Douglas Panzer
June 4, 2013

Should General Counsel Audit Sales Promises vs. Technical Requirements?

The consulting company’s “sales guys” do a great job of bringing in the client, promising efficiency from a quickly implemented, not-overly-complex integration of out-of-the-box-technology. Management is thrilled to win the contract. The tech folks are intrigued by the prospect of curing a big client’s business pains. And then reality hits. The technology architects have to square their real-world solution and the consulting costs of its implementation with the sales team’s promises regarding time, price and disruptive effect (or lack thereof). As both a technology attorney and a former software/web developer I’ve seen it a hundred times and – to turn a phrase – sixty percent of the time it’s a mismatch every time.

This appears to be precisely the situation in the recently settled suit between Lehigh Valley chemical manufacturer Avantor and IBM, in which Avantor’s business was, per their federal district court complaint (PACER login req’d.), crippled by the mismatch between IBM’s sales promises and their allegedly amateurish and unsuitable implementation.

Tech consultancy general counsels need to involve themselves in these situations from the inception to ensure that sales teams have adequately consulted technology resources prior to the sale and that technology and business leaders have properly understood, and are prepared to deliver, their contractual obligations to the client.

IBM was said to be “surprised” by the suit. While this is likely PR speak, it should also be a red flag. While it is likely inappropriate for in-house counsel to insert its judgment into the process of each sale, GCs need to educate their organizations to measure and accurately quantify/qualify their promises to clients. Whether this involves establishing technology/business/sales team collaboration processes or even direct involvement from legal is a question for the organization. However, general counsel cannot remove itself from the establishment of such procedures. In order to manage litigation risk, consulting companies’ general counsel should establish review, collaboration and/or audit procedures to appropriately match contractual promises to technical capabilities. Anything less leaves litigation risk management to chance.

April 22, 2013

Dear General Counsel, Is Your Customer-Facing Website Storing Plain Text Login Credentials? (Part 1)

Your business relies on its website to provide information and service to customers and to increase the business’s own efficiency. What happens when that efficiency is stymied by a customer’s “senior moment”…the all-too-common forgotten password? If the answer is a reminder email to the customer containing his or her username and password in plain text, you may want to notify your insurance carrier and replenish your litigation counsel retainer.

Now, I’m not saying the practice of emailing usernames and passwords is a slam-dunk path to civil or criminal liability. However, the risks associated with such a practice may be greater than you know and are undoubtedly greater than those your business should be willing to subject itself to. Perhaps customers manage their contact information or email subscriptions online. Perhaps you provide true e-commerce and store credit card information. In providing their information, your customers rely on your business to provide reasonable safeguards for the personal information you store about them, and your business has a duty – in the truest legal sense of the word – to do so.

E-Mail: Just One Link in Your Non-Secure Communication Chain

Did you know that email is not a secure means of communication? It’s true. Of course, many readers will already know that the vast majority of email messages traverse the Internet as unencrypted messages; binary strings simply transmitted from sender to recipient without any form of obfuscation. Some small comfort may be found in knowing that the email programs used to send and receive these messages require usernames and passwords, but this does not remove the fact that the messages themselves, if intercepted, require no translation or decryption to reveal their full contents. If the message is intercepted, any private information contained therein is visible for all to read. But even the ability of your business to send plain text login credentials signals larger technical shortcomings.

Plain Text Means Something is Plain Wrong in the System Architecture

In order for a customer support system or representative to be able to retrieve a username/password combination and send it to the user, one of two scenarios must be at play: Either a) your tech folks are storing the information in your company’s database as plain text; or b) the login information, though stored encrypted, uses reversible encryption. In either case, your business is not using tech security best practices and arguably you are failing in your duty to safeguard private customer information. Heck, that practice doesn’t even comport with common state privacy laws’ definition of encryption.

Massachusetts statute 201 CMR 17.00 (that state’s data privacy law), for example, defines “Encrypted” as “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.” If your company’s customer-facing system can decrypt stored user credentials, there is at least one software developer who has seen the key or process while coding it. If your company’s email system can then send that decrypted information over standard email, there is likely at least one system administrator who can see those sent emails on your system. We’re up to two people who shouldn’t have access…shall I continue? What if – please don’t be the one reader whose company does this – your CSRs can look up usernames and passwords in order to communicate them to customers? What’s the number now? By the letter of the law (at least Massachusetts’ law…which, by the way, is nearly identical to many others) your process may not even represent encryption at all, since the process or key is arguably no longer confidential.
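An added example (my code, not from the original post) of how a site avoids both scenarios above: credentials are stored only as salted one-way hashes, so the “look up the password” path that a developer, sysadmin or CSR could abuse simply does not exist, and the forgotten-password case is handled with a short-lived, single-use reset token of which, again, only a hash is stored. It assumes Python 3’s standard library; the class and method names and the 200,000 PBKDF2 rounds are my choices.

```python
import hashlib
import hmac
import os
import secrets
import time


class CredentialStore:
    """Keeps only salted one-way hashes, so nobody can 'look up' a password."""

    def __init__(self):
        self._users = {}   # username -> {"salt": bytes, "hash": bytes}
        self._resets = {}  # username -> {"token_hash": bytes, "expires": float}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # 200k PBKDF2 rounds is an assumed work factor; tune it to your hardware
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        # constant-time compare so timing does not leak how many bytes matched
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def recover_password(self, username: str):
        # Deliberately impossible: the hash is one-way, so no CSR or sysadmin can read it.
        raise NotImplementedError("passwords are hashed; issue a reset token instead")

    def issue_reset_token(self, username: str, ttl_seconds: int = 900) -> str:
        """Return a single-use token to e-mail in a reset link; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self._resets[username] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                                  "expires": time.time() + ttl_seconds}
        return token

    def redeem_reset_token(self, username: str, token: str, new_password: str) -> bool:
        pending = self._resets.get(username)
        if pending is None or time.time() > pending["expires"]:
            self._resets.pop(username, None)  # expired tokens are discarded
            return False
        if not hmac.compare_digest(pending["token_hash"], hashlib.sha256(token.encode()).digest()):
            return False
        del self._resets[username]  # single use
        self.set_password(username, new_password)
        return True
```

The reset e-mail carries only the token link, never the credential, so an intercepted message exposes at most a short-lived, one-shot reset and nothing stored on the server reverses to the customer’s password.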

Do a Legal Review and Work With IT to Craft a Policy

In order to minimize the risk of data loss by the organization and the resulting negligence claims against it, it is incumbent upon counsel to apprise themselves of the practices their company uses for login credential storage, encryption, communication and reset procedures. Find out what your tech people are doing now and work with them to craft a written policy for the future. Then, be sure to follow up at regular intervals to ensure compliance with the policy. Anything less may be less than due care.

Next Time: Is plain text credential storage criminal?
