The Myths of Innovation: Lecture by Scott Berkun

March 28, 2010

A week or so ago I came across a video lecture by Scott Berkun, a well-known writer and former high level project manager at Microsoft, in which his topic is “The Myths of Innovation.”  The lecture is a couple of years old, but I imagine that many have not seen it, so I thought it might be worth sharing. 

While the lecture is on the long side, it is worth sticking with, as Berkun’s exploration of how organizations might consider facilitating innovation is thought provoking as he weaves in a good deal about the history of technological  advancements.  Among his many useful observations is the reminder that most successful approaches to foster innovation accept that failed development efforts — and, by extension, failed entrepreneurial ventures — are both valuable and essential to the innovation process and should be looked upon as the learning experiences that they truly are (or can be).

Washington State Joins PCI / Encryption Bandwagon for Data Breaches

March 22, 2010

Washington State is following closely on the heels of Nevada, which updated its data breach statute at the beginning of this year to add encryption usage and compliance with the Payment Card Industry — Data Security Standards (PCI-DSS) as a factor in determining liability for damages (see Tech Razor post on 1/1/10).  The Governor of Washington today signed into law an amendment to the state’s data breach statute that exposes certain businesses to liability for damages incurred by financial institutions unless the subject business utilized encryption or was PCI-DSS compliant at the time of the breach. 

The new provisions, which are effective July 1, 2010, will subject any business that processes over 6 million credit or debt card transactions annually to liability to financial institutions for not exercising reasonable care to prevent unauthorized access to account information unless the business encrypts processed account information or is  compliant with PCI-DSS standards.  Similarly, vendors of software and equipment designed to process, transmit or store account information or vendors that maintain account information for third parties will also be liable to financial institutions for damages that result from a data breach caused by the vendor’s negligence with respect to their software, equipment or services unless the data was encrypted or the vendor was certified within the prior 12 months as being compliant with applicable PCI-DSS requirements. 

Compared to the Nevada Act, the Washington legislation is narrower.  Washington’s latest revision is only focused on damages incurred by financial institutions and does not mandate encryption or PCI compliance, whereas Nevada imposes PCI-DSS compliance on businesses accepting credit cards and encryption on all other businesses transmitting or transporting covered data.  Although this amendment may be viewed as an attempt to address the very real concerns of financial institutions, which incurred substantial card re-issuance and other costs following several major data breaches over the past few years — most notably from the TJX/TJ Maxx and Heartland Systems incidents — the amendment is also a harbinger of both the increased attention focused on data security issues and of similar legislation that may be expected in the near future from other states.  In addition, the differing scopes of the Washington and Nevada statutes highlight the challenge that businesses will face by having to keep up with another layer in the patchwork of data-security requirements as such state-level legislation continues to emerge. 

PDF of Washington Amendment:  HB 1149 Washington State

Trend Continues on Limiting Actionable “Loss” Under CFAA

March 19, 2010

Although much attention has been focused on the split within the courts on the meaning of  permissible “authorization” to access a computer (see 10/20/09 Tech Razor post), the differing interpretations of the types of losses that may be pursued under the CFAA also pose a substantial hurdle to employers seeking to use the CFAA as a means of pursuing a trade secret misappropriation claim in federal court.  Two recent federal  district court decisions continue the trend of limiting the scope of what may be regarded as an actionable “loss” under the Computer Fraud and Abuse Act (CFAA).

Liability Under The CFAA

The CFAA provides, in part, that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. . . .”  Section 1030(g).   Based on this an employer or other person who has had a “protected computer” accessed without authorization (or in a manner that exceeds the scope of authorization) may pursue a CFAA claim.  However, if “damage” or “loss” cannot be shown then the CFAA does not provide any source of recovery.   Section 1030(e)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information” and Section 1030 (e)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

While some courts have been liberal about construing the scope of eligible losses under the CFAA, the majority of courts that have addressed the issue have made clear that unless there has been actual damage to data, program or a system or an interruption of service, then a CFAA claim may not be pursued.  Adding to the majority view are two cases decided earlier this year, ReMedPar v. AllParts Medical, et al., Civ.  Action No. 3:09-cv-00807 (M.D. Tenn. Jan. 4, 2010), and Mintel International Group v. Neergheen, Case No. 08-cv-3939 (N.D. Ill. Jan. 12, 2010). 

ReMedPar and Mintel

ReMedPar presented the situation of a competitor company, AllParts, aided by former employees of the plaintiff, ReMedPar, making use of proprietary ERP and CRM systems developed by ReMedPar.   While it was very likely that the former employees breached confidentiality and other obligations to ReMedPar, at no time was ReMedPar prevented from use of its systems or data and there was no physical damage.   Because of this, the court found that while the business of plaintiff, ReMedPar, may very well have suffered from the defendant’s wrongful action, ReMedPar did not suffer a recoverable “loss” covered by the statute.

