Cyber Security Report Card


Cybersecurity was a major topic at the recent Canadian IT Law Association conference.  It can be a daunting subject to ponder when dealing with various types of services, cloud providers, and the methods, standards and assurances available to lower the risk of a security breach.  Cyber insurance to cover some of these risks is a growing field.

This Cyber Security Report Card (pdf) is a good high-level summary of the things that businesses should think about when considering security issues for their organization.  It was provided by one of the luncheon speakers, John Millar of Digital Boundary Group, which is an IT security testing firm.

(For transparency, Digital Boundary Group is a client of mine.)

Cross posted to Slaw

8 Things to consider when using the Cloud


The cloud is a fluffy concept, and takes many different forms, but basically means any computer services that are provided on systems that you access over the internet. Examples include things like gmail, dropbox, and Google docs. It can include sophisticated applications for accounting, document management, and other business processes. Other forms include just the physical infrastructure that you install and manage your own software on. The cloud can offer many advantages when used properly, but also carries risks that need to be managed.

Here are 8 things to consider when using the cloud.

  1. Consider how mission critical the cloud service is to your business. Far more diligence and care is required for a service that is crucial to the operation of your business.
  2. Make sure you have a backup or mirror of the data in case something goes wrong.
  3. If the application is mission critical, make sure you have a continuity plan in place to keep operational if the cloud service is temporarily out of service or permanently gone.
  4. Privacy, security and encryption are essential to consider. Look at what information is stored and manipulated, who has access to it and how they access it, and what the consequences would be if that information were compromised. Encryption is a complex subject and requires the right questions to be asked. Is the data encrypted only when at rest? Is it encrypted during transit? Who has the encryption key? While it is not always practical, a zero-knowledge approach where the vendor can’t access the data is ideal.
  5. If you use platform or infrastructure as a service where you are in control of certain aspects of it, get expert technical advice on setting it up so that it is done right.
  6. Pay close attention to the provider’s service agreement. For basic, commodity services, the agreements will be non-negotiable and will include limited or zero liability if something goes wrong. As the cloud service becomes more sophisticated, personalized, and costly, those agreements tend to become more negotiable. The terms of the service agreement can be a risk assessment factor.
  7. In some circumstances privacy laws can dictate where data is stored or manipulated, or what you have to tell customers. Or your customers may perceive an advantage for the data to be housed in Canada, even though from a practical basis the risks may not vary much amongst first world countries. If any of these apply to you, make sure the location is where you need it to be.
  8. All the promises a vendor makes about data location, service levels, and data security have no teeth unless they are referred to in the service agreement, and are meaningless if not backed up by some consequence.

James Bond, Spectre, and the Surveillance Society

I don’t normally do movie reviews, but Spectre, the latest James Bond movie, has a cautionary tale about the surveillance society that is worth commenting on. It deals with the undemocratic / totalitarian / dystopian aspects of ubiquitous surveillance.

Some reviewers have been critical about the movie, but my view of Bond movies is that they are more about entertainment than plot and character development.

Some elements of the movie are uncomfortably real – like its spin on the Five Eyes network.  After I saw it I wondered what Ed Snowden would think. This is what Wikipedia has to say about Snowden’s thoughts about the Five Eyes.

The former NSA contractor Edward Snowden described the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The Intercept has a good article about the movie entitled Only Edward Snowden Can Save James Bond

From The Intercept article:

Knowing everything about everyone is actually of limited use to the good guys. But it’s hugely useful to the bad guys — be they extortionists, terrorists, or power-mad bureaucrats. And if it’s collected, somewhere, be assured the bad guys can get their hands on it.

While Bond is pursuing his super-villain, his boss M wages a losing bureaucratic war with C, who’s more of an NSA/GCHQ type. M inevitably describes the massive surveillance network that C is building as “George Orwell’s worst nightmare.” In response, C literally laughs at M’s devotion to the quaint notion of “democracy.” Subtle it ain’t, but the central point — that ubiquitous surveillance is an inevitably totalitarian tool, not just inappropriate for democratic society, but actively inimical to it — is often underappreciated in the current debate.

