NEW PRIVACY REGULATIONS: BIG JOB AHEAD FOR BUSINESSES! COMPLIANCE DEADLINE: JANUARY 1, 2010

We are fortunate this month to have an article about the New Massachusetts Privacy Regulations written by Karen A. Whitley, Esq. and Kathleen E. Cross, Esq., experts on this subject, and lawyers at Hanify & King, Professional Corporation. Please read carefully.

In response to several highly publicized breaches of confidential customer financial information, the Massachusetts Legislature passed a well-intentioned and straightforward law in August 2007 intended to “safeguard the personal information of residents of the commonwealth.” In February 2009, the Office of Consumer Affairs and Business Regulation (“OCABR”) fulfilled its charge to prepare regulations implementing the new law, with a set of extensive requirements for every person or business which “own[s], license[s], store[s] or maintain[s]” personal information of a resident of the Commonwealth. The breadth, cost and implementation timetable for these regulations, found at 201 C.M.R. 17.00 et seq., have elicited a concerted backlash from notable business groups, ranging from lawyers to the mutual fund industry to health care providers.

In the short term, to ease the predicted strain on businesses, the OCABR postponed the deadlines for compliance with the regulations from January 1, 2009 to May 1, 2009, and more recently postponed the deadlines to January 1, 2010. However, many businesses will still be hard pressed to comply fully within that timeframe, especially given the possible added costs for revamping information technology policies and software.  Notably, neither the law nor the regulations contain any exemption or opt-out for any category or size of business (which may be as small as a single person’s sole proprietorship).  Considerations such as the “size, scope and type of business” as well as the volume of personal data handled by a particular business will be taken into account when evaluating compliance with the regulations.  All businesses, including those outside of Massachusetts, are subject to these regulations if they hold personal information of residents of the Commonwealth.

What is Protected: Personal information is specifically defined as a resident’s first name or initial along with his or her last name plus one or more of the resident’s 1) social security number, 2) driver’s license number or state identification card number, 3) financial account number, credit card number, with or without personal i.d. number or password.  If any of the foregoing information is lawfully available to the general public, it is not considered personal information under the statute and regulations.

How Personal Information Must Be Protected: Generally, each business must create a written information security program (“WISP”) that sets forth the components of their privacy plan “applicable to any records containing  . . . personal information” and customized to their business.  The regulations recognize two levels of protection, one generally applicable to all records with personal information and a second level applicable to personal information on computer and other electronic devices.

General Protections for All Personal Information:

Every WISP must contain provisions for:

1)      Designating one or more employees to maintain the security program;

2)      Placing limits on collection of personal information, on the length of time it is retained, and on the persons allowed access to the information, to “that reasonably necessary to accomplish the legitimate purpose for which it is collected”;

3)      Identifying all records and places personal information is stored within the business, unless all information will be treated as personal information;

4)      Providing, in writing, reasonable restrictions on physical access to personal information and storage of such information in locked areas or containers;

5)      Assessing the risk of disclosure of personal information in all records which the business holds, including an assessment of existing safeguards (for example, employee training, compliance with security policies, how breaches of security are prevented/detected);

6)      Identifying security policies for employees (for example, use and transport of personal information outside the business, discipline for violations of policy, and cutting off access to information immediately upon termination of employment);

7)      Verifying that third-party vendors with access to personal information comply with the regulations, including revising contracts requiring vendors to maintain security safeguards.  Effective January 1, 2010, a business must ask each third-party vendor for a certification that it has a WISP which complies with the regulations;

8)      Including procedures for regular monitoring and upgrading of security measures;

9)      Requiring at least annual review of security procedures or review whenever a business undergoes a material change in practices implicating records containing personal information; and,

10)   Outlining procedures for documenting any breach of security, mandatory post-breach review of events and remedial measures to protect personal information.

