27 September 2015

Safe Harbor: Achieving a Defensible Standard of Care...

"Achieving a Defensible Standard of Care" within the enterprise requires an astute and proactive legal framework.  Operational Risk Management becomes a key component of that legal framework at the multiple junctions of technology, data science and privacy law.

U.S. National Security continues to be in the center of the legal jousting between the European Union and the United States.  Underlying the debate is the data flowing through the Internet from data centers in Europe owned by U.S. companies.

What are the implications of a change in the Rule of Law and the rules associated with the collection, storage and analysis of data by companies such as Facebook?  How will the future of Operational Risk decisions impact the safety and security of nation states?  Is "Safe Harbour" ready for legal reengineering and a new, updated global data privacy architecture for the Internet of Things (IoT)?

III – Conclusion 237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:

Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.

Chief Privacy Officers and General Counsel within the ranks of Amazon, Google and Facebook are on a proactive mission.  How do they keep business models fueled by advertising from eroding if data flows from outside the U.S. are precluded and all data from the EU must stay within the EU?

The Office of the Director of National Intelligence (ODNI) will be tracking the data privacy legal frameworks across the globe and the continuous changes that will be necessary to stay in compliance with U.S. laws.  Henry Farrell sums this up nicely in his WP analysis:
Thus, if the court rules as expected, the U.S. has to choose between two unattractive options. The first is to refuse to make any concessions on surveillance, hence endangering the business models of big and influential U.S. e-commerce firms, and making life much harder for other big corporations that e.g. have to transfer personnel files across borders. The second is to make real concessions to the EU on spying, moving away from indiscriminate surveillance to a system that would provide real protections for European citizens.
We are on the edge of many years of new business process reengineering (BPR), but this time it is not about the demise of proprietary client/server architectures and the addition of Internet Protocols.  The new data privacy BPR is now just underway, and it has everything to do with negotiating sound contracts for digital devices and data flows across borders.  More importantly, it is about the trusted business assurance questions being asked by Operational Risk Officers and the building of digital trust as data and rules are executed at the speed of light.

Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable: a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted.

As you pick up your mobile device to access Messenger, or Wickr, the rule of law is being put in motion in nanoseconds.  When you type the message to your colleague in Ireland or Germany from Detroit, your data is being processed across data centers in multiple countries.  Machines executing business rules with other machines.  Are the rules correct?  Are they all legal?

"Achieving a Defensible Standard of Care" in the next decade will be one of our most interesting challenges.  The Safe Harbor of our way of life may go beyond the simple integrity and assurance that the message simply gets delivered.

19 September 2015

Trust Decisions: Future Risk Architecture...

Leadership within the enterprise requires "Trust Decisions" that they can count on.  Operational Risk Officers have a fiduciary duty to provide top executives with the confidence that the data and information they provide is trusted.

So how do you assist any corporate leader who has the responsibility and accountability to the Board of Directors to make informed and sound decisions?  The answer is that it depends on how willing the CxOs in the enterprise are to engineer a "Trust Decision" model and framework for the business.

The truth is, most executive managers have their own way of doing this.  The process by which the CEO makes decisions is quite different from how the CFO makes decisions, and the COO may have a documented and tested way to make their decisions.  The point is that major "Trust Decisions" for the good and welfare of the enterprise are being made by people who are each doing it differently.  These human decision makers are relying on a number of ways to get to the final answer.  The decisions from leadership are not as trusted and reliable as they could be.

As an Operational Risk executive charged with making timely and correct decisions, you have no choice but to have the tools and the trusted sources to enhance your situational awareness.  The safety and security of the facility, the information or people's lives are at stake.  That is why you test and continually improve the process so your analytics dashboard, intelligence feeds and data sensors are all operating with integrity and in real time.

You are relying on information that changes by the nanosecond and a system designed to provide decision support.  Intelligence-led investigations or reacting to the latest incident requires systems designed and tested to support human "Trust Decisions."  Now back to the executive leadership and their process for decision-making.  What is it?  How does the CEO make the final decisions for the future wealth of the company and its stakeholders?  Are they trustworthy?

Unless you have seen the "Trust Decision" process and trusted data framework engineered for your enterprise, then probably not.  Think about all of the leadership level projects and how they turned out.  How did executive leadership decide to buy that other company or merge with their favorite supplier?  What process did they use to ensure all of the due diligence data was correct?  Why are the sources of data trusted?

We have the opportunity to improve and to arrive at a point where we make "Trust Decisions" our priority and a prerequisite.  After all, our employees, customers, shareholders and even mankind deserve it.  The challenge begins.

