
McGuireWoods LLP presents

Data Security & Privacy

Prepared for the Association of Corporate Counsel, Charlotte

Presented by:

William J. Cook

C. Andrew Konia

Mark J. Maier


Agenda

Identifying the Issues/Concerns

Current State/Impact of Breaches

Susceptible Targets

Key Terms and Standards

Questions You Should Ask

The Laws and Enforcement

Case Studies – PCI/HIPAA/Industrial Espionage

Consequences

The 12-Step Program – Mitigating Risk

What’s the Problem?

Russia & Bulgaria – Organized Crime

China – Advanced Persistent Threat

Unaffiliated Internet Gangs US / Europe

Corporate Inattention

Employees

Not aware of threat magnitude

In the News

Unprecedented rise in the number of hacker attacks and data breaches

Wide range of companies and organizations have been attacked

Sony

Citigroup

ADP

Google

EMC Corp

Epsilon

Lockheed Martin

International Monetary Fund

Senate website

Industry survey showed cost to breached companies averaged $7.2 million (Ponemon Institute survey)

October 2011

Hannaford Data Breach Lawsuit (October 20, 2011)

Class upheld

Foreseeable that data loss will cause individual damages

"A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract."

Widely Used Web Encryption Algorithm is Vulnerable

XML encryption, used to secure communications between Web services, can be exploited.

Allows remote break in without physical access.

DOD $4.98B Data Breach Lawsuit

Proposed class action suit involves TRICARE, seeks $1,000 per victim.

Physical loss of unencrypted data

Healthcare, banks, telecom, governments (fed/state/local) at risk

JavaScript Hacking Tool Can Intercept PayPal & Other “Secure” Sessions (9/2011)

The Million Dollar Subway Ride

An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) left documents on a subway that included a patient schedule containing PHI of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS.

The records were bound only by a rubber band!

Current Targets of Hostile Technology

Individual company loss $1 million to $52 million per incident

Payment Processor Breaches: 130 million customer records

Account Transfers Fraud: $85 million to $255 million keyloggers

Securities and Marketing Trading Exploitation

Bank ID and DDOS - $399,000 from account

ATM Skimming / POS Schemes – one net $600,000

Mobile Banking Exploits

Insider Access – Vendors – Industrial Espionage

Malvertising

Supply Chain Infiltration

Telecom and Network Disruption – DDOS

Know Your Geek Quiz

You Should Know Each of These

AES 128 bit

SSL

RBAC

2 Factor Authentication

8 Characters with Symbol and #

Social Engineering

Law Enforcement

Notification Delay

Business Associate

PCI DSS

Breach Notification

Cloud Security

contracting

DDOS attack

Social Engineering

Ping attack


Corporate Managers are Forced to Ask

How safe are our systems?

What can be done in advance to prepare for an attack?

How should we respond if attacked?

What will our liability exposure be in the event of an attack?

What can be done to protect customers, consumers and trade secrets?

What can be done to reduce losses, minimize potential damages, and protect shareholder value?

Enforcement

Retail environment
- Actual damages from intrusion
- Noncompliance with PCI DSS

HIPAA
- OCR – 150 audits by KPMG before 12/31/12

SEC 10K disclosures under discussion

States
- Breach notification requirements (all but 4 states)
- Security standards based on PCI standards
- Some encryption requirements
- AG lawsuits

The FTC and online/mobile marketers

EU vs. US data storage issues

PCI Case Handling

Define the damage
- Preserve data environment
- Determine point of intrusion
- How long has vulnerability existed
- How long has it been exploited
- Vendor involvement with vulnerability
- Contact law enforcement

Communicate with your bank

Determine, with bank, need for forensic audit

Respond to all credit card company inquiries

HIPAA Breach Case Study

Laptop stolen from key vendor

Investigation disclosed all company PHI, PII and salary details lost

Audit clause of contract triggered at vendor's expense
- Vendor didn’t know data location – most overseas and insecure
- Contrary to contract, vendor didn’t have uniform security practices
- Contrary to contract, vendor didn’t notify company of breach

ePHI Security: HIPAA vs. NIST

| Standard | HIPAA | NIST |
|---|---|---|
| Role-Based Access Controls | Addressable | Based on assigned duties; employee satisfies personal security criteria |
| Unique User ID | Required | Ensures that system activity can be traced to a specific user |
| Two-Factor Authentication | N/A | Provides “high level” of confidence in validity of identity |
| Automatic Session Termination | Addressable | Achieved by locking session or disconnecting network |
| Password Requirements (e.g. character length) | N/A | 8-character minimum |
| Encryption Technology | Addressable | 128-bit AES |

