Linking Information Valuation, Information Security & Protective Legal Countermeasures… Michael D. Moberly & John W. Grimes January 23, 2001. Linking Information Security & Information Valuation. Michael D. Moberly - John W. Grimes, JD January 19, 2001. 1. Framing problems….
Linking Information Valuation, Information Security & Protective Legal Countermeasures… Michael D. Moberly & John W. Grimes January 23, 2001
Linking Information Security & Information Valuation Michael D. Moberly - John W. Grimes, JD January 19, 2001
1. Framing problems… Information Valuation
   a. Existing methods…
      1. Snapshots in time
      2. Rely on after-the-fact valuation
   b. Existing methods do not address/recognize…
      1. Evolution-flow (dynamics) of information
      2. Enterprise-wide knowledge management (value-added) initiatives
      3. Demand, attractivity for information
      4. Necessity for perpetual information inventory
      5. Allocation of information protection/security resources
Al McGuire’s no harm, no foul… Info Loss - Info Value - Info Protection
   If I don’t know…
   - What info was lost or
   - When the info was lost, and
   - I haven’t missed it yet, then
   - That info must not have had much value…
   Moberly
2. Framing issues… Underlying questions…
   Management today is increasingly about managing intellectual capital…but,
   • How real is the threat…?
   • Legal protective countermeasures…?
a. Is information property…?
   If I only take information, and you retain as much use and possession of that information as you always had…What’s the problem?
b. Is information cheap…?
   - It’s abundant (quickly expands/proliferates, easily replicated, replaced)
   - Exists primarily in passive state (unless/until applied)
   - Emphasis on short-term use (step-by-step thinking/planning)
   - Reliance on subjective/intuitive value estimates
   Michael L. Dertouzos
c. Does information have value…?
   “…my argument about the value of information is not that it is wrong to regard information as being valuable, merely that we should reconsider our mindsets about the value…” Karl-Erik Sveiby
d. Can valuation occur in nanosecond environments…?
   A company’s value (competitive advantage) may be determined by its ability for rapid and timely conversion of individual and organization knowledge (information)…
e. Information as an intangible…?
   A rapidly growing share of corporate wealth is in the form of items not traditionally viewed as assets…Brookings
3. Methodologies To Assess Information Value
   Information value…often elusive and the result of unplanned and uncoordinated actions, not necessarily the result of a single act or decision…
   Brookings – Understanding Intangible Sources of Value
Information Valuation Methodologies
   a. Objective value…
      - Linked to business continuity (legal, financial, etc.)
   b. Subjective value…
      - Follows from its nature (customer lists, planning, etc.)
   c. Inherent Value
      - Cost to produce, reproduce vs replace, substitute
   d. Inputted Value
      - Potential costs associated legal exposures, criticality
   e. Income Approach
      - Present worth, future economic benefits
   f. Reactive Value (Moberly)
      - Devaluation of asset(s) after loss
   Roosma, Sullivan, Osborne
Information Valuation Methodology
   g. Based on content…
      1. Essential characteristics (project specific)
      2. Choice alternatives made possible
      3. Enterprise-wide efficiencies
      Coupled with ability to identify, distinguish, assess…
   h. Based on Critical Information Components…
      1st Combinations of CIC’s mentioned or inferred
          - Who, what, when, where, how, and competitors, adversaries
          - Operations, objectives
          Luzwick
      2d Assign $ value to each CIC by estimating loss exposure to organization if…
DEMAND for Information
As a driver of value…
   Evolution of Demand - Attractivity…
   1. Rapid shifts, realignments, mixtures of interest
   2. Value cycles – shelf life
   3. Frequency, intensity of competitor/economic intelligence initiatives
      a. Egalitarian, utilitarian perspective
      b. Originators, end users (internal, external)
      c. Information brokering and derived demand…
   Moberly
4. Conceptual model for information valuation…
   To link and align… Information Valuation & Information Audit Processes to Management of Information Security/Protection Resources
   Moberly
Conceptual features of the model…
   a. Enhance enterprise-wide awareness of strategic and organizational factors which contribute to information value…
   b. Address demands for information by recognizing (factoring)…
      1. Inter-dependent accessibility and use of proprietary information
      2. Dynamics of info valuation relative to enterprise-wide info sharing and knowledge management initiatives…
   c. Reduce limitations of traditional info valuation methods…
      1. Utilize objective, quantifiable factors, not subjective classification
      2. Insertion of maneuverable, trackable, real-time security/protection measures
Conceptual features of the model… cont’d
   d. Keep pace with changes in value, vulnerability and threats to designated information…