Whenever you encounter your next major business decision with your CxO, ask them how they arrived at the decision.  Ask them to explain the process they used and the sources of trusted data they relied on.  Ask them why they think the architecture of the decision at hand is the most sound and trusted decision that can be made with the time available.

You are now well on your way to better understanding the power and the future risk architecture of TrustDecisions.

11 September 2015

9/11 2015: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States, September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:07AM on that horrific morning, as the two planes crashed into the World Trade Center Towers in New York City, followed by the Pentagon in Washington, DC and a field near Stonycreek Township outside Shanksville, Pennsylvania.

The Islamic State fight continues 14 years later in an arena of global asymmetric warfare.  This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo, whom you will never read about.

When any moral person watches the replay of the video news reporting on 9/11, emotions are evident.  Telling the story to those who were not born or are too young to remember is imperative.  It is no different from the importance of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 14 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

06 September 2015

Rule of Law: The Privacy vs. Security Paradox...

Chief Privacy Officers and Operational Risk Officers are watching with anticipation as Microsoft argues its case before the U.S. Court of Appeals for the Second Circuit in New York on September 9, 2015.

The trustworthiness of data and the future of "Achieving Digital Trust" for companies and countries is a priority.  The wealth created from the management, storage and processing of data across global borders is at stake.  The "Rule of Law" that intersects with that data and the legal disclosure to government authorities, has been accelerating in countries such as Ireland, Belgium and Brazil.

The company hasn’t always been so eager to comply. A year earlier, it rebuffed a request from the Department of Justice for a suspected drug trafficker’s e-mails. Those were in a data center in Dublin -- and according to Microsoft, the arm of American law enforcement doesn’t extend to Ireland. That set in motion a legal challenge putting Microsoft and its general counsel, Brad Smith, in the lead of a charged battle between the U.S. technology industry and the U.S. government.
More than two dozen companies, including Apple Inc. and Cisco Systems Inc., have filed briefs on Microsoft’s behalf in the case, which is about due process and the right to privacy, and money. Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws -- and from unilateral U.S. search-and-seizure missions.

The privacy vs. security tension is now a business reality, and a defensible standard of care remains vital.  Several companies in the data privacy industry have made the decision to establish their legal business entity in Switzerland.  Silent Circle, Proton Mail and Golden Frog are a few examples.  Why?

It is because the business of privacy is becoming a big business.  It is creating wealth.  Data privacy and the use of cloud-based products and services is now so pervasive across borders, that the collision of private companies and governments was inevitable.  Nation states are making it easier for global companies to locate, manage and operate in their data privacy friendly countries.

Digital Trust is at the center of the dialogue.  Operational Risk Management (ORM) surrounds the core conversations as you analyze the implications of building a data-centric business with the ability to comply with all of the regulatory and legal requirements.  The Electronic Communications Privacy Act (ECPA) of 1986 is being interpreted in Microsoft v. United States of America:

The Government’s brief confirms this much: Nowhere did Congress say that ECPA should reach private emails stored on providers’ computers in foreign countries. Small surprise for a statute written in 1986, before the creation of the global internet, when the notion of storing emails halfway across the globe was barely imaginable.

Congress can and should grapple with the question whether, and when, law enforcement should be able to compel providers like Microsoft to help it seize customer emails stored in foreign countries. Microsoft has outlined many reasons why Congress would be wary of granting that power: It would establish a norm that would allow foreign governments to reach into computers in the United States to seize U.S. citizens’ private correspondence, so long as those governments may assert personal jurisdiction over whatever company operates those computers. It would offend foreign sovereigns.

Business and Government across the globe are working diligently to create a balanced, legally sound and vital information sharing environment.  Consumers will continue to have a choice of which vendor, device or data hosting company they use for their communications.  The features, functions and benefits will be carefully thought out by the marketing and business executives.  Yet the question will be asked by each company's respective stakeholders:  What is the value of trustworthiness in the markets we operate in, and how will we decide to create "Digital Trust"?

The consumer must also understand how these tools are being utilized by the dark and evil components of our human society.  Citizens must better understand the motivations for government to protect consumers and those organizations who choose to use certain tools on the Internet.  Those who have a fear of government also like the idea of law enforcement protecting their neighborhoods.  There are two sides to the private enterprise, as the head of GCHQ put it:
They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us. If they are to meet this challenge, it means coming up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.
As private companies and nation states collaborate to attract new business commerce and tax revenues, your privacy and your company will be at the center of the negotiation.  Consumers will continue to have preferences about where their data is stored and which legal jurisdiction it is subject to.  That holds for the good guys and the bad guys.  "Achieving Digital Trust" will be with all of us for some time to come.  As mankind evolves and the most valuable assets of our world become virtual, we can only hope "Trust Decisions" and the "Rule of Law" will stand the test of time.