Overly on Security
Tue 2009-04-07 19:11:37

The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student at a school in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to force the MD5 (Message-Digest algorithm 5) digital fingerprint for an unrelated file to match that of a target file. He did this by appending junk data to the unrelated file. While this kind of “collision” is theoretically possible using almost any hash function, the possibility of intentionally forcing collision by such modest computing means is disturbing. Other flaws have been identified since MD5 was first released in 1991 by Ron Rivest, including the potential to fake SSL certificate validity. This points out the continuing (and expected) trend that as our knowledge of cryptography increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever more rapid rate.

Sun 2009-03-15 12:32:12

Following on with our discussion of best contracting practices, this week we discuss the essential elements of non-disclosure agreements (NDAs). NDAs are used in several situations. Most notably, NDAs are used at the inception of a relationship to ensure confidential information disclosed in anticipation of a potential business relationship is adequately protected. If the parties decide to enter into a final contract, say a professional services agreement, following their initial discussions, the NDA would be replaced by the confidentiality provisions of the final agreement. In the foregoing example, an NDA is used as an interim agreement to ensure initial discussions are protected by written confidentiality obligations, but the NDA is not intended or designed to be used on an ongoing basis. Rather, the parties contemplate the NDA will "sunset" when they ultimately sign a final agreement to govern their relationship (e.g., a master license agreement, ASP agreement, professional services agreement, etc.).

Tue 2009-02-17 14:32:15

In just the past week, two embarrassing data compromises were widely publicized. Those compromises resulted from a failure to adequately scrub old hardware (e.g., laptops, Blackberries, and USB drives) of residual data. Given the currency of this issue, I thought it appropriate to take a slight detour from my current series of postings on contract issues to present some sample contract language to address this problem.

Wed 2009-01-28 19:49:59

Continuing our discussion of best contracting practices, today we discuss letters of intent (“LOIs”) and memoranda of understanding (“MOUs”). Businesses use these types of documents to summarize the terms of a proposed transaction to guide contract negotiations. The idea is to ensure both parties have alignment on the key business issues before moving forward with negotiation of a final agreement. The idea is a good one, but the execution is frequently flawed.

Tue 2009-01-06 12:20:56

Let me wish you all a very happy and prosperous new year. In keeping with that theme, I thought it would be useful to start the new year with a series of postings about contracting best practices. Specifically, our focus will be on the basics of negotiating key terms in vendor agreements for technology-related goods and services. I have previously made a number of postings relating to the integration of information security into the contracting process. In these new postings, we will discuss other key contracting practices and terms.

Sun 2008-12-14 13:06:06

You may recall a blog entry some months ago about recent studies showing the incredible waste of business productivity resulting from constant interruptions in employee work to review e-mail. Now a new contender for lost productivity champion has appeared on the horizon: microblogging. Supporters argue that employees can continuously update their progress on projects and other matters throughout the day by posting brief (micro) entries on an internal blog. Of course, like 99.9999% of other blogs on the Internet, the likelihood that anyone, other than a very select few, will ever review the postings is remote at best. The question then arises: couldn’t an e-mail to a predefined project distribution list achieve the same result, without the investment in implementing yet another technology solution that will likely find little use? Also, what is the likelihood these blogs will be perused by other employees having no real business purpose in doing so, presenting yet another opportunity for lost productivity? The blog could certainly be configured to permit only relevant employees to review its contents, but that argues in favor of simply using an e-mail to update progress on a project rather than implementing an entirely new technology.

Thu 2008-10-30 15:21:47

Vendor contracts are increasingly including provisions that could lead to breaches of security. At first glance, these types of provisions may appear innocuous, but they create the circumstances under which compromises of security may occur. A few examples:

Tue 2008-10-07 13:35:26

Following up on my last posting, this week I talk about the basic elements of a document retention policy. While the broad range of applicable laws cannot be reviewed here, there are certain general guidelines for the establishment and implementation of a retention program that should be considered in developing a policy:

Thu 2008-09-11 23:03:13

Most businesses have retention policies governing how long documents are to be retained before being destroyed or discarded. A growing number of businesses are extending their existing retention policies to include electronic documents, particularly e-mail. For example, a common retention policy for e-mail would require deletion after 60 days. In many instances, the deletion is accomplished automatically by programming the business’s computers to review the dates on e-mail and to delete those messages that are older than the allowed limit. If an employee desires to retain a message past the automatic deletion date, she must take affirmative action to preserve the e-mail (for example, contact the MIS department or copy the e-mail to a special directory).

Fri 2008-08-29 09:54:22

In the event a security compromise results from the actions of a third party (e.g., an employee exceeding the scope of their authority, a hacker, a competitor, etc.), it will likely become necessary to engage the assistance of forensic experts in marshalling and dealing with electronic evidence in the context of litigation.