You Detected a Data Breach. Now What?

You have detected a data breach. Alert!

You are the CEO of a mid-size company. As you are going about your day, minding your business, you get a call from your security department. It’s a call you really didn’t want. Security has detected suspicious file movements and wants your directions about what to do next. You have likely suffered a data breach.

Now what?

Ideally, you will go to your shelf and pull out your executive copy of the company’s data breach plan. But what if you don’t have a plan?

As with most policies, the time to develop your data breach plan is “before you need it.” In this case, it’s important for two main reasons. First, the law requires you to have a plan if you have Massachusetts customers (as part of a Written Information Security Plan, or WISP) or are in one of any number of regulated industries. Second, odds are high that your business will suffer a data breach sooner or later.

If you don’t have a plan yet, you are not alone. About 20% of companies have not yet developed a plan, according to a 2015 Ponemon study. If you do have a plan but aren’t totally confident in it, again, you are not alone. About 2/3 of companies with a plan weren’t confident in their plans in the same study. If you don’t have a plan, or if you do have a plan and wonder whether it covers everything it should, this post is for you.

Your company’s data breach plan should include each of these important elements:

    The Right Crowd. When you develop your plan, you should include at minimum your security, technology, legal, customer service, and PR/communications folks, as well as representatives from any areas specifically affected. For example, include someone from HR when developing policies about handling HR data. Depending on the size of your organization, this group might include anywhere from 2 people to 20. In final form, your plan should include the roles and responsibilities of people from all of these groups as well. If you don’t have the right people in the room from the start, you face the very real possibility of chaos when a data breach occurs.

    Administrative, Technical, and Physical Safeguards. Your plan should cover how you are going to keep your data as safe as possible. You may not be able to prevent every breach, but you can reduce the number and severity of breaches by taking some basic cybersecurity steps. Administrative safeguards have to do with people’s behaviors and knowledge. Examples include policies about access to and use of data, hardware, and software; background checks; agreements; and training. Technical safeguards have to do with preventing access electronically. Examples include encryption, separating identifier and content data, roles-based systems access, and regular logging and auditing of access to systems. Physical safeguards have to do with preventing physical access to sensitive information. Examples include locked filing cabinets, secure workstations, video surveillance, biometric locks, and ID badges.

    Business Continuity. Your plan should tell you how to keep your business running if you do not have access to your computers or files. This may or may not be included in your normal business continuity plan, so be sure to check. A natural disaster that takes out one of your two locations will play out very differently from a ransomeware attack that ties up your entire network.

    Specific Steps. A data breach plan should ideally cover exactly who does what, and when. In the heat of the moment, your employees may not be thinking clearly; your plan should guide them so that they avoid panicked mistakes. In creating the plan, your organization should spend some time figuring out what its greatest vulnerabilities are and how it will address a resulting breach should it occur. (Ideally, of course, you will find ways to reduce these vulnerabilities during the course of developing your plan, but we live in the real world where time and budget are always constraints.) A data breach plan should cover these specific steps:

    • Escalation: When do you contact your internal and external security team and lawyers? When do you contact your Chief Information Officer? CEO? Your board? If there is any indication of a major incident, your first call should be to your data forensics consultant; the consultant will help you avoid accidentally harming your own systems or destroying any evidence. Beyond that, your next calls will depend a great deal on your organizational structure and preferences.
    • Investigation. If your business can afford it, you should enlist outside help with a data breach; legal, PR, and data forensics consultants will have experience that you may not have internally. They will also be able to give you perspective in a stressful situation. It is important to know who you will contact for outside help ahead of time. Be sure to keep their contact information in your breach plan. During the course of investigation, no matter who is conducting it, it is most important that you avoid destroying evidence, notify law enforcement, and ask the right questions: What specifically was compromised? What can we do to prevent further damage? Can this system be quarantined? What data can be salvaged? What data can we still trust? Can we trace who did it? And perhaps most importantly, is it a data breach as defined by law?
    • Most laws and regulations define “data breach” slightly differently from one another. Generally, though, a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

    • Responses/Reporting. If you determine that your incident is a data breach under applicable law, you will need to report the breach. The law or regulation that applies to your situation will tell you who you need to contact. Most of the time, you will need to tell law enforcement and the people whose information was affected by the breach. You may also need to tell investors, state attorneys general, regulators, credit reporting agencies, or the media. In order to expedite reporting, you should consider having template versions of communications to these parties in your data breach plan.
    • Remediation. First, protect your customers from further damage. Make sure that any information that has been placed on the web is removed, including information on cached sites. Second, make sure that your company is protected for the future. Ideally, the same kind of incident should never happen to the same company twice. After the excitement has died down, evaluate what happened. Follow any steps recommended by your data forensics consultant. Consider whether you need to revamp any contractor relationships, contracts, technology, training programs, or physical safeguards.
    • Re-Evaluation and Practice. Take a look at your breach plan. How well did it perform? Would you do something differently next time? If so, amend the plan. If the plan worked well, practice it. You should run internal and external drills regularly, so use this opportunity for another run-through.

