DFW Business Leaders, I have 2 questions for you …

(1) Are you ready to improve as a leader?

(2) Do you know my friend Robert Hunt?

If I were giving a presentation and asked an audience of business people in DFW those two questions, I would be willing to bet that at least 75% of the people attending would know Robert Hunt. The more influential the crowd, the higher that number would be. Here is why: Robert had lunch with Gabray.

1ce897f (1)A Story of Character

Who is Gabray, you wonder? Gabray is the parking garage attendant at Robert’s office building.

Stop and think about that for a moment.

Have you ever stopped your busy, all-important life long enough to have lunch with the attendant at the parking garage of your office? Have you ever even thought about taking the time to stop and have lunch with someone in such a position?

Are you being honest with yourself when you answer those questions?

For most of us the answer is an emphatic “of course not!”

But, when it comes to Robert, I am not the least bit surprised because that is just who he is. You can read more about what he learned from lunch with Gabray at this link. There is a lot more to the story about Robert than just his having lunch with Gabray but the reason I’m making this point is because this one simple event exemplifies Robert’s character, his compassion for others, and his genuine interest in people — regardless of what they can or can’t do for him.

The Most Interesting Man?He is truly one of the most giving and genuinely caring people I have ever met. That is who he is as a person. He has leadership roles in more charitable and volunteer organizations in the Dallas/Fort Worth Metroplex than anyone else I know. He is as actively involved in his church as he is in the lives of the people he knows. While he may not quite be “the most interesting man in the world” as he sometimes tries to appear to be (isn’t that picture great?), he is the man of integrity that so many men pretend to be.

As I was paying while leaving the parking garage of Robert’s office, I met Gabray and mentioned to him that I had been at a meeting with Robert. He stopped and looked me in the eyes. The look on his face was priceless, filled with gratitude and sincerity, as he looked at me and in broken English said, “Robert is such a wonderful man, he lives in the spirit of Christ.” We talked briefly and closed in agreement that any time spent with Robert Hunt is time well spent. I will never forget the look in that man’s eyes — it was solemn and reverent, as real as it gets.

I thought about that look as I drove back to my office and was reminded of an old saying that went something like you can judge a man’s character by the way he treats those who can’t do anything for him. That led to my thinking about my old Zig Ziglar calendar that I have written about and the following pages jumped out at me and, ultimately, what moved me to write this post:

Photo Jan 30, 11 11 00 PM   Photo Jan 30, 11 10 44 PM   Photo Jan 30, 11 11 13 PM

What’s in this for Business Leaders?

So, what was I doing at Robert’s office this morning?

Robert leads CEO peer groups through Renaissance Executive Forums Dallas. His purpose:

To influence leaders and encourage their efforts to lead with excellence. To fan the flames of creativity, to focus on their passions, and bring clarity to their vision. To be a Trusted Advisor who understands their burdens, to remove their isolation; to help them reach their DREAMS.

Sounds great, right? But how? That is the million dollar question. Robert has been telling me about his work for quite some time but it never really clicked with me until today when he invited me to join in on one of his half day “open” CEO peer group meetings so that I could see for myself. It helped.

Most of you know that I have a “coach” — Cordell Parvin — and I have written about my experiences with Cordell’s coaching a fair amount on this blog. I trusted Cordell to be my coach because he not only had a lot of knowledge and a proven track record of coaching other lawyers, but he had also done it himself in the real world. He was a true rainmaker when he was practicing and that gave him an added measure of credibility with me.

In the past, when Robert described his “peer groups” to me, I viewed them through the lens of my experiences, as a sort of coaching for CEOs. Admittedly, that always made me wonder (without asking), “Robert, what qualifies you to coach these folks???” Now I understand. THIS IS NOT COACHING!!!

Here is how I describe what I witnessed, from my own perspective: This is like a supercomputer that combines the brain power, knowledge and, more importantly, experience, of 10 highly successful real-world CEOs who get together as a group to discuss and work out solutions to issues that are important to their companies. They do this in a structured manner that is facilitated by Robert. Now compare that to a 4-year-old Dell laptop with the outdated CPU, broken fan, maxed out hard drive, and no antivirus software? :)  Which do you think is more effective? (see, I worked in the cyber connection)

While I am not a CEO by any stretch of the imagination, I am someone who is extremely interested in improving in my profession and finding ways to deliver outstanding service and value to my clients. One of the things we talked about today was our vision and our mission. It was deep and powerful. I have some refinement to do here. We talked about a lot of other things and I took a ton of notes and have more solid action items than you could imagine, but that is exactly what I was hoping for. Expect to see more effective work out of me going forward — and hold me to it.Photo Jan 30, 8 58 54 PM

One of the lighter points of discussion that I really enjoyed was our discussion of the book Raving Fans. Robert has also written about this. After this discussion, I committed to myself that I would re-read it this weekend so, with that, I have blathered on long enough and will sign off to get to reading.

