protecting intellectual property and data loss prevention (dlp)
DESCRIPTION
Protecting Intellectual Property and Data Loss Prevention (DLP) – what makes your business unique, different, valuable, and attracts clients and customers - presented at the Boston Business Alliance 9/23/09TRANSCRIPT
Protecting Intellectual Property and Protecting Intellectual Property and
Data Loss PreventionData Loss Prevention
Are your competitive differentiators and client Are your competitive differentiators and client lists walking out the door?lists walking out the door?
Protect your competitive advantage!Protect your competitive advantage!
** Second in a series of Informational Breakfast Events with topicsSecond in a series of Informational Breakfast Events with topics of timely and valuable information for small and of timely and valuable information for small and medium size business owners and organization leadersmedium size business owners and organization leaders
Informational Breakfast Meeting*Sponsored by: Boston Business Alliance
www.BostonBusinessAlliance.com
September 23, 2009 September 23, 2009 –– 7:007:00--9:00 AM9:00 AM800 W. Cummings Park, Suite 4750800 W. Cummings Park, Suite 4750
Woburn, MA 01801Woburn, MA 01801
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 22
AgendaAgenda
7:007:00 Coffee and NetworkingCoffee and Networking
7:157:15 Intellectual Property (IP) Intellectual Property (IP) –– What is it and What is it and how do you protect it?how do you protect it?
(Attorney Vern Maine)(Attorney Vern Maine)
8:008:00 Information and Data Loss PreventionInformation and Data Loss Prevention
(Bob Carroll, Consultant)(Bob Carroll, Consultant)
8:458:45 Questions and AnswersQuestions and Answers
Speakers available for questionsSpeakers available for questions
9:009:00 AdjournAdjourn
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 33
SponsorsSponsors
Website Sponsor:
TechevolutionContact: Corey TapperPhone: 781-595-2040www.techevolution.com
Facilities/Location Sponsor:
Sunbelt Business Sales & AcquisitionsContact: Mariola AndoniPhone: 781-932-7355www.sunbeltne.com
Refreshment Sponsor:
Analytix SolutionsContact: Jason LefterPhone: 781-503-9000www.analytixsolutions.com
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 44
Moderator and SpeakersModerator and Speakers
For more information about the event or Boston Business Alliance, go to:www.BostonBusinessAlliance.com
Bob CarrollBob Carroll has more than 20 years experience in information technology, business consulting, data services and engineering. He has been a key contributor on projects running the gamut from the B-2 Stealth Bomber to improving student performance in New England public and private schools. His work involves selecting and implementing next generation strategies, methodologies, and technologies for clients. Most recently, Bob is focused on Data Loss Prevention, Security and Regulatory Compliance, such as Mass 201 CMR 17.00 for private sector business and public sector, such as schools and local government. See www.bobcarrollconsultant.com
Vern MaineVernon Maine, of Vern Maine & Associates, leaders in intellectual property strategies and law. Founder and managing partner of the firm. Registered to practice in New Hampshire, Massachusetts, and New York, and before the U.S. Patent and Trademark Office and the Court of Appeals for the Federal Circuit. Founded the practice in 1993, providing legal counseling, services and seminars on intellectual property and business law, including U.S. provisional, utility, and design patents, PCT patent applications, trademarks, copyrights, trade secrets, licensing, infringement, contracts, and related business matters. For more info, www.vernmaine.com
Ray Arpin - ModeratorRay Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduces costs, professional services, and regulatory compliance. Most recently, he is focused on helping companies and individuals quickly apply business best practices, and specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00. For more information, www.rayarpin.com
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 55
Possible Implications and Why be Possible Implications and Why be
Concerned?Concerned?�� Intellectual Property Intellectual Property –– most business owners have invested their unique knowledge, expemost business owners have invested their unique knowledge, experience, rience,
and creativity in their business and creativity in their business –– that should be treated as that should be treated as propertyproperty and should be protected from and should be protected from
competitorscompetitors
�� Trade SecretsTrade Secrets OUTED OUTED –– What if your confidential business deal with another company toWhat if your confidential business deal with another company to exploit exploit
your newly developed technology is scuttled before it is announcyour newly developed technology is scuttled before it is announced because a competitor got wind ed because a competitor got wind
of it and made the other party a better offer for the same technof it and made the other party a better offer for the same technology? ology?
