Privacy Trumps Freedom in Italy as Google Execs Prosecuted

With all the talk about the new Massachusetts privacy regulations about to set a new aggressive standard in the United States, it looks like the real privacy hawks are in Italy.  An Italian court convicted three Google executives today in a case that is certain to create confusion throughout the Tubes.  Italy, meet YouTube, and welcome to the 21st century. As reported by Wired Magazine (among many others today), the case against the three Google execs - none of whom is apparently in Italy - centered around what sounds like a disturbing video of Italian schoolkids bullying and beating up a mentally disabled classmate.  The problem was not that Google did not take down the video - it did! - it was simply that they didn't take it down fast enough.

With today's "share everything" mentality on the Internet, this case sets a dangerous precedent when you consider the "sue everyone" mentality that has also become pervasive in our society.  If adopted here, it seems as though this case could set off a new wave of litigiousness that would weaken not only the freedom we have come to know on the Internet, but also our legal system.  This is exactly the type of problem that Philip K. Howard talked about recently at the TED conference.

But that could never happen here in America, right?

REMINDER: Massachusetts Privacy Regulations Launch March 1st. Here is what you need to know.

There are only two weeks left to comply with the new Massachusetts privacy regulations.  And before you think that they won't apply to you, think again. I have written before about the new privacy regulations, which will be the toughest and most aggressive privacy rules in the country.  Even though the process has been long and included delays and adjustments, the regs are finally going into effect on March 1st.  And you don't have to be in Massachusetts to worry about them; the new rules will apply to anyone - whether based in Massachusetts or not - that holds certain information about Massachusetts residents.  As a review, here is what you need to know:

Who is covered?

The new law covers any individual, corporation, association, partnership, or other legal entity that handles a Massachusetts resident's personal information in connection with employment or with the provision of goods or services, as long as that information is not otherwise publicly available.  The personal information described here means a Massachusetts resident's name (first name and last name or first initial and last name) in combination with that resident's Social Security number, a driver's license or state ID number, or a financial account or credit card number.

What is required?

Those who are covered must create a comprehensive written information security program (a "WISP") to safeguard the information.  The WISP need only be appropriate to the size, scope, and type of operation the person or business is engaging in, the amount of resources available, the amount of the stored data, and the need for security and confidentiality, but that still means that most people will need to make some adjustments. Your WISP must cover:

  1. Designation of someone to maintain the WISP.
  2. Identifying and assessing reasonably foreseeable risks (both internal and external) to the confidentiality of the information whether on paper or electronic, and continually evaluating and improving the effectiveness of the safeguards through employee training and means of detecting and preventing security system failures.
  3. Developing security policies for the way the information is stored, accessed, and transported outside of business premises, and especially for the way the information is stored or transmitted on computers or wireless systems, including email.
  4. Imposing disciplinary measures for violations of the WISP rules.
  5. Taking reasonable steps to ensure that third-party service providers are capable of maintaining similar protections and requiring them by contract to implement and maintain appropriate security measures.

What kind of protection is necessary?

For paper records, you must provide for secure storage of materials containing personal information, such as physical restrictions (e.g., storage in locked storage facilities or containers) and limiting access.

For electronic records, the WISP must include, to the extent technically feasible, a system to secure control of user IDs, password selection and control, and restricting access to active users.  In addition, all electronic personal information transmitted wirelessly or across a public network, and all personal information stored on a laptop or other portable device must be encrypted.  It is important to note that encryption for this purpose does not mean password protection; the regulation requires the information to be transformed into a "form in which meaning cannot be assigned".  In other words, the information must be unreadable.  Password protection alone does not satisfy the requirement.

Are there standard procedures to follow?

The quick answer is no - each person or company needs to come up with unique procedures and safeguards that are both reasonable and feasible for its specific operation.  A large company will necessarily have more detailed procedures than a smaller company, and one industry may be held to a different standard than another on a case-by-case basis.  Your current procedures may be a good starting point and may, in some cases, already comply with the new requirements.  There is ambiguity in the law's use of the terms "technically feasible" and "reasonable" that leaves latitude for the specific terms of compliance.  Some of these will be clarified over time through lawsuits and enforcement actions, which simply reinforces the need to re-evaluate your program over time.

However, that ambiguity should not be confused with making compliance optional.  There are real consequences including lawsuits for breaches and in some cases civil penalties and fines imposed for each violation.

The bottom line is that you need to take this new Massachusetts law seriously, even if you are not in Massachusetts.  But you can mitigate the risk by establishing these minimum standards to safeguard the personal information and prevent unauthorized access.

Here are some additional resources for information on the regulations:

What Are the Essential Components of a Business Plan?

As I prepare to mentor teams from MIT Sloan as part of the Business Plan Contest of its 100k Competition this month, I was thinking about what companies need to produce.  Business plans out there vary from a single page summary to an excruciatingly long dissertation.  The key to a good business plan is to only have the information you need and forget the rest.  Easier said than done though. However, here are some thoughts for companies as they are preparing their plans.  You can see an overview from some very recognizable entrepreneurs in this video.  The entrepreneurs here stress that the market itself, due primarily to the growth of the Internet, is different today than it was in the past, so the model for preparing a business plan is different.  The key is to know the market and have a good idea.  As Marc Andreessen, founder of Netscape turned venture capitalist, notes:

The process of planning ... is very valuable, but the actual plan that results from it is probably worthless.

And as summed up by Kevin Ryan, CEO of DoubleClick, the questions you have to ask to create a good business plan are (1) is this market big enough, (2) do we have a good idea, and (3) do we have good people.

So what should be included?