      1. Provide on-going info valuation and perpetual info inventory
      2. Not impede information (flow) demands
   e. Accelerate, facilitate timely decision-making to…
      1. Manage information protection resources and costs more effectively
      2. Minimize stealthy advantages posed by adversaries, threats through technological-based risk management.
5. Preventive legal countermeasures to disclosure…
Preventive Legal Countermeasures to Disclosure… PURPOSE: To provide Corporate Information Management (CIM) professionals involved in the dispute resolution process with an overview of legal concepts and perspectives in order to better prepare and equip them to overcome attacks upon the information management systems of corporate employers/clients. Special emphasis will be placed upon federal and state rules of evidence and procedure (discovery and trial) as they relate to the role of the CIM professional in the dispute resolution process.
I. Overview of the Dispute Resolution Legal Process.
   A. Civil actions for damages.
   B. Criminal actions for fines, penalties and incarceration.
   C. Equitable remedies.
   D. Alternative dispute resolution measures.
II. Recent Proliferation of Parallel Civil and Criminal Proceedings.
   A. Background: The new litigative environment.
   B. Constitutionality.
   C. Sources of investigations.
      1. False Claim Lawsuits.
      2. Media reports.
      3. Audits.
      4. Complaints obtained from/among governmental hotlines.
      5. Congressional inquiries.
      6. Tips or complaints from competitors, vendors, etc.
      7. Interviews and “deals” with current and former employees.
   D. Investigative Tools in the Prosecutor’s Arsenal.
      1. Grand jury subpoenas.
      2. Search warrants.
      3. Civil investigative demands.
      4. Discovery requests/demands.
      5. Interviews with employees under penalty of state or federal conviction for noncompliance or uncooperativeness.
   E. Concerns of the civil/criminal defendant in parallel proceedings.
   F. Corporate compliance.
   G. Seven practical safeguards for prevention and early detection:
      1. Established compliance procedures.
      2. High-level corporate accountability.
      3. Resist over-delegation of release authority over information.
      4. Communicate…train…publish…ingrain protective procedures into the corporate culture and climate.
      5. Develop a multi-disciplined team and systems for internal audits and compliance controls.
      6. Enforce the systems (#5) overtly, but legally, against violators.
      7. Reevaluate the systems periodically and in view of violations.
III. Protection of proprietary information to include intellectual property.
   A. Trade secret protection tools available to businesses.
      1. Economic Espionage Act of 1996 (EEA).
         a. First federal trade secret protection law, including commercial intellectual proprietary interests.
         b. Up to ten years/$500,000 for individuals; and $5,000,000 for corporations, plus criminal forfeiture of all property constituting or derived from proceeds obtained as result of violating EEA.
      2. State “Trade Secret” Acts.
         a. Most define “trade secret” broadly as any information that…
            i. Is used in a trade or business;
            ii. Is included or embodied in a formula, pattern, compilation, computer software, drawing, device, method, technique, or process;
            iii. Is not publicly known and is not generally known in the trade or business of the person asserting that it is a trade secret;
            iv. Cannot be readily ascertained or derived from publicly available information;
            v. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and
            vi. Has significant economic value.
      3. Recovery of lost profits is specifically provided for in most.
      4. Showing of “due-diligence” typically prerequisite to recovery.
      5. Checklist of preventive countermeasures:
         a. Develop written policy statements and guidelines concerning proprietary information.
         b. Restricting access.
         c. Employees must know that confidential information is protected.
            i. Employee Policy Manuals;
            ii. Employees sign reasonable non-disclosure agreements;
            iii. Employees are regularly trained and reminded of importance and need for confidentiality.
         d. Departing employee interviews and protective measures.
         e. Formal notification of new employees.
         f. Consult with legal counsel.
         g. Conclusion: Yesterday’s ally may be tomorrow’s adversary!
      6. Engaging legal counsel and full utilization of attorney-client and work-product privileges.
         a. Attorney-Client Privilege defined.
         b. Commonly recognized exceptions to the attorney-client privilege:
            1) Furtherance of crime or fraud.
            2) Claimants through the same deceased client.
            3) Breach of duty by an attorney or client.
            4) Document attested by an attorney.
            5) Joint clients
         c. Attorney Work-Product Privilege defined.
         d. Evidentiary showing needed to overcome work-product privilege:
            1) Ordinary work-product…
               a) substantial need of information
               b) undue hardship would result
         e. Ten rules for preserving legal protective privileges…
            1) Stamp or label each document to reflect its confidentiality.
            2) Formally request authorization to conduct internal investigation.