The movie also shows us what kind of hero we need to prevent such a dystopian future — and it isn’t Bond. It’s Q, who bears a striking resemblance to Edward Snowden.

When it comes to surveillance data, it’s hard to know who the bad guys really are. Depending on what it is used for, it can be those who should be protecting us.  And if you think this information can’t get into the wrong hands, take a look at this article about the lack of security in an FBI database.

Cross posted to Slaw

Web terms of use


Most businesses have a web site – or at least should have one. Many customers get frustrated or don’t take a business seriously if it doesn’t have a web presence with at least some basic information. The web site might be a basic brochure site that tells about your location and hours and what you sell, or it could be a sophisticated e-commerce site or social media platform.

Web terms of use may not be crucial for a basic brochure site, but they become far more important as the site becomes more complex and sophisticated.

Web terms will get more complex and become more important as the web site becomes interactive, sells things, invites comments or third party posts, or deals with user generated content.

Browse wrap terms – where they appear only at a link at the bottom of the page – may not be enough. Where practical it is safer to bind the user to web terms in a click-wrap agreement.

Cutting edge is great – but sometimes not easy

I got a Microsoft Surface Pro 4 last week – the plan being to replace my main computer and my tablet.  It’s a great machine – essentially a tablet that works like a laptop.  It’s noticeably faster than the desktop it replaces.  Using it as a tablet takes some getting used to – because it seems weird to have a tablet that is a full featured computer.  For example, I have apps on my Android tablet that my first inclination is to get for the Surface – but then I realize that the app isn’t needed when you are using a computer.

The high resolution display makes things like Flipboard content, magazines and video look better than I’ve ever seen on a tablet or laptop.

The biggest headache has been getting the document management software we use at HP to work.  It just isn’t designed to scale properly on a high resolution display, and took a lot of work by our IT department to make it useable.  Unfortunately specialty software like that often lags behind current tech and operating systems.

Cross-posted to Slaw 

10 things you may not know about Trademarks


Protecting your brand with a registered trademark can reduce the chances that someone else will try to compete using a confusingly similar brand, and make it easier to stop them if they do.

Here are 10 things you may not know about Trademarks

  1. Trademarks can’t be clearly descriptive of your goods or services. “Cold Ice Cream”, for example, can’t be registered as a trademark for an ice cream store.
  2. The best marks are unique and memorable, not descriptive. The goal of a trademark isn’t to tell your customer what your goods or services are, it is to make them recognize and want your products.
  3. The infringement test for trademarks is one of confusion and includes appearance and sound. For example, if two marks are spelled differently but sound alike, they are still confusing.  If a typical consumer sees an ad for breakfast cereal, and later in the store buys a different cereal thinking it was the one they saw in the ad, then it is confusingly similar.
  4. Trademarks can be registered for a brand name, a slogan, a logo, a sound, a shape, or a colour.
  5. In some circumstances, an unregistered (in legal terms a “common law”) trademark can trump a confusing registered mark. Searching for unregistered marks before registration is a good idea.
  6. Trademark registrations are done on a country by country basis (except for the European Union, where one registration covers all the EU countries). So one needs to look at where their goods and services are sold and in what volumes to determine where the trademark should be registered.
  7. Trademarks are registered based on their use description, and the drafting of that use description is crucial to ensure proper protection. For example, identical trademarks for a software application and for car parts are not considered confusing.
  8. Trademark registrations last for 15 years (being reduced to 10 years when pending changes to the Trademarks Act are in force), but can be renewed.
  9. If your trademark registration is ever attacked, or you want to enforce it against someone else, it can be crucial to have kept samples of how it has been used over time.
  10. If you don’t “use” your trademark, you can lose your registration and the ability to enforce it. “Use” for trademarks is narrower than you might think.  It does not include, for example, a sign on a building or on your letterhead.  Even on packaging or in text describing or advertising your products, it may not be considered use if the trademark doesn’t look different than the text around it.