�� InfringingInfringing –– What happens if you get a “Cease and Desist” letter from a lawyWhat happens if you get a “Cease and Desist” letter from a lawyer saying you must er saying you must
stop using your trademark, or that your production method is infstop using your trademark, or that your production method is infringing their patent, or that your ringing their patent, or that your
website or marketing collateral are using their copyright protecwebsite or marketing collateral are using their copyright protected materials?ted materials?
�� InfringedInfringed –– What happens if your competitor launches a new service using a What happens if your competitor launches a new service using a trademark similar to trademark similar to
yours? What if a competitor launches a new website and it has clyours? What if a competitor launches a new website and it has clearly copied images or text from early copied images or text from
your website? What if you just invented a new gizmo and filed ayour website? What if you just invented a new gizmo and filed a patent application and are patent application and are
investing to get it into production, and your competitor comes oinvesting to get it into production, and your competitor comes out with a product just like it?ut with a product just like it?
�� Employee ObligationsEmployee Obligations –– What control do you have over an employee’s intellectual contriWhat control do you have over an employee’s intellectual contributions butions
and confidentiality during and after his or her employment ends?and confidentiality during and after his or her employment ends?
�� Data [Information] LossData [Information] Loss –– important and confidential information may be walking out the dimportant and confidential information may be walking out the door oor
or even unintentionally leaked to others; even competitors or even unintentionally leaked to others; even competitors –– such as client lists or informationsuch as client lists or information
�� ComplianceCompliance –– HIPAA in health and benefits, FTC ‘Red Flags Rule’, GLBA and BASHIPAA in health and benefits, FTC ‘Red Flags Rule’, GLBA and BASEL II in finance, EL II in finance,
MASS. 201 CMT 17.00, Electronic Medical records MASS. 201 CMT 17.00, Electronic Medical records –– all require protection of data/informationall require protection of data/information
�� Data Loss during Downsizing Data Loss during Downsizing –– As employees exit, does the corporate data? What about loss byAs employees exit, does the corporate data? What about loss by
way of temporary or contract help?way of temporary or contract help?
�� Possible FinesPossible Fines –– $5,000 per occurrence, and/or per person effected or compromise$5,000 per occurrence, and/or per person effected or compromised; in addition d; in addition
to a basis for a law suit, bad publicity, and other serious riskto a basis for a law suit, bad publicity, and other serious riskss
�� Professional Malpractice RisksProfessional Malpractice Risks –– if you are an attorney, CPA, doctor, or any other professional, if you are an attorney, CPA, doctor, or any other professional,
did you know that you are at risk for a malpractice lawsuit if ydid you know that you are at risk for a malpractice lawsuit if you fail to adequately protect client ou fail to adequately protect client
information?information?
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 66
What is Intellectual Property?What is Intellectual Property?
��KnowledgeKnowledge and/or and/or ExpressionExpressionconceived, created or constructed conceived, created or constructed by a person or entity.by a person or entity.
�� Some protectable by Some protectable by NOTICENOTICE and and REGISTRATIONREGISTRATION, e.g. patents, , e.g. patents, trademarks, copyright.trademarks, copyright.
�� Some protectable only by Some protectable only by SECRECYSECRECYand/or and/or CONTRACTSCONTRACTS..
�� Some protected by Some protected by LAWLAW..
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 77
Elements of Intellectual PropertyElements of Intellectual PropertyElements of Intellectual Property
�Trademarks
�Copyright
�Design & Utility Patents
�Trade Secrets
What’s in your IP portfolio?
�� TrademarksTrademarks
�� CopyrightCopyright
�� Design & Utility PatentsDesign & Utility Patents
�� Trade SecretsTrade Secrets
What’s in your IP portfolio?What’s in your IP portfolio?
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 88
WHY IP? WHY IP?
WHY NOW?WHY NOW?IP Strategies help IP Strategies help
drive the Business drive the Business
Plan!Plan!
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 99
Trademarks Trademarks –– Source IdentifiersSource Identifiers
A word, phrase, symbol or design, A word, phrase, symbol or design, sound, smell, or combination.sound, smell, or combination.