Protections for Personal Information in Electronic Form:  When a person or business “electronically stores or transmits” personal information, the WISP must include security procedures covering computers and wireless systems, such as:

1)      Secure user authentication protocols to a) control user ids, methods of assigning and selecting passwords or other unique access technologies b) restrict access to active users and active accounts and c) block access after multiple unsuccessful attempts to access the system;

2)      Restrictions on access to records with personal information to only those employees with a “need to know” and assignment of user id plus passwords to access the secure system;

3)      Encrypting all transmitted records with personal information that will travel on public networks or by wireless transmissions;

4)      Monitoring electronic systems for unauthorized use;

5)      Encrypting all personal information on laptops and other portable devices;

6)      State-of-the-art firewall, malware and security software as well as OS security patches that are regularly updated; and,

7)      Employee training and education on security of electronic personal information.

Although each WISP will be different based on the size and needs of a business, a sample WISP for a small business can be found on OCABR’s website.

Disclosure of a Breach: Disclosure obligations under the statute are triggered whenever a person or business becomes aware of a security breach or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. A security breach is broadly defined as the unauthorized use or acquisition of encrypted data containing personal information with enough information about the security process to create a substantial risk of identity theft or fraud against a resident. If the person or business merely stores or maintains personal information, it must timely disclose the breach to the owner or licensor and provide required information about the breach as well as cooperate with the owner/licensor. An owner or licensor of personal information must provide notice of any breach to affected residents, the Attorney General of the Commonwealth and the director of OCABR. The statute (Mass. G.L. c. 93H) describes the information which must be provided about the breach.

Enforcement: Enforcement will be handled by the Attorney General’s Office, which may seek injunctive relief as well as penalties.  The Attorney General’s office has not yet issued any guidance about its enforcement of the law or regulations.

Bottom Line: Almost all businesses will be subject to the new regulations as the most basic personnel information for employees is, by definition, personal information. However, many businesses subject to these regulations already take some, if not all, of the foregoing measures to protect personal information, as well as other information considered confidential or proprietary to their business, whether dictated by law (in which case, these entities may already be considered compliant) or by industry standard. However, most will need to re-examine current protections and practices, if not start from square one, to create a WISP that includes the key components mandated by OCABR. Including a senior IS employee or consultant will be essential for any business keeping personal information electronically. Furthermore, each business should collaborate with any of its third-party vendors who handle personal information to ensure that those vendors (payroll companies, copying facilities, document storage facilities, etc.) are also compliant.

While OCABR is not unsympathetic to this new financial burden for businesses in a difficult economic time, any burden is outweighed by the interest in protecting personal data.  In light of the imminent deadline for enforcement, businesses are well-advised to begin the process of bringing systems into compliance as soon as possible.

Concurrent with the survey of information which will be necessary to draft a WISP, it is advisable to review and update other related policies, such as document or email retention policies, confidentiality policies, and policies governing employees’ use of company property, including laptops and electronic devices. In situations where personal information might have been compromised, Hanify & King’s lawyers are also available to help employers determine the appropriate course of action, and will guide employers through the required steps of notifying affected individuals and various governmental agencies.

For more information about the new privacy regulations or for assistance drafting a WISP or implementing other compliance measures and employer policies, please contact Karen A. Whitley, Esq.

Karen A. Whitley, Esq. represents employers and management in all types of employment-related legal matters, including litigation, training, investigations, and counseling.  Ms. Whitley is a shareholder of the firm and also a founding member of the firm’s WomenatLaw initiative.

Kathleen E. Cross, Esq. is a shareholder of the firm and a founding member of the firm’s WomenatLaw initiative, concentrating her litigation practice in areas of internal business disputes in closely-held corporations and limited liability companies and partnerships, as well as bankruptcy litigation.  Ms. Cross also advises charter schools in all areas of charter school law.

This alert may be considered advertising under the rules of the Supreme Judicial Court of Massachusetts.  The information in this alert is provided for background purposes and should not be considered legal advice.

