How to Respond After Leaking Your Customer’s Data

The most recent consumer-hostile disclosure of an account breach was Uber’s leaking of 57 million accounts almost a year ago. I’d like to say this is an extraordinary event, but much like a favorite character getting killed in Game of Thrones, companies leaking customer data is just another regular occurrence we’ve come to expect. What continues to surprise me is how badly so many companies screw up their response to a breach. The one principle that should guide companies following a breach is, “make the decisions you would want a company to make if it was your account that was compromised.”

And sure, it’s easy to point fingers when it’s not you in the hot seat, so I’ll use the breach I managed as an example… The breach I was responsible for was in September 2015, when I was CEO of a company that had over 100 million registered accounts.

Initial Response

The breach was caught around 11:00 PM… within a couple of hours we had a fire-team of employees in the office. The priority was confirming that the breach was indeed fully contained, and then validating that we understood the full extent of the breach. We wanted to communicate to customers as quickly as possible, and we wanted to be able to accurately convey the amount of exposure. Every other project was de-prioritized and employees were working 24/7 on projects related to the breach.

Thanks to some security precautions we had in place, we were able to detect the breach in real-time, limit the data that was accessed, and understand exactly what data was exposed. Also, due to the nature of the data that was accessed, the actual customer exposure was minimal (e.g. no credit cards, social security, addresses)… assuming the attacker had planned to use the data for malicious purposes, the actual value of that data was extremely low.

As we reached morning, we contacted law enforcement and legal counsel, both of whom informed us that the data exposed was insignificant in terms of risk. We were also told that, because of the type of data accessed, there was no requirement to disclose the breach.

While we had a pretty solid understanding of what happened as part of the breach, we didn’t want to be overly confident, so we continued the process of going through hundreds of servers and employee computers to look for anything that might have been missed, a process that took a little over two full days.

The Ransom

Within 24 hours of the breach I started receiving emails that threatened to release the customer data and publicly announce the breach if we didn’t pay a sum of money. My response to the blackmail was letting them know I would consider their proposal, but ultimately the damage they would do is to customers that didn’t deserve to be exploited, and to employees, good people that already feel a ton of weight from the responsibility. They gave me a few days to make a decision.

Talking to Our Customers

After we had confidence that we had contained the breach, removed any attack vectors, and fully understood the data accessed, we were ready to talk to our customers. Less than 72 hours had passed, but it felt like an eternity getting to this moment.

We posted to our forums and messaged our customers individually with the details of the breach, specific data accessed, how that data can be used, and what steps to take (on our service and others) to protect against any further attack. We also disclosed that the hacker had tried to extort money in exchange for silence.

While I can’t say that any customer was pleased that the exploit occurred, many responded very positively to our handling of it. Earlier that year credit card and health care breaches of highly-sensitive data took many months to be announced, so many of our customers appreciated how quickly we moved to keep them informed.

Evidently the hacker didn’t read our forum post, as the next day they gave me the final warning that they were about to announce the breach to our customers and the media. I informed the hacker that we would not be paying the ransom, reminded them that the people they will hurt don’t deserve it, and pointed them to the forum posting fully disclosing the breach, accessible to all of our customers and the media.

Post Breach

Through a process of many, many postmortems and follow-up action items, the company continued to improve security in several areas, projects that extended many months. We understood exactly how the breach occurred, and the human component that enabled the breach. What we explicitly didn’t do is punish or threaten anybody – throughout the whole process we made all employees feel safe, which enabled people to be fully transparent and quickly disclose their mistakes, a critical aspect of quickly understanding how the breach occurred.

The moment that sticks out in my mind the most was an email I received from an employee in response to a detailed summary of the events I sent to the company. That employee expressed that they had never been so proud to be at a company, in the integrity we demonstrated to our customers, and the unwavering support for the employees. It was one of those emails that CEOs move to their “save forever” folder. 