And now? If you already have a plan, great! You should make sure it contains all of these elements, then practice it this week. If you do not have a plan, don’t panic! Gather the folks in your company who need to be involved and develop one. This week.

Does your company have a plan? Do you trust that it will work if you need to implement it tomorrow?

What Should I Put in My Company’s Social Media Policy?

Privacy & Data Security

It seems like someone is in the news for getting into trouble on social media almost daily. Many companies have adopted social media policies as part of their employment policies to help guide their employees’ behavior and prevent embarrassing mishaps. If you are considering a social media policy, here are some things to think over and include.

Trust your employees. You wouldn’t have hired them if you didn’t think they were reasonably intelligent adults. Don’t over-do your social media policy, particularly if you go into detail about rules for external communications elsewhere. One of my favorite social media policies is Best Buy’s: short, sweet, and to the point. You don’t want to anger or alienate your employees.

FTC regulations. There are a lot of them, but the ones most relevant to social media policies have to do with privacy (don’t disclose information that doesn’t belong to you) and disclosure of relationships (do disclose a relationship when you could have something to gain from your comments).

NLRB rulings. The National Labor Relations Board has been extremely active in regulating social media policies for the past few years, all on the theory that certain provisions might discourage protected activity. Make sure your policy doesn’t run afoul of any of these rulings.

Public companies. Social media is a must for public companies these days, but public companies are subject to special rules about what they can tell people and when. Remind your employees to think about those rules when posting on social media sites. A single thoughtless comment about what an engineer is working on at work can reveal a great deal more than s/he intended.

Regulated industries. If you are in a regulated industry, social media is not exempt from the requirements for your company’s communications. Remind your employees of this fact and make sure that you have the technology in place to support any documentation requirements.

Use during working hours. Companies approach this one in many different ways. Employees can use social networking as a valuable tool for creating and maintaining working relationships; or they can dither away time watching videos of cats. There can be some overlap there, too; finding that one has a shared love of cat videos with an important customer can solidify a working relationship. You need to take a look at your own company’s culture in deciding whether to restrict use of social media during working hours and on company equipment. Some common approaches are 1) the outright ban, blocking access from work computers (though you cannot physically/technologically prevent people from using mobile devices, without blocking all mobile signals); 2) the partial ban, allowing access only to selected sites or by selected employees who use social media as part of their jobs; or 3) the “use responsibly” policy, allowing employees to choose whether and when to use social media during working hours and on work machines, within reasonable limits.

Intellectual property. One area that your average employee likely does not have to deal with extensively in the normal course of business is intellectual property. Furthermore, the ways in which photos, videos, and so on, are shared on sites like Facebook, Twitter, and Pinterest has eroded the public sense of what is or is not acceptable practice under the law. Your policy may need to spell out the intellectual property practices of your organization, depending upon how and how often your employees have reason to come into contact with them.

Special concerns. You know your company. You know your industry. There are very likely one or two things that should be in your policy that are unique. You know what they are.

What does your company have in its policy? What else do you think a company should include in its policies?

7 Things You Must Know Before You Text Your Customers

Texting has become a more and more popular mode of communicating with business customers and potential customers. Texts are fast, easy, convenient, and your customers may even initiate the conversation. But there are many traps for the unwary lurking in the texting relationship. Here are seven things to consider before the next time you text with your customers.

You may have to have permission. The Federal Communications Commission has rules prohibiting unsolicited commercial text messages by auto-dialer. That’s quite a lot of jargon, so in translation: you cannot send text messages automatically to many people (let’s call those “mass texts”) that each customer did not give you permission to send. If you are trying to convince the people you are texting to purchase something (e.g., notifying them of a sale), that permission has to be in writing. If you are not trying to convince them to purchase something (e.g., notifying them that you have shipped their order), that permission may be either oral or in writing. The exception is emergency situations, when you may send mass texts without permission.