ICIC is Calling for Nominations

Do you know any fast-growing firms located in an inner city? Are you a high growth inner city company? Initiative for a Competitive Inner City (ICIC) is seeking nominations for its 2009 Inner City Capital Connections Program and 2010 Inner City 100 Program.

For more information and nomination forms, please go to www.icic.org/nominations or call Alex Rodrigues at 617.297.3140.

Reframing the Marketing Plan in a Tough Economy

All too often in difficult economic times, as companies evaluate budgets, marketing programs and personnel are eliminated as a cost saving measure. In most cases this short-sighted decision quickly and negatively impacts lead generation, customer relationship management and perceived competitive differentiation. In fact, a period of market silence can make it difficult – if not impossible – for the company to ultimately achieve the market position necessary to meet its long-term goals.

Rather than starting by eliminating the most expensive programs and personnel, I encourage my clients to take a step back and rethink the overall marketing strategy with the goal of creating a marketing plan that is both affordable and effective. Such an approach starts with reviewing your marketing objectives to make sure they’re aligned with near-term business objectives and long-term business strategy. This exercise is especially critical for young companies, where functional groups frequently work quickly and independently from one another. In a fast-paced, siloed environment, it’s easy to develop a disconnect between marketing and business objectives.

So the first step is to eliminate any marketing objectives that do not directly relate to achieving the company’s business objectives. Sometimes this may require a total reframing of the marketing objectives. Once this is complete it becomes a straightforward exercise to eliminate those programs that don’t serve the new marketing objectives, and to replace them with a marketing plan and programs that do.

Consider the following as you construct or revise your marketing plan:

1. Don’t waste resources on unimportant items. If you are a B2B company, don’t spend countless hours and inordinate money on your company name and logo. Keep it simple. If someone can spell it, pronounce it, and it is unique in its industry and doesn’t offend when translated into another language, then it’s good enough.

The best logo for a B2B company will incorporate the company name. I don’t believe in spending extra marketing dollars trying to make prospects remember an independent symbol that is only meaningful to you. Beyond that, the logo also needs to be shrinkable – in other words, it needs to be recognizable even at a small size. If your logo is grandiose and overly complex, there is a chance that your company name will disappear when it is shown in a small format, such as when publishers or event managers squeeze lots of logos onto a page.

The same lessons apply to product nomenclature. Don’t make your customers choose whether they remember your company name or your product name – trust me, they will never remember both. Keep it simple by focusing on the corporate brand and sticking to basic product names when first launching. Once you’ve built the corporate brand, you can leverage its positive attributes across many product lines.

2. Invest in seasoned experts. Make sure someone is in charge of strategy, positioning and messaging. Hire the most senior person you can afford. Don’t try to save money by hiring a junior marcom manager unless someone on the executive team has a background in positioning and developing a marketing strategy – it will cost you more money in the long run. I’ve seen companies make this mistake over and over again. They hire a junior person who doesn’t understand strategy and who focuses instead on what they know best – execution and “look and feel.” The end result is a lot of expensive programs with beautiful graphics that are disconnected from a positioning perspective and don’t produce measurable results.

If you can’t afford an internal marketing person, then leverage outside consultants. In today’s world, there are plenty of independent marketing specialists (design, web development, events, public relations, writing, etc.) who are more than happy to work on both short-term and long-term projects. In fact, many are open to flexible compensation options (i.e., cash vs. equity) and are willing to work with you to build a solid program within the constraints of your budget.

3. Construct a Positioning/Messaging playbook. The most powerful marketing programs are those in which all program elements are aligned from a positioning and messaging perspective and “everyone is singing the same song.” The easiest way to make this happen is to create a Positioning/Messaging playbook that serves as a reference for all organizations, both internal and external, that are engaged in customer and market communications. The playbook should provide an overview of the company, product positioning goals, and key messages related to the company, its products, competition, strategy, market and customers. Once the playbook is created, distribute it as a confidential document to those persons within the organization who communicate externally with customers, investors and influencers. Provide subsets of the document to external marketing support personnel to ensure consistency in messaging across marketing programs. Treat the playbook as a living document and update it regularly.