Industrial Espionage Case Study

Immediate Emergency Response Team meeting

Investigate to determine sensitivity level

Bring in outside counsel to supervise and develop plan

Consider outside forensic examination

Interview potential targets

Seize personal computers and personal computing devices

Obtain civil search warrant for subject’s home

Keep written record of each step taken and why


Consequences

Noncompliance (DSSs, Laws, etc.)
- Fines/Penalties from card associations
  On acquiring bank as well (passed through)
- Possible sanctions from federal agencies
- Curtailment/termination of card processing
- Probation
- Actual damages are irrelevant

Data Security Breach

Reputational Damage

Even without breach or noncompliance

Whistleblowing

Exponential effect of social media

Director/Officer Liability/Fiduciary Duties


The 12-Step Program

1. Be proactive!

2. Establish intracorporate, interdisciplinary Emergency Response Team with authority, mission statement and plan
   - Pre and post; internal and external

3. Create risk-based internal information security regime (policies, technology and HR)
   - Ensure appropriate and consistent application and updating (patches)
   - Employee education (keep a record)
   - Discipline and Termination

4. Protect Personal Information
   - Collection, storage and destruction; Encryption; Non-Disclosure

The 12-Step Program (cont.)

6. Cooperate with and use law enforcement and its resources (pre/post)

7. Consider intrusion insurance

8. Protect website, marketing & advertising

9. Media Management (pre/post)

10. Routine audits (QSA)
   - Requires regular monitoring and testing (per PCI DSS)

11. Vendor/contract management (pre/post)
   - All vendors are not created equal
   - Give contract drafting due consideration; ensure responsibilities are specific and feasible; Follow-up

The 12-Step Program (cont.)

12. Know the law and standards that apply to you, and consult with outside counsel when warranted
   - Focus on PCI DSS, SEC requirements and federal and state laws applicable to your business
   - Understand the rapidly changing nature of the laws, regulations and standards
   - Work with experienced and tech-focused outside counsel to establish…
      - The Emergency Response Team and its functions and policies
      - Due diligence track record (pre/post)
      - Compliance programs that meet laws, regulations and standards

Questions or Comments?

900 Lawyers | 19 Offices

www.mcguirewoods.com

© 2011 McGuireWoods LLP

Corporate Preparation & Response to Hacker Attacks

Every day brings more Wall Street Journal coverage of new computer break-ins or an update on earlier break-ins that are worse than previously thought. This rash of heavily publicized hacker attacks on corporate systems has corporate managers questioning how safe their systems are, what they can do to prepare in advance for an attack, how they should respond, and what their liability exposure might be in the event of an attack. Additional issues include: what can be done to protect consumers, customers, and trade secrets; reduce losses; minimize potential damages; protect shareholder value; and otherwise control the problem as much as possible. Some due diligence steps that should be taken include the following:

1. Set up an intracorporate Emergency Response Team now, in advance of any attack. Do not limit its members to IT staff. Effective incident response requires a broad range of corporate talent. Include the corporate risk manager, corporate privacy officer, compliance director, CFO, HR department, the company’s physical security director, an in-house spokesperson and in-house counsel. Document each person’s duties. The CEO and the corporate board should be advised of, and sign off on, the makeup of the Response Team and its authority.

2. The Response Team should meet monthly to go over contingency plans and review the current intrusion trends. These meetings should also include a report from the IT staff about what type of probing the network is receiving from the Internet. Unusual IP addresses that are repeatedly probing the system should be noted. In the event of an intrusion, the Team can quickly form an organized response that minimizes losses and confusion, makes decisions about contacting law enforcement agencies, determines whether outside forensic assistance is necessary and determines immediately whether customers need to be alerted to any data compromises.

3. Only one person speaks to the press. The company spokesperson clears all comments through the Response Team and upper management.

4. The Response Team should reach out and identify local law enforcement agents such as the FBI, the U.S. Secret Service or local police cyber teams before any break-in. Join private sector outreach programs sponsored nationally by these agencies, such as the FBI InfraGard program and the U.S. Secret Service Computer Crime Task Force. A Response Team member should attend the quarterly meetings of these groups to get updated information about current cyber attacks and to gather business cards from agents who specialize in countering cyber attacks. Once you return to the company, circulate the meeting results and the agent contact information to other members of the Team.