            3) Document and specify role of attorney as coordinator of the investigation.
            4) Maintain separate investigative file(s).
            5) Formally authorize outside counsel to coordinate investigation.
            6) Management should direct all employees to fully cooperate with the investigation.
            7) Witness statements and affidavits should be made opinion work-product wherever possible.
            8) Summary reports must reference applicable privileges.
            9) Train staff that voluntary disclosure will likely waive the right to make any claim of privilege.
            10) Advise employees that counsel speaks for the entity-client.
IV. Conclusion and Summary on Invoking the Shield Of The Attorney-Client Protective Privilege
   1. Consult Attorney Preventively & Formally Authorize in Writing *
   2. Formally Authorize Internal Investigation/Inquiry *
   3. Label Each Document: “PRIVATE AND CONFIDENTIAL: PROTECTED BY THE ATTORNEY-CLIENT PRIVILEGE”
   4. Restrict Access & Dissemination Of Protected Documents
   5. Maintain Separate Investigative File
   * Indicates That A Sample Document Is Attached
Preventive Legal Countermeasures to Disclosure…
   7. Covering Up, Concealing, Or “Doctoring” Documents.
   8. Careless Language In Documents & Correspondence.
6. Forward looking questions…
What will tomorrow’s emphasis be…?
   a. Management is increasingly about managing intellectual capital…
      1. Brief, compressed periods of high info value cycle, shelf life
      2. Info criticality, nanosecond obsolescence
      3. Web weeks, Internet years
   b. Less as intellectual property, more on the basis of the access the information provides…
      1. New markets, business relationships, etc.
      Moberly
   c. Increases in demand, intensity of competitor/economic intelligence…
      1. Macro, micro effects (economies, markets, etc.)
Corporate Minefields
   Information security…
   • Corporate compliance
   • Policies, standards
Unexpected information attacks…
   • Strategic prevention
   • Contingency plans
   • Legal exposure
Will perceptions about information value change…?
   d. When victim…
      1. Desire, ability to report and quantify harm/loss improves
      2. Recognize harm/loss as more than mere annoyance
   e. When reporting intellectual capital becomes standard entry on corporate balance sheets…
   f. When information not considered in separate contexts…?
      a. Banks (integrity)
      b. Individuals (privacy)
      c. Corporations (confidentiality)
Characteristics, features of related software…
   • On demand maneuverability
   • Informed decisions
   • Multi-functioning software, info support to other functions, not single function
   • Tailored to accommodate corporate/organizations specific demands
   • Maximize info protection resource effectiveness
   • Aid in managing info protection costs
   • It does require reporting of all information
Should this document be reproduced or the subject matter referenced, attribution to Mr. Moberly and Mr. Grimes would be appreciated…
John W. Grimes & Michael D. Moberly
Consulting & Research Services Related to…
   • Security of proprietary information/intellectual property
   • Information valuation
   • Investigations
   • Preventive legal countermeasures
   • Competitor/business intelligence
   • Integration (management) of security resources
   • Security/asset protection assessments
   • Executive training
Michael D. Moberly
901 Valley Road
Carbondale, IL 62901
Day Voice 618-453-5701
Fax 618-453-6377
Email: mdmober@siu.edu
Home Voice 618-549-1707
Email: mdmober@midwest.net
John W. Grimes, JD Department of Justice Sciences The University of Alabama at Birmingham 101 15th Street Office Building 901 S. 15th Street Birmingham, AL 35294-2060 Voice: 205-934-2069 Fax: 205-934-2067
Michael D. Moberly Administration of Justice Southern Illinois University Carbondale, IL 62901-4504 Voice 618-453-5701 Fax 618-453-6377 Email: mdmober@siu.edu
Preventive Legal Countermeasures to Disclosure…
IV. Conclusion and Summary cont’d.
   6. Management Should Enlist Full Employee Cooperation *
   7. Witness Statements Should Be Taken So As To Fall Within The “Opinion Work Product” Of Counsel *
   8. Summary Reports Must Cite & Invoke all Applicable Privileges
   9. Create Confidential & Protected Relationships When Hiring Consultants
   10. Voluntary Disclosure Will Likely Waive The Privilege
   * Indicates That A Sample Document Is Attached
Measurable Variables…
   • Pure $ value of R&D
   • Criticality
   • Sensitivity…
   • Cost of info development
   • Projected future benefits, revenues generated
   • Shelf life – Value Cycle – Obsolescence
   • Lost revenue potential
   • Demand for, attractivity to competitors, economic intelligence
   • Intensity of initiatives
   • Adversary capability