4. Pay attention to your website. Most companies make a significant investment in the initial development of their website. The good news is that in today’s economic climate the costs of site development have dropped and talented web development organizations are easy to find. The bad news is that many companies view website development as a milestone event when in fact it should be viewed as an ongoing marketing program.

A website is only valuable if the content is fresh, current and visible. If your last site update is dated six or more months in the past, it sends a message that your company is inactive – not the perception any company wants to create.

Investing in site development but not search engine optimization (SEO) is akin to throwing money away. If you aren’t visible in the search engine results pages, prospects won’t find you. As noted on Intraspin.com, 62% of searchers click on links on the first page of results and only 23% of all searchers progress beyond the first page of results[1]. SEO should be an integral part of all site and content development. Investing in SEO after the site has been designed is like building a house without a foundation – a costly exercise that can undermine all the work you’ve put into the site.

If you don’t know anything about SEO, I strongly recommend that you attend a Bruce Clay Seminar or read Search Engine Optimization for Dummies authored by Bruce Clay and Susan Esparza. Note: one way to keep long-term site costs down is to invest in a content management system (CMS) when you develop the site. This will enable any non-technical company personnel to quickly and easily update the site without the need for external development support.

5. Communicate on a regular basis with prospects and customers. Maintaining mindshare with prospects and customers doesn’t have to be an expensive proposition. Email newsletters, a company blog and phone calls are simple and cost-effective ways to reach out. Keep it short and sweet and communicate regularly. Invest the time in making sure that the information you communicate is relevant and valuable to the recipients. If your missives are not relevant, they will be quickly labeled junk. On the other hand, by delivering something of value, you’ll enhance your position in the mind of your audience.

6. Keep talking to the analysts. I used to be quite negative about working with the industry analysts. With a few notable exceptions (shout out to Tom Nolle who was fantastic!), meetings weren’t productive and frequently deteriorated into the vendor pushing for an endorsement and the analyst trying to coerce the vendor into becoming a client. A lively conversation about the market landscape and technology trends rarely materialized.

It’s a different world now. Recently while working with a client, I had the opportunity to meet with IDC, Forrester and Aberdeen and was more than pleasantly surprised. In all cases the analysts were knowledgeable about our market space, offered great insight, and engaged in a spirited dialogue. We didn’t have to beg for an endorsement. In this new world of social media, if analysts like what you are doing, they blog about it. Likewise, if they don’t agree with your strategy, they also blog about it or say nothing at all. It’s somehow so much more honest.

Of course, analysts would like you to become a client of their firm, but not at the expense of everything else. They understand the current economic climate and its impact on marketing budgets. They’re banking on the fact that if they provide real value you’ll become a client when the budget is there.

So the big message here is: even if you don’t have the budget now, engage with this community. They can offer a big-picture perspective of your industry that is hard to come by when you’re focused on your own day-to-day strategy. Plus they know your competitors and can frequently provide insight into who would make a good partner.

7. Leverage social media. Twitter, Facebook, YouTube, blogs and other social media outlets have given us efficient, cost-effective and useful tools for communicating directly with our key constituent audiences. Having said that, engaging in social media is an extremely time-intensive task. Just because all these new outlets exist doesn’t mean that you need to use them all. Social media options should be evaluated like any other program to determine which, if any, best serve the business objectives.

Once you commit to a social media program, it’s important to stay engaged to gain long-term positive mindshare. While the thought of producing a steady stream of content may seem daunting, don’t forget you have numerous resources within your company. In fact, one of the nice things about social media is that it gives you an opportunity to leverage the talent across your organization. Engineering, operations, customer service and even sales can all become credible public voices for the company. If you are new to social media and unsure of how it fits into the bigger marketing picture, I recommend reading The New Rules of Marketing and PR by David Meerman Scott.