5 examples why getting legal advice up front is best


It’s common for lawyers to have to sort out situations after the fact.  This could be to document ownership of something, deal with differing thoughts on what a deal was, deal with a situation where someone has changed their mind, or enforce rights against someone who has done something improper.

While not every problem can be avoided, it is better for a business if their lawyer creates a fence at the top of a cliff rather than acts like an ambulance at the bottom.

Here are 5 examples why getting legal advice up front is best.

  1. Putting agreements in writing up front forces the parties to come to grips with different viewpoints, and addresses early any “that’s not what I thought the deal was” misunderstandings. (Fun fact – the law describes this as the parties not being “ad idem” – one of the few Latin legal terms that remain.) Far better to sort these issues out at the start rather than let them fester later.
  2. It’s frustrating for both a trademark lawyer and their client when the lawyer has to advise that the brand name the client had their heart set on and perhaps has created material around or talked about publicly, is simply not available. Far better to do trademark searches early, whether or not the mark will be registered.
  3. Promising people that they will be shareholders in a company is hard to later retract if it turns out that having them as shareholders is not prudent from a legal or tax perspective.
  4. Documenting ownership of intellectual property when it is created can be much easier from a practical, bargaining power, and cost perspective than trying to do it later.
  5. We don’t know what we don’t know. The more a lawyer (and accountant) know about your business and your plans, the better the advice we can give, especially when it suggests a different path.

Happy Back to the Future Day

In the 1989 movie Back to the Future Part II, they time traveled to October 21, 2015.  (The movie was produced by Neil Canton – no relation as far as I know.)

Articles abound today comparing the 2015 depicted in the movie to today’s world.  While we don’t have flying cars, and hoverboards have not proceeded beyond some proof of concept demos, drones and flatscreens and a few other things are here.

Another prediction that didn’t come true is the quip that the justice system works swiftly in the future now that they’ve abolished all lawyers.

Wearable tech was envisioned, though, which Gartner currently places at just past the “peak of inflated expectations” on its hype cycle.  If you believe wearables are just a passing fad or toys, take a look at this article entitled I’m a cyborg now and so are you.  And consider that one of the panels at next week’s Canadian IT Law Association Conference is entitled “Key IT Law Issues for Wearable & Mobile Devices.”  (I’m moderating that panel.)

Cross-posted to Slaw

8 things shareholder agreements can accomplish


When a company is owned by more than 1 person, it’s a good idea to have a shareholder agreement. This becomes more important as the number of shareholders increases. The content and complexity of a shareholder agreement varies greatly depending on the business and the nature of its shareholders.

Here are 8 things a shareholder agreement can accomplish.

  1. Ensure that shareholders can’t sell their shares to just anyone they please, and that any new shareholder is bound by the shareholder agreement.
  2. Ensure that minority shareholders are just along for the ride, and not getting in the way of the control of the majority owners.
  3. Alternatively, it can give minority shareholders rights they may not otherwise have.
  4. Provide a way for shareholders to sell their shares in a manner that is fair to all shareholders, and gives the existing shareholders a first ability to buy them.
  5. Provide a method to value the shares for transactions between shareholders.
  6. Set out responsibilities, roles, and expectations of the shareholders in the business.
  7. Limit the corporation’s ability to do certain things (such as major expenditures or new product lines) without the agreement of the majority of the shareholders.
  8. Restrict the ability of shareholders to take what they know about the business and start their own competing business.

Does Microsoft have its Mojo back?

Microsoft announced new products last week, including the Surface Pro 4 tablet, and its first ever laptop – the Surface Book hybrid.  Tech press reviews have been very positive. We ordered a Surface Pro 4 the day of the announcement, which is going to replace my desktop and tablet.

Windows 10 has been very well received.  Microsoft has been touting its enterprise security features.  Our IT Manager is impressed with the potential of its productivity improvements over Windows 8.1.

Microsoft is also transitioning its products into the cloud and into subscription models – which is where we are all headed.

Microsoft had been falling behind in a number of ways – but it now seems to be making good decisions and delivering cutting edge products.

This is good news for law firms and businesses that are for the most part Microsoft shops.

Cross posted to Slaw