Hopefully, you know and trust me well enough to know that I would not have taken the time and energy to write something like this if I did not believe the message could help you. For non-business leaders, there are plenty of lessons about life in this post. For business leaders, I encourage you to get in touch with Robert and learn more about what he does, how it does it, and why he does it. Heck, just go have lunch with him — no obligation whatsoever. And, if you want to do this but don’t want to spend the money on the lunch, call me and I’ll be happy to tag along and pick up the lunch tab (my choice of restaurant). Remember, any time spent with Robert Hunt is time well spent!

Here is how you can reach Robert: @RobertJHunt2010, LinkedIn, Facebook, Website

p.s. I am serious about lunch!

7 Ideas for Security Leaders – What Do You Think About My Suggestion?

Many thanks to CSO Online and Michael Santarcangelo (@catalyst) for including my suggestion as one of 7 inspiring ideas for small changes that lead to big improvements in both security posture and leadership within organizations.

The article is 7 Ideas for security leaders. Here is a teaser from my suggestion on slide 5 but please go check out all of the great tips in the article:

“One change for this year: reconsider and take contracts and policies that relate to the access and use of their computer networks and data seriously.”

Please go give a shout-out to Michael and re-share the article; more importantly, let us both know what you think about the suggestions and what more we could add!

Happy Data Privacy Day!

Data Privacy DayWhat are you doing to observe it?

Today is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

Data flows freely in today’s online world. Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day is an effort to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

Help is Only a Telephone Call Away

I have assisted many companies with data security issues from assessing their cybersecurity and data privacy strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. When it comes to cybersecurity and data privacy, I see the whole playing field. If you have questions about how you can help better prepare your company, please feel free to give me a call (214.472.2135) or email me (shawn.tuma@solidcounsel.com).

Part 3 of Series: Simple Ways to Use Social Media to Build Your Practice in One Hour

cordellHere is the third and final post in my 3 part series on Cordell Parvin’s blog: Lawyers: Simple Ways to Use Social Media Marketing in One Hour: Part 3 | Cordell Parvin Blog.

If you missed them, here are the first two posts:

I also have several other posts where I discuss my coaching experience with Cordell — check them out and give him a call, he doesn’t bite! Here is his website and his blog.

Part 2 of Series: Simple Ways to Use Social Media Marketing in One Hour

Here is part 2 of my 3 part guest post series on my coach Cordell Parvin’s blog: Lawyers: Simple Ways to Use Social Media Marketing in One Hour (Part 2) | Cordell Parvin Blog.

Lawyers: Simple Ways to Use Social Media Marketing in One Hour: Part 1 | Cordell Parvin Blog

Check out my guest blog post on my “coach” Cordell Parvin’s blog:  Lawyers: Simple Ways to Use Social Media Marketing in One Hour: Part 1 | Cordell Parvin Blog.

Update/Clarification: Washington AG Seeks Data Breach Law That Ends Blanket Exemption for Encrypted Data

Square peg, round holeThis update/clarification post explains how the proposed Washington state data breach notification law is really treating encrypted data and how it may actually be expanding the data breach safe harbor exceptions under that law.

I recently blogged about a newsletter I received from the Washington State Attorney General in which the AB was calling for a new data breach notification law for the State of Washington. Of the several points mentioned for the new breach notification law, the one that really stood out was the call to eliminate the blanket notification exemption for encrypted data that is the norm with these laws.

This point also got the attention of my friend Jim Brashear (@JFBrashear) who knows a thing or two about encryption as General Counsel for Zix, the world’s leader in email encryption. Not only did Jim find a link to the actual newsletter (HERE), but he shared with me some excellent analysis on what is in the proposal as well as the issue of encryption in general.

The issue of encryption is particularly relevant now, given some of the assinine talk we have been hearing about the US and UK’s possible cybersecurity “solutions” that could involve outlawing certain forms of encryption. (yeah — when you get up off the floor, you can read more here: Obama and Cameron’s ‘solutions’ for cybersecurity will make the internet worse).

Because of that, and because I always learn a lot from my conversations with Jim, I am sharing some of his insight with you that comes from an email from Jim:

The press release notes that current Washington law “does not require notifications concerning the release of ‘encrypted’ data, even when the encryption is easy to break or there is reason to believe that the encryption ‘key’ has been stolen.”

If any state data breach legislation (or rules) were to eliminate the notice exception for encrypted data, that would be bad [for everyone]. More importantly, that sort of law makes no sense. It would remove one incentive for businesses to use reasonable data protection.

But the legislation that the AG is advocating does not actually eliminate the exception for encrypted data … even though the bills delete the specific references to encryption. The legislation provides that “Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity.” That would be true in the case of strong encryption where the key has not been compromised.

Here is the key language from the proposed legislation (HB 1078 / SB 504):

(1) Any person or business that conducts business in this state and that owns or licenses ((computerized)) data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose ((unencrypted)) personal information was, or is reasonably believed to have been, acquired by an unauthorized person. ((The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.)) Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity.

THE TAKEAWAY: This proposed legislation does not eliminate the encryption safe harbor in situations where (1) strong encryption was used and (2) the encryption’s effectiveness has not been compromised. It does, however, broaden the safe harbor to include other situations where, even though there has been a breach, it “is not reasonably likely to subject consumers to a risk of criminal activity.”

The litigation to determine this “reasonably likely” standard could get real fun and the “experts” in this area will have a field day!


Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes across the United States.