8. Swap out expensive programs for cheaper alternatives. Just because your budget is constrained doesn’t mean you have to eliminate programs in their entirety. Tough times require creative alternatives. Consider replacing a Public Relations agency with a freelance contractor. If you can’t afford a freelance contractor, then restrict your PR activities to social media oriented news releases that you can disseminate easily and cost effectively through outlets like PRweb.com. Instead of large expensive tradeshows consider regional seminars (you can charge for those to help cover costs) or webinars. Instead of printing collateral, invest your money in collateral content development and disseminate electronically.

In today’s economy, you need to squeeze the most out of every marketing dollar. That starts with a solid foundation (i.e., plan) comprising the most effective components for the lowest cost. Regardless of what programs you put in place, you can’t treat marketing as a one-dimensional activity or endeavor. Choose a range of activities and channels that will best help you meet your objectives.

I can’t stress enough the importance of making sure that every program on the marketing plan serves either a short- or long-term business objective. If you can’t articulate how a program does that, it doesn’t belong there. In tough economic times, the old rationalizations of “creates good will,” “is good for the brand” or “helps build awareness” aren’t good enough. Every program that you implement should be measurable against a series of objectives. If the program isn’t successful, it should be quickly eliminated.

By taking the time upfront to map out your plan – and making a commitment to investing needed funds and the best resources – you’ll set the stage for short- and long-term success.

Anita J. Brearton | Managing Director | Golden Seeds, Boston | ajb@goldenseeds.com

[1] http://www.intraspin.com/webstrategyblog/10-statistics-that-demonstrate-the-value-of-seo

Consider Outside Investors? Begin With their Financial End in Mind

What Do Angels and VCs Ultimately Want?
If you are considering taking outside money to fund your company, it is in your interest to understand the goals of your investor. While many entrepreneurs understand the psychic gratification that angels get from helping the next generation of entrepreneurs, they may not understand the implications of capital that’s invested for the purpose of seeking high returns (angel and venture capital). These motivations can drive how long the entrepreneur is involved in the company, when to sell the company, how to prioritize the company budget, recruiting, which customers to pursue and on and on.

To understand the financial motivations and behaviors of angels and venture capitalists, let’s look at the ending they want and work our way back. Both angel and venture capital investors seek investment returns that are greater than what can be achieved by investing in the stock market, say the S&P 500. These investors place capital in and work hard with earlier stage, illiquid but hopefully high growth companies. Why? Because they expect that one or two out of a portfolio of 10 companies will generate high enough returns to pay for all those that don’t pan out, yielding an average return over investments that exceeds the expected S&P return.

Returns are determined by the amount of money invested over the course of the company’s development (capital in), the money paid by the acquirer or the public markets (capital out) and the amount of time that has passed from investment to return. Let’s look at each of these in turn.

Capital In: Capital In is the total amount of capital the company will need over the years to achieve the revenue growth rate or other milestones that will justify the desired (or required) high exit valuation. But it’s more than just the total. Each slice of capital needs to accomplish some critical milestones that take the company to the Next Stage of valuation. Here’s an oversimplified example:

  • Early Stage Financing: You self-funded the company to make a prototype and show it to customers, and you think you know who your “first, best” customers are. You need to generate revenues from a handful of customers to prove the market and the value proposition. To prove this, you might raise $500k from angels or an angel group.
  • Once you’ve validated with some initial customers, you’d like to go after the rest of the customers in that market and perhaps an adjacent market. If they believe the company can grow rapidly, venture capitalists might be willing to invest $2-5M in a Series A financing to flesh out the business. Figure that VCs want to own ¼ to ½ of the equity, so this means the company needs to justify a pre-money valuation in the $3-8M range.
  • Series B is to expand the business faster than organic cash flow can supply. Areas of expansion might include developing related products or markets, expanding internationally, or expanding sales through distribution. Series B might range between $7M to $20M or more depending on the industry and the opportunity.
  • Series C can be to further expand the business beyond cash flow generated, or to create the scale of operations that can achieve profitability.
  • Note: Rarely do companies step without faltering between each of these stages. Sometimes it takes a couple of rounds to accomplish each of these goals.

