Archive for the ‘Policies and Procedures’ Category

Security Breaches: A Lesson For All From A Small Company

December 16, 2014


News of security breaches has become so commonplace that we hardly react with surprise or outrage any longer. The scenario plays out in an almost scripted fashion. Computer hackers located in Russia or China identify a system’s vulnerability, break in, and steal sensitive customer or patient (in the case of electronic medical records) information. Defending against these outsider attacks has become a high priority for any organization which possesses confidential records. The failures which make headlines are those where data thieves have looted the systems of large entities containing millions of records and huge infrastructures. We’ve all been impacted to some degree as consumers, but as business managers and owners we may harbor a false sense of immunity to data security breaches. A recent action brought by the Department of Health and Human Services Office of Civil Rights (OCR) brings the problem closer to home for smaller entities which manage more limited amounts of information.

The case involves Anchorage Community Mental Health Services, Inc. (ACMHS), a five-facility nonprofit provider of behavioral health care services to children, adults and families in Anchorage, Alaska. As required by the Health Insurance Portability and Accountability Act (HIPAA), ACMHS notified OCR of a breach of 2,743 patient records caused by malware on one of its desktop computers. OCR conducted an investigation of the incident and found ACMHS had failed to protect sensitive patient information. On December 10, 2014, ACMHS agreed to pay a $150,000 fine and undertake a corrective action plan to address the deficiencies which caused the breach. Here is what OCR’s investigation revealed:

1) ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization’s employees for a seven-year period, from 2005 to 2012.

The practices at ACMHS are not unique to health care providers. All too often organizations maintain a template of written policies and procedures which are not tailored to the organization’s actual method of operation. For health care providers, simply having in place template policies and procedures is insufficient to satisfy HIPAA requirements. Organizations outside the health care industry do not face monetary penalties for security breaches but nonetheless are exposed to data security risk for failure to evaluate compliance with written data security protocols.

2) ACMHS failed to update its software.

OCR found that the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software. The settlement agreement stated that ACMHS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.” Once again, all organizations, not just health care businesses, can suffer losses for delaying or neglecting software updates. It’s not always an easy task, and the cost to implement an upgrade may push it down on the company’s priority list. But avoiding the upgrade process has potentially serious consequences, not to mention the eventual impact on the organization’s value caused by running old software.

C3 Advisors, LLC
December 15, 2014

C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.
Process Optimization focuses on establishing formalized operational functions that facilitate increased productivity, mitigate risk, and provide the foundation for optimal profitability.
People Integration addresses staffing and workforce issues that are critical to the success of continually cost efficient, low risk and productive processes.
Technology Maximization ensures the ROI on a technology investment is fully realized through complete use of systems functionality and business intelligence.

We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at http://www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or email us at debd@c3advisors.com.
Find us on Facebook and LinkedIn. Subscribe to our newsletter by emailing debd@c3advisors.com.

Are LinkedIn Contacts Protectable Trade Secrets? For Now, The Answer May Be Yes

November 13, 2014


Stealing customer lists from an employer for competitive motives is nothing new. Court dockets are full of legal disputes between employers and former employees for trade secret theft. One recent case, though, is worth careful consideration because of its implications for social media in a business development context. The controversy involves an employer which sued a former salesperson for trade secret protection of the LinkedIn contacts that individual maintained after he was terminated from employment. Given the vast networks of individuals and organizations available to the 300 million LinkedIn users across the globe, it hardly seems likely that such information could be deemed secret. But for now, the courts have agreed with the employer’s claim that the former employee misappropriated its proprietary information. Employers and anyone in a sales or business development role should pay close attention to this case as it winds its way through the courts.

The majority of facts in this case are not unusual. David Oakes worked as a sales manager for Cellular Accessories for Less, Inc. (Cellular) from 2004 to 2010. While employed there he signed an employment agreement that precluded him from removing any proprietary information from Cellular, either physically or electronically, including Cellular’s customer database. He also signed a statement of confidentiality forbidding the disclosure or use of the company’s information without prior consent. In 2010, Cellular terminated Oakes, and he then struck out on his own to start a competing business, Trinitas, Inc. Shortly after his termination, Oakes emailed himself a file containing the contact information for more than 900 personal and business contacts, another file with information for purchasing agents, detailed client billing preferences, client pricing requests and a Cellular strategy document. What merits attention is that he also maintained his LinkedIn contacts after termination. Subsequently, Cellular sued Oakes for trade secret misappropriation. See Cellular Accessories for Less, Inc. v. Trinitas, LLC, No. CV 12-06736 DDP (C.D. Cal. Sept. 16, 2014).

Customer lists are not trade secrets, per se, because they may contain information which is readily accessible through open sources. They tend to be considered trade secrets when time and money has been expended through sophisticated methods to compile the information. The court agreed with Cellular in this instance that the customer lists taken by Oakes are trade secrets due to the economics of their creation and development. But LinkedIn is commonly viewed as a personal network, not the proprietary information of an employer. So why did the court rule in favor of Cellular? Here are the arguments which resulted in that decision.

Oakes asserted that the LinkedIn contacts were not secret because Cellular had encouraged its employees to create and use LinkedIn, his contacts were viewable to any other contact he has on LinkedIn, and any competitor could search LinkedIn to recreate the list. Finally, he argued that Cellular authorized salespeople to disclose the identities of clients to other customers as a way of attracting new business and failed to inform employees that the LinkedIn contacts were proprietary or confidential.

Cellular refuted Oakes’ defense, saying that LinkedIn contacts are not automatically viewable because an account is only visible to the extent that the user chooses to make it public. LinkedIn is not configured to automatically share contact information, and Oakes deviated from the default settings in deciding to make his network public. The court declined to take judicial notice of the functions of LinkedIn (judicial notice allows a court to accept the existence of a commonly known fact) and stated that the parties did not make clear the extent to which the contacts were made public, or whether it was done with Cellular’s permission.

Considering that social media has become inextricably woven into marketing and business development philosophies at every level of commerce, this ruling should be carefully examined. The concept that a social media account is not public and that it belongs to an employer may be difficult for an employee to understand. From the employer’s perspective, a client list may lose its value as a trade secret if employees are encouraged to use social media without restrictions for business development purposes. What’s more, as demonstrated by Cellular v. Trinitas, it cannot be assumed that judges understand the intricacies of social media forums, including the mechanics of privacy settings. While there is no perfect solution, businesses can establish practices to better protect their trade secrets.

Agreements and Policies—Frequently update employment contracts, non-compete agreements, non-disclosure agreements and social media policies to redefine trade secrets in the context of online networking and spell out restrictive terms and conditions regarding the use of various social media platforms. Specify that the accounts remain the property of the company.

Training—Educate employees regarding the proprietary and confidential nature of customer information located in social media platforms, privacy settings and how to avoid unwanted disclosure.

Business-Only Social Media Accounts—Require that employees’ personal social media accounts remain completely separate from their business accounts, which should be linked only to a company email address.

Client Database—Establish a password protected internal database to which employees should add any client contact information that they obtain through social media or otherwise.

Costs—Maintain records which capture the time and money spent to develop customer lists.

Employee Termination—Upon employment termination, voluntary or otherwise, terminate the employee’s access to business accounts.

The federal judge denied Oakes’ motion for dismissal and found that the case can move forward. Stay tuned for the next phase, and consider changes to policies and procedures which are important for the protection of company proprietary information.

C3 Advisors, LLC
November 13, 2014
