The 20 Announces Strategic Advisor  


The 20, a leading MSP consortium, announced the appointment of Daniel K. “Danny” Astin as Strategic Advisor to Tim Conkle, Chief Executive Officer of The 20.

In this position, Astin will be a thought leader and trusted strategic advisor to the CEO on the strategic direction of The 20’s corporate and security organizations, which includes guiding the C-Suite in managing the company’s compliance issues related to cybersecurity initiatives and governance, and providing senior management with actionable guidance regarding the company’s strategic growth opportunities.

“Danny is a trusted advisor with a strong background and proven success in advising high-growth private technology and companies in many different sectors and strategic situations. He will be instrumental as The 20 continues to execute on our MSP growth strategy,” said Tim Conkle, CEO of The 20.

A frequent presenter and advisor to SMBs in the IT sector, Astin has over 30 years of unique business experience advising corporations, SMBs and the entrepreneurs that lead them. Astin’s advice regularly concerns core strategies related to business, contract, litigation strategy, dispute resolution, geopolitical relations, reputation enhancement, crisis management and other key business strategies. Astin’s advisory experience includes prior service in the U.S. Navy’s Judge Advocate General’s Corps, as counsel to the Commanding Officer Michael B. Nordeen (call sign “Nordo”), USS Constellation (CV64). After leaving active service, Astin and Nordeen assisted a delegation of investors in an attempt to privatize shipyards in Taiwan at Keelung and Kaohsiung. During active duty, Astin served simultaneously as Prosecutor and Defense attorney. Astin also served in the Office of The United States Trustee, United States Department of Justice (America’s bankruptcy “Watch Dog”), for oversight of some of the largest and most complex restructuring cases pending at that time.

“I am excited to be a part of The 20 team, whose core values reflect mine and with such a talented team of professionals,” said Astin. “I am looking forward to playing my part in The 20’s growth story.”

Astin is founder of March Brown, Envoys & Advisors, and is Managing Partner of Ciardi Ciardi & Astin LLC (CCA) of Delaware, a nationally recognized boutique law firm headquartered in Philadelphia. Danny chairs the “Creditor Working Group” of the International Business Law Consortium (“IBLC”), Salzburg, Austria, and recently presented to foreign firms on the newly enacted bi-partisan “Corporate Transparency Act.” Danny is the Representative for the IBLC in Delaware, interfacing with exemplary advisory firms situated throughout the globe.

 

 

About The 20 MSP

The 20 is an exclusive business development group for Managed Service Providers (MSPs) aimed at dominating and revolutionizing the IT industry with its standardized all-in-one approach. The 20’s robust RMM, PSA, and documentation platform ensures superior service for its MSPs’ clients utilizing their completely US-based Help Desk and Network Operations Center. Extending beyond world-class tools and processes, The 20 touts a proven sales model, a community of industry leaders, and ultimate scalability. For more information, contact us.


Dan Astin of Ciardi, Ciardi & Astin.

by Dan Astin

 

1) Change in Control

One of the most important legal tips every MSP should know involves “Change in Control.” In the event of an acquisition or other change in control of the client/customer, the MCA and ancillary SOWs remain in full force and effect. “Change in Control” means any sale, exchange, transfer, conveyance or termination of any equity or ownership interests in the client/customer, or any corporate, limited liability company or partnership reorganization, restructure, merger, acquisition, transfer of assets, consolidation or adjustment with respect to Client if the persons currently in control of the client/customer would no longer have such control after such event.

2) BAA Requirements

HIPAA requires a covered entity to enter into “business associate contracts” with business associates to safeguard protected health information and to restrict its uses and disclosures to those permitted by the contract or required by law.  Business associates are also required to enter into business associate contracts with their subcontractors.  Business associates are persons or entities that perform, or assist in the performance of, any activity involving use or disclosure of individually identifiable health information. 45 CFR §160.103. This includes, e.g., claims processing, data analysis or processing, quality assurance, billing, practice management, and accounting and legal services.

3) Cybersecurity Insurance

According to the Ponemon Institute’s “2018 Cost of Data Breach Study,” the average cost of a stolen or lost record is $148, while the overall cost of a data breach is nearly $4 million. In addition, the likelihood of getting hit with another breach within two years after the initial one is 27 percent.