5. Consider the rapidly expanding corporate liability for protecting personal information. Twelve states require corporations to provide security for personal information. Three states impose a specific duty to protect credit card information. Additionally, six states require the encryption of personal information held by companies. As a result, inside the company, identify, isolate and/or encrypt the critical assets of your company. This includes stored trade secrets, emails regarding advanced project research, patent research, customer lists, employee healthcare information, stored credit card information and any personal information you save on your customers and employees.


McGuireWoods news is intended to provide information of general interest to the public and is not intended to offer legal advice about specific situations or problems. McGuireWoods does not intend to create an attorney-client relationship by offering this information, and anyone’s review of the information shall not be deemed to create such a relationship. You should consult a lawyer if you have a legal matter requiring attention.

achieve “reasonable security under the circumstances.” After the boxes are checked, steps need to be taken to ensure that internal security standards are actually being applied.

8. Discuss with outside legal counsel, as part of their cybersecurity audit, the advisability of having them hire an outside forensic company to “tiger team” your system for potential holes. They should conduct penetration tests, scan your systems for vulnerabilities and map out your network structure. Their report to legal counsel should be evaluated and used as action items by the corporate Response Team.

9. Obtain, or at least evaluate obtaining, intrusion insurance. The costs are coming down for insurance products offered by some of the largest and smallest carriers.

10. Have the Response Team prepare potential media responses that account for various scenarios: lost trade secrets, lost consumer information, denial of service attacks, etc. Spontaneous comments are no good and “no comment” will often lead to reporters contacting employees for informal comments. It’s better to have a corporate response that is thought out and appropriate if questions are asked.

11. Recognize that in almost all states, consumers whose information has been lost or compromised will have to be quickly notified about the breach. As soon as an event happens, the Response Team needs to start tracking the names of consumers who have been put at risk.

12. If your company webpage has advertising, make sure you know who is placing the advertising on a continuing basis. “Malvertising” is a growing threat to consumers who go to your webpage and trust you to secure your site.

Perfect information protection is not possible and the evolving nature of hostile technology is reflected by the daily news. But, keep in mind, corporate protection from liability is established by a showing of due diligence both before and after a computer intrusion.

McGuireWoods Global Data Security Team

Counseling regarding data protection, including global data breach and privacy issues is one of the services of McGuireWoods’ interdisciplinary Technology & Outsourcing practice. For assistance on UK and EU data protection matters, contact Phillip Rees in London at +44 (0)207 632 1600. For assistance in the United States on export control and data breach issues, contact Bill Cook in Chicago at 312.750.2750 or Janet Peyton in Richmond at 804.775.1166. For assistance with other business matters driven by technology, contact Steve Gold, chair of the Technology & Outsourcing Practice at 312.321.7664.

William J. Cook Partner

77 West Wacker Drive Suite 4100

Chicago, Illinois 60601-1818 T: 312.750.2750

F: 312.698.4536

wcook@mcguirewoods.com

Mr. Cook focuses his practice on IP litigation, internal investigations, data security and privacy counseling and litigation and export and import regulatory compliance and litigation. He served as an assistant U.S. attorney in Chicago, serving for 14 years in the Special Prosecutions Unit of that office. He has tried 85 cases as a prosecutor and in private practice. Each year since 2008, he has been recognized as a "Leader in the Field" by Chambers USA and Global for his security and privacy practice.

As an intellectual property litigator, he handles cases involving trade secrets, copyrights, patents, malvertising, privacy rights, and unfair competition before federal and state courts and the FTC. He has handled white collar criminal matters for victims and defendants concerning healthcare fraud, defense contracting fraud, mail fraud and violations of U.S. export restrictions. He conducts internal corporate investigations involving industrial espionage, employee misconduct, computer intrusions and corporate security audits. He also has experience with e-commerce, as well as advertising, database protection and domain name transfers. He also counsels clients with respect to all aspects of the payment credit card industry data security standards (PCI DSS) and related liability exposures. He counsels corporate clients regarding business continuity planning, export and import regulations, regulatory compliance with HIPAA and other federal security standards.

Mr. Cook also advises clients on export and import regulations and compliance with respect to the Commerce Department’s Export Administration Regulations and the State Department’s International Traffic in Arms requirements. He litigates matters with respect to export and import compliance, as well as new shipper review designations.