Mintel involved a former employee, Neergheen, who in the course of his employment copied a wide variety of confidential information of his then employer, Mintel, which the employee then utilized when he went to work with a competitor business.   Again, because there was no impairment or damage to the employer’s data or systems and no interruption of use by the former employer, the court observed, “[defendant’s] allegedly unauthorized acts of copying and e-mailing Mintel’s computer files did not impair the integrity or availability of the information in Mintel’s system . . . .  As several judges in this district have already found (or confirmed), the ‘underlying concern of the [CFAA] [is] damage to data’ and ‘the statute was not meant to cover the disloyal employee who walks off with confidential information.’ . . . Rather, there must be destruction or impairment to the integrity of the underlying data. . . . Thus, Mintel has not demonstrated that it suffered the type of damage contemplated by [the CFAA]. ”  Mintel also did not suffer a recoverable loss because an “alleged loss” must also have stemmed from the impairment or unavailability of data or interruption of the service of a system.

Bottom Line

In both these recent cases, the plaintiff employers are not without other remedies against the offending parties, particularly under relevant state laws dealing with protection of trade secrets and confidentiality.  The  CFAA has a definite place to play in protecting valuable data and system assets, but its role fits a very specific set of circumstances.  Beacuse of this in many courts, at least, it will  continue to be more difficult to shoehorn within the CFAA framework claims for breaches of trade secrets or confidentiality obligations.  


Opinion in ReMedPar v. AllParts MedicalReMedPar

Opinion in Mintel v. NeergheenMintel

Enlightenment Sensibility of Netflix Prize Runs Afoul of FTC

March 13, 2010

The data privacy and breach stories that have made the biggest headlines over the past couple of years have principally involved companies either not adequately securing data or being the subject or hackers, which in turn resulted in exposure to statutory breach claims under various state laws, contractual breach claims and tort liability under negligence theory.  So, the news this week that Netflix is suspending its much vaunted Netflix Prize 2 until it resolves data privacy concerns expressed by the Federal Trade Commission (FTC) provides a good reminder of the authority at the federal level of the FTC to hold companies accountable for the assurances they provide their customers about data privacy.

Well before the advent of the Nobel Prize, arguably the premier prize for scientific achievement, there existed a tradition dating back at least to the Enlightenment of science-focused groups and clubs staking a prize for the proving of some scientific theorem or mathematical conjecture.  In a sense, Netflix was following in this long tradition, with a little bit of marketing and general business savvy thrown in to the mix, when in 2006 it announced its initial Netflix Prize contest in which it would award $1 million to whoever could most improve its movie recommendation algorithm.  Much like a mini-space program, this spurred numerous teams of professional and amateur researchers to pore over the data that Netflix then made available to facilitate the contest.  Therein lies the rub.  The data was supposed to be anonymous — and for all practical purposes this may have been the case.  The data was purged of all names and other personally identifiable information.  Yet, proving that clever people can do a lot with very little, a separate researchers uninterested in the Netflix prize proceeded to show that with a little effort the purportedly anonymous data was, in fact, not so anonymous. 

While the parallel analysis did not achieve any sort of prize recognition, it garnered the attention of the FTC.  Made aware of the research after the second Netflix Prize contest was announced and that Netflix actually planned to provide even more demographic information than was provided in the first contest, the FTC opened an investigation this past fall pursuant to its broad authority under Section 5 of the FTC Act to address unfair and deceptive trade practices.  While businesses other than those in certain  regulated areas (for example, financial institutions and healthcare providers) do not have to have any privacy policy, if they do have such a policy they are obligated to adhere to what they promise. 

The current Netflix Privacy Policy states, in part, that:  “We may also disclose and otherwise use, on an anonymous basis, movie ratings, consumption habits, commentary, reviews and other non-personal information about customers.” (Emphasis added.)   The quoted portion of the Netflix Privacy Policy is a fairly plain vanilla statement.  Variants of this are commonly found in many consumer-focused websites and work just fine so long as the policy is adhered to.  Netflix is not alone in wanting to use its storehouse of seemingly anonymous customer data for analytical purposes, and there is real good that comes from such efforts.  But, with advanced methodologies and the telling ingredient of a little ingenuity continually posing challenges to long-held assumptions about how secure data is, you can be sure the FTC will keep knocking on the doors of those who are less than vigilant.