Key Takeaways

While there are a lot of opportunities for companies to make customer data more secure, the unfortunate reality is that even the companies with the best security practices experience breaches – this is going to happen. However, a few steps can provide better outcomes for all parties:

  1. Treat your customers as you would want to be treated.
  2. Make your employees feel safe. Fearful employees will conceal critical information that is necessary to fully understand the problem.
  3. Don’t negotiate with criminals. It’s bad for your customers, there is no way to enforce the criminal’s end of the agreement, and the deception is likely to be revealed at some point. Perhaps one acceptable variation on this takeaway is, if you do negotiate with criminals in the interest of your customers (e.g. to get details about how the leak occurred), still be transparent with your customers and disclose that a transaction occurred.
  4. Do the follow-up work. After an exhausting amount of effort getting past the initial breach it’s easy to feel like your work is done… make sure all of the known exploit vectors are eliminated.


Have you been impacted by a company’s data breach? I’d like to hear about your experience – please leave a comment!

My Favorite Recent Inventions

In the spirit of enjoying a lovely holiday by keeping the conversation topics away from politics, and focusing on humor and technological advancement (or, more specifically, technological advancement humor), I thought I would share some of my favorite recent inventions, and include commentary from random people in the Twittersphere.

Sheet Muffins

The innovation team at Slate discovered a sweetened bread that replaces the need for individually held muffins…

Innovations in Co-Living

Millennials invented a way to have other people leave dirty dishes in the sink and drink all but the last 1/10th of an ounce of milk in the fridge…

Underground Group Transport

Elon Musk, the Thomas Edison of our age, found a way to have subterranean vessels pick up and drop off people at regular intervals…

Street Group Transport

Not to be outdone by Elon, Uber came up with a similar concept where the transportation uses roadways to pick up and drop off people at predefined locations…

Dedicated Short Term Visit Buildings

Airbnb continues to innovate by solving the problem of not having large, multi-unit buildings that are dedicated to short-term visits…

Automated Product Dispenser

And finally, solving both the problem of human interaction and the inability to purchase goods, a startup developed a way to pay for and receive products from a mechanical device…

An Amazing Time to be Alive…

Technology has truly taken us to places that could only have been imagined 30 years ago. Embrace these advancements and marvel at how they change the world before our eyes.


Are you aware of other incredible innovations that are changing our lives? Please leave a comment!

Your Agency is Hurting Your Chance of VC Funding

Early-stage venture capital firms have high deal flow and very little time to assess each company, so understanding key assessment criteria will help you get your deck from the “no” bucket to the partner discussion. A common reason many companies fail to get past “no” is they are agencies.

Is Your Company an Agency?

In an agency, the value created by the company is unique to each customer. As a result, the company’s revenue reflects more of a work-for-hire relationship. The problem with this model is, while an agency can still be a very good (or even great) business, it is hard to scale and typically doesn’t improve margins when it does scale.

When asked, entrepreneurs don’t always recognize that their business model is an agency… they may see the unique customer work provided as building support in the underlying platform, or a way to help onboard early customers. While all possible, it’s unlikely, and VCs that have looked under the hood of hundreds of companies will understand the signals indicating this is an agency:

  • A majority of revenue comes from additional work provided, not from the product / service
  • Work performed is applicable to a specific customer (e.g. content creation, integration, customization)
  • Customers largely came from relationships, not from a repeatable sales process
  • The company is pivoting from a consulting business

What if My Company is an Agency?

So, what do you do if your business looks like an agency? Well, it depends on what you want for your company. If you’re happy with a potentially good (or even great) business that may grow at a reasonable rate, be a source of employment for a bunch of people, and maybe never have an exit, skip the VC and run your business (of course, you have to run cash positive or get loans to get you there). And, the lack of an exit doesn’t preclude a payout… I’ve met several owners of “lifestyle businesses” that, on top of a good salary, pull substantial amounts of money out of their company.

If you do want to go the VC route and have a VC-sized exit, you’re going to either prove your business is the exception (unlikely), or make some fundamental changes to your business to achieve some combination of the following:

  • A consistent shift in revenue away from unique customer work and towards your product or service
  • A convincing process showing the unique work for each customer is scalable (i.e. not limited on the supply side)
  • Margins improving with growth

Pivoting to a new business model is usually easier written than done. And, if your agency model is working for you, a pivot