As noted by FICO, businesses typically shun cybersecurity insurance for three primary reasons:

A) The organization isn’t investing in cybersecurity overall, despite an increase in threat levels.
B) Leadership believes the organization will never be the victim of a cyberattack because it is too small to be targeted, or they believe security systems will protect it.
C) Leadership doesn’t understand how cyber insurance policy premiums are estimated or what exactly is covered.

Generally, cyber policies include coverage for costs incurred for remediation in response to a data breach, liability for claims arising from the data loss or breach, fines or penalties imposed by law or regulation, and additional payment card industry fines and penalties.

 

Dan Astin is a Managing Partner for Ciardi Ciardi & Astin law firm and regularly represents and provides legal and business consultations to commercial creditors, litigants, contract parties, corporate debtors, importers/exporters, MSPs, small business owners, and trustees, in matters of commercial business practices, litigation, customs and international trade, bankruptcy liquidations, administrative law, the Foreign Corrupt Practices Act (FCPA), contract negotiations, business restructuring, IT, select domestic and international trade. Dan’s legal experience includes prior service in the U.S. Navy’s Judge Advocate General’s Corps, as counsel to the Commanding Officer of USS Constellation (CV64); conscientious objector hearing officer in the first Gulf conflict; prosecutor and defense attorney, United States Navy; trial attorney with the United States Department of Justice, Office of the United States Trustee; Associate Counsel, customs and international trade.

So, who should be held responsible when a company’s data system gets breached? Historically, the CIO, the CISO, or both have shouldered the lion’s share of data breach responsibility; well over half of security decision-makers expect to lose their jobs if a hack happens at their organizations. However, breaches don’t happen in vacuums, and CIOs and CISOs don’t operate in them, either. Many CIOs report directly to the CEO, and some security experts feel that CISOs should be elevated to the same reporting level.

Whatever an organization’s reporting structure, the bottom line is the same: the responsibility for everything that happens within the organization, positive or negative, ultimately falls on the CEO and the board of directors. This includes data breach responsibility. This has been reflected in the numerous CEO firings (or resignations) that have followed bad breaches over the past few years, including those at Target, Sony Pictures, and the Democratic National Committee.

Apparently, Yahoo didn’t get the memo about this a couple of years ago. After years of poor cybersecurity practices caught up with them, resulting in multiple breaches affecting over a billion user accounts, putting its acquisition by Verizon into question, and making the Yahoo brand name synonymous with the phrase “data breach,” the company decided to fire its General Counsel, Ron Bell. Shockingly, CEO Marissa Mayer remained in place, albeit with a pay cut (she later left Yahoo after the Verizon acquisition, but that was of her own choosing).

In Yahoo’s case, the CISO and the rest of the security staff couldn’t be fired. Fearing that a major security incident would eventually happen, they’d already run for the hills. The New York Times reported that former CISO Alex Stamos and his team had spent years warning Mayer of potential security issues, but Mayer insisted on putting “the user experience” ahead of cybersecurity and even cut the team’s budget.

Preventing Breaches Is Everyone’s Responsibility

Cybersecurity isn’t just an IT issue. It impacts every individual and department in an organization — from the board of directors all the way down to minimum-wage clerical and retail employees. The overwhelming majority of data breaches originate inside an organization, either because a negligent or untrained employee makes a mistake or a malicious insider decides to strike back against the company. No cybersecurity policy is complete unless it addresses the human factor behind data breaches by promoting a culture of cybersecurity awareness. This culture must start at the top of the organization; if the board, the CEO, and the rest of the C-suite do not take security seriously, front-line employees certainly won’t.

Yahoo’s firing of Ron Bell certainly shook up the legal community and caused much debate over where data breach responsibility ultimately lies. While this may have served to light a fire under organizations with questionable cybersecurity practices, the focus should not have been on whose heads would roll if a breach happened; it should have been on implementing proactive cybersecurity and compliance measures to prevent hacks from happening in the first place.

As for Yahoo, in September they settled a worldwide class-action lawsuit that alleged security issues dating back as far as 2003. Yahoo’s attorney and lead plaintiffs’ counsel told the U.S. District Judge in federal court that both sides had reached an “agreement in principle”: $47 million, to be exact.