideally, the same kind of incident should never happen to the same company twice. After the excitement has died down, evaluate what happened. Follow any steps recommended by your data forensics consultant. Consider whether you need to revamp any contractor relationships, contracts, technology, training programs, or physical safeguards.
    • Re-Evaluation and Practice. Take a look at your breach plan. How well did it perform? Would you do something differently next time? If so, amend the plan. If the plan worked well, practice it. You should run internal and external drills regularly, so use this opportunity for another run-through.
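The investigation step above says to avoid destroying evidence but not how to prove you didn't. The usual first move, before anyone starts reading logs or copying files around, is to hash every artifact and record the hashes in a manifest so that later changes are detectable. The example below is added here and is not from the original post; the log line, the collector name, and the temporary directory are constructed for illustration.

```python
"""Evidence preservation (added example, not from the original post):
hash artifacts into a manifest at collection time, then verify later that
nothing has changed."""
import hashlib
import json
import os
import tempfile
import time


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when, and the hash of each artifact."""
    return {
        "collected_by": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "artifacts": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest."""
    return [
        a["path"] for a in manifest["artifacts"]
        if not os.path.exists(a["path"]) or sha256_file(a["path"]) != a["sha256"]
    ]


def demo():
    """Collect a constructed log, verify it, then show that an edit is caught."""
    # Constructed sample log line; not from any real system.
    log_line = ("Nov 03 02:14:07 srv1 sshd[4242]: Accepted password for "
                "svc_backup from 203.0.113.9 port 51022 ssh2\n")
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:
            f.write(log_line)
        manifest = build_manifest([log], "ir-team")
        clean = verify_manifest(manifest)           # nothing changed yet
        with open(log, "a") as f:                   # someone "tidies up" the log
            f.write("Nov 03 02:15:00 srv1 sshd[4242]: session closed\n")
        tampered = verify_manifest(manifest)        # the edit is now detectable
        return {"manifest": manifest, "clean": clean,
                "tampered": tampered, "log_line": log_line}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("changed after collection:", result["tampered"])
```

Keep the manifest itself somewhere the investigation cannot touch (a write-once share or a printed copy signed by the collector); a manifest stored next to the evidence it describes proves nothing.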

And now? If you already have a plan, great! You should make sure it contains all of these elements, then practice it this week. If you do not have a plan, don’t panic! Gather the folks in your company who need to be involved and develop one. This week.

Does your company have a plan? Do you trust that it will work if you need to implement it tomorrow?

Agricultural Leases, or A Horse is a Horse


A horse, a horse! My kingdom has a horse.*

If you have been following the United States Senate hearings on the nomination of Judge Neil Gorsuch for the Supreme Court, you may have heard some discussions about how judges should read statutes and the constitution. Without getting too technical, and at the risk of some oversimplification, the Senators have been talking principally about two schools of thought. One is that judges should read the words and apply them, period, whatever the result. The second is that judges should read the words in the context of the problem the writers were trying to resolve and give them the meaning the writers intended, or would have intended if they had foreseen the problem in the case before the court, even if the writers did not use exactly the right words.

The Iowa Supreme Court last month decided a case that is an instructive example of how these two theories play out when courts read statutes that, if applied according to their plain meaning, could lead to absurd results. The case involved a statute addressing the definition of agricultural leases. The particular question was, "Does a single horse make a farm?" Porter v. Harden (Iowa S. Ct. No. 15-0683, filed March 10, 2017, amended March 13, 2017). In answering the question, the majority of the court employed the context-based rule, whereas the dissent, and the Iowa Court of Appeals before it, employed the plain-meaning rule.

The question arose in the setting of a lease termination, and the answer was important because Iowa law gives tenants differing protections depending on the type of property being leased and the duration of the lease. For example, residential tenants are given more protections than commercial tenants because generally residential tenants have much less bargaining power and sophistication than commercial tenants, who have the means to negotiate with their landlords.

Farm tenants, since 1939, have been given certain statutory protections because of the seasonal nature of the business and the historical importance of agriculture to Iowa. Particularly, in terminating a farm tenancy, the landlord must follow timelines set by the legislature.  Generally, the law requires written notice of termination to be given on or before September 1, with termination to occur the following March 1. This assures that there is sufficient time for the tenant to harvest growing crops and for the parties to negotiate a new lease or find other land to rent, or find another tenant. A 2006 amendment to the statute added grazing to the existing list of agricultural activities.

The parties in the Porter case had a month-to-month lease. In those cases, either party has the power to cancel the lease by giving 30 days' notice to the other party, if the subject of the lease is not agricultural land. Porter, the landlord, gave Harden, the tenant, notice that the lease would end in 30 days, thus following the legal requirements for terminating a month-to-month lease. The tenants on this six-acre property, which was their primary residence, claimed they were entitled to the much longer notice required to terminate a farm tenancy because they had a horse grazing on the property. They claimed that a close reading of the statute regarding farm leases required only one grazing animal to qualify the property as a farm. The district court did not agree and ruled in the landlord's favor, saying, "the keeping of one 38-year-old horse does not make this a farm tenancy." The tenant appealed.

The Iowa Court of Appeals reversed the district court and ruled that, even though it might be an absurd result, as the statute was written, the definition of livestock "means an animal …". Reading the statute strictly, one old horse could make a farm tenancy. The landlord asked the Supreme Court to review the Court of Appeals' decision.

The Supreme Court looked again at the statute and decided the Court of Appeals was reading it too literally. Determining what the legislature meant required reading the statute in the context of its purpose as well as other statutes addressing the same or similar subject matter. It then said, "just as we would not conclude that someone with a small vegetable garden 'produces crops . . . on the land' …, we think it would be questionable to hold that someone keeping an old mare at the homestead 'provides for the care and feeding of livestock on the land' within the meaning of the same statute."

The Court emphasized that it would assume the legislature intended a reasonable interpretation of the statute and read a primary-purpose test into it. That is, one must look at the property to see if its main object was the growing of crops or the feeding of livestock. Under the "one old mare" argument, any tenant anywhere could create a farm merely by bringing an old horse or a few chickens onto the property. Probably not what the legislature intended.

However, one justice dissented, essentially adopting the Court of Appeals' reasoning. When a statute's language is plain and unambiguous, a court should look no further than the statute. Here the statute says "an animal." Even though the result may be absurd, it is up to the legislature to fix it, not the courts. The courts have only to apply the statute as written, even if poorly written. If the legislature does not like the result, it can rewrite the statute.

If you have questions about this case, or other issues involving leases, you need not hesitate to contact us.

*Apologies to William Shakespeare, Richard III, Act V, Scene IV.

Crowdfunding On the Horizon

Back in 2012, there was quite a stir when Congress and the President worked together to create the controversial Jumpstart Our Business Startups Act (JOBS Act), Public Law 112-106. It was widely predicted at the time that the JOBS Act would be a disaster, and the naysaying has continued as the SEC’s regulations have wended their way through the implementation process.

We have very nearly, but not quite, reached the end of the very long implementation road. The SEC has announced that it has adopted final rules (PDF) for crowdfunding, but 1) the forms for registering as a crowdfunding portal are not effective until January 29, 2016; and 2) the implementing regulations do not go into effect until May 16, 2016, 180 days after their publication in the Federal Register.

And, as was widely predicted at the time, it does appear that the 685 pages of SEC regulations could make crowdfunding a less-than-attractive option for startups, particularly those at the earliest stages. The SEC estimates "a cost range estimate for Form C and the financial statement review of: $2,500 for the smallest offerings, $4,000 to $23,000 for the larger offerings, $6,500 to $38,000 for first-time crowdfunding issuers conducting offerings between $500,000 and $1,000,000, and $7,500 to $50,000 for other issuers conducting an offering in the largest offering amount category." At the top of that range, the cost of raising funds could reach 7.6% ($38,000 of $500,000) for a first-time issuer conducting a $500,000 offering. This is on par with taking out a small business loan, an old-fashioned financing option that should not be discounted. While taking out a small business loan will involve quite a lot of time, effort, and paperwork, it won't involve making the extensive initial and ongoing disclosures required by the JOBS Act implementing regulations. Small business owners should, as always, speak with their financial and legal advisors about their best options in their own situations.

So what's next? Once portals are allowed to begin registering this coming January, we will see how many companies register as funding portals. Portals are how most small businesses (or "emerging growth companies," as the JOBS Act calls them) will connect with their investors.

What do you think? Now that the process has become clearer, will crowdfunding be a good option for your business, or are you going to stick with more traditional funding methods?

Preventative Practices: Dodging Trademark Bullying

Various sticky trademark disputes have been in the news lately. First, there was the dispute between Apple and Proview Technology over the IPAD trademark in China (the dispute was settled on July 2). Then there was the still-ongoing dispute between the United States Olympic Committee and the knitting website Ravelry over the crafters' use of the term RAVELYMPICS in connection with an Olympics-viewing event. My local newspaper, the Star Tribune, is even getting in on the act, writing about how devastating a trademark dispute can be to small businesses.

So what can you, as a small business owner, do to protect yourself from a trademark dispute? Take some good old-fashioned advice!

  • An ounce of prevention is worth a pound of cure. Do not choose your business name or other trademarks without making sure that they are available and will not infringe on another company’s marks. This means conducting a thorough search. If you have the budget for it, hire a trademark attorney to obtain and interpret a full search report from a third-party provider. If you don’t have the budget for it, your attorney should at minimum conduct a preliminary check of potentially problematic trademarks in the U.S. Patent and Trademark Office (PTO) database and on the web.

  • Don’t cry over spilled milk. If you find that your favorite trademark is already taken, especially if it’s been taken by a company with deep pockets, take a deep breath and bid it farewell. As the examples in the Star Tribune article demonstrate, responding to an allegation of infringement can be financially devastating to a business. It is much better to let it go now and find a new mark that will better differentiate your business from the competition anyway.

  • The best defense is a good offense. Register your trademark as soon as possible. If you are operating only in one state, register it with the state. If you are operating in more than one state, register it federally with the PTO.

  • Know thyself. Keep good records regarding how you have used your trademark and in what markets. Keep copies of every advertisement you run in a file for each trademark you own (for electronic advertising, keep a record of which trademarks you have advertised in which geographic areas, your view rate, and your click-through rate). Keep copies of complimentary (or not-so-complimentary) letters and emails from outside your immediate geographic region so that you know who has heard of your company and where they live. Keep track of where and when you have made sales. These records can be vital evidence of the geographic scope of your ownership in the event of a dispute.

Follow these tips and make sure you have a great trademark attorney on your side, and you may be able to avoid disputes altogether. If not, you will be in good shape going into any disputes.

Pinterest for Employers


I was recently interviewed for the Society for Human Resource Management article “Pinterest Might Facilitate Copyright Infringement.” Below for your viewing pleasure is the entire text of the email-based interview with Workplace Law Content Manager Allen Smith.


What special copyright issues arise in using Pinterest and how should employees be trained to comply with copyright laws when they are pinning content on Pinterest in a work-related capacity?

Pinterest raises more or less the same copyright issues as any other website, but it has gotten more media attention than others. In general, no one should ever place any content on the web that he or she does not own or have a license (permission) to place on the web. Employees should be aware of what intellectual property their employer owns, any of which may be posted on the employer’s behalf (in compliance with any other laws and workplace policies, of course), and what intellectual property may be subject to licenses which limit the employer’s (and by extension the employee’s) right to post. Otherwise, content located on the web is generally off-limits; making material public does not abrogate any copyright rights. Exceptions include content that is in the public domain (there are several online databases of public domain works—in general, a work published prior to 1923 will be in the public domain); content that is explicitly licensed for pinning; content that falls under fair use exceptions to copyright; and content that is subject to a Creative Commons license (though be careful with that one, as work-related uses may not qualify for some Creative Commons licenses).

Employees should be trained to look for key phrases in website Terms of Use indicating that it is safe to use content on Pinterest (a handy shortcut: if a site owner who clearly owns or licenses the content has placed a “Pin It!” button on the site, pinning should be fine; Etsy is a good example). In addition, a Pinterest account holder that pins its own content has granted a license to Pinterest, so that the content can be re-pinned by other users. The tricky part can be determining whether content was pinned by the rights owner since Pinterest does not have a corollary to the Twitter Verified Account badge.

Could you provide examples of how employees might use Pinterest for work purposes?

I have seen some companies doing wonderful things with Pinterest, primarily retailers. Random House Books has an account and pins not only its own books (brilliant given that “Books Worth Reading” is one of the default pinboards), but also interesting book- and reading-related images. Home Depot has become very involved in the home decor suggestions boards and re-pins content in addition to posting its own proprietary photos, which of course gets people thinking about ways they could improve their homes using Home Depot products. Service professionals can use Pinterest as well; one of my favorite accounts belongs to a style consultant, Sasha Westin, who uses Pinterest to gather suggested wardrobes for people, such as “Men’s Relaxed Professional,” complete with links for purchasing each item.

If employees are using their personal Pinterest accounts to promote their employer, they should be aware of FTC blogger regulations, which require disclosing that relationship.

How are the copyright issues that arise when using Pinterest similar to the copyright challenges employees face with other forms of social media used in their work?

As noted, they are really very much the same. No one should post content on any site that he or she does not own or have a license to use. The difference between posting a link to an article on Facebook and posting it on Pinterest, though, is that on Facebook a thumbnail of any photo accompanying the article appears (which has been pretty well, but not definitively, established as fair use), but on Pinterest the full image appears and is uploaded to the Pinterest servers. Pinterest also has a more visual focus, which encourages people to post infringing material such as the work of photographers or painters.

Is pinning content owned by others any different from a legal standpoint from retweeting content on Twitter, and if so, how?

Yes. When someone posts something to Twitter, one of two things is happening: either it is original content, which that person has granted a license to Twitter to use (and that use includes retweeting by other users), or it is not original content. Content that is not original generally must be paraphrased or be a brief introduction to linked content. Linking does not infringe on copyright, and Twitter’s 140-character limit is short enough that it would be difficult to infringe any Twitter-external content. Pinterest has no such limitations.

Are many employees oblivious to the copyright concerns that may exist in their work-related use of Pinterest and, if so, what kind of training might employers provide?

I can’t speak to employees in particular, but much of the general population has developed an ethic about sharing that is not sensitive to the rights of copyright holders. This ethic extends to personal and professional use of social media, including Pinterest. Employers should ensure that their employees are aware that when it comes to copyright, creation, not possession, is 9/10ths of the law. Employees using Pinterest in a work-related capacity should always consider the source, whether the source owns the copyrighted material, and whether the source has given the employer a right to use the copyrighted material. For employers who may be cost-sensitive, the Copyright Office maintains a series of easy-to-understand Circulars, which explain much of what an average person needs to know about copyright. Circular 1 contains the fundamentals. The Copyright Office, however, does not give information about what to look for in a license.

There are also social media certifications becoming available for employees whose routine duties involve social media; the one I am familiar with, from the National Institute for Social Media, should be coming out this fall and will be accredited. (Disclosure: I am chair of the Industry Advisory Committee for NISM, so I wrote the portions of the exam dealing with legal questions. I do not benefit financially from my relationship with NISM.)