E.G., NBC chimes, Pink Fiberglass, E.G., NBC chimes, Pink Fiberglass, Nike swoosh, golden arches, Harley Nike swoosh, golden arches, Harley sound, Microsoft graphics, Apple for sound, Microsoft graphics, Apple for computers, Target for department computers, Target for department stores.stores.
��Notice: Notice: ™™ symbol after the marksymbol after the mark
�� Federal reg: Federal reg: –– use the use the ®® symbol.symbol.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1010
Trademarks Trademarks –– 5 steps to protection5 steps to protection
#1 Choose a defensible mark.#1 Choose a defensible mark.
#2 Clear the mark.#2 Clear the mark.
#3 Apply common#3 Apply common--law Notice and/or law Notice and/or register.register.
#4 Use the mark correctly.#4 Use the mark correctly.
#5 Police the Mark#5 Police the Mark
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1111
CopyrightCopyright
�� Protects EXPRESSION, not idea)Protects EXPRESSION, not idea)
��NOTICE:NOTICE:
©© or or Copyright 2008, XYZ Inc.Copyright 2008, XYZ Inc.
�� Federal Registration available.Federal Registration available.
�� Best IP Bang for the Buck!Best IP Bang for the Buck!
�� File within 3 months of publication.File within 3 months of publication.
��www.copyright.govwww.copyright.gov
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1212
Copyright OwnershipCopyright Ownership
1) author/artist or its employer unless 1) author/artist or its employer unless
independent contractor independent contractor
2) joint or co2) joint or co--ownership ownership
3) work for hire3) work for hire
ALWAYS use Written Agreements ALWAYS use Written Agreements
conveying ownership of copyright in conveying ownership of copyright in
important works.important works.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1313
What Is a What Is a PATENTPATENT??
��Right to Exclude (SUE) others from: Right to Exclude (SUE) others from:
––MakingMaking
––UsingUsing
––Selling, Offer to sellSelling, Offer to sell
––ImportingImporting
…the Patented Invention!…the Patented Invention!
�� 2020--21 year term. 21 year term.
��Quid pro quo?Quid pro quo?
NoTrespassing!
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1414
What Can Be Patented?What Can Be Patented?
What Should Be Patented?What Should Be Patented?
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1515
Design PatentsDesign Patents
versusversus
Utility PatentsUtility Patents
�� Appearance of Articles of ManufactureAppearance of Articles of Manufacture
�� Structure or Functionality of Methods and Structure or Functionality of Methods and
MachinesMachines
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1616
Priority Dates andPriority Dates and
Foreign Filing RightsForeign Filing Rights
•• First to file vs. First to InventFirst to file vs. First to Invent
•• U.S. Provisional Patent Applications. U.S. Provisional Patent Applications.
•• Patent Cooperation Treaty Patent Cooperation Treaty
applications preserve right to file in applications preserve right to file in
over 130 countries, including U.S.over 130 countries, including U.S.
•• Regional filing opportunities.Regional filing opportunities.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1717
PATENT INFRINGMENTPATENT INFRINGMENT
1.1. Patent Holder must prove Patent Holder must prove
Infringer incorporates each Infringer incorporates each
& every element of at least 1 & every element of at least 1
independent claim.independent claim.
2.2. Infringer is unable to prove Infringer is unable to prove
the patent invalid or the patent invalid or
otherwise unenforceable.otherwise unenforceable.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1818
TRADE SECRETSTRADE SECRETS
�� Information, the disclosure of which Information, the disclosure of which
would be disadvantageous for the would be disadvantageous for the
company.company.
�� Protection against those that Protection against those that
MISAPPROPRIATE confidential MISAPPROPRIATE confidential
information. 2 Basic Requirements:information. 2 Basic Requirements:
1) 1) Documented InformationDocumented Information that has that has
commercial value.commercial value.
2) Safeguarded by all reasonable means.2) Safeguarded by all reasonable means.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 1919
Trade Secrets Trade Secrets –– DO’sDO’s
��COMPANY POLICYCOMPANY POLICY
��NON DISCLOSURE CONTRACTSNON DISCLOSURE CONTRACTS
��PHYSICAL SECURITYPHYSICAL SECURITY
�� ELECTRONIC SECURITYELECTRONIC SECURITY
��VET OUTGOING MATERIALSVET OUTGOING MATERIALS
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2020
Intellectual Property Rights Intellectual Property Rights ––
Valuable but PerishableValuable but Perishable
�� Recognize and evaluate IP early.Recognize and evaluate IP early.
