March 24, 2011 12:07 PM | Posted by Jeffrey Peabody |
I happened across a blog post yesterday on the federal GSA.gov website from Mary Davie, the Assistant Commissioner for the Office of Integrated Technology Services in the U.S. General Services Administration (“GSA”). As we have noted in prior posts (here and here), the federal government continues to explore opportunities to offer more of its technology products and services into the cloud. Ms. Davie’s blog post addresses what she sees as four “myths” surrounding the use of cloud computing, particularly for government agencies. In particular, she addresses the following myths:
1. Cloud can be anything. Ms. Davie notes that “not all cloud offerings are created equal” and that they must adhere to five essential characteristics.
2. Public clouds are not secure, and agencies can’t control security requirements. In her post, Ms. Davie acknowledges that public clouds are not “inherently secure,” but observes that, with guidance, agencies can create secure systems. She adds that keeping information secure requires constant work and that agencies should carefully consider what services and data to push to the cloud.
3. Agencies will lose control of their data. Ms. Davie recommends that agencies build into their requirements a prohibition against data-mining and monetizing.
4. Moving to the cloud is difficult. Ms. Davie states that “[g]ood practice in technology generally dictates that systems, applications, or data be moved in pilots or phases.” She notes that the GSA is developing cloud-specific blanket purchase agreements to help other federal agencies compare services and move to the cloud.
While Ms. Davie’s post was directed primarily to government agencies, her comments remain true for other companies and organizations considering a move to the cloud. The bottom line is that cloud computing can offer a wide variety of benefits to its users, but companies should make sure that they’ve planned ahead and put in place a framework to ensure a smooth transition.
March 16, 2011 6:54 PM | Posted by Roy Hadley |
I just read the new report issued by the Ponemon Institute on the cost of data breaches. This is their sixth annual study concerning the costs of data breach incidents for U.S. based companies.
According to the report, the average cost for an organization experiencing a data breach in 2010 increased to $7.2 million and costs companies an average of $214 per compromised record. I note that both of these were higher than in 2009.
There were other interesting findings and lessons in the report including:
• Rapid responses to data breaches by companies cost the companies an average of 54 percent more per record than companies that moved more slowly. Presumably this is because companies that moved more slowly are able to more accurately ascertain the extent of the breach and possible remediation actions.
• Criminal attacks and malicious attacks are the most expensive kind of data breach to deal with, and these are on the rise.
• The most common threat with respect to data breaches remains negligence on the part of employees and partners.
• Encryption and other technologies are gaining ground with respect to post-breach remediation. However, training and awareness programs remain the most popular post-breach remedies.
• Companies are becoming more vigilant about preventing system failures.
Overall, the main takeaway from the report is that data breaches and the costs to remediate them continue to rise and show no sign of abating. You can see the report here.
March 16, 2011 10:47 AM | Posted by Roy Hadley |
I recently read highlights of a very interesting survey put out by the Ponemon Institute regarding data security. The survey, which was entitled “What Auditors Think of Crypto Technology,” was conducted by the Ponemon Institute and was commissioned by Thales, a firm that specializes in encryption software and Host Security Modules (HSMs). According to the survey, 43% of the auditors queried selected encryption for protecting data at the point of capture, such as point of sale terminals, websites, cost centers, and email gateways. The survey found that tokenization came in second to encryption for protecting this type of sensitive information.
The results of the survey were interesting in that encryption was the favorite method of protecting data even though a lot of organizations have problems with key management systems. However, the survey noted that tokenization is an up and coming technology and that tokenization will become a solid alternative to encryption.
It was also interesting that most auditors suggested that they used encryption primarily for compliance reasons and, in fact, use these types of tools only as required to achieve compliance. The auditors specifically noted that HIPAA and PCI were the biggest drivers of encryption followed by state data protection requirements and data breach notification laws.
In our information security practice, however, we are seeing more and more security technologies being implemented by companies not only from a compliance standpoint but also from a best practices standpoint. Notably, the question is beginning to be asked of C-suite executives and boards of directors as to the inquiries they have made regarding information security for their companies. This awareness and potential exposure at the C-Suite and board levels will continue to drive better practices with respect to information security. What questions are you asking?
March 7, 2011 2:31 PM | Posted by John Watkins |
A Washington state court has granted an injunction in favor of Microsoft against a former executive that prevented the executive from taking a similar job at Salesforce.com. The injunction is based on a non-competition agreement in the former executive's employment agreement with Microsoft. The executive is also alleged to have taken information regarding Microsoft's strategy for selling cloud computing services to governments. It should be noted that this is only a preliminary ruling, and a full hearing has been scheduled for March 25. Click here to read more about the case.
This type of case is fairly common, particularly in tech companies. It does illustrate, however, that large companies consider their cloud computing resources to be valuable and worth seeking legal protection. The enforceability of covenants not to compete varies from state to state. Georgia recently passed legislation to make covenants not to compete more enforceable.