NetFlix Blog Notice on Ending Contest: NetflixBlog–PrizeNotice

FTC Letter Closing Investigation:

Apple’s SDK for Apps: When Are Clickwraps Worth Paying Attention To?

March 10, 2010

Catching my attention this week was a recent post on the Deeplinks blog of the Electronic Frontier Foundation (EFF), which sounded an alarm about the one-sided nature of Apple’s license agreement for the software development kit (SDK) for iPhone apps.  The EFF can reliably be counted on to frame issues of electronic rights in a manner most benefitting the user community and this perspective is usually very helpful in understanding related issues.  While Apple’s SDK license is certainly written favorably to Apple, whether this should be viewed as particularly unfair or not is probably in the eyes of the beholder.  You can read the post here:

I think the more interesting aspect in this commentary is the implication that apps developers should be surprised by any of these revelations of the license terms that they presumably voluntarily agreed to when they clicked their acceptance to them.  Granted, it is all too common to glide through the fine print packed into online terms, and maybe momentarily pause before clicking acceptance.  We’ve all done it, including this writer, simply because the consensus view (which also happens to be true enough in most situations) is that the risks posed by agreeing to the expected “plain vanilla” terms of the clickwrap are almost always never greater than the benefits to be obtained by agreeing to the terms.  Certainly in the consumer context this is very often the case (even with the risks of buried “opt ins” to ad server programs, among other annoyances).  Much of the time the same can be said of clickwraps in the commercial context. 

The difficulty then is to know what exceptions justify taking a harder look at the details of clickwrap terms before taking the “I Accept” plunge.  Unfortunately, there are no objective rules here because these agreements are not uniform and too many variables are almost always at play from both the licensor and licensee perspectives.  So, what to do?  My rule of thumb is that if the clickwrap involves your use of or access to something (whether it be an application or otherwise) that is critical to the ongoing stability or continued operation of some key business activity of yours and the object of the clickwrap will be used on a regular basis in the business, then you are well advised to have a hard look at the clickwrap to make sure it can be comfortably adhered to, and, if not, to see if the proponent of the clickwrap has an alternative means of allowing access to the desired application or thing.  This goes back to the fundamental risk calculus related to assessing the potential consequences if one is wrong about a key assumption and, if so, whether your business would thereby be placed in significant jeopardy.  In addition, my general approach is almost always to at least skim such agreements before clicking acceptance to make sure that nothing obviously problematic jumps off the screen.

So, if you’re with a software development organization planning to participate in the apps ecosystem for Apple’s iPhone or Google’s Android (or, really, any other mobile devices) as a key component of your business plan, then getting comfortable with (or at least being aware of) the scope and details of the applicable SDK license terms is something that should be dealt with at the outset rather than on the back end once your wagon is hitched to that star.

The Risks That Entrepreneurs Take

March 2, 2010

I work with many entrepreneurs and other business people on fine tuning business concepts.  As part of that process, I’m frequently asked to advise on those steps that must be attended to and what things to avoid.  So, I try to be alert to particularly useful or insightful resources to pass along to people I work with who are sorting through knotty business challenges. 

With this in mind, an article from the January 18, 2010 issue of The New Yorker caught my attention.  Written by Malcolm Gladwell, the article entitled “The Sure Thing:  How Entrepreneurs Really Succeed,” examines various characteristics that distinguish successful entrepreneurs and raises a number of thought-provoking  observations.  Among these is the idea that contrary to the popular notion of the brash risk-taking entrepreneur, most successful entrepreneurs actually do as much as possible to minimize risk in pursuit of their business objectives.   Gladwell notes:

The economist Scott Shane, in his book “The Illusions of Entrepreneurship,” makes a similar argument.  Yes, he says, many entrepreneurs take plenty of risks – but those are generally the failed entrepreneurs, not the success stories.  The failures violate all kinds of established principles of new-business formation. New-business success is clearly correlated with the size of initial capitalization.  But failed entrepreneurs tend to be wildly undercapitalized.  . . . Writing a business plan is a must; failed entrepreneurs rarely take that step.  Taking over an existing business is always best; failed entrepreneurs prefer  to start from scratch. Ninety percent of the fastest-growing companies in the country sell to other businesses; failed entrepreneurs usually try to sell to consumers, and, rather than serving customers that other businesses have missed, they chase the same people as their competitors do.  The list goes on:  they underemphasize marketing; they don’t understand the importance of financial controls; they try to compete on price.  Shane concedes that some of these risks are unavoidable; would-be entrepreneurs take them because they have no choice. But a good many of these risks reflect a lack of preparation or foresight.

A pretty useful summary of tips for entrepreneurs. 

The full article may be accessed at (subscription required).