�� Review portfolio regularly for focus Review portfolio regularly for focus
and cost control.and cost control.
�� Reassess opportunities to exploit Reassess opportunities to exploit
your IP regularly to maximize return your IP regularly to maximize return
on investment.on investment.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2121
Intellectual Property is KINGIntellectual Property is KING
�� There is an inexhaustible supply of new There is an inexhaustible supply of new
intellectual property, accessible in some intellectual property, accessible in some
degree to everyone that wants it.degree to everyone that wants it.
�� The law provides a limited opportunity The law provides a limited opportunity
for those that discover or create it to for those that discover or create it to
profit by it. profit by it.
�� The skillful exploitation of IP is the The skillful exploitation of IP is the
single biggest factor in business single biggest factor in business
success today.success today.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2222
IP Management and ControlIP Management and Control
�� Have an IP strategy component to the Have an IP strategy component to the
business plan.business plan.
�� Demonstrate a topDemonstrate a top--down commitment down commitment
to cultivating and protecting IP.to cultivating and protecting IP.
�� Have a rational internal process for Have a rational internal process for
handling and safeguarding IP.handling and safeguarding IP.
�� Conduct employee training regularly.Conduct employee training regularly.
�� Document, document, document.Document, document, document.
�� Search for and Evaluate competitor’s IP Search for and Evaluate competitor’s IP
with same intensity.with same intensity.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2323
SpeakersSpeakers
Vern MaineVernon Maine, of Vern Maine & Associates, leaders in intellectual property strategies and law. Founder and managing partner of the firm. Registered to practice in New Hampshire, Massachusetts, and New York, and before the U.S. Patent and Trademark Office and the Court of Appeals for the Federal Circuit. Founded the practice in 1993, providing legal counseling, services and seminars on intellectual property and business law, including U.S. provisional, utility, and design patents, PCT patent applications, trademarks, copyrights, trade secrets, licensing, infringement, contracts, and related business matters. For more info, www.vernmaine.com
Bob CarrollBob Carroll has more than 20 years experience in information technology, business consulting, data services and engineering. He has been a key contributor on projects running the gamut from the B-2 Stealth Bomber to improving student performance in New England public and private schools. His work involves selecting and implementing next generation strategies, methodologies, and technologies for clients. Most recently, Bob is focused on Data Loss Prevention, Security and Regulatory Compliance, such as Mass 201 CMR 17.00 for private sector business and public sector, such as schools and local government. See www.bobcarrollconsultant.com
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2424
Possible Implications and Why be Possible Implications and Why be
Concerned?Concerned?�� Intellectual Property Intellectual Property –– most business owners have invested their unique knowledge, expemost business owners have invested their unique knowledge, experience, rience,
and creativity in their business and creativity in their business –– that should be treated as that should be treated as propertyproperty and should be protected from and should be protected from
competitorscompetitors
�� Trade SecretsTrade Secrets OUTED OUTED –– What if your confidential business deal with another company toWhat if your confidential business deal with another company to exploit exploit
your newly developed technology is scuttled before it is announcyour newly developed technology is scuttled before it is announced because a competitor got wind ed because a competitor got wind
of it and made the other party a better offer for the same technof it and made the other party a better offer for the same technology? ology?
�� InfringingInfringing –– What happens if you get a “Cease and Desist” letter from a lawyWhat happens if you get a “Cease and Desist” letter from a lawyer saying you must er saying you must
stop using your trademark, or that your production method is infstop using your trademark, or that your production method is infringing their patent, or that your ringing their patent, or that your
website or marketing collateral are using their copyright protecwebsite or marketing collateral are using their copyright protected materials?ted materials?
�� InfringedInfringed –– What happens if your competitor launches a new service using a What happens if your competitor launches a new service using a trademark similar to trademark similar to
yours? What if a competitor launches a new website and it has clyours? What if a competitor launches a new website and it has clearly copied images or text from early copied images or text from
your website? What if you just invented a new gizmo and filed ayour website? What if you just invented a new gizmo and filed a patent application and are patent application and are
investing to get it into production, and your competitor comes oinvesting to get it into production, and your competitor comes out with a product just like it?ut with a product just like it?