Emails sent to cell phones as texts are subject to CAN-SPAM. The Federal Trade Commission has rules governing commercial email messages that are sent to cell phones as text messages. You may not have even known that this was possible, but it is, and there are rules about how to do it right. You have probably already heard of the CAN-SPAM regulations. They say that if you send an email that is commercial (as opposed to informational or transactional), you must:

  • Not use false or misleading information about who sent the email.
  • Use subject lines that accurately reflect the content of the email.
  • Identify the message as an ad.
  • Provide a valid physical postal address.
  • Provide information about how to opt out of receiving future emails from you.
  • Honor opt-out requests within 10 business days.
  • Monitor what others are doing on your behalf—you are responsible for your vendors.

Emails sent as text messages must comply with both the FTC’s rules about content and the FCC’s rules about permission. Importantly, CAN-SPAM applies no matter how many email messages you send. Even a single email you send directly to an existing customer as a text message would be subject to the CAN-SPAM rule.

You have to include certain information. For plain old mass texts of the non-email variety, you should provide information about who is sending mass text messages and about how to stop receiving them. For emails sent as texts, all of the elements of CAN-SPAM compliance have to be included.

Direct texting is less complicated, legally speaking. If you are sending a text to a specific customer with information about something you are doing for the customer, the regulations discussed above do not apply, at least for now. Texting is a communication tool, and you can generally use it as a communication tool. This is true whether your customers are other businesses or individual consumers. That said, you may want to let your customers make the first move when it comes to texting; not everyone appreciates this mode of communication.

Texts can be saved forever. As with all written communication, consider that texts can be saved forever. Be conscious about what you put in writing.

Consider your timing. There are the obvious courtesies of not sending texts to your customers outside business hours unless they have initiated the conversation. Beyond that, make sure you do not send text messages at a time when you know your customers might be doing something where texting could be dangerous, such as driving. Bad timing could cause a tragedy.

Charges to your customers. Although cellular plans with unlimited texting have become ubiquitous, not everyone has this feature. Make sure you aren’t sending so many texts that you could cause a problem for customers who still use older plans. You don’t want to annoy or alienate them.

Updated to add Bonus #8: Beware misdirection. As with email, be very careful not to send a message to the wrong person.

What do you think? Do you text with customers? Has it been a good experience?

Crowdfunding On the Horizon

Back in 2012, there was quite a stir when Congress and the President worked together to create the controversial Jumpstart Our Business Startups Act (JOBS Act), Public Law 112-106. It was widely predicted at the time that the JOBS Act would be a disaster, and the naysaying has continued as the SEC’s regulations have wended their way through the implementation process.

We have very nearly, but not quite, reached the end of the very long implementation road. The SEC has announced that it has adopted final rules (PDF) for crowdfunding, but that 1) the forms for registering as a crowdfunding portal are not effective until January 29, 2016; and 2) the implementing regulations do not go into effect until May 16, 2016, 180 days after they were published in the Federal Register.

And, as was widely predicted at the time, it does appear that the 685 pages of SEC regulations could make crowdfunding a less-than-attractive option for startups, particularly those at the earliest stages. The SEC estimates “a cost range estimate for Form C and the financial statement review of: $2,500 for the smallest offerings, $4,000 to $23,000 for the larger offerings, $6,500 to $38,000 for first-time crowdfunding issuers conducting offerings between $500,000 and $1,000,000, and $7,500 to $50,000 for other issuers conducting an offering in the largest offering amount category.” This means that the cost of raising funds could be up to 7.6% for a first-time issuer conducting a $500,000 offering. This is on par with taking out a small business loan, an old-fashioned financing option that should not be discounted. While taking out a small business loan will involve quite a lot of time, effort, and paperwork, it won’t involve making the extensive disclosures and ongoing disclosures required by the JOBS Act implementing regulations. Small business owners should, as always, speak with their financial and legal advisors about their best options in their own situations.

So what’s next? Once they are allowed to begin to register this coming January, we see how many companies register as funding portals. Portals are how most small businesses (or “emerging growth companies,” as the JOBS Act calls them) will connect with their investors.

What do you think? Now that the process has become clearer, will crowdfunding be a good option for your business, or are you going to stick with more traditional funding methods?

Crowdfunding and Your Business

In March, Congress passed the controversial Jumpstart Our Business Startups Act (JOBS Act), Public Law 112-106, and President Obama signed the bill into law on April 5, 2012. The Act is designed to stimulate job creation (and, by extension, the economy) by helping emerging companies get better access to capital. This post explores some of the changes to crowdfunding brought about by the Act and what you might consider in deciding whether crowdfunding is right for your business.