HubSpot founders Brian Halligan and Dharmesh Shah also have abandoned the large, detailed business plan because once you start showing it to investors, it won't last.  If you have put all of this effort into a 50-page business plan, you either have to throw much of it out as it evolves, or you will be so invested in it that you won't want to change the plan.  Neither result is a happy one for an entrepreneur.  They prefer to think of the "business plan" as a set of three items:

  1. A PowerPoint deck describing the business and team
  2. An executive summary of the target market and business (see more below)
  3. A three-year pro forma profit & loss document

In the early stages of development and the first round of financing, investors are mostly looking at the team and what they are going to do.  It is only when you get into the later stages of financing that detailed financial data become important.  So focus on the market and the concept rather than getting lost in a complicated document.

For the summary, investors will be looking for the following:

  1. The Team.  The people who will be running the business and developing the product are key.  The best startup teams will feature a mix of strengths working together.
  2. The Market.  You need to describe the size of the target market and the environment to show that you will have customers and they are currently being underserved.  However, no business plan should say that the market is unlimited and there are no competitors.  Be realistic.
  3. Your Product.  What is unique about the product or service you are providing?  If you have trouble describing it, you will have trouble with Item #2.
  4. Money and Forecasts.  Give a reasonable view of what you expect your financials to look like for the next few years (again, understanding that this estimate will change) and provide guidelines of what you see as development and customer relationship milestones to meet along the way.

See my previous post for another perspective.

The key to all of this is to show that you have thought through your plan realistically but are ready to adjust when it inevitably changes.

What has been your experience with preparing business plans?  What have you found works or does not work?

Can Law Firms Act Like Startups?

Listening to a great webinar by Brian Halligan and Dharmesh Shah about "Money, Marketing, & Management with the HubSpot Founders", I was reminded about a discussion that has been floating around the Web recently and on this blog as well.  Can law firms act more like startups? One of the themes in the webinar was how companies (particularly a tech startup like HubSpot) should change the typical management philosophy in order to grow and thrive.  Among other things (and to paraphrase a bit):

  1. An organization should break down the pyramid and flatten the org chart.
  2. Extend the "open door" policy to eliminate doors altogether.
  3. Trust your employees and don't try to over-structure company policies.
  4. Be transparent and include your employees.

So everyone sits together and moves around every three months.  Online collaboration tools allow employees to contribute to tools, products, and presentations.  Employees are given latitude and flexibility, which drive productivity.  These things work well in a tech startup where the emphasis is on agility and growth, but does that lend itself to a more "traditional" setting like a law firm?

Why not?

Large law firms have traditionally employed a pyramid structure - from the large pool of new associates at the bottom up to the very few managing partners on top.  Nothing is transparent and firm policies are monitored very closely.  Deals at large law firms get staffed with a range of partners and associates, which is sometimes more beneficial for the growth of the law firm (and higher bills) than for the sake of the deal.

Recently though, driven in part by a changing economy, clients, VCs, and even lawyers have reacted negatively to this seemingly outdated structure and have called for some changes.  As companies evolve, shouldn't their law firms?

I have seen a number of new firms pop up in the last few years that seem to embrace this new model - my firm, Trinity Law Group, is one of them - by leveraging technology to focus on clients rather than high-rent office space, billable hours, and expensive marketing.  By emulating the companies we represent, law firms can provide better value while adapting to a 21st century business model.

What do you think?  Have you noticed a change in the way you interact with your lawyers?

The Innovation Economy Starts Now

2010 has been the bright spot in the future that we have been looking toward for the past 18 months.  When the bottom started falling out in 2008, the immediate future looked abysmal, but we knew that at some point, things would have to turn around.  When you recall that some of the country's great business successes were born out of economic slumps, this recent downturn - the Great Recession or whatever you want to call it - could transition into the most striking growth in more than a generation. Tom Friedman's recent Op-Ed in the New York Times is a call to kick-start a 21st century innovation economy.  He is right that the time is now.  Think of all of the under-utilized talent in the country right now, not to mention the capital waiting on the sidelines.  Lab Day and the NFTE are ways that the country can and must continue to develop the entrepreneurs and innovators of the future, but while real education reform based on innovation is critical to long-term success (both my parents were educators - my dad for 42 years - so I believe in the importance of education), there are many things that we should be doing on a much shorter runway.

Here are three things that may help:

  1. The Start-Up Visa.  This country needs to embrace innovation by bringing innovators here and keeping them.  The startup visa movement is about making sure that technological innovation and the "expanding of the pie" happen in the U.S. In addition to recruiting entrepreneurs and giving them the resources they need, we should raise the H-1B visa limits to bring more skilled workers that will be needed.  Giving visas to those who will create new companies does not take away opportunities for Americans - it expands the pie here to create more American jobs rather than allowing those companies to be created elsewhere.  In this regard, the U.S. is lagging not only behind China, India, and Pakistan, but even behind countries like the U.K. and Canada.
  2. Green Card Diplomas.  The U.S. also needs to reverse the increasing "brain drain" of bringing in and training foreign nationals on student visas and then requiring that they leave the country.  On the contrary, we should actively recruit the best and the brightest from around the world, invite them to our higher educational institutions, and then grant them the right to stay in the country if they start businesses and innovate.  In the words of John Doerr, billionaire venture capitalist, we should "staple a green card to the diploma" of these students and get them to set up businesses here.  Already, half of the Silicon Valley startups are now started by immigrants, including such pillars as Google, eBay, and Yahoo.  We should continue to encourage this kind of innovation.
  3. Government Investment in Innovation.  Government is not a great source of innovation.  But proper government policies can encourage the type of innovation that will grow the economy.  Eliminating capital gains tax on qualified small business investment and giving tax credits for hiring employees is a start toward general economic stimulus, but the administration should also be focused on finding new ways to fund innovation directly while also staying out of the way.