�� Employee ObligationsEmployee Obligations –– What control do you have over an employee’s intellectual contriWhat control do you have over an employee’s intellectual contributions butions
and confidentiality during and after his or her employment ends?and confidentiality during and after his or her employment ends?
�� Data [Information] LossData [Information] Loss –– important and confidential information may be walking out the dimportant and confidential information may be walking out the door oor
or even unintentionally leaked to others; even competitors or even unintentionally leaked to others; even competitors –– such as client lists or informationsuch as client lists or information
�� ComplianceCompliance –– HIPAA in health and benefits, FTC ‘Red Flags Rule’, GLBA and BASHIPAA in health and benefits, FTC ‘Red Flags Rule’, GLBA and BASEL II in finance, EL II in finance,
MASS. 201 CMT 17.00, Electronic Medical records MASS. 201 CMT 17.00, Electronic Medical records –– all require protection of data/informationall require protection of data/information
�� Data Loss during Downsizing Data Loss during Downsizing –– As employees exit, does the corporate data? What about loss byAs employees exit, does the corporate data? What about loss by
way of temporary or contract help?way of temporary or contract help?
�� Possible FinesPossible Fines –– $5,000 per occurrence, and/or per person effected or compromise$5,000 per occurrence, and/or per person effected or compromised; in addition d; in addition
to a basis for a law suit, bad publicity, and other serious riskto a basis for a law suit, bad publicity, and other serious riskss
�� Professional Malpractice RisksProfessional Malpractice Risks –– if you are an attorney, CPA, doctor, or any other professional, if you are an attorney, CPA, doctor, or any other professional,
did you know that you are at risk for a malpractice lawsuit if ydid you know that you are at risk for a malpractice lawsuit if you fail to adequately protect client ou fail to adequately protect client
information?information?
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2525
WorldWideWeb
WorldWideWeb
What is DLP ?What is DLP ?
Data Loss Prevention (DLP) is a Data Loss Prevention (DLP) is a computer security term referring to computer security term referring to systems that identify, monitor, and systems that identify, monitor, and protect dataprotect data
0111011000111
.qbm
.qbb
.qbm
.qbb
Endpoints In Motion
At Rest
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2626
Data Loss Prevention DriversData Loss Prevention Drivers
Customer DataCustomer DataSocial Sec. Num.Social Sec. Num.
Credit Card DataCredit Card Data
Health RecordsHealth Records
TheThe
RiskRisk
� 1:400 Messages contains confidential data
� 1:50 Network files is wrongly exposed
� 4:5 Companies lost data on laptops
� 1:2 Lost Data on USB Devices
Corporate DataCorporate DataFinancialsFinancials
Mergers and acquisitionsMergers and acquisitions
Employee dataEmployee data
Intellectual Prop.Intellectual Prop.Source codeSource code
Design documentsDesign documents
Work productsWork products
ConfidentialConfidential
DataData
TypesTypes��
��
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2727
Areas of ConcernAreas of Concern
-3
-2
-1
0
1
2
3
4
Accidents Insider theft Network
penetration
Theft or loss Espionage
Note: Mean average ratings based on a fiveNote: Mean average ratings based on a five--point scale where 1 is “not at all concerned” and 5 is “extremelpoint scale where 1 is “not at all concerned” and 5 is “extremely concerned”y concerned”
Data: Data: InformationweekInformationweek Analytics Data Loss Prevention Survey of 218 business technologAnalytics Data Loss Prevention Survey of 218 business technology professionalsy professionals
How Concerned are you about the following sources of data leaksHow Concerned are you about the following sources of data leaks
Out of a maximum rating of ‘5’Out of a maximum rating of ‘5’
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2828
The Concern is Well FoundedThe Concern is Well Founded
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 2929
……AndAnd
Of course there is the elephant in the room that Of course there is the elephant in the room that
people don’t want to talk about:people don’t want to talk about:
Data Loss Risks During DownsizingData Loss Risks During Downsizing
As employees exit, so does the As employees exit, so does the
corporate datacorporate data
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3030
What type of confidential, sensitive or proprietary What type of confidential, sensitive or proprietary
information did you keep after leaving your information did you keep after leaving your
former company?former company?