First and foremost, this bill made crowdfunding legal. Before, it was (and still is) illegal. But wait, you may ask, what about sites like Kickstarter and IndieGoGo? Are they illegal? No; crowdfunding in the sense we are speaking of here means allowing unaccredited investors (read: people who are not rich) to invest in new and emerging companies that are not publicly traded. Both Kickstarter and IndieGoGo allow people to give money to others in exchange for a product or service (or nothing) to be provided in the future, as opposed to in exchange for an ownership interest in a company. Now small business owners, too, will be able to receive investments from the public, and members of the public will be able to become part-owners of the smallest of companies.

The JOBS Act allows greater access to funding by small companies (it calls them “emerging growth companies” and defines them as companies with less than $1,000,000,000 in annual revenue, if they did not have their initial public offering on or before December 8, 2011) in large part by deregulating them—giving them selected exemptions to the reporting, advertising, and other requirements of the Securities Exchange Acts of 1933 and 1934, as well as the Sarbanes-Oxley Act. It also gives a framework for operations of companies that will deal in emerging growth company securities, including brokers and the newly-created category of funding portals.

These funding portals are subject to some, but not all, of the same regulations as brokers, likely because a funding portal is far more limited in the functions it can perform — little more than selling emerging growth company securities. No matter which type of intermediary is involved, the intermediary will have a great many disclosure requirements as well as obligations to ensure certain protections are in place for investors. Emerging growth companies, as issuers of securities through these intermediaries, will have to provide a great deal of information in preparation for receiving investments. All crowdfunding will have to go through a broker or a funding portal.

If you have a small business, here are some highlights you should be aware of:

  • It will now be possible to receive up to $1 million per year in funding from investors who are not accredited. Anyone from your parents to strangers will be able to invest in your company.
  • You still cannot advertise a crowdfunding offering, except to direct people to the broker or funding portal that is supporting your securities offering.
  • You must ensure that information you provide to your broker or funding portal, which is then passed on to investors, is complete and correct. The JOBS Act lists some of the information that will need to be provided and gives the SEC authority to require additional disclosures.
  • When you seek investments, you will be required to select a target, and you will not be able to receive any funds at all unless you reach your investment target amount (think Kickstarter).
  • All officers, directors, and major shareholders of your company will be subject to background checks before you can list your securities offering.
  • Your broker’s or funding portal’s officers, directors, or partners will not be able to have a financial interest in your company.
  • You will need to make an annual report to the SEC and to your investors regarding your operating results and financial statements.
  • If you meet all of the requirements, your offering will be exempt from state blue sky laws, which are the state equivalent of the Securities Exchange Acts.
  • Securities you sell in a crowdfunding offering cannot be transferred for a year, unless they are transferred back to your company, to an accredited investor, to a family member, or in connection with the death or divorce of the investor. The SEC has the option to impose additional restrictions.
  • Crowdfunding is available only to domestic companies that are not investment companies and are not reporting companies under the Securities Exchange Acts.
  • The SEC has, in several places, the authority to promulgate whatever regulations it believes are needed. The statute gives the SEC 270 days, or 9 months, to create the regulations. They are subject to public comment both now and upon release.

Are you still interested in crowdfunding after reading all of that? Here are some more things to consider in deciding whether crowdfunding is right for your business:

  • The wait. If your company is in need of funds now, crowdfunding is not the way to go. It is likely to take at least a year to a year and a half before there are any crowdfunding opportunities.
  • The expense. Overall, complying with the disclosure requirements could be prohibitively expensive for companies in the earliest stages. The SEC has publicly stated its displeasure with several aspects of the JOBS Act and is widely expected to use its rule-making authority to create substantial barriers to crowdfunding.
  • Communicating with investors. You know how anxious your friends and family are to hear about how your business is going now? Imagine how much worse they would be if they had money riding on the outcome. Small investors, like many small business owners, are likely to be very emotionally invested in the outcome of your business and may be more likely to sue than larger investors if things do not go as planned.
  • The responsibilities. You may see crowdfunding as an opportunity to bring on some money without being beholden to an angel investor or venture capitalist. But once you take on investors, no matter how small they are, you will have responsibilities to them. Minority stakeholders have rights—make sure you know what those are and how they will affect your operations before you decide you want a few.

Do you think crowdfunding will be right for your company, or are you waiting to see what the SEC regulations look like before deciding?