Representative Matters

• Conducts complex, internal investigations into alleged violations of Payment Card Industry Data Security Standards by Fortune 500 oil, health, office supply and sporting goods companies, as well as health club and fashion retailers. Following the internal investigations, handles settlement negotiations with Visa and MasterCard, and represents the retailers before the FTC in Washington.

• Conducted privacy and data security liability audit of international construction company's intranet and extranet, including evaluation of ramifications of new state employee privacy protection requirements, as well as an evaluation of Commerce Department export control issues surrounding international intranet/extranet exchanges of technical information.

• Conducted deemed export audit of international chemical manufacturing company, established Commerce Department required export control and information security program and handled the company's voluntary self disclosure (VSD) petition with the Commerce Department's Office of Export Enforcement.

• Advised U.S. corporation regarding encryption export control requirements.

• Advised U.S. corporation on U.S. privacy laws regarding employee privacy expectations in personal communications devices used for company business.

• Defended U.S. company charged with illegally importing commodities from China and impeding Commerce Department's new shipper review investigation.

• Conducted investigation into cloud computing data loss from a Fortune 500 telecommunications manufacturer as a result of security vulnerabilities with their CRM vendor.

• Appointed receiver by Judge John Grady over a multimillion dollar telephony telemarketing fraud case brought by the FTC.

Education

• Creighton University Law School, Omaha, Nebraska, J.D., 1973

• Creighton University, Omaha, Nebraska, B.A. History, 1968

Honors

• Named a "Leader in the Field," Privacy & Data Security, Chambers USA & Global, each year since 2008

• U.S. Justice Department Special Commendation and Special Achievement Awards

• Federal Bureau of Investigation Commendation for Computer Fraud Prosecutions and Establishing Chicago FBI/ InfraGard Program

• U.S. Customs Commissioner’s Award for Export Prosecutions

• U.S. Commerce Department Award for Commerce Commodity Control Litigation

• U.S. Secret Service Award for Law Enforcement Assistance

Previous Experience

• Partner, Wildman Harrold Allen & Dixon

• Assistant U.S. Attorney, U.S. Justice Department, Chicago, Illinois, 1975-1991

• Chief Computer Crime Task Force, Regional Coordinator of Counter-Espionage and Counter-Terrorist Investigations

• Justice Department Representative to Regional FEMA Office

Publications


• “Increased Federal Scrutiny, Sanctions & Penalties for High Tech Companies,” McGuireWoods News, June 2, 2011

Classes Taught

• Adjunct Professor, Internet and Web Law, University of Illinois Law School

• Guest Lecturer, Information Security Law and Liability, Harvard, Yale, Purdue, University of Illinois, University of Salzburg

Speaking Engagements

• "Legal Incident Response to Computer Intrusion from the Cloud," SC International Congress Conference, New York, New York, November 11, 2010

• "Cloud Computing – Legal Best Practices," SC International Congress Conference, New York, New York, November 11, 2010

• "Data Breaches: Lessons Learned and Guidelines for Developing an Incident Response Plan," PLI 10th Annual Institute on Privacy & Security Law, July 21, 2009

• "Internal Investigations and Breach Liability" IDGA Cyber Security Conference for National Defense Contractors, Washington, D.C., May 19, 2009

• "Current Information Security Threats and Security Laws and Liabilities," International Corporate Executive Program, London, May 7, 2009

• "Internal Investigation Of PCI Compliance and Data Breaches," VeriSign's Corporate Briefing Series, Rosemont, Illinois, March 26, 2009

• "Internal Investigations into Data Breaches and Liability Exposures," Litigation Management Super Course, Network of Trial Law Firms, Carefree, Arizona, October 31, 2008

• "Internet Liability and Future Issues," President's National Security and Telecommunications Committee, Washington, D.C., November 2007

• "Internet Liability Issues," Executive Forum of the International Computer Emergency Response Teams, Boston, Massachusetts, November 2007

• "Internet Law and Liability Circa 2007," Northwestern University, Chicago, Illinois, October 2007

• "Internet Privacy and Liability," International Association of Privacy Professionals, New York, June 2007

• "Scope of HIPAA and Internet Liability," Marsh Health Care Liability Conference, Geneva, Illinois, June 2007

• "Internet Security Standards and Enforcement," Remington Security Roundtable, Rosemont, Illinois, May 2007

• "Payment Card Industry Security Standards," Petroleum Industry Attorneys, Washington, D.C., April 2007

• "Legal Aspects of the Payment Card Industry Standards," PCI Expert Forum, San Francisco, California, March 2007