For the NonFor the Non--BelieversBelievers
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3131
How Was Data Removed?How Was Data Removed?
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3232
Other Reasons for DLP ?Other Reasons for DLP ?
�� Most SMB’s fall are regulated by law(s) Most SMB’s fall are regulated by law(s)
that mandate controls over information;that mandate controls over information;
–– SarbanesSarbanes--Oxley (SOX) Act Oxley (SOX) Act
–– HIPAA in health and benefitsHIPAA in health and benefits
–– American Recovery and Reinvestment Act American Recovery and Reinvestment Act
(ARRA)(ARRA)
–– FTC ‘Red Flags Rule’FTC ‘Red Flags Rule’
–– GrammGramm--LeachLeach--Bliley Act and Basel II in financeBliley Act and Basel II in finance
–– MASS. 201 CMR 17.00MASS. 201 CMR 17.00
–– Payment Card Industry (PCI) Data Security Payment Card Industry (PCI) Data Security
Standard (DSS)Standard (DSS)
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3333
So, What Should I Do?So, What Should I Do?
�� DLP is more than just technologyDLP is more than just technology
�� A comprehensive initiative or ProgramA comprehensive initiative or Program
–– StrategyStrategy
–– PeoplePeople
–– ProcessProcess
–– TechnologyTechnology
�� Outline ‘DLP Recipes’ (Recommendations)Outline ‘DLP Recipes’ (Recommendations)
� Recipes for DLP
�Check Bostonbusinessalliance.com for ‘How To’s’ links, resources, and articles
� Recipes for DLP
�Check Bostonbusinessalliance.com for ‘How To’s’ links, resources, and articles
Recommendations
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3434
StrategyStrategy
�� Stakeholders and business owners need to be Stakeholders and business owners need to be aware of this and understand the concepts and aware of this and understand the concepts and consequencesconsequences
�� Governance Governance –– What applies to your business?What applies to your business?–– 201 CMR 17.00 ?201 CMR 17.00 ?
–– FTC Red Flag ?FTC Red Flag ?
–– HIPAA ?HIPAA ?
�� Put policies and agreements in placePut policies and agreements in place
� Start with an assessment. Where is the risk, what is the risk and how much could it cost my business ?
� Adopt an acceptable Use policy – (no it is not ok to view pornography on company resources.)
�Consider Free and Open Source (Truecrypt, Pretty Good Privacy, PGP)
�Execute non-Compete, NDA, Confidentiality
� Start with an assessment. Where is the risk, what is the risk and how much could it cost my business ?
� Adopt an acceptable Use policy – (no it is not ok to view pornography on company resources.)
�Consider Free and Open Source (Truecrypt, Pretty Good Privacy, PGP)
�Execute non-Compete, NDA, Confidentiality
Recommendations
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3535
PeoplePeople
�� Most likely the biggest risk to SMBMost likely the biggest risk to SMB–– If you use Temporary LaborIf you use Temporary Labor
�� BookkeepersBookkeepers
�� ParalegalsParalegals
�� ClerksClerks
�� Contract attorneysContract attorneys
–– If you use contractors (1099)If you use contractors (1099)
� Assign roles and responsibilities e.g. “Data Stewards”
� Conduct initial and ongoing training and record acceptance
� Allow access on “Need to know” basis only
� PRIOR to the employee leaving, companies should monitor the employee’s access to the network or system to make sure sensitive and confidential data is not being downloaded or send to the employee’s personal email account.
� Assign roles and responsibilities e.g. “Data Stewards”
� Conduct initial and ongoing training and record acceptance
� Allow access on “Need to know” basis only
� PRIOR to the employee leaving, companies should monitor the employee’s access to the network or system to make sure sensitive and confidential data is not being downloaded or send to the employee’s personal email account.
Recommendations
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3636
ProcessProcess�� Identify your Intellectual Property and confidential Identify your Intellectual Property and confidential datadata
�� Are Standard Operating Procedures (SOP) or Are Standard Operating Procedures (SOP) or Written Information Security Program (WISP) Written Information Security Program (WISP) required by law?required by law?
