Data Security: IP Yes; Db No?
June 4, 2007 | Filed Under Technology, Compliance, General
A recent white paper prepared by Application Security and sponsored by the Ponemon Institute shows that organizations may be more focused on protecting their IP over various sensitive Dbs (databases). It’s a constant struggle trying to figure out how to protect data while allowing necessary access. Two key findings:
- Forty percent said their organizations don’t monitor their databases for suspicious activity, or don’t know if such monitoring occurs. Notably, more than half of these organizations have 500 or more databases – and the number of databases is growing.
- “Trusted” insiders’ ability to compromise critical data was cited as the most serious concern – with 57 percent perceiving inadequate protection against malicious insiders and 55 percent for “data loss” by internal entities.
We’ve previously seen the data security risks posed by departing employees. Law departments need to understand what their IT brethren are doing about this, knowing that some of the biggest potential risks are posed by the very people you are asking.

As Goes SOX?
May 31, 2007 | Filed Under Technology, Compliance
The financial gravy train ridden by auditing firms due to Sarbanes-Oxley compliance may be slowing down a bit.
ComputerWorld reports that average SOX compliance costs declined from $4.5 million in 2004 to $2.9 million in 2006. The main reason is not a surprise:
“Technology has a lot to do with the cost reduction,” said Sanjay Anand, chairperson of the Sarbanes-Oxley Institute. Public companies “are actually automating their controls. A good 20 to 30%, even as much as 40%, of the cost reduction is actually coming from automated controls rather than manual controls.”
(A clear sign that SOX may be a bit over the top is that it has spawned its own institute.)
The experience that companies gained in automating processes due to Sarbanes-Oxley may now be extended to other areas of the enterprise. Lawyers know that a good deal of what constitutes ongoing legal services could be automated, or at least tracked better from a technology standpoint in the first instance.
That’s the start of any process improvement. Almost like magic, or like just adding water.
Update (1 June 07): One CEO writes in the Wall Street Journal that he doesn’t see Sarbox-related costs going down.

Open Source, Open Season?
May 14, 2007 | Filed Under Litigation, Technology
Fortune reports that Microsoft is taking a hard look at various free and open-source software (FOSS) and is planning a strategy to assert patent claims. Many large companies use such software in various applications across the enterprise.
Microsoft General Counsel Brad Smith and licensing chief Horacio Gutierrez sat down with Fortune recently to map out their strategy for getting FOSS users to pay royalties. Revealing the precise figure for the first time, they state that FOSS infringes on no fewer than 235 Microsoft patents.
Mr. Smith has been aggressive in building up Microsoft’s patent portfolio. When he became general counsel in 2002, the company filed 1,411 patent claims; in 2004 it submitted 3,780.
There were three options for the Microsoft GC regarding potential infringement:
First, it could do nothing, effectively donating them to the development community. Obviously that “wasn’t very attractive in terms of our shareholders,” Smith says.
Alternatively, it could start suing other companies to stop them from using its patents. That was a nonstarter too, Smith says: “It was going to get in the way of everything we were trying to accomplish in terms of [improving] our connections with other companies, the promotion of interoperability, the desires of customers.”
So Microsoft took the third choice, which was to begin licensing its patents to other companies in exchange for either royalties or access to their patents (a “cross-licensing” deal). In December 2003, Microsoft’s new licensing unit opened for business, and soon the company had signed cross-licensing pacts with such tech firms as Sun, Toshiba, SAP and Siemens.
Microsoft has not said whether it will pursue litigation over alleged FOSS patent infringement. If it does, expect the IP practice areas of major firms to get very busy.

GE Legal Takes the Lead
April 18, 2007 | Filed Under Technology, Managing
Corporate Counsel magazine has announced the winner in its second annual selection of the best US legal department. Of the 500 legal departments that were invited to participate, 30 responded with self-nomination materials.
The winner: GE. As the full report notes, GC Brackett Denniston leads an in-house team of 1,225 lawyers (with a budget near $1 billion), who make particularly good use of technology. One example is the Early Case Assessment (ECA) program:
The matter gets logged into the legal department’s tracking system. Within 60 days to 90 days, lawyers assigned to the case identify and interview witnesses; collect, review, and report on relevant documents; and assess the risks. The attorneys can also tap into a system designed by the legal department’s technology team and pull up any legislation or case law that could affect the dispute. Ultimately, the litigation team can decide, early on, whether it’s best to settle or take the case to trial.
ECA and other initiatives allowed GE to reduce litigation costs from $120.5 million in 2002 to $69.3 million in 2005. It’s an interesting and important statistic when a growing company lowers legal costs. Something for law firms scrambling for more business to ponder.
GE Legal also relies on a robust IT department to make it work, including:
… ten full-time staff and one attorney. They custom-tailor systems to meet the company’s legal needs, such as virtual deal rooms, work-flow tools, and tracking systems. The group spends $2 million a year developing and supporting those systems — but they estimate the up-front costs save millions in lawyer productivity each year. “I’d love to buy more [software] off the shelf,” says John Brudz, senior counsel of legal tech, “but we get more added value [developing it ourselves] because off the shelf just doesn’t work for our size.”
You can hear a collective sigh from the legal tech community, who would love to get some of that spend allocated to their products.
Like its core businesses, GE Legal leads from a combination of top-shelf talent and a concentration of financial and capital resources. It almost seems like they have reached critical mass, and are generating improvements that come from the network that is GE Legal.
Also recognized by Corporate Counsel are the legal departments of J.C. Penney, Allstate, and Accenture.

You Can Take it With You
February 6, 2007 | Filed Under Technology, Compliance
Departing employees are apparently taking more than fond memories with them when they leave.
According to UK’s SecurityPark.net, McAfee research in Europe revealed that over 50% of employees surveyed said they would take company data with them when they walk out the door.
Even more troubling is the proliferation of portable memory devices (such as thumb drives) in the workplace, which make it easy to remove large amounts of data and are easily concealed. What is interesting is that the most common method of removing documents is very old-school:
Company email remains the most common means of sending information externally with 86% admitting to forwarding documents regularly by email. However, many employees are also using methods which corporate IT departments have little or no control over. A quarter (26%) of those that have sent customer information outside of the business admit to using web-based email services such as Yahoo or Hotmail to do so while a significant proportion (83%) are printing customer records out to remove from the business.
Few companies have policies governing bringing portable memory devices into the workplace; fewer still have policies about the use of web-based mail services. In fact, some companies may unwittingly encourage the use of such services by warning employees against using company email for personal matters.
And it’s likely that company data is the least of compliance worries. The widely reported breaches of employee and retiree data can pose civil penalties and reputational risk.
There is a feeling out there that for every publicized data breach there are many others that are never reported. Or worse, detected.
Locking down company data will be an increasing headache for corporate IT departments. And corporate legal departments better be looking over their shoulders from time to time.