• "Data Security Liability," National Science Foundation Cybersecurity Summit, Washington, D.C., February 2007

• "Online Fraud," CLE Cyber Law Forum, San Francisco, California, November 2006


Professional Affiliations

• President, Infragard - Chicago (F.B.I. computer crime unit community reach out program)

• Founding Member, U.S. Secret Service Chicago Electronic Crimes Task Force

• American Bar Association

• Illinois State Bar Association

• Chicago Bar Association

• National Science Foundation’s Critical Infrastructure Protection and the Law Committee, 2001-2003

• Illinois Commission on Electronic Commerce and Crime, July 1996

Civic Affiliations

• USA Triathlon Association

• U.S. Army Ranger Association

Admitted

• Illinois 1975

• U.S. Court of Appeals for the 7th Circuit 1975

• U.S. Supreme Court 1978


C. Andrew Konia Partner

1750 Tysons Boulevard Suite 1800

Tysons Corner, Virginia 22102-4215 T: 703.712.5071

F: 703.712.5294

akonia@mcguirewoods.com

201 North Tryon Street

Charlotte, North Carolina 28202 T: 704.343.2070

F: 704.444.8834

Mr. Konia counsels companies on a wide variety of corporate and transactional topics, with a focus on the negotiation of large-scale complex commercial contracts for Fortune 500 clients. He has particular experience identifying and correcting risks (gaps and deficiencies) present in a company’s "lifeblood" contracts in order to strengthen that company’s competitive position in the marketplace. Mr. Konia helps clients anticipate and avoid costly disputes and litigation with their vendors and institutional customers. He and his team provide, usually on an alternate fee basis, an individually customized and comprehensive review and evaluation of the client’s suite of contracts, together with suggested recommendations for remedying deficiencies determined during the analysis. Depending on the client’s needs and objectives, he can then undertake a full-scale revision and renegotiation of the relevant agreements, or develop a more targeted approach of focusing only on the essential provisions.

Mr. Konia also has substantial experience in general corporate governance, M&A and private equity. He regularly counsels companies on a variety of topics and transactions, including entity selection and formation, equity and debt financings (control and non-control), securities


Practices & Industries

• Securities & Corporate Finance

• Technology & Software

• Private Equity & Venture Capital

• Mergers & Acquisitions

• Intellectual Property

• Emerging Company & Venture Capital Group

• Sports Law

• Technology & Outsourcing

Representative Matters

• Assisted Fortune 100 wireless telecommunications provider in negotiating with an industry-leading debit card provider to migrate the client's rebate submission and issuance program from a check-based system to a prepaid debit card-based system.

• Routinely represents multiple technology and healthcare companies in connection with various M&A transactions, venture capital investments and private equity financings.

• Represents medical device companies in negotiating strategic alliance, linking and intellectual property licensing transactions.

• Negotiated key business and legal terms on behalf of financial services company with its e-commerce and online banking services provider, focusing on consumer electronic billing and payment services, e-bill hosting and distribution services, service level agreements, pricing models, integration of legacy platforms and protocols relating to information security, fraud management and disaster recovery.

• Represented international property and casualty insurance company in negotiating and drafting global information systems outsourcing agreements with ACS Outsourcing Solutions.

• Represents Southeast regional supermarket chain in negotiating and drafting technology, pharmacy and consumer products vendor contracts, including agreements with Western Union, IDT Telecom, Taleo and Accruent.

• Managed negotiations and document drafting for leveraged buyout of assets of manufacturing business.

• Represented international industrial thread manufacturing company in negotiating and drafting various supply chain and customer contracts, including agreements with General Electric, Michelin and Kimberly-Clark.

• Negotiated and drafted value added reseller and sales agent agreements for publicly held industrial products company.

Education

• University of Virginia School of Law, Charlottesville, Virginia, J.D., 1999

• The Darden Graduate School of Business, University of Virginia, Charlottesville, Virginia, M.B.A., 1999

• Georgetown University, Washington, D.C., B.S. Foreign Service, magna cum laude, 1993

Previous Experience

• Member, Helms Mulliss & Wicker, PLLC, Charlotte, North Carolina

• Morris, Manning and Martin, Charlotte, North Carolina


Professional Affiliations

• North Carolina Bar Association

• North Carolina Bankers Association

Civic Affiliations

• Chairman, Men for Change, Domestic Violence Prevention, 2005-2010

• Board of Directors, Oratorio Singers of Charlotte, 2006-2010

Admitted

• Virginia 2011


Mark J. Maier Associate

1750 Tysons Boulevard Suite 1800

Tysons Corner, Virginia 22102-4215 T: 703.712.5135

F: 703.712.5296

mmaier@mcguirewoods.com

Mr. Maier uses his multifunctional background as an electrical engineer, business executive and U.S. Army officer to promptly close technology, outsourcing, intellectual property and corporate transactions. He also helps his clients obtain, retain and grow government contracts by navigating through and complying with regulations covering acquisitions, telecommunications and data security. His recent areas of focus include:

• Classified services and products.