Capital Out: Several years after the initial investment, investors want to get all their capital back plus some compounded return in compensation for putting the initial capital at risk of 100% loss and being illiquid for several years. Even as angels and venture capitalists consider their initial investment, they are asking themselves, “Can this company generate 5-10x the original investment (after paying for investment bankers, motivating management and employees, paying the fund) over a 5-7 year period?” If the answer is no, then there’s no point making the initial investment.

What types of businesses are acquired in 5-7 years for 5-10 times the original investment? The short answer is companies with very fast growing revenues and/or companies whose revenues can be leveraged immensely by the acquirer’s distribution network. And recent transactions indicate a return to the “old way” of valuing companies: rapidly growing profits that deliver increased valuation to the acquirer’s net income.

Time: Finally, the same Capital In and Capital Out generate vastly different returns depending on the time between the investments and the final exit. In the late 1990’s the average time to exit was less than 3 years. The average time to exit in 2008 is 7 years. If an investor doubles her money in 3 years, that’s a compounded rate of 25%. If another investor doubles his money in 7 years, that’s a compounded rate of 10%. The graph below compares fund vintage to returns. Funds started in 1995-1997 achieved extraordinarily high returns as their companies exited in the bubbly 1999-2000 stock market. Funds started in 1999-2000 have faced lower exit valuations, longer investment times, and vastly increased competition from many new funds, which yielded much lower returns.

Needless to say, venture firms today face huge issues ranging from the large number of companies funded and still alive from 1999-2000, to an out-of-reach IPO market, to an anemic acquisition market, to increased taxes on their long term gains. In fact, some venture capitalists say that the industry would be better off at half its current size.

[Graph: fund vintage compared to returns]

Money Isn’t Everything

This post was meant to discuss the financial motivations of angels and venture capitalists. It’s important to understand their financial goals and therefore the implications to your company, the path forward and your role.

Both angels and venture capitalists bring much more to the table than money. They bring experience, contacts, perspective and hard work that are at least as valuable as the capital invested.

Lucinda Linde, CFO Consultant
Next Stage Solutions
June 2009

Three New Services for Emerging Businesses

Our three new core service offerings help emerging businesses articulate their financial vision:
1. CFO on Demand. In emerging businesses, CFOs are often hired too early or too late; and all too frequently, emerging businesses hire a CFO who is not the right fit. The cost of these mistakes is staggering, both in dollars and efficiency: the average rate of CFO turnover at small and midsized companies is merely 20 months; the cost of screening and hiring two CFOs in a 20-month span can reach as high as $800,000, not including the disruption to the company as it transitions between the two CFOs. NSS confronts this problem by acting as an outsourced CFO on an as-needed basis. This straightforward method creates greater capital efficiency without compromising expertise and eliminates the cost of a CFO search or transition, thereby strengthening the company’s cash flow position.
2. Strategic Finance. Most financial services companies provide their clients with one game plan, strictly focused on the financial picture of the here and now. By contrast, the NSS team equips its clients with multiple game plans: a blueprint for every contingency. Moreover, the NSS plans are focused not only on the immediate fiscal present but also the future, not merely in finance but in operations and management. NSS recognizes that today’s CFO needs to wear many hats and provide the full spectrum of financial guidance to sustainable and growing businesses; governance, compliancy and financial reporting are still important, but they are just one piece of the job.
3. Collective Knowledge. When you hire NSS, you get much more than a pro tempore CFO. NSS offers years of experience – our team possesses complementary skill sets with varied backgrounds, implementing new financial strategies at emerging businesses. Our client-management system is geared toward extensive communication and unparalleled attention to detail. Our team meets regularly to exchange ideas about your company’s challenges. Together, they pass on their collective knowledge to your assigned CFO, who will communicate with you through weekly status reports. As an emerging business ourselves, we understand how difficult it can be to simply keep track of today’s financial headaches, let alone tomorrow’s.