�� Understand your processesUnderstand your processes
�� Are there safeguards and audits built into the Are there safeguards and audits built into the process process –– catching what is missingcatching what is missing
� Ensure that policies and procedures clearly state former employees will no longer have access to sensitive and confidential information they used in their jobs. Enforce this!
�Where possible and practical, use standard automated workflow processes and forms. These are easier to monitor and safeguard
� Re-think the process of how you send data and email
-Encryption
-sftp, https://
� Ensure that policies and procedures clearly state former employees will no longer have access to sensitive and confidential information they used in their jobs. Enforce this!
�Where possible and practical, use standard automated workflow processes and forms. These are easier to monitor and safeguard
� Re-think the process of how you send data and email
-Encryption
-sftp, https://
Recommendations
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3737
TechnologyTechnology
� Ensure that basics are in place:
-Patches are applied, AV and malware protection, Firewalls
� Prevent access to and downloads from sensitive data
�Encryption –data, computers, and email (passwords on files ≠ encryption)
�Shift the responsibility to hosted or third parties – the cloud
�Keep your kids off ‘work’ computers and NO P2P
� Ensure that basics are in place:
-Patches are applied, AV and malware protection, Firewalls
� Prevent access to and downloads from sensitive data
�Encryption –data, computers, and email (passwords on files ≠ encryption)
�Shift the responsibility to hosted or third parties – the cloud
�Keep your kids off ‘work’ computers and NO P2P
Recommendations
�� Start small with the high value dataStart small with the high value data
�� The notion of The notion of ‘Reasonable‘Reasonable,’ ,’ ‘Usual and Customary‘Usual and Customary’’
�� Break up the problem:Break up the problem:–– Data in use (e.g., endpoint actions), Data in use (e.g., endpoint actions),
–– Lost or stolen laptopsLost or stolen laptops
–– Data in motion (e.g., network actions),Data in motion (e.g., network actions),–– EmailEmail
–– Instant messagingInstant messaging
–– Data at rest (e.g., data storage) Data at rest (e.g., data storage) –– Who has accessWho has access
–– Secure storageSecure storage
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3838
Questions and AnswersQuestions and Answers
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 3939
Call to ActionCall to Action�� Intellectual PropertyIntellectual Property
–– Have an IP strategy component to the business planHave an IP strategy component to the business plan
–– Demonstrate a topDemonstrate a top--down commitment to cultivating and down commitment to cultivating and protecting IPprotecting IP
–– Have a rational internal process for handling and Have a rational internal process for handling and safeguarding IPsafeguarding IP
–– Conduct employee training regularlyConduct employee training regularly
–– Document, document, documentDocument, document, document
–– Search for and Evaluate competitor’s IP with same Search for and Evaluate competitor’s IP with same intensityintensity
�� Data Loss PreventionData Loss Prevention–– Understand and mitigate the risksUnderstand and mitigate the risks
–– Know where information resides, especially electronicKnow where information resides, especially electronic
–– Get educatedGet educated�� You have taken the first stepYou have taken the first step
–– Visit Bostonbusinessalliance.com for new details and Visit Bostonbusinessalliance.com for new details and informationinformation
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4040
Closing and AdjournClosing and Adjourn
�� Reminder about Boston Business AllianceReminder about Boston Business Alliance–– Visit website for suggesting Hot Topics for Visit website for suggesting Hot Topics for these type of meetingsthese type of meetings
–– Invite other small business owners and peers Invite other small business owners and peers who might benefitwho might benefit
–– Register for future meetingsRegister for future meetings
–– Ask us to put your name on our email list to be Ask us to put your name on our email list to be notified of future meetings and eventsnotified of future meetings and events
�� Evaluation formEvaluation form–– Please complete and leave on the table going Please complete and leave on the table going out so that we can continuously improveout so that we can continuously improve
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4141
SponsorsSponsors
Website Sponsor:
TechevolutionContact: Corey TapperPhone: 781-595-2040www.techevolution.com
Facilities/Location Sponsor:
Sunbelt Business Sales & AcquisitionsContact: Mariola AndoniPhone: 781-932-7355www.sunbeltne.com
Refreshment Sponsor:
Analytix SolutionsContact: Jason LefterPhone: 781-503-9000www.analytixsolutions.com
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4242
Contact InformationContact Information�� Boston Business AllianceBoston Business Alliance
–– www.BostonBusinessAlliance.comwww.BostonBusinessAlliance.com
–– See website for additional Contact and Member informationSee website for additional Contact and Member information
�� Attorney Vern MaineAttorney Vern Maine–– Phone: (603) 886Phone: (603) 886--6100 x70076100 x7007
–– Email: Email: [email protected]@vernmaine.com
–– Website: Website: www.vernmaine.com
�� Bob CarrollBob Carroll–– Phone: (617) 314Phone: (617) 314--98139813
–– Email: Email: bob@[email protected]
–– Website: Website: www.bobcarrollconsultant.com
See our website and handouts for other contacts, along with information on Intellectual Property, Data Loss Prevention, the Boston Business Alliance, our members and our sponsors.–– www.BostonBusinessAlliance.comwww.BostonBusinessAlliance.com
Feel free to pick up any of the handouts on the table.