• Mitigating security risks arising from enterprise wide commingled data.

• Billion-dollar international IT and business process outsourcing.

• Defining, productizing and protecting intellectual property and trade secrets.

• Implementing substantial telecommunications service for wireless broadband frequency spectrum licensing.

• Negotiating government prime and sub contracts on M&As, alliances, bid protests and go-to-market strategies.

• Counseling on the D/FARs, NISPOM, FCC CFRs, PCI DSS, IRS REIT, state PUC, etc.

Mr. Maier began his career as the engineer in charge of four quality assurance teams that evaluated telecommunication, radio and voice systems across Europe. He then moved into the computer industry where he designed networks, installed software and configured applications while living in Denmark, Australia and Boston.

While called back to active duty in the U.S. Army for Operations Enduring Freedom in Afghanistan and Iraqi Freedom, Mr. Maier was the CIO (aka, the "J6") for his 5,000 person joint special


created a new capability being used by senior military and intelligence leaders in the global war on terror and worked directly with the Iraqi chief judge and numerous coalition attorneys to establish Iraq’s new judicial system known as the Central Criminal Court of Iraq.

Department

• IP Litigation/Patents

Practices & Industries

• Government Contracts

• Emerging Company & Venture Capital Group

• Intellectual Property

• Mergers & Acquisitions

• Professional & Business Services

• Technology & Outsourcing

• Technology & Software

Education

• Suffolk University Law School, Boston, Massachusetts, J.D., magna cum laude with Distinction in High Technology Law, 2000

• Dean’s List

• Pennsylvania State University, University Park, Pennsylvania, B.S.E.E., 1987

• Army ROTC

• Distinguished Military Student

• Dean’s List

• Delta Chi Fraternity

Previous Experience

• Corporate Attorney, Mayer, Brown, Rowe & Maw LLP, Washington, D.C., 2000-2006

• Area Manager, Compaq Computer Corporation, Lexington, Massachusetts, 1994-2000

• Senior Consultant, Bull HN Information Systems Inc., Billerica, Massachusetts, 1994

• National Systems Engineer, Datacraft Australia Pty. Ltd., Fyshwick, ACT, Australia, 1993

• Senior Network Engineer, Aage Hempel International A/S, Taastrup, Denmark, 1991-1993

• Quality Assurance Manager and Information Systems Integrator, U.S. Army Information Systems Engineering Command, Worms, Germany, 1987-1991

Publications

• Backdoor Liability from Internet Telecommuters, 6 Computer L. Rev. & Tech. J. 1, Fall 2001

• Affordable Internet Access for All Americans, 6 Rich. J. L. & Tech. 8, Fall 1999

Speaking Engagements

• "Building Your Company for Growth and Successful Exit," McGuireWoods LLP 2010 Seminar Series, January 28, 2010


• "Intellectual Property and Legal Careers for Engineers," Pennsylvania State University College of Engineering, University Park, Pennsylvania, October 11, 2007

• "Intellectual Property for Engineers," Pennsylvania State University College of Engineering, University Park, Pennsylvania, November 9, 2006

Certifications

• Top Secret / Sensitive Compartmented Information (TS/SCI) Security Clearance

• Microsoft Certified Systems Engineer (MCSE)

• Certified U.S. Government Contracting Officer’s Representative (COR)

Military Service

• Lieutenant Colonel, U.S. Army Signal Corps, 1987 - Present. Active Duty and Reserves tours in Europe, Afghanistan and Iraq with Special Forces, joint and conventional units. Bronze Star. Airborne parachutist. Formal leadership, management and staff training.

Professional Affiliations

• Vice Chairman & Voting Member, Montgomery County’s Dickerson Area Facilities Implementation Group

Admitted

• Virginia 2008

• District of Columbia 2001

• Massachusetts 2001

Languages

• Danish

Place of Birth
