Thank You to Hartford Business Journal and Advanced Copy

Thank you to Advanced Copy for nominating me for Best Use of Blogs for the Hartford Business Journal's Strateg E Awards for 2010.  Thank you to the Hartford Business Journal for selecting this Blog as a finalist and putting on a great event yesterday. 

Congratulations to Thomas Clifford who won for his Blog, Bringing Brands to Life.  Tom is a big fan of Daniel Pink who has some revolutionary ideas for business management.  I just read Pink's latest book "Drive: The Surprising Truth About What Motivates Us."  Great read. 

Class Action Lawsuit Filed In Connecticut Against AT&T Over Internet Access Tax

On January 11, 2010, a class action lawsuit (download here) was filed against AT&T alleging that it improperly charged sales tax to access the Internet in violation of Connecticut law and the Internet Tax Freedom Act.

The case was brought on behalf of David Rock who subscribed with AT&T for a "wireless data plan that permits access to the Internet by radio device."  The plan permits Internet access remotely by computer or smartphone, such as an iPhone or BlackBerry.

The complaint alleges improper charges from AT&T for state and local sales taxes on internet access on monthly bills.  The complaint is based in part on Connecticut General Statutes 12-407(a)(26)(A) which excludes Internet access from the state's sales tax on telecommunications.  The Internet Tax Freedom Act also prohibits taxes on Internet access.  The complaint alleges thousands of potential members for the class in Connecticut.  The complaint alleges breach of contract and violation of Connecticut's Unfair Trade Practices Act.

Nate Anderson of Ars Technica reported on several identical lawsuits filed in Georgia, Indiana, and Alabama over the last month. Mr. Anderson reported that the same lawyers were behind the multiple filings. In a Hartford Courant article today by Matthew Sturdevant, the attorney for Mr. Rock, Michael Koskoff, noted that perhaps a dozen similar suits will be filed in various states.

Mr. Anderson made a humorous comment that all the complaints in the Georgia, Indiana, and Alabama cases have the same typo or misuse of the word "I-Phone" rather than iPhone. The complaint in the Connecticut case has the same misuse of "I-Phone." So, either there is some cooperation nationwide on the plaintiff side on the content of the complaints or perhaps none of the lawyers involved own iPhones.

In any event, these cases will be interesting to track as all of the lawyers involved on the consumer side have significant experience in class action lawsuits, including against telecom providers.  I also agree with Mr. Anderson that the actual definitions of "sales tax" and "Internet access" might seem simple enough, but can actually be quite complicated.  I expect AT&T will make use of those complications. 

 

Don't Get Rocked like RockYou: Protect Your Customers' Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses from hackers stealing customer data, also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..." As such, RockYou may face liability for data exposures across other platforms.

Mr. Remillard notes that he has been warning site owners about the risks of holding consumers' PII. I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach. If a business must store PII in its systems, then a data loss and security plan must be in place to protect the data. In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of their customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems. The vulnerability results from RockYou's SQL database, which relates to the actual storage method and management of millions of email accounts and passwords. The complaint against RockYou alleges that the prior well-publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCWorld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes. He noted that RockYou stored the information in plain text. In other words, once the hacker got inside RockYou's system, the passwords and email accounts were as easy to read as sticky notes because there was no encryption of the text.

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches, including encryption for all passwords. Encryption makes the stored passwords unreadable to a hacker who gains access to the system.
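The difference between plain-text and protected password storage described above, as an added example that is not part of the original post and is not RockYou's code. It uses salted one-way hashing (PBKDF2) rather than reversible encryption, and the table names, sample accounts, work factor and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for illustration; not real data.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "hunter2-not-real"),
]
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware

# Fixed queries for the two hypothetical tables (no SQL built from input).
DUMP_QUERIES = {
    "users_plain": "SELECT email, password FROM users_plain",
    "users_hashed": "SELECT email, salt, pw_hash FROM users_hashed",
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a one-way hash; the password cannot be read back from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Store the same accounts twice: once in plain text, once hashed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (email TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (email TEXT, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE_USERS:
        # Parameterized queries keep user input out of the SQL text.
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))
        salt = os.urandom(16)  # unique random salt per account
        db.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?)",
            (email, salt, hash_password(password, salt)),
        )
    return db


def verify_login(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Check a login against the hashed table without storing the password."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


def exposed_passwords(db: sqlite3.Connection, table: str) -> int:
    """Count sample passwords readable verbatim in a full dump of the table."""
    rows = db.execute(DUMP_QUERIES[table]).fetchall()
    cells = [c if isinstance(c, bytes) else str(c).encode()
             for row in rows for c in row]
    return sum(any(pw.encode() in cell for cell in cells)
               for _, pw in SAMPLE_USERS)


if __name__ == "__main__":
    db = build_db()
    for table in DUMP_QUERIES:
        print(table, "passwords readable in a dump:", exposed_passwords(db, table))
    print("login still works:",
          verify_login(db, "alice@example.com", "correct horse battery"))
```
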

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts. If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce. The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12-step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow a security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

Do Not Count On Beating Goliath: Implement A Management Plan To Avoid Software Licensing Problems

This month's business technology tip arises from the recent David v. Goliath story reported on by Douglas Malan of the Connecticut Law Tribune.  Kent Johnson, the owner of a small computer repair shop in Connecticut was sued by the software Goliath Microsoft for allegedly selling one improperly licensed version of Microsoft Office. Microsoft put 15 people on the case and sued Mr. Johnson in federal court for copyright infringement.  

Mr. Johnson represented himself against Microsoft and reportedly reached a favorable settlement. Mr. Johnson has a website that provides all the details of the case from the very beginning. As much as Mr. Johnson's apparent success against Microsoft was unusual, the notion of Microsoft going after business owners for copyright infringement is not.

Microsoft, and other software publishers, might pursue an infringement case directly or through enforcement groups such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA). These groups estimate that piracy costs software publishers seven billion dollars annually.

When you purchase software for your business, the software comes with a license that restricts your use of the software.  If you violate the restrictions in the license by copying or distribution, software publishers consider it piracy.  For example, typically you cannot install a software program for several users on multiple computers without purchasing additional licenses.  Also, you generally cannot install a program on a network server and let multiple users have access to it without the proper number of licenses.

Violation of a software license or copyright can implicate significant civil (and potentially criminal) penalties in piracy cases. Penalties can range up to $150,000 per offense for copyright infringement and there may be additional damages for lost profits. Many of these cases result in significant financial settlements in favor of the software publisher.

You might be wondering how Microsoft finds out about a small company violating its software license. Typically, an anonymous informant (an employee or IT consultant) reports the company to the software publisher, BSA, or SIIA in hopes of recovering a reward. These groups openly advertise rewards of up to a million dollars for anonymous tips that lead to successful enforcement actions.

Many times businesses can inadvertently run afoul of licensing restrictions without realizing it. Violations can occur when trying to cut costs, relying on bad advice from IT professionals, or an employee's improper downloading of software. When groups like the BSA become aware of allegations of software piracy, they usually issue a software audit letter to the business or initiate a lawsuit in federal court. The BSA will request proof of proper licensing from the business.

After receiving an audit letter, a business will have to decide to either fight it in court or cooperate. Facing Microsoft or the BSA in court can be risky financially and many businesses choose to cooperate. Problems often arise for businesses that cooperate because they cannot establish sufficient proof of licensing or the business is not aware of the extent of the infringement.

The best way to prevent problems with software licensing or an audit is to implement a software asset management plan. Ideally, the plan would include at a minimum a written policy covering: (a) terms for copying, use, and transfer of company software; (b) the risks of improper use of software and piracy; and (c) disciplinary action for employee misuse. The plan should also include software management, including a system for record keeping of all receipts, licenses, and original copies of the software. The plan should further include regular self-audits of company computer systems to verify proper licensing.

With a good software management plan in place, a business will be better equipped to defend a software audit or avoid it in the first place.  In either case, if your business is facing an audit or other enforcement action, you should seek legal advice.  If you face Goliath alone, do not count on obtaining the same success as Mr. Johnson.

Connecticut State Court To Phase In Mandatory E Filing

The Connecticut Judicial Branch will implement mandatory electronic filing in Connecticut state superior courts in all civil cases by December 5, 2009.  The Judicial Branch is also going paperless for short calendar and notices will no longer be sent by paper in the mail (unless the firm or litigant is exempt) starting September 1, 2009.

The mandatory e-filing will be implemented in phases as follows:

E-filing will be available in all remaining civil cases (with few exceptions) starting August 22, 2009.

E-filing is mandatory in all foreclosure cases starting September 1, 2009.

E-filing is mandatory in all remaining civil cases starting December 5, 2009.

Law firms and attorneys can receive e-filing training in each judicial district.

E-filing will be mandatory starting December in Connecticut in both state superior and federal district courts unless a law firm or litigant qualifies for an exemption.

 

Three Lawsuits Against Facebook For Fraud Raise Concerns For Advertisers

If your business is advertising on Facebook, or considering it, you should do some research on the newest allegations of advertising fraud against the online giant.  Facebook reportedly has over 250 million users so it is understandable that a business would want access to Facebook's users.  Facebook offers businesses advertising space online that is targeted to specific demographics of its users.  Facebook charges for the advertising based on the number of views or clicks that the ad receives from users.

As reported by TechCrunch's Michael Arrington, massive complaints started surfacing recently against Facebook for "click fraud." Basically, advertisers were clicking on competitors' ads, or paying others to do it, to artificially drive the price up. Advertisers were also reporting that Facebook was charging for more clicks than the ad was actually receiving. There are now three lawsuits filed against Facebook for advertising click fraud.

The most recent lawsuit was filed on July 31st by an individual advertiser seeking class action status. The second lawsuit was filed by Unified ECM, a software company, seeking class action status for massive click fraud by Facebook. The first click fraud lawsuit was filed by sports company RootZoo and it also seeks class action status.

BNET Media's Catharine Taylor posted a good report on the details of the first two lawsuits including email comments from Facebook. In the email, Facebook maintained that the Unified lawsuit is "unnecessary and baseless." Wendy Davis of Online Media Daily posted a good report on the first lawsuit by RootZoo. All three suits alleged discrepancies between the charges by Facebook and the actual number of clicks recorded by the advertisers.

Although Facebook has denied all the fraud allegations, TechCrunch takes the position that the click fraud problem is real and confirmed by Facebook. The Lost Press Marketing Blog presents a different view accusing Unified ECM of a "marketing stunt" to get exposure through press coverage of its lawsuit. 

Any business considering advertising with a pay per click campaign should take caution, whether on Facebook, another website, or a search engine. If you want to measure your return on investment, you should consider monitoring any pay per click campaign internally. If you are considering Facebook, you should wait to see what Facebook does to reassure its advertisers that fraud will be monitored effectively. For now, the problem does not appear to be going away.

 

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common.  Obtaining insurance to cover losses from data loss can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases.  Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.   

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

 

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's today's tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws. For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP. For an example of a new privacy law in Connecticut, consider the "Act Concerning the Confidentiality of Social Security Numbers." Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time. Consider the recent case of TJX reported on by Sheri Qualters for the National Law Journal. Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards. TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business. How can a business minimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business. There is no one size fits all policy and solution and every business will have different needs. If you already have a policy, you should have it reviewed regularly for changes in the law. If you do not have a policy in place, you need to start somewhere. For "do it yourselfers" there is the Federal Trade Commission's Guide for Business and Protecting Personal Information. The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy. These policies are now more affordable and many insurers such as The Hartford are now actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit. 

Social Networking Lawsuits Are Big Risk to Business

I just read an excellent article posted on Law.com from the New York Law Journal on social networking and challenges to business owners and their legal counsel. The authors, Christopher Boehning and Daniel Toal, focus on new emerging problems associated with electronic discovery of social networking data. The authors also point out many of the potential problems for employers and businesses related to social networking sites.

When Facebook started exploding in popularity, you could see that the future in communication was social networking. Boehning and Toal cite a New York Times article that indicates the future is now upon us as more people spend time on social networking sites than e-mailing. The authors correctly point out something I emphasize to all my business clients: businesses need to have a policy on how to handle social networking sites like Facebook, MySpace, LinkedIn and Twitter. The policy should cover the business' use of such sites and use by employees. Policies on preservation of the data should also be included as social networking data is akin to the new email.

Lawsuits involving some aspect of social networking sites are increasing in frequency from across the country. Take for example the recent jury verdict in New Jersey against Hillstone Restaurant for violation of the Federal Stored Communications Act. 

In that case, the employers accessed an employee MySpace group that was dedicated to criticizing the employer.  Although the verdict amount was relatively small, the implications are far reaching.  This case was reported on by Charles Toutant in the New Jersey Law Journal.  The employees' trial brief is a good read and spells out some of the arguments in favor of employees' rights to privacy with social networking sites. 

The outcome in the New Jersey case may have been different if the restaurant had a policy addressing use and access to social networking sites.  Businesses will have different concerns when it comes to adopting a policy, and no policy will cover every situation.  However, the lack of any policy at all is likely to lead to problems and potential litigation.  The best way to avoid litigation is to implement a written policy on use and access to social networking sites.