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4343
Appendix SlidesAppendix Slides
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4444
Applicable Statutes and RegulationsApplicable Statutes and Regulations
�� SarbanesSarbanes--OxleyOxley (SOX) Visibility and disclosure (SOX) Visibility and disclosure regulations for public companiesregulations for public companies
�� GrammGramm--LeachLeach--Bliley ActBliley Act of 1999 (sometimes called of 1999 (sometimes called the financial modernization actthe financial modernization act
�� HIPAAHIPAA –– Health Insurance Portability and Accountability Health Insurance Portability and Accountability Act of 1996 places requirements on the health care Act of 1996 places requirements on the health care industryindustry
�� FTC ‘Red Flags Rule’FTC ‘Red Flags Rule’ –– for law firms, professional for law firms, professional services, and financial institutionsservices, and financial institutions
�� MASS. 201 CMR 17.00MASS. 201 CMR 17.00 for Personal Identity for Personal Identity InformationInformation
�� PCIPCI--DSSDSS Payment Card Industry Data Security Payment Card Industry Data Security Standards Standards –– For processing credit cardsFor processing credit cards
�� FERPAFERPA-- Family Educational Rights and Privacy Act Family Educational Rights and Privacy Act –– If If you deal with public schoolsyou deal with public schools
�� BASELBASEL –– Bank of International Settlements Bank of International Settlements –– Banking Banking lawslaws
9/23/099/23/09 Boston Business AllianceBoston Business Alliance 4545
Technology TermsTechnology Terms
�� Data Loss Prevention (DLP) Data Loss Prevention (DLP) -- Data Loss Prevention (DLP) is Data Loss Prevention (DLP) is a computer security term referring to systems that identify, a computer security term referring to systems that identify, monitor, and protect data: at the endpoints monitor, and protect data: at the endpoints -- in use (USB in use (USB devices, laptops, PDA, iPhone), in motion (e.g., moving devices, laptops, PDA, iPhone), in motion (e.g., moving through the network through the network –– browsers and email), and data at rest browsers and email), and data at rest (file systems, databases, and other storage(file systems, databases, and other storage
�� EncryptionEncryption –– Transforming information using and algorithm Transforming information using and algorithm
�� Firewall Firewall –– A device or software designed to block A device or software designed to block unauthorized access while permitting authorized comm.unauthorized access while permitting authorized comm.
�� Free and Open Source SoftwareFree and Open Source Software –– An alternative to An alternative to Microsoft Windows. Linux and Apache are the most famousMicrosoft Windows. Linux and Apache are the most famous
�� https://https:// –– Hypertext Transfer Protocol Hypertext Transfer Protocol -- SSecureecure
�� Malware Malware –– Malicious Software Malicious Software -- Software that infiltrates an Software that infiltrates an owners computer without the owner’s informed consentowners computer without the owner’s informed consent
�� SFTPSFTP Secure File Transfer Protocol Secure File Transfer Protocol –– A means of securely A means of securely transmitting datatransmitting data
�� FERPAFERPA-- Family Educational Rights and Privacy Act Family Educational Rights and Privacy Act –– If you If you deal with public schoolsdeal with public schools