Topics generally focused on technology, law, government and management practices for small businesses and nonprofits.
Thursday, April 30, 2009
Everyday Risks: Communications Within Your Organization
Communication within organizations is a double-edged sword: you need it, yet it is one of the primary sources of complaints and lawsuits by employees. Most organizations suffer from inadequate and ineffective communication overall, while pockets of unacceptable communication may exist that should not. This post explores the need for better communication as well as the risks for both employer and employee. (Managing trade secrets and business reputation will be the subject of a future post.)
"As Sam once said..."
By now we should "get it." If you have read Sam Walton's book, Made in America, or have worked for Walmart, you know that among the core principles upon which the largest retail business in the world was built, communication ranks very high. Management guru Stephen R. Covey commented in 2007, “Great leaders involve their people in the communication process to create the goals to be achieved.” Business schools offer courses on the subject, and there are innumerable online resources on the importance of effective communication within organizations, how to ensure your communication is effective, and the consequences of poor internal messaging.
At the same time, there are new giant settlements and jury awards announced frequently in sexual harassment suits (e.g., Waffle House and Cracker Barrel) and hostile work environment claims (e.g., DishNetwork and AT&T).
“What you say CAN be used against you”
We need communication and communication happens whether we want it to or not. Then what should a business manager do? The answer is essentially the same for every risk you want to manage: train, monitor and respond promptly. None of these, alone, is sufficient. Together, they outline your risk management plan.
Train your managers on the benefits and key elements for successful communication as well as the boundaries and consequences of inappropriate communication by management and other employees. Address every form of communication that occurs in your organization: bulletin boards, electronic mail, spoken comments, text messages, slide show presentations, posters and internal newsletters. Explain the types of speech that give rise to hostile work environment claims, but be sure to promote positive, effective communication that helps your organization or department achieve its goals with higher morale. Point them to tools and resources for motivating and communicating, how to communicate effectively, and the importance of choosing one’s words wisely.
“Eyes Open!”
Knowing what to do and not to do is the first step. The next is monitoring the work place. There are countless court decisions, statutes and other rules that use the phrase “knew or should have known.” They address the “ostrich syndrome” by many who want to hide behind an intentional ignorance. It will not work.
Managers must monitor communications the way they monitor the most precious processes within their departments. It can be no less important than pilfering, waste, trade secrets or accurate invoicing. But there are limits, here, too. Stay inside the employer’s property, both physical and virtual. Avoid unauthorized intrusions into an employee’s personal property or online accounts, as this employer learned the hard way.
It is also important to set expectations around the work place. The training for managers should not be considered secret information. Train your staff, too, just as schools are now teaching staff and students about the elements and consequences of bullying. You gain nothing positive by avoiding the discussion, and you will not plant suggestions in employees' minds that they could not, and likely already do, get elsewhere.
One key place to shape expectations is in your computer use policy. Make sure employees know that the computers, company email accounts and other employer-provided collaboration tools AND ALL INFORMATION in them belong to the employer. Inform staff openly that there is no reasonable expectation of privacy there. They should know that anything they store on the employer’s equipment, including personal photos, belongs to the employer.
“What happens in Vegas…probably will not stay in Vegas”
Unfortunately, in real life, secrets are not kept and actions speak volumes for days on end. Indiscreet comments and faux pas under the influence of alcohol, drugs, lack of sleep, stress or even so-called “convention syndrome” tend to live much longer than most would hope. They also create unintended consequences around the work place and can get out of control very quickly.
With any anti-harassment policy, there must be an effective reporting system. “Effective” means that people can report violations safely without concern for retribution and that those who receive the report will investigate the facts fairly and promptly. But an effective reporting system is only as valuable as the effective responses to verified reports of violations. Action must be reasonably calculated to address that situation and prevent future violations while maintaining confidentiality and respect.
Each of the cases noted above includes the comment that management ignored or responded inadequately to reports. In each case, there was ultimately a significant cost for that. Treat each report as if it could be the tip of an insidious iceberg, because you may not be aware of what is happening. Then take prompt, decisive action that also communicates your intolerance for the behavior at issue. Doing so documents your effective response plan in action.
“Communicating Communications Correctly”
Workplace policies are designed to control risks to the organization and the employees. You cannot leave people to do the “right” thing all the time, behave reasonably or know what they should and should not say. It does not take much. I have seen the most compliance-oriented managers make comments during a presentation that revealed confidential facts about an employee who was in the room. Some in the audience were horrified, but the speaker was oblivious to what she had done. If the employee wanted to pursue a complaint, he may have had enough to at least create a significant legal distraction for the employer for a while.
So what should a business manager do? Train, monitor and respond promptly to any reported violations.
Tuesday, April 28, 2009
UPDATE on the Discoverability of Tweets, TXTs and IMs
The whole article is worth the read, but I liked this nugget from a compliance perspective:
"Employees need to understand that (1) they may be creating “records” when they use these technologies and (2) they must think before they create potential records, bearing the risks of what they create in mind."
Monday, April 27, 2009
Legal Tweeting
(My examples are from Twitter, though there are likely analogous examples in other systems.)
If your practice includes keeping up with the latest developments in a particular practice area, create a Twitter account and ONLY subscribe to those who post updates and developments on that topic. Here are some examples by practice area of very practical Tweeters that even the senior partner or GC would find appropriate for your in-office Twitterings (by listing these examples, I am not promoting or validating any of these Twitterers, though I do "follow" a number of them myself):
□ Risk Management: Risk Management
□ Product Liability: USRecall News and RecallsAlert
□ Insurance Defense: Legal Alerts
□ Chasing Ambulances? Toronto, Los Angeles and San Antonio are some of the major cities whose fire departments stream alarm reports and California Fire Rescue has an account, as well.
□ Real Estate Law? Try LegalRealEstate or one of the 350+ real estate marketing accounts
□ Looking for an expert? Try InsWeb for insurance or individuals who promote themselves as Business Video, Real Estate or Search Engine Optimization experts.
There are a number of academic streams, too, such as Harvard Law School, Yale Law Library, YourDiseaseRisk from the Washington University School of Medicine and MIT Sloan Business School.
If you want to stay tuned into your state legislature or what is happening in Congress, subscribe to the U.S. Senate, U.S. House or a state equivalent (so far, I have only found Texas, Missouri, Nebraska and Florida).
There is a mountain of data that piles up every day from the millions of Tweets per hour. Some may even be from your opponent or her client. Want to find some needles? This article compares six Twitter search tools.
And finally, there is the growing category of Twitterers dedicated to helping you improve your law practice management skills: JD Journal, Law Practice News, Virtual Law Practice, etc.
If you subscribe to more than a few of these message streams, you will likely want a free tool like TweetDeck. I use TweetDeck because it allows me to group Tweets from certain sources and display them in separate columns. My legislative updates are therefore separate from the law-related bloggers I follow, and all are separated from people I know personally. I do not know of a comparable application (yet) for mobile phones. I like TinyTwitter on the Blackberry (mobile: http://www.tinytwitter.com/m/), because you see more of the Tweets than Twitter's mobile app will display. HelloTxt is supposed to have a mobile app in the near future. Twitter has a downloads page and there is a larger list on the Twitter Fan Wiki. My colleague, Ross Kodner of RossIpsaLoquitur fame, shared this nice write-up on other similar tools.
I remember lawyers who once thought the PC had no place in a lawyer's office, that it was a tool for secretaries. Attitudes change as technology proves useful. Who knows? If products like this mind-reading Tweeting tool start to catch on, there may be more fuel for litigation among Tweets than any lawyer ever dreamed of. Seriously, though, Twitter and its kin are just tools. If they help you stay on top of current legal issues or remain competitive, then use them. If they reduce your productivity, then don't.
So stand up straight. Walk with confidence. Tweet like a big dog. As long as you avoid the temptation to follow your favorite movie stars or pop idols during work hours, you can whip out your smart phone in any crowd to check your "Friends Timelines" for important updates. And even sniff dryly, for effect.
Friday, April 24, 2009
Are Your Tweets, TXTs and IMs Discoverable in Litigation?
Most local government codes require businesses and building owners to establish and rehearse emergency evacuation procedures and everyone has been through a fire drill. But no one requires “lawsuit preparedness” drills. That means small businesses, especially, are generally unprepared when it happens.
In 2006, the federal courts adopted new rules and amendments to adapt to the real challenges of electronically stored information (ESI) in modern litigation. The old rules contemplated paper and commercial litigation was well beyond that. The first “one million document” cases had come in the 1980s, so it was about time.
“Quick! Start deleting everything!”
The first ESI challenges involved massive databases of documents and scanned images of millions of pages of paper files. As the usage of electronic mail grew through the 1990s, however, ESI discovery requests had to evolve as well, since so much information was never printed. An entire industry has now grown up around the electronic data discovery (EDD) needs on both sides of any large case.
But human nature is essentially unchanged. There are scores of stories about so-called “smoking gun” emails found before or during litigation that had significant effects on the outcome of each case. Remember the outcry in 1998 over the “independent” special master who was to preside over the Justice Department’s claims against Microsoft? (Story.) Oliver North’s emails—ones he was certain had been deleted—were recovered and used against him in litigation related to the Iran-Contra mess. In 2004, during a patent case by SCO Group against IBM over the Linux operating system, SCO found emails in the vast amount of data turned over by IBM that SCO said proved its case.
More recently, text messages have been used to unseat politicians and even initiate criminal prosecutions. Who can forget the Detroit mayor who was caught with his TXT down last year? (Story recap here.) He never imagined those messages still existed somewhere after he deleted them from his phone.
“That’s OK. I only use Instant Messaging.”
“What should my organization do now?”
Let’s start with a recap of the definitions and rules:
□ ESI is any information stored in electronic form
□ All ESI is discoverable if relevant and reasonably accessible
□ Privileges and other exceptions to discovery can apply to ESI
□ ESI can be obtained from third parties (like your telco or hosting company)
□ At the outset of litigation, each party has an automatic duty to preserve ESI
□ Sanctions are available if a party is found to have intentionally destroyed ESI
The next task is to ensure you have appropriate policies and procedures in place and that you adhere to them as part of your normal course of business. If you back up data every night and keep those tapes for six weeks, for example, before recycling the media and overwriting each one, then the rules protect you from a sanctions claim for the data lost in that routine. That is, of course, until you get notice that a lawsuit has occurred or is reasonably likely to occur. At that point, you must begin to save those media in a safe location with a clear chain of custody for each one.
If you do not routinely back up and save ESI—such as the chat histories in your employees’ instant messaging programs or their Tweets on Twitter—there is enough ambiguity among the court decisions now that you are better off finding a way to do so the moment you learn that a lawsuit has been or is reasonably likely to be filed. This is going to present a challenge, of course, but consider the alternative: if the other party finds a way to get the data from a third party, would you want them to surprise you with it later in the litigation?
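The rotation-then-hold sequence described above, as an added Python illustration that is not from the post or any real backup product: media are recycled on the six-week cycle until notice of a suit arrives, at which point rotation stops and each surviving medium gets a hashed chain-of-custody record. The media labels, dates and custodian name are constructed for the example.

```python
"""Backup-rotation scheduler with a litigation-hold switch.

Constructed illustration: routine overwriting of backup media after a fixed
retention period is defensible only while no notice of litigation exists.
Once notice arrives, rotation must stop and every surviving medium gets a
chain-of-custody record. All labels, dates and custodians are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib

RETENTION = timedelta(weeks=6)   # the six-week tape cycle described in the post


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Medium:
    label: str
    created: date
    content: bytes
    overwritten: bool = False


@dataclass
class CustodyEvent:
    label: str
    when: date
    custodian: str
    action: str      # "preserved" or "verified"
    sha256: str


@dataclass
class BackupSet:
    media: List[Medium] = field(default_factory=list)
    hold_date: Optional[date] = None
    custody_log: List[CustodyEvent] = field(default_factory=list)

    def rotate(self, today: date) -> List[str]:
        """Overwrite media older than RETENTION and return their labels.

        A litigation hold suspends this routine entirely: nothing is
        overwritten, however old, until the hold is lifted."""
        if self.hold_date is not None:
            return []
        overwritten = []
        for m in self.media:
            if not m.overwritten and today - m.created >= RETENTION:
                m.overwritten = True
                m.content = b""          # medium recycled, data gone
                overwritten.append(m.label)
        return overwritten

    def place_on_hold(self, notice_date: date, custodian: str) -> List[str]:
        """Record the hold and open a custody record for each surviving medium."""
        self.hold_date = notice_date
        held = []
        for m in self.media:
            if not m.overwritten:
                self.custody_log.append(CustodyEvent(
                    m.label, notice_date, custodian, "preserved", sha256_hex(m.content)))
                held.append(m.label)
        return held

    def verify(self, label: str, today: date, custodian: str) -> bool:
        """Re-hash a held medium against its preservation record and log the check."""
        medium = next(m for m in self.media if m.label == label)
        baseline = next(e.sha256 for e in self.custody_log
                        if e.label == label and e.action == "preserved")
        current = sha256_hex(medium.content)
        self.custody_log.append(CustodyEvent(label, today, custodian, "verified", current))
        return current == baseline


def simulate() -> dict:
    """Walk the scenario from the post: routine rotation, then notice of suit."""
    backups = BackupSet()
    start = date(2009, 3, 2)               # constructed weekly backups T01..T08
    for i in range(8):
        created = start + timedelta(weeks=i)
        backups.media.append(Medium(f"T{i + 1:02d}", created, f"backup {i + 1}".encode()))

    routine = backups.rotate(date(2009, 4, 24))      # normal course of business
    held = backups.place_on_hold(date(2009, 4, 27), "records manager")  # notice received
    after_hold = backups.rotate(date(2009, 5, 15))   # would recycle T03 without the hold
    intact = backups.verify("T03", date(2009, 5, 15), "records manager")
    return {"routine": routine, "held": held, "after_hold": after_hold, "intact": intact}


if __name__ == "__main__":
    print(simulate())
```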
Other Resources
Here are some additional articles that I found useful:
“How Far is Too Far in e-Discovery?”, from Law.com’s “Legal Technology” section
“Messaging Mess”, from Inside Counsel
“The Conclusory Conclusion: Fourth Circuit Makes Seemingly Incorrect Evidentiary Ruling Regarding Admissibility Of Instant Messages”, from the EvidenceProf Blog
Wednesday, April 22, 2009
Update on the FaceBook TOS Situation
This is an interesting move following all the negative publicity FB received from its "sneaky" change last time (see my earlier post). They do not have to do this, but I commend them for being open about their proposed changes.
Hurry! Voting ends tomorrow, April 23, 2009.
Process Improvement for Nonprofits – Part 7: Monitor Test Results
Step 1: Diagnosis/Assessment: “What is happening now?” “Exactly how do we do everything that we do?”
Step 2: Analyze Workflow: “Is this the best way we can operate?” “Do we need to do any parts of our work better/cheaper/faster/with fewer people?”
Step 3: Identify Options for Improvement: “Where can we work differently?”
Step 4: Design new processes or steps: “What will work for our organization?”
Step 5: Gather feedback: “Is this in line with the organization’s mission?” “Does it actually improve the way we work?”
Step 6: Test the new workflow: “Does it work in the real world?”
Now, in Step 7, you have to pay attention. With your realistic test plans in place and a standardized reporting system for participants to record results, you should be free to observe other aspects of the new process in test operation.
Here, the key questions are “Are we getting the results we sought in this test?” and “If not, why not?” After you account for a reasonable learning curve and the challenges among staff who like to keep doing things “the way we always have,” can you tell whether the change makes a positive difference? If it does, is the benefit going to outweigh the efforts to implement the change over time? Have you communicated the vision of this better end result to everyone?
Pay attention to all feedback you get from testers, not just comments and scores on your feedback form. What do they say to each other? What do you hear at the water cooler? Does their body language tell you anything?
For most process changes, your staff will not care much which way you want them to do the work. They only want clear instructions so they can do it correctly. For some, however, you may find an almost religious devotion to the old method. No one knows why they ever started doing that task a certain way, but it has become a fiber in their coats of many colors and provides security and identity. The more credibility you develop throughout the entire exercise, the more likely you will be able to win these types over without a compliance mandate that squelches candid feedback and input on the next similar initiative.
Some habits have a lot of traction and will require deliberate efforts by your staff to change. Make sure the new process has benefits for them and use the benefits as carrots where possible. For example, to get employees to move from a paper-based review process to an online electronic review, make sure the online version is at least as easy as on paper, then tout the added benefits of less clutter, less paper, reduced costs and faster response times for corrections. You can even toss in the “green” label if it applies! It may require a big-picture perspective, because sometimes the level of effort shifts up or down the line and may impact one person more than another. If your staff can be mindful of the "trees" and the "forest," it will help this entire process.
The next post in this series will discuss the “post-mortem” review.
Monday, April 20, 2009
Government's Duty to Make “IT” Matter
Each election season is in one respect very similar to all the others: we hear rhetoric on improving government, shrinking government, raising governmental accountability, and various variations on that variety of verbiage. We also hear a tremendous amount of discussion of homeland security, military spending and budget deficits. Lately, there are growing concerns about the impending retirement of about 60% of the federal workforce, and a similar concern is probably facing most state agencies.
Now we have an extended economic squeeze on state and local governments and record projected budget deficits in many of them. There will be pressure to cut spending everywhere and lay off government employees—even teachers—to balance budgets regardless of the impact on services to and for constituents.
In tough economic times, the private business sector continuously seeks new, innovative ways to squeeze more productivity out of resources and processes. Can we expect the same from governments? Will wide-spread, major budgetary and employment pressures finally be what it takes to revamp the way government employees at all levels do their jobs?
Tale of Two Cities
Not too long ago, a television reporter investigating neighborhood code enforcement in the Dallas/Fort Worth, Texas, metropolitan area commented that of the 10 area municipalities she had contacted, only two were able to generate a list of “worst offending residential properties” from their data systems. The reporter seemed in disbelief.
The reporter’s efforts to turn over a few rocks, figuratively speaking, and shed light on the property owners who cause the most distress to their neighbors, as well as the perception of a lack of enforcement actions by the municipalities (including Dallas and Fort Worth), hit a stone wall. She inadvertently shined a light on something the public is increasingly questioning: technological inefficiencies in government business processes.
The two cities that could list the “worst offenders” got more than good publicity out of the story. After the initial news story, one property owner promptly cleaned up his act, while the other city revitalized and completed its pre-demolition process to remove a dangerous and unsightly structure. Both cities moved a serious offender off their lists and undoubtedly sent a message to those in the “next worst offender” category. Taxpayers benefited.
Tackling Two Questions
Taxpayers who hear stories like this ask two questions: “With all the tools widely available, why are they not at work in our local water department, code enforcement, county attorney or state human services departments?” and “Would it really matter to me as a taxpayer anyway?”
The first answer may be as simple as attitude. “We’ve always done it this way,” may still rule the offices where data is religiously entered into systems that do not give it back in usable form. There also may be a bit of ignorance at play. People who do not even understand spreadsheet software will certainly not see the benefits of relational databases over paper files.
As for the second question, it does matter because this is government waste at its most personal level—it affects you and me, the consumer-taxpayers. Agencies that waste time and money cost us more in the long run than if they installed the proper information processing tools for our government employees. They waste our time when we have to stand in a line to conduct a simple information exchange that could be done electronically as much as they waste their staff resource time by having employees process information in outdated systems that do not meet their needs. They squander millions on projects that are designed to keep everyone doing things the way they have always been done.
During an investigation several years ago, our team presented the agency with a harsh picture of how contractors could deliberately steal millions of taxpayer dollars by taking advantage of one known weakness in the system: the lack of communication, coordination and data integration between offices of the same agency. These silver-tongued businessmen knew that staff in one regional office were completely disconnected from those of the next nearest regional office, so they were able to plot their fraudulent systems and nearly get away with it.
Government is different.
There are many reasons that government offices do not function exactly as private businesses. Private sector businesses ultimately survive only by making a profit: they have to eventually generate more money than they spend doing so. If costs of doing business rise, businesses must either increase prices, reduce consumption, or otherwise trim costs to maintain the profit. Survival demands it.
Non-profit organizations have similar requirements for survival. When financially stressed, these businesses get busy raising revenues or cutting costs so that they can carry on with their missions. If revenues rise, so can services. The will to survive keeps successful private businesses continually searching for revenues that meet or exceed costs.
Survival for a government agency is typically not conditioned on profitability (though the quality and quantity of services—and consequently taxpayer satisfaction levels—are certainly affected by revenues).
Because governments must provide certain services and functions, whether or not profitable, the pervasive attitude may be “we don’t have to upgrade because it does not increase our funding.” Plus, the political risks of mistakes when investing in technological solutions (short term effects) are higher than the potential return on the investment over time (long term effects). Many terms of office are shorter than typical large technology projects!
ROI = Reducing Obvious Inefficiencies
A long-term “return on investment” mentality should guide state, county, and municipal governments into re-thinking their strategies for managing information and delivering services. Commercial, off-the-shelf software is available to help them manage growing workloads without expanding staff. Moving processes from paper to electronic systems means speed and effectiveness go up. That translates to efficiency. More efficiency means costs of services go down, collections go up, “losses” are reduced, and taxpayer satisfaction grows. Who knows? Maybe taxes could go down as well!
Taxpayers want the government agencies to be effective and efficient in every way that touches their lives. Computer systems that are old, inflexible, unsatisfactory, and a hindrance to efficiency and accountability have to go. Inefficient and ineffective office systems also negatively affect hiring. Who wants to work in an office that stubbornly refuses to modernize and for significantly less pay than most comparable private sector jobs?
The days of “I’m sorry, it’s in the computer and we can’t change that even if it is wrong” should be over for everyone. In place of these circa 1975 systems, we should see more circa 2000 systems at the least, circa 2010 systems at best. There is no technological obstacle, for example, to a single information management system for the whole county government where the courts, legal department, human services, and physical operations are connected, sharing only the data they need from each other, yet efficiently maintaining centralized records so that code enforcement, police & fire, tax appraisal and assessment, and other offices can update the records for each tract, ensuring the most current information when needed.
Rays of Hope
There are signs of awakening. Even before the current economic crisis, Minneapolis, MN, announced a project to enable its City Attorney’s offices to pull data from numerous sources around the county and state when needed for a civil or criminal matter. When a person is charged with a crime, for example, the prosecutor will receive an automated notification of the first hearing date within minutes and can then instantly pull into one screen the most recent digital color “mug shot,” criminal record, driver’s license data, and the underlying police incident report, creating a “document” that does not exist until it is printed. Citizens can run their own reports on crime and other public statistics by neighborhood—right from the City’s web site.
Counties have begun to procure single, comprehensive criminal justice software systems rather than separate software for each office. Some municipal utility departments use electronic tags to gather data wirelessly from usage meters and monitoring devices and feed it into an account file for each monitoring station for billing or quality assurance tracking. Several police and parking enforcement departments use hand-held devices to issue citations and wirelessly record them in the city’s court records system automatically.
Software currently available "off the shelf" can track the minute factual details gathered in arson investigations, electronically audit contractor invoices and adjust them when they do not comply with an agency’s billing practices, and plot not only results obtained by staff, but the future impact on agency resources if regulatory changes are effected.
Perhaps the day is not far away where that investigative reporter can get the list of “worst offenders” in her community from an online database. Or, due to better tools in the hands of those same public servants, that list would be so short it would not be interesting to her in the first place.
Thursday, April 16, 2009
Is Your Software Vendor Your "Friend?"
If you do not receive frequent useful communication from your vendors, find out why. Perhaps the company decided to cut back on printing and postage costs as their business dropped off. Or they may have cut their long-distance and travel budgets, meaning fewer phone calls and visits. It takes very little time or money to send out an email update to important customers (and you know they can use email, right?).
These days, however, with so many more immediate and inexpensive ways to keep customers connected to their product issues and development plans, you have to wonder why a vendor would "hide." Social media is not just for socializing. Twitter users are not just your typical teens and twenty-somethings, either, as noted in this Reuters story.
Before you buy, ask your prospective vendors these questions:
(If you are a business and do not understand the technologies described above or how to get started, read my earlier posts, including “Develop a Twittering for Your Causes” and "Tweets & Twitters" for the basics.)
Tuesday, April 14, 2009
Who is the client? A comment on the Irell & Manella sanction order.
I read Kevin LaCroix’s blog post about the conflict of interest issues that got one of California’s prominent large law firms in trouble. As Mr. LaCroix notes, the opinion itself is noteworthy in its severe critique of the firm’s violations of California’s Rules of Professional Conduct.
What I find amazing is the fact that such an obviously prohibited situation even occurred. The lawyers in that case appear to have either completely fallen asleep at the wheel or acted maliciously to deceive their clients for their own pecuniary interests.
Here’s why. The American Bar Association’s Model Rules of Professional Conduct, as well as almost every state’s specific rules that govern the legal profession, has a specific rule that addresses the situation where an organization is the client (rather than a single human being). In this case, the ABA Model rule is number 1.13 and you can read the text there yourself as well as the Rule Committee’s Comments about the rule.
The rule contains these basic tenets:
» The organization is the client, not the people working there
» The lawyer’s duty is to the best interests of the organization
» When working with employees of the client, the lawyer must remind the employees who his or her client actually is
» A lawyer cannot represent two clients who have a conflict of interest unless each client gives written consent AND they do not have claims against each other
Clear, logical and pretty darn easy for most non-lawyers to understand. There are sticky situations and very strange facts that can be less clear, but not so in this particular court case.
Under the facts in the U.S. v. Nicholas case, the law firm was retained to represent both the company and its Chief Financial Officer. All three legal matters were about stock options and accounting. (Red flag #1; Strike 1.) The lawyers interviewed the CFO on the allegations against him personally and the internal investigation into the accounting practices that were also at issue in the lawsuits, but did not remind him that they were representing the company. (Red flag #2; Strike 2.) Then the company instructed the law firm to turn over to the SEC and U.S. Attorney the information the CFO provided them in that interview. (Another red flag; Strike 3!) The firm should have been “outta there!” The federal district judge agreed.
Here’s what you need to know as a potential client:
1. Lawyers have strict duties of confidentiality as to information you provide in order to seek or during representation. Very limited exceptions apply.
2. When a firm represents your business, you have to designate a primary point of contact for that firm, but the firm’s duty is to the company, not you or any other officer, director, shareholder or employee.
3. If one of your officers or employees appears to need representation, always resist the temptation to have the same firm represent him or her. Get another law firm. Period.
It comes down to a simple rule: the only thing you know for certain about anything is that you never know everything about it. What you do not know can, in too many cases, come back to hurt you.
Monday, April 13, 2009
What Should You Know About International Data Privacy Protection Laws?
In 1995, the European Commission issued its Directive on Data Protection, directing all member states to adopt laws consistent with the Directive. The goal is to protect private, personal identity data [1]. Article 25 specifically prohibits transfer of personal data to non-EU nations (such as the U.S.) that the EU believes do not adequately protect such information.
These laws are very broad. The UK’s Information Commissioner’s Office describes the UK act as applicable to everyone “unless you are an individual holding personal information for your own domestic use, e.g. an address book.” In other words, personal data may not be processed unless it fits in one of the express exceptions [2]. The EU member laws differ substantially from U.S. laws.
The Risks
The risk to American organizations is that they can inadvertently violate these laws through their online activities [3] and thereby become liable to actions by governments and organizations in other countries.
Violations need not be intentional. The mere act of “exporting” personal information from an EU country to a non-EU country—even if within the same organization or family of companies—creates a risk of legal action. Under some interpretations of Canadian and EU laws, for example, an "export" occurs when a person "sees" data on a local computer via a web conference--even a technical support session!--because the data was "made available" to a third person in a non-EU country. A California firm's newsletter, "60 Seconds of Privacy," lists some examples of American businesses who have been charged with data protection violations. You may recall the stand-off in 2007 over the U.S. government’s demand for passenger data on all in-bound flights from outside the U.S. The conflict between the U.S. laws and the EU Data Privacy Act almost caused a complete cancellation of all flights from the EU to the U.S. before an EU-USA agreement on passenger name records resolved the issue.
Exports happen and can happen to you. If you have personal information about anyone—employees, customers, website visitors, etc.—in a database that is not under your control on your premises, you need to know where that data is, including all backups and mirror sites. If your web pages collect personal data on visitors who unintentionally leave such data without an adequate privacy notice AND without specific actions on your part to prevent unlawful disclosure of that data, you may be at risk of legal action by the European Commission or data protection authorities in any of the EU member countries. If any of the personal data belongs to an EU citizen, regardless of how you obtained it, it is protected.
A relatively new risk, so called “cloud computing,” can mean private data is moved across international lines even if only as a back-up or redundant “mirror” site. (The Privacy Law Blog also has a good post that expands on this risk.) Showing data in or sending a database of personal data to a non-EU country, whether for technical support or a legitimate business purpose, can also cause a violation. And clearly, doing business with any European organization, even the subsidiary of a non-EU organization, can open the door to this risk.
The "Safe Harbor" Solution
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the EU Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework (http://www.export.gov/safeHarbor/). Registration is easy and compliance is uncomplicated. It also makes a huge difference. Participation in and compliance with the Safe Harbor program can shield your organization entirely. (Explanatory slideshow here.)
What should you do if you are involved in activities that put you at risk of violating EU Data Protection laws? First, get into compliance with the Safe Harbor program and register voluntarily. Second, know where your data is at all times and ensure you comply with your own security policies. Third, stay in compliance with the Safe Harbor rules. Fourth, do what you can to make all personal data anonymous, to the point it cannot be connected to any person, and/or encrypt it (for example at the field level in your database) to further protect against inadvertent disclosure.
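As an added illustration of the fourth step (not part of the original post), the following Python replaces direct identifiers with keyed tokens, coarsens the fields that could still single someone out in combination, and checks a record before it is exported; the field names, the key and the sample record are assumptions.

```python
"""Pseudonymise direct identifiers and generalise quasi-identifiers in a record
of personal data before it is copied outside the EU. Added example; the
field lists, key and sample record are constructed for illustration."""
import hashlib
import hmac
import re

# Fields that identify a person directly (Article 2(a): name, identification number...)
DIRECT_IDENTIFIERS = {"name", "email", "customer_id"}
# Fields that single a person out only in combination; generalise instead of dropping
QUASI_IDENTIFIERS = {"postcode", "birth_year", "ip_address"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: rows stay correlatable for whoever holds the key,
    but the token cannot be rebuilt from a guessed input without it."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def generalise(field: str, value):
    """Coarsen a quasi-identifier so it no longer points at one individual."""
    if field == "postcode":  # keep the outward (district) part only
        return str(value).split()[0].upper()
    if field == "birth_year":  # five-year band
        year = int(value)
        base = year - (year % 5)
        return f"{base}-{base + 4}"
    if field == "ip_address":  # zero the host octet of an IPv4 address
        octets = str(value).split(".")
        return ".".join(octets[:3] + ["0"])
    return value


def anonymise_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymise(str(value), key)
        elif field in QUASI_IDENTIFIERS:
            out[field] = generalise(field, value)
        else:
            out[field] = value
    return out


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def contains_raw_identifier(record: dict) -> bool:
    """Export guard: refuse a record that still carries an e-mail address or a
    full (non-generalised) IPv4 address. Constructed checks, not exhaustive."""
    for value in record.values():
        text = str(value)
        if EMAIL_RE.search(text):
            return True
        if IPV4_RE.search(text) and not text.endswith(".0"):
            return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-inside-the-eu"
    record = {"name": "Ada Lovelace", "email": "ada@example.org",
              "postcode": "SW1A 1AA", "birth_year": 1987,
              "ip_address": "192.168.1.42", "plan": "basic"}
    safe = anonymise_record(record, key)
    print(safe)
    print("raw identifiers left:", contains_raw_identifier(safe))
```

A keyed token can be re-linked to the person by anyone who holds the key, so the key must stay with the EU-side entity and never travel with the data. Generalisation on its own does not guarantee anonymity once several coarse fields are combined.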
The Department of Commerce’s Safe Harbor program is easy to adopt and provides several important benefits to U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor include:
>>>All 25 Member States of the European Union are bound by the European Commission's finding of adequacy. One finding fits all, even if there is dissent or disagreement.
>>>Companies participating in the safe harbor are deemed adequate and data flows to those companies continue. It is similar to being presumed innocent until proven guilty in American criminal cases.
>>>Member State requirements for prior approval of data transfers either are waived or approval is automatically granted. This simplifies compliance immensely by reducing to one the number of regulatory schemes that affect your organization.
>>>Claims brought by European citizens against U.S. companies are heard in the U.S. subject to limited exceptions. It is much better to deal with issues in your own country.
The DOC’s Safe Harbor Checklist for joining the Safe Harbor and self-certifying your business walks you through the actions you must take to register, such as:
1. Affirm that your organization is subject to the jurisdiction of either the Federal Trade Commission or the U.S. Department of Transportation.
2. Develop a Privacy Policy that conforms to the seven Privacy Principles and states in plain language the data you plan to collect and what you will do with it.
3. Confirm that you use, or will use, an “Independent Recourse Mechanism” to promptly and fairly resolve disputes related to alleged violations, such as TRUSTe, the BBB EU Safe Harbor program or the American Arbitration Association.
4. Put an internal compliance verification mechanism in place before collecting any private data.
5. Identify the primary contact person in your organization for any inquiries from the Safe Harbor program.
In addition to Export.gov, you can find additional useful information at the Global Information Assurance Certification (GIAC) website.
References
[1] 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 2(a)).
[2] a) the data subject has unambiguously given his consent
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; etc. (Id., Article 7 (a) and (b))
[3] 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Id., Article 2(b)).
Finally, here is a PDF with VERY helpful "FAQs."
Thursday, April 9, 2009
Forget Who's On First! Who's On Twitter?
If you watch cable news or listen to radio talk shows, you have at least heard of Twitter. Twitter is a novelty to some. It may evolve into something far greater, or it may fade away like the Pet Rock once something else comes along to supplant it. For now, though, the curve is upward. It is free, requires no special software, open to the public and accessible from mobile devices like smart phones. Set up an account here, if you are interested, then follow along.
“I’m on Twitter. Now what?”
The first thing to do is lurk. See what others are writing. There are kids who post about their exams, college students who proudly proclaim their Spring Break exploits, online marketers who want you to see the latest breakthrough in multi-level marketing, celebrities who are certain everyone is watching all the time and news sources that use Twitter to announce every news story they release. And many, many in between.
Randy Cassingham, of "This is True" fame, wrote a great description on his blog entitled, "Twitter: Why You Should Care." I have seen no better description of what Twitter SHOULD be.
"What Tweeters Should You follow?"
Next, find people to follow. Use the "Find People" link to search by name. If you are a Star Trek: Next Generation fan, you might want to follow "Data" (Brent Spiner) or "Geordi" (LeVar Burton). If you adore Desperate Housewives, Gossip Girl or Britney Spears, there is a fan site for each. Maybe you could use a frequent pep talk from Tony Robbins or want to stay up on product recalls in the U.S. Subscribe to a few using the “Follow” button and you will build a “timeline”: an unbridled flow of messages from each Twitterer you follow (we are avoiding calling them "Twits").
Twitter also has a general search tool at http://search.twitter.com/ so you can search by key word, for example. See what is going out around the world related to any topic you type. Try hurricane, or North Korea. Earthquake is the term many used recently to get current news about the quake in Italy. Find people Tweeting on topics you like, such as your profession or hobbies.
“Why Tweet?”
A better question is: why should anyone follow you? There are certainly those who just sign up for everything and anything they can as well as people who have a weird sense of curiosity about strangers. Most people need a reason to follow you or send you a Tweet. If you do not have anything useful to say, then do not Tweet. There are too many Twitter accounts that appear to be on autopilot, spewing out periodic posts that either promote the sponsor or provide links to information without any identifiable reason for the link. Who cares if you are just Tweeting about something that was already available online and where everyone could find it?
But if you do have comments, news or a SINCERE thought-provoking and discussion-starting question to ask, then by all means Tweet it out loud. Twitter is like a micro-blog. Do not try to replace longer blog posts with piecemeal, 140-character snippets strung out over days. Instead, keep blogging and then Tweet the URL (this is where something like TinyUrl.com comes in handy to shrink those gargantuan links into about 16 characters).
Try a Tweet (an update) yourself. You can answer the Twitter question—“What are you doing?”—or make a statement or ask a question yourself. After your initial tweet or few, you will likely start to ask yourself how this strange tool can be of any use to your business, organization or professional practice. You can be certain that people asked the same thing about email decades ago, and about the World Wide Web when it launched. Businesses can use Twitter to provide small tidbits of information about their products and services and links to more information on their own sites. Nonprofits can entice volunteers and donors with Tweets about their activities and needs.
"Uh oh! I get too many Tweets!!"
Following a few people is one thing. Following 1500 is total chaos. Some celebs have over 300,000 followers, but very few Twitterers actually follow more than a hundred others. Without some way to make the information manageable and searchable, it quickly overwhelms and becomes useless digital “noise” or as confusing as Abbott & Costello's famous baseball team. So now you need more tools.
I cannot list in this space all of the great tools available. Try these two lists of Twitter Tools, Toolbox and Twitter Toolbox 2 for about 150 to choose from. Jeremiah Owyang has a nice review of his favorites on his blog. Find something that lets you filter, group, segregate and manage the display of your endless stream. It helps, also, if the tool lets you post back to Twitter and your other social media in one post. (Secret tip: There is a new tool in early development called Seesmic Desktop that has promise. Get the Preview Release to try out free.)
More creative ideas for using Twitter are in my earlier posts, Think Globally, Act Locally and Developing A Twittering for Your Causes.
UPDATE: Tony Robbins sent out this link. You may like the April 2, 2009, interview of one of Twitter's founders by Stephen Colbert here.
Monday, April 6, 2009
The Open Source Risk – Are you Managing it?
When managers think of “risk management,” they typically first picture slip and fall cases or natural disasters. They may think of insured perils (fire, flood, etc.) and even security breaches. Chances are, however, that they do not think of the risks potentially hiding in their IT department. Risk management takes its general approach from Scouting: “be prepared.” When applied to litigation risk management, that often means taking an inventory of your gaps and preventive measures.
So what risks might hide among your servers, keyboards and empty Mountain Dew cans? Open Source software (“OSS”) licenses. If your IT department incorporated open source software into any part of your business, even as a component within another product that was added by the vendor, you need to know the license restrictions on that software.
Too many managers still think OSS is the same as “freeware.” Anything that does not appear to have a price on it is attractive when budgets are tight. Nonprofits and small businesses alike flock to OSS to meet their technology needs while minimizing expenses. OSS is not without strings, even if it is without an initial price tag. The strings to worry about are the licenses attached to the OSS. There is at least one and may be several, depending on how many OSS components are in the software.
An acquaintance of mine, Jason Haislmaier, blogs on this topic frequently, drawing from his active practice representing businesses who are exposed to this very risk. In a recent post discussing the Jacobsen v. Katzer decision, Jason wrote:
“For those companies that have elected not to comply with open source licenses or, as is the case with many companies, have chosen to remain unaware of the open source software licenses to which they may be subject, Jacobsen should be all the incentive that is necessary to adopt and implement a sound open source license compliance program.”
Bob Brill also has a good post on the case here. Brill delves into related areas and risks that abound if you fail to implement what Haislmaier calls “a sound, open source license compliance program.”
“What is a sound, open source license compliance program?”
A good OSS license compliance program begins with a great contract management system. At a minimum, you need an inventory and documentation. The software licenses are contracts just as much as your copier lease or your accounting services agreement.
Make a current list of every contract in effect in every aspect of your business. It probably requires a separate system. You can buy software to help you, create the list in Excel or write it on notebook paper, but do it and keep this list safe. The essential details to record are:
>Vendor/Author Name
>Contract/License Date
>Subject of the Contract/License
>Effective Date
>Expiration Date
>Location of the actual, fully-signed version, if any
>List of any clauses that survive the end of the contract
It is that last item that will keep you awake at night. For software licenses of all types, you also want to know who is using the component and for what purpose as well as where the original version of the software is stored. This may be the DVD the software came on or the original download files. Make sure for OSS you have the completely unaltered version of the software saved somewhere.
“AFL, OSL or GNU?”
There are a number of OSS licenses floating around. Typically, the original software author inserts a comment into the code stating the license that the writer intends to apply. Make sure you note that reference AND any subsequent references by authors who add to the original code. The Open Source Initiative maintains a registry of the OSS licenses that conform to the Open Source Definition; check that the software itself conforms as well. Be aware that over time a number of iterations of many OSS licenses have been released. You need to know which specific version applies to the component in your inventory.
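An added example (not the post's or any project's code) for the inventory list above and the license-comment check in this paragraph: it pulls every license declaration, including a later contributor's SPDX tag, out of file headers and flags files with none or with more than one; the pattern table and the sample files are constructed and deliberately small.

```python
"""Inventory the licence declarations found in source-file headers, so the
version that actually applies to each component is on record. Added example,
not from the post or any project it names; the pattern table is a short,
constructed subset of what a real scanner carries."""
import re

# (pattern, identifier template). Group 1 captures the version where one exists.
LICENSE_PATTERNS = [
    (re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)"), None),
    (re.compile(r"GNU General Public License.*?version\s*(\d)", re.I | re.S), "GPL-{0}.0"),
    (re.compile(r"GNU Lesser General Public License.*?version\s*(\d(?:\.\d)?)", re.I | re.S), "LGPL-{0}"),
    (re.compile(r"Apache License,?\s*Version\s*(\d\.\d)", re.I), "Apache-{0}"),
    (re.compile(r"Academic Free License.*?version\s*(\d\.\d)", re.I | re.S), "AFL-{0}"),
    (re.compile(r"Open Software License.*?version\s*(\d\.\d)", re.I | re.S), "OSL-{0}"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]
HEADER_LINES = 40  # only the top of a file is read as its licence header


def declared_licenses(text: str) -> list:
    """Every distinct licence statement in the header, including later
    additions by other contributors, in the order encountered."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    found = []
    for pattern, template in LICENSE_PATTERNS:
        for match in pattern.finditer(header):
            if template is None:          # an SPDX tag is already an identifier
                ident = match.group(1)
            elif match.groups():
                ident = template.format(match.group(1))
            else:
                ident = template
            # GPL/LGPL prose usually states whether later versions are allowed
            if template and ident.startswith(("GPL-", "LGPL-")) \
                    and re.search(r"any later version", header, re.I):
                ident += "-or-later"
            if ident not in found:
                found.append(ident)
    return found


def inventory(files: dict) -> list:
    """files maps path -> text (constructed here; walk the tree with os.walk in
    practice). Files with no or several declarations are flagged for review."""
    rows = []
    for path, text in sorted(files.items()):
        licences = declared_licenses(text)
        if not licences:
            status = "review: none declared"
        elif len(licences) > 1:
            status = "review: multiple declarations"
        else:
            status = "ok"
        rows.append({"path": path, "licenses": licences, "status": status})
    return rows


# Constructed sample tree: four headers as they might appear in a vendor drop.
SAMPLE_FILES = {
    "src/core.c": "/* SPDX-License-Identifier: MIT */\n/* Permission is hereby granted, free of charge ... */\nint x;\n",
    "lib/parser.c": ("/* This program is free software; you can redistribute it and/or modify\n"
                     " * it under the terms of the GNU General Public License as published by\n"
                     " * the Free Software Foundation; either version 2 of the License, or\n"
                     " * (at your option) any later version. */\n"),
    "vendor/util.js": ("// Licensed under the Apache License, Version 2.0 (the \"License\");\n"
                       "// Additions 2009: SPDX-License-Identifier: GPL-3.0-only\n"),
    "tools/build.py": "#!/usr/bin/env python\nprint('no licence header here')\n",
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES):
        print(f"{row['path']:<16} {', '.join(row['licenses']) or '-':<24} {row['status']}")
```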
Some software can be transferred to others as long as you also pass along the license and the recipient agrees to honor the license. Read the license regarding transfers and make sure you understand how to comply. If you dispose of, sell, give away or otherwise transfer possession of any software, make these additional entries:
>Recipient
>Terms of transfer (including price)
>Date of transfer
>Reason for transfer
>Confirmation of delivery of license to recipient
(any other information that will help prove you complied with the license at transfer)
With the Katzer decision, OSS authors may become more litigious. Help yourself by knowing what you have, complying with your contracts and documenting your compliance every time there is some event that the contract addresses.
Finally, be careful: you do not necessarily know whether your OSS was compliant when you received it and it may be hard to tell. You are still at risk. The most prudent practice is to discard any software that you cannot prove you acquired completely in compliance with its license(s).
Thursday, April 2, 2009
Process Improvement for Nonprofits - Part 6: Real-World Testing
After an assessment, creative problem-solving and ample feedback, it is time to test the changes under actual conditions. Carefully select both the process changes you will test and the participants in the testing. You need staff who will give the changes a fair chance and also document anything they notice while employing the new methods.
Remind them of your common goals (“saving time on paperwork so we can help more callers,” e.g.) and make it clear that the new process they are testing has not been confirmed as perfect or necessarily the best, but deserves a good evaluation. You need honesty in the assessment to be confident in the results. Prepare a standardized method of recording comments and outputs to compare to the “old way” of doing things. Your baseline quantities of calls answered, cases opened or closed or fliers mailed will be useful as you find out whether the shortened processes really do speed up the flow of work. It may be helpful to set up a SurveyMonkey site to collect standardized data if your testing involves people in multiple locations and over a range of items.
Set a significant test period. Factor in the learning curve your new process will require. If significant, test for a longer period. If minor, a shorter test run will suffice.
Wednesday, April 1, 2009
Use Caution When Naming Your Business
Business entities such as corporations register their name through the documents that create the corporation. Others, such as partnerships and sole proprietorships, may forget to properly register their business name. This creates several risks that you can easily avoid with proper registration, such as inadvertently infringing on a name that belongs to someone else and being prevented from suing or defending legal actions against your business.
A small business woman I know set up a nice re-sale shop in a decent location. She picked a store name that was catchy and communicated the business mission. After she spent considerable money on branding, signage and advertising, she got “the letter.” Another person was using a very similar name in the same line of business years before this one opened its doors and wanted her to “cease and desist” using the name.
To be fair, the older business had little choice other than to write that letter. Failure to take prompt action to protect your trademarks and trade names eventually means you lose the right to do so. The lesson for the newer business is to register your “assumed name” before spending time and money on a name you may not be able to keep. The act of registration is not a perfect guaranty that you will have no problems, but the process includes a search for similar names already registered and helps identify potential problems early on.
Be careful, however. In some states, there are both state and local assumed name registries and searching one does not include a search of the other. Plus, many counties are still not digitized, requiring a manual or paid search in each county where you intend to do business.
Filing a certificate of assumed name in your county and/or with the state before you invest in branding your business could save money, potential damage to your reputation and precious time away from your core business mission just when you are getting off the ground. It is far less expensive to do the searches early and get your name reserved than to fight legal battles or pay to re-brand a new business.