I have written before about the recent concerns regarding border searches of laptops and other electronic devices. More recently, you have probably read about the memo issued by U.S. Customs and Border Protection, entitled “Policy Regarding Border Search of Information.” The memo more clearly defines the broad rights granted agents to search “documents, books, pamphlets, and other printed material, as well as computers, disks, hard disks, and other electronic or digital storage devices.” Translation: border agents can search essentially everything even “absent individualized suspicion.”

It seems not a week goes by that we don’t hear about yet another instance in which company confidential information is compromised because someone failed to carefully review an Office document (e.g., Word, Excel, and PowerPoint) before disseminating it publicly. The most common problem is failing to remove information contained in embedded comments or available through “track changes.” There are many examples. Consider a vendor who sends a pricing proposal to a potential customer. The proposal uses a vendor template. When the customer receives the proposal, it turns on the track changes functionality and is able to see not only the name of the last customer, but also the pricing the vendor proposed to that customer.
A recent study prepared by the Ponemon Institute claims over 10,000 laptops are lost or stolen every week at airports in the United States. If this number is to be believed, the threat to corporate security from the loss of these laptops is certainly extreme. Various tips have been offered by several authorities to reduce this threat: clear marking of the laptop as “property of _____,” always making sure the laptop goes through the security conveyor belt before the traveler steps through the metal detector, promptly reporting thefts, use of encryption and biometric authentication, remote destruction capabilities, phone-home features, etc. The purpose of this entry is not to review the report or the tips offered by others, but to highlight the threat in the context of the time of year – the vacation season.
Trade secrets are confidential business information that has value because it is not generally known and is the subject of efforts by the business to keep the information confidential. The best-known example of a trade secret is the formula for Coke. Every company, however, has trade secrets (e.g., customer lists, source code for software, methods of creating products, etc.). Every state has enacted laws to protect trade secrets. There are also federal laws that provide additional protection for trade secrets by way of severe civil and criminal penalties for theft or other misappropriation of trade secrets.
A very old idea in business is the concept of “management by walking around” (MBWA). If I recall correctly, the founders of Hewlett-Packard, Dave Packard and Bill Hewlett, created this concept to define an active strategic management style that required active information gathering and active problem solving – primarily by encouraging direct contact between senior management and key employees, customers, and suppliers.
Continuing the discussion from my last two entries, this week I provide additional items for a “checklist” of key issues for drafting effective statements of work. In this entry, I will continue the checklist with regard to documentation, roles and responsibilities, project management, escalation, and risks. Consider the following items with regard to those issues:
Last time, we discussed some of the key points to be kept in mind in drafting effective statements of work. In this entry, I will continue the checklist with regard to the technical environment, acceptance testing, and deliverables.
You can draft the best, most protective contract in the world, but if the statement of work (SOW) fails to adequately describe the deliverables and the services to be rendered, the project can fail, cost overruns can result, and project schedules can be missed. It is amazing how much time and effort goes into drafting an appropriate agreement for an engagement, yet so little time is spent on the key business documents, particularly the SOW.
When businesses entrust highly sensitive information (e.g., non-public information of a consumer or valuable trade secret information) to their consultants, a best practice is to preclude the consultant from storing any of the information on its laptop computers. The risk is simply too great that a compromise of the laptop will lead to the business being featured in yet another front page story involving data loss.
Sadly, this is not the title of a new spring break video. Rather, it reflects the continuing growth industry that is lost and stolen laptops. As the number of laptops going missing grows at an ever more alarming rate, many businesses have adopted policies regarding laptop security, tried to better educate their users regarding the security risks associated with this problem, and implemented stronger user authentication and even encryption on laptops containing sensitive information. Proactive businesses are now taking a further step by deploying "phone home" software on their laptops or installing applications that can be triggered remotely to irretrievably erase or encrypt data on a missing laptop. Clearly, these are all steps in the right direction. There are, however, some risks associated with implementing remote erasure software that should be addressed in your contract with the vendor.


