As we wrote recently, a global survey of senior technology executives conducted by KPMG and Oracle revealed that worrying about data security is the thing that most keeps them awake at night. The concern is especially acute for data stored in the cloud, but it also exists for on-premises servers.

For users of ERP software systems, this can be especially troubling. Every ERP system may hold a wealth of information about everything from production techniques to the supply chain and customers, from financial data to employee information, and other highly sensitive, often proprietary secrets.

ERP data security continues to loom as a huge issue during the COVID-19 emergency. Some employees in some states are back in the office, others may still be at home using their own PCs and other devices as they work. Senior executives, in-house counsel, technology directors, and even line employees all must understand and work to mitigate the mounting risks of breaches and leaks, even those that are inadvertent.

There are five must-do steps that organizations need to take in checking ERP data security and then close any gaps that are revealed.

1 – Assume nothing. Begin with the premise that the outcome is unknown. We have lost track of the number of times over the years when a client stated, “But we had everything under control!” when, in fact, the opposite was true.

Making assumptions will put an organization at risk. Surmising in advance where the greatest security risks may be can have a devastating effect on even the most-sophisticated organization.

Rather, consider the evidence that emerges before reaching any conclusions. The bias that bedevils data security is when decisions are not made from facts; even professionals search for information that supports their original assumption.

2 – Use every tool to assess risks. Recognize that no single tool will solve the problem of ERP data security. For example, assuming that a firewall, an anti-virus program, and a Security Information and Event Management (SIEM) program are foolproof all but guarantees failure. While essential on their own, their shortcoming is that they miss what might be happening in between their protections.

It is far safer to also assess risks that may arise elsewhere, using things such as network detection and response software. Without a comprehensive solution, a company will only be scratching the surface of knowing the data security in its ERP software system.

3 – Keep an open mind. Something often happens in the brain when a data security professional is testing a system such as ERP: They are accustomed to spotting problems in the same places, which has them looking for something here when the problem may be over there. This raises the possibility of overlooking a danger.

So, it is vital to keep an open mind to what the data is showing, not what anyone expects it to reveal. This does not mean ignoring years of accumulated experience and expertise. It does require including the possibility of chance in the discovery process, to see what might be seen, uncovering a threat where one was not expected to be found.

Relying on the history of what you have always found in the past creates its own bias. It is vital to look at the data from all angles.

4 – Don’t judge in advance. Many security professionals are influenced by what they have been accustomed to seeing on their network. This is what they often look for first and, when they find it, might assume they’ve located a problem.

But what appeared on Monday may not have anything to do with something that is occurring on Tuesday. This sort of judgment call undermines the ability to make a comprehensive determination of the potential risks in the system or the network.

No matter how keen one’s judgment and experience might be, a holistic approach – and solution – to solving a problem is needed. Professionals need to see everything happening on a network.

5 – Beware of what the eye sees. Both state-sponsored and criminal threats often come from what could be considered primarily benign tools to penetrate an ERP software system. Be wary. A small discrepancy that isn’t usually perceived as a genuine threat could well be masking a more lethal attack.

The best security teams look for – and often find – genuine threats in places where they had not been expected or discovered previously. Often, a threat is lurking in a most unlikely place.

Combine the tools you have with the knowledge and experience you’ve gained to separate a threat from legitimate activity.

Never Be Totally Certain

One of the things we have learned as data security attorneys who have spent much of our career working with ERP is that users often hit bad road bumps when they are absolutely, positively, totally certain about an outcome.

Yes, experience and training are important. But security professionals responsible for the safety of an ERP software system must go out of their way to ensure that they don’t have blind spots masking problems that prevent finding a solution to an issue.

If you are a corporate executive, general counsel, or network professional and have questions about ERP data security, feel free to contact us. If we cannot provide an answer, we can refer you to reputable consultants and advisors who can.

A debate is raging between some politicians and public health officials over the timing of reopening the economy. Noisy arguments in the news media, on Facebook or Twitter aside, the fact is that corporate executives need to be thinking seriously about the status of planned ERP software system upgrades or proceeding with projects that were slowed or put on hold during the COVID-19 emergency.

A recent report from McKinsey & Co. suggests that a corporate reopening strategy needs to include shifting IT and technology to what amounts to a restart mode. Prime among them is accelerating digital transformations to ensure they reflect the needs of customers, employees, and the status of an entire supply chain.

McKinsey writes, “The IT infrastructure (including ERP) must be relevant, secure and able to meet emerging (and changing) expectations … Executives will need to draw up a business-led technology road map to accelerate their digital transformation with urgency.”

This speaks directly to issues surrounding ERP software systems during and after COVID-19 and why users should at least consider fast-tracking projects regardless of whether lockdown restrictions are eased.

Assess, Measure, Recalibrate

Granted, any technology project must reduce a company’s costs during and after the emergency. Yet investments in the right ERP technology can contribute significantly to growth during a recession that shows no near- or intermediate-term signs of recovery.

The key is to ensure that the project is relevant to an organization’s digital ecosystem in whatever comes during and after the pandemic.

If the contract for an ERP software system is negotiated and drafted – or redrafted – properly, and performance of the vendor and integrator is monitored closely, once it comes online the system should help enable the user to restart successfully and cost-effectively. Here are five things a company needs to keep in mind as it considers fast-tracking at least portions of a new or upgraded ERP software system sooner rather than later.

1 – Business has changed. What ERP consultant Eric Kimberling calls the “next normal” will require another major change as dramatic as the one when the lockdowns were ordered. ERP users will continue to face a raft of unknowns that won’t be clear for some time to come. The user’s operation may be functioning in one location but not in another. Supply chains will continue to be disrupted, or new sources will need to be onboarded. Access to markets may be restricted.

2 – Recalibrate your ERP strategy. For most ERP users, what was a solid technology strategy in February 2020 may not be valid or even practical today. After the broad corporate strategy and direction are recalibrated, do the same with the ERP strategy because it may need to be altered or modified. This does not mean that an integration needs to be deferred. Rather, it might be necessary to change the requirements that led to upgrading a legacy system or installing a new one prior to the pandemic. ERP vendors and integrators are much more likely now to be willing to renegotiate the terms of a contract.

3 – Create a new implementation roadmap. One of the reasons so many ERP integrations fail and end up in a prolonged court battle is that the user did not start with a clear idea of the implementation process and how milestones would be measured and monitored. Not doing this always has been an expensive mistake but in the time of COVID-19, it can lead to disaster for the company with an impact on not just operations but the bottom line. Whether or not you used a consultant at the beginning of the project, retaining one now is critical to restart or launch an ERP project.

4 – Include a change management program. Everyone in your organization has been affected by the pandemic, whether through something as simple as wearing masks and stay-at-home orders, or because their pay was reduced and their job redefined. Just as senior management needs to work closely with IT to monitor the progress of an ERP project shifting back into high gear, they also need to collaborate with HR to create an effective change management program. Many employees still are in a kind of shock from the effect of the pandemic on their daily lives. No matter how relieved they might be at escaping the worst effects of COVID-19, without an effective change management program in place they are likely to revert to form fairly quickly and try blocking any significant shift in how they do their job.

5 – Executives can control the change as they restart ERP projects. Despite the many unknowns over the next six to 12 months, senior management can find ways to control restarting ERP software system projects effectively. Doing so requires understanding how the project will fit into Kimberling’s “next normal” and what the system needs to deliver now, however the business has had to change.

Restarting ERP With Care and Caution

A problem that has plagued many ERP projects is a slow decision-making process and seeing ERP as a technology solution rather than a management tool.

Put bluntly, right now slow decision making is the same as not deciding. A plan-ahead team is needed to identify and work through potential stumbling blocks.

One way to avoid possible problems is to work with counsel to renegotiate contract provisions that need reconfiguring to the corporate reality of today. As we mentioned, vendors and integrators are in a vulnerable position at the moment. In particular, certain deliverables and the detailed responsibilities of the user, the vendor and the integrators need to be very specific. Spell out what work will be subcontracted, and which party will be responsible for third-party performance.

Having spent our professional life dealing with ERP contracts, we’d be happy to share our thoughts on restarting a project. We can also refer you to independent, technology-agnostic consultants to advise on the business issues involved, and to oversee the work of all of the participants. Feel free to call or send an email.

In July, the European Court of Justice ruled that the Privacy Shield, which allows for the transfer of data on European Union (EU) residents to the United States, is invalid. Privacy Shield certification was granted to companies if they met certain requirements regarding data security and information use.

The agreement between Washington and Brussels ensured that U.S. companies adhered to EU standards on data protection and privacy. In exchange, businesses were able to shift personal data on EU residents. But the high court ruled that American laws do not provide adequate protection for personal data.

While the ruling does not entirely kill data transfer, it still has major implications for users of ERP software systems and other businesses that hold information on European customers, suppliers, and employees, and want to move it across the Atlantic.

As a result, U.S. businesses that have been shifting personal data to America from the EU now need to find a new process or they will face potential fines under Europe’s General Data Protection Regulation (GDPR).

ERP Users Need to Adapt

More than 5,300 American companies were Privacy Shield participants, including hundreds that have been shifting ERP data to the U.S. from Europe. 

Although the ruling continues to allow one annual data transfer, there is a complication that must be taken into account: ensuring that transferring data does not add any additional risks to security. The European court makes it clear that a more in-depth assessment of an organization’s data collection and transfer process is required. 

What this means for ERP users – along with any other business shifting personal data into the United States – is that they need to evaluate the sensitivity and volume of data transfers as well as whether there is a genuine business need to move the information into the United States. 

To justify data transfers, ERP users must assess what type of additional data security safeguards are required. While data can still be transferred “if necessary,” some clients are telling us that they are considering barring any transfers altogether.

Greater Compliance Burdens

The Privacy Shield was a single set of compliance requirements covering all personal data. Because the European court decision continues to allow Standard Compliance Contracts (SCC), the lives of chief information officers and chief information security officers have become even more complicated: SCCs are specific to each data movement, and a large organization might have hundreds of them in place.

Compliance officers need to work closely with counsel to understand not just what the ruling means but to understand data flows across the entire company – often one of the key purposes of ERP.

Businesses now are required to evaluate each data transfer recipient to determine whether they provide an adequate level of protection. This means assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes, and what safeguards are available. Few businesses are able to make those assessments. 

Another U.S. – EU Clash on Privacy

This is the second time the European court has struck down a data transfer agreement between the EU and Washington, the first being when it invalidated the so-called “Safe Harbor” rules. The U.S. sorely needs to adopt a tough national privacy and data security law. Privacy reform should be crucial for the business interests of Silicon Valley and all ERP users.

Taft partner Scot Ganow, co-chair of the firm’s Privacy and Data Security Practice, will present an interactive virtual session for The Greater Cleveland Partnership’s Tech Week 2020 on “California is Just the Beginning: Why Small Businesses Need to Think Big about Privacy & Security. Now.”

Ganow will give attendees a primer on what they should be doing to be ready for enforcement of California’s new privacy law. In addition, he will discuss why companies should use this opportunity to strategize on how a broad approach to data privacy and security will not only keep them “compliant,” but will also elevate and distinguish their business from the competition.

Ganow’s session will be part of a virtual half-day symposium on Aug. 27 from 1 p.m. – 5:30 p.m. The program targets business owners, CEOs, and other C-level executives. Relevant information and education about cybersecurity, including cybersecurity basics, cybersecurity insurance, the legal landscape/legal considerations, cybersecurity risks, and mitigation strategies will be presented.

Launched in 2011, The Greater Cleveland Partnership’s Tech Week is an annual initiative to support and engage the local tech community through education, networking, and programming for entrepreneurs, executives, students, educators, and other stakeholders of the IT industry.


State Farm got the Internet’s attention this year with a deepfake advertisement of ESPN SportsCenter anchor Kenny Mayne. To many, this was an introduction to a new and accessible technology that creates convincingly realistic fake videos.

Nearly anyone with Internet access can create a realistic video clip of events that never happened. Deepfakes are videos that use artificial intelligence to “face-swap” one person’s face (often a celebrity or politician) onto another person’s body. Deepfakes are created by a pair of neural networks called Generative Adversarial Networks. One of the networks uses a set of real images to create new, fake images. The opposing network then attempts to tell the fake images from the real ones. This adversarial relationship continues until the first network produces images that the second network can no longer distinguish from real ones.
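To make the adversarial loop concrete, here is a toy one-dimensional GAN in pure Python. It is an added example, not code from the original post or from any deepfake tool: the “real images” are constructed samples from a normal distribution with mean 4, the generator only learns a single offset, and the discriminator is a logistic classifier, so the two players can be trained with hand-written gradients. What it shows is the mechanism the paragraph describes: the discriminator first learns to separate real from fake, the generator then moves toward the real data, and the discriminator’s weight decays toward zero once it can no longer tell the two apart.

```python
import math
import random

# Constructed "real" data: stands in for the set of real images a GAN is
# trained on. Values are chosen for this example only.
REAL_MEAN = 4.0
REAL_STD = 1.0


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def real_batch(rng, n):
    """Constructed 'real images': samples from N(REAL_MEAN, REAL_STD)."""
    return [rng.gauss(REAL_MEAN, REAL_STD) for _ in range(n)]


def generate(theta, rng, n):
    """Generator: shifts standard-normal noise by a learned offset theta."""
    return [theta + rng.gauss(0.0, 1.0) for _ in range(n)]


def discriminate(w, b, x):
    """Discriminator: logistic classifier, output = P(x is real)."""
    return sigmoid(w * x + b)


def train_gan(steps=4000, batch=64, lr_d=0.05, lr_g=0.05, seed=0):
    """Alternate discriminator and generator updates.

    Returns (theta, w, history): the generator offset, the discriminator's
    weight, and (step, theta, w) snapshots taken every 500 steps.
    """
    rng = random.Random(seed)
    theta, w, b = 0.0, 0.0, 0.0  # generator offset; discriminator weight/bias
    history = []
    for step in range(steps):
        real = real_batch(rng, batch)
        fake = generate(theta, rng, batch)

        # Discriminator step: gradient ascent on
        #   mean log D(real) + mean log(1 - D(fake))
        grad_w = grad_b = 0.0
        for x in real:
            d = discriminate(w, b, x)
            grad_w += (1.0 - d) * x
            grad_b += 1.0 - d
        for x in fake:
            d = discriminate(w, b, x)
            grad_w -= d * x
            grad_b -= d
        w += lr_d * grad_w / batch
        b += lr_d * grad_b / batch

        # Generator step: gradient ascent on mean log D(fake) (the
        # "non-saturating" generator loss); d/dtheta log D(x) = (1 - D(x)) * w
        grad_theta = 0.0
        for x in fake:
            grad_theta += (1.0 - discriminate(w, b, x)) * w
        theta += lr_g * grad_theta / batch

        if step % 500 == 0 or step == steps - 1:
            history.append((step, theta, w))
    return theta, w, history


def generator_error(theta):
    """How far the generator's output distribution is from the real one."""
    return abs(theta - REAL_MEAN)


if __name__ == "__main__":
    theta, w, history = train_gan()
    for step, t, wt in history:
        print(f"step {step:5d}  generator offset {t:6.3f}  discriminator w {wt:6.3f}")
    print(f"final generator error: {generator_error(theta):.3f}")
```

Running the block prints the generator offset climbing from 0 toward the real mean of 4 while the discriminator weight rises and then shrinks back toward zero, which is the equilibrium the paragraph describes. A real deepfake model replaces the single offset with millions of convolutional parameters, but the alternating two-player update is the same.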

At worst, deepfakes can threaten consumers’ ability to rely on information they see online – even more than “fake news.” At best, deepfake technology can be used to create more affordable and accessible content. Your business should be aware of the prevalence of deepfake technology to both guard against its dangers and become aware of its ability to generate helpful content.

Deepfakes Threaten Private Sector Businesses

Deepfakes pose unique risks to private sector businesses and rapidly evolving deepfake technology might allow for attacks on companies by unprecedented means.

ShuftiPro, an identity verification software company, warns that deepfakes are used to tarnish business reputations by staging fake events or spreading fake news about businesses or individuals. Bad actors can also use them to impersonate executive officers of companies – even on a Zoom call – and give misleading or detrimental instructions to a company. Deepfakes circulated on social media can threaten publicly traded companies by creating fake news of takeover bids, scandals, or breakthroughs in an attempt to manipulate stock prices.

Social media also makes it possible for a single deepfake video to alter public perception of a brand or business, even if it later comes out that the video was fraudulent. This inflicts lasting damage on businesses and individuals, regardless of whether the victimized party can later prove its innocence.

Companies are also responsible for navigating ambiguities and unpredictability in the law surrounding deepfakes. Deepfakes have garnered the attention of legislatures across the country. In 2019, the U.S. Senate passed the “Deepfake Report Act.” The bill remains pending in the House.

Many states, including California, Texas, and Virginia, have already enacted laws regulating deepfakes through criminal and civil causes of action. This area of the law will quickly evolve in the coming years, affecting issues ranging from privacy torts, the First Amendment, and intellectual property.

The Upside — Benefits of Deepfakes

While troubling in many ways, deepfakes also present many positive educational, entertainment, and marketing opportunities.

In education, deepfakes can make lesson plans come to life. For instance, Scottish company CereProc used deepfake voice-cloning technology to assemble “lost” audio of the speech President John F. Kennedy intended to give in Dallas the day of his assassination. The Illinois Holocaust Museum and Education Center used deepfakes to showcase interviews with 15 Holocaust survivors and allow visitors to ask questions of the survivors. Last year, the Dalí Museum in St. Petersburg, Florida, displayed a deepfake of the artist explaining his artwork and taking selfies with museum visitors. Businesses can similarly enliven training and educational materials.

Likewise, deepfakes revolutionize entertainment and advertising. Production companies can forgo re-shoots by using deepfakes to correct filming errors and adjust scripts. What’s more, deepfakes can expand the global reach of content by seamlessly dubbing scripts into other languages.

Deepfakes also present other amusing advertising opportunities. As mentioned above, viewers lauded State Farm’s TV commercial that used deepfakes to feature an ESPN analyst from 1998 accurately predicting events in 2020. This type of creative use can create marketing opportunities that leave a lasting impression.

So, while businesses should beware of the downsides of deepfakes, they should also consider how this can be an effective tool to cut costs, expand markets, and energize advertising and education.

Next Steps — Creative Solutions for Using Deepfakes

In the future, deepfakes may be the source of many headaches and successes for businesses. The first step in familiarizing yourself with this new technology is to protect your business and employees.

Start by training employees to recognize the difference between real and fabricated content. Employees should be able to acknowledge the difference between real videos and deepfakes before sharing them on company pages and social media. Continually monitor your business’ online presence. To prevent the spread of false information, search for videos related to your company and employees. Finally, stay on top of the latest technology for detecting and avoiding fraud.

While deepfakes can present an obvious threat to your business’s reputation and finances, they can also serve as a creative marketing solution. Consider reaching out to your marketing team to see if they can translate videos into multiple languages to make them more accessible to a wider audience. Alternatively, you might consider using deepfakes to create new ads out of pre-recorded clips. An appropriate application of the technology can save your business time and money. Businesses may also consider using deepfakes to animate corporate training videos and programs.

Whether you are concerned about the potential risks of deepfakes or are interested in using deepfake technology as a business tool, Taft’s Technology team would be happy to help you navigate this new legal landscape.

This blog post was written by Taft summer associates. 

As SAP and some other vendors are forcing users of ERP software systems into vendors’ proprietary clouds, a significant percentage of the world’s Chief Information Officers are concerned about the security of the data being stored there.

This is one of the main takeaways from a KPMG and Oracle survey released during the midst of COVID-19. Due to the timing, many executives may have missed this news as they focused on the security and safety of their families.

ERP security is not the only concern for technology heads – this applies to all information stored in the cloud. However, for many public and private sector businesses, ERP contains a huge amount of information, concentrated in one place and covering many functions in the company. The global study also found that CIOs are concerned about how their organizations are taking a mixed, often confusing approach to data security.

(We highlighted some of the growing issues surrounding ERP migration to the cloud in an earlier blog post from Sept. 2019.)

Multiple Security Systems

The hodge-podge approach to security in ERP software systems is just one thing keeping technology chiefs awake at night.

  • Some 78% of respondents said they used more than 50 discrete cybersecurity products to protect their data and nearly four in 10 use a whopping 100 or more, making them concerned about how they do – or do not – work together.
  • Organizations that uncovered misconfigured cloud services experienced 10 or more data loss incidents in the previous 12 months.
  • A mere 8% of those surveyed fully understand the shared security responsibility for data stored in the cloud, that is, what they are obligated to protect and what the cloud provider oversees.

Many organizations responded to the stay-at-home orders, which left everybody working remotely, by accelerating the move of both workloads and data to the cloud. In doing so, they exposed existing vulnerabilities and created new ones in the protocols governing company systems.

Despite this, 92% of respondents do not believe their organization is well-prepared to secure data in public cloud services. Eighty percent take some comfort in reporting that news of data breaches at other businesses increases their organization’s focus on securing the data in ERP software systems and other technology. Nearly nine out of 10 people believe that artificial intelligence and machine learning will help improve data security in the cloud.

Tightening ERP and Cloud Data Security

Many heads of technology worry that the corner office turns its attention to data security only after there is a problem. It seems to take security breaches and data leaks, usually reported in the media, to attract the attention of the C-suite, even though it is a management issue that needs to be discussed and reviewed on an ongoing basis at the board level.

As a result, some 69% of CIOs responding to the survey complain that CEOs and Chief Information Security Officers – if the organizations have one – get involved in public cloud projects only after a cybersecurity incident.

Address the issues and concerns uncovered in the study in the contract for cloud services, whether it involves migrating ERP or some other data-rich piece of technology. We have spent our career focusing on all aspects of ERP software system contracts and protecting the security of the treasure trove of data they hold.

As one example, a well-crafted cloud contract will specify the responsibilities of the user and the cloud provider. Not only does this eliminate the confusion many CIOs expressed in the survey, but if there is a data incident, each side will also know whom to hold accountable for the problem.

If you want to discuss your situation, whether you are an executive of a private business or a senior technology manager in a public sector organization, feel free to contact Taft. We will be happy to share our knowledge and insights regarding negotiation of a cloud contract.

As is happening with almost everything in business, COVID-19 is having an impact on ERP software systems and digital transformation projects – particularly with respect to interruptions or delays in software implementation projects. Some companies are postponing their implementation or drastically reducing the scope of their implementations.

While halting or postponing an implementation project in the face of COVID-19 may make sense, there is a risk of losing the institutional knowledge accumulated by the integration team working on the project.

Consultants that understood your business requirements may not be available at a future date. There will also be additional costs associated with getting new consultants on board who have an understanding of where the implementation project has been, where it is going, and how the project addresses unique business requirements.

We went through the options facing users when we spoke at the virtual 2020 Digital Stratosphere conference in late April. We also explored how current contracts can be renegotiated and what should be included in new contracts.

Creating Workarounds in a COVID-19 World

For implementation projects in progress, instead of stopping them altogether, a better option may be to narrow the scope to essential modules or pieces of functionality. If you are moving forward with your implementation, whether with a reduced scope or not, you need to ensure you have reasonable workarounds in place to account for the project disruption associated with stay-at-home orders, social distancing, and consultants working remotely.

Diligently managing the scope and the cost of the implementation is more important than ever. It is imperative you focus on project governance. You need to ensure you receive project status updates on a regular basis, and that the updates you receive provide meaningful information that allows you to make informed decisions about the project.

Similarly, you need to focus on change orders to counteract the likelihood of scope creep and budget expansion. You may also be able to use change orders to “back-door” amendments to the implementation contract.

Protecting Remote Integration

Data security and maintaining confidentiality of information in an ERP software system has always been critical, but is now even more so with consultants working remotely.

Long before COVID-19 created worldwide problems, the ERP software system contracts we negotiated for clients always included clauses that detailed specific responsibilities for the vendor, the integrator, and the user. Now, with many people using their personal computers, the chances of a breach, whether by accident or due to a hack, have multiplied ten-fold.

With consultants working remotely, having a structure in place for coordinating a project is essential. Users need to incorporate proper nondisclosure provisions into their contracts, which take into account the increased data security risk. Important data could be compromised. It is critical to account for the consultants who have possession of your information, as well as the security protocols you have in place to protect your information.

Right now, users have more leverage over vendors and integrators than they realize. This is important with new contracts and existing agreements, whether those contracts are on-premise or cloud contracts. Renegotiating onerous provisions or provisions that no longer make sense in the current environment is critical to success.

Take a practical approach and begin with the premise that vendors are your partners. However, don’t talk with the sales team who sold the project. Have the conversation with a senior decision-maker who is empowered to say yes and can fully appreciate the value of maintaining a long-term customer relationship.

It may also be possible to arrange for discounts and fee adjustments for either cloud services or the ERP software system.

Create a Long-Term, Flexible IT Strategy 

Now is a good time to evaluate your critical IT initiatives and prioritize those that are strategically important to your business. Digital transformations are often complicated undertakings with many moving parts. If you have questions or concerns, feel free to contact Taft. We are happy to share our experience, and can also refer you to highly reputable consultants.

Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) continues to be the most consumer-friendly biometric privacy law in the country. In the wake of the Illinois Supreme Court’s seminal 2019 decision in Rosenbach v. Six Flags, plaintiffs have filed hundreds of class action lawsuits against businesses and employers in a broad range of industries, including manufacturing, logistics, retail, hospitality, food and beverage, health and technology. These lawsuits have been filed because of a perception that BIPA, as interpreted by the Illinois Supreme Court in Rosenbach, creates significant liability where biometric information has been collected from an employee or consumer without first providing notification and obtaining consent, even if no actual damages have been suffered.

In the spring of 2020, however, there have been a handful of court decisions that have bucked the previously plaintiff-friendly BIPA trends and perceptions.


In an interview with TechTarget, Chicago Taft partners Marcus Harris and Daniel Saeedi explored the impacts that the pandemic will have on ERP implementations and what customers can do to alleviate risk and protect their ERP investments. In a separate interview, Marcus Harris also provided advice on renegotiating ERP contracts when the scope of ERP implementation projects change due to the COVID-19 crisis.


Taft Chicago partners Marcus Harris and Daniel Saeedi presented several sessions during the Digital Stratosphere Online Edition, April 20-24, 2020. Each day featured different presenters discussing the new realities of ERP, HCM and digital transformation projects in a post-COVID-19 world. Harris and Saeedi spoke jointly on “How to Negotiate (and Renegotiate) ERP Contracts During Crisis;” Saeedi spoke on “Cleanse and Protect: Why Data and Cybersecurity are More Important than Ever” and Harris spoke on “Mitigating Digital Transformation Risk Amidst Disruption and Uncertainty.”

If you are interested in learning more about these topics, please contact Marcus Harris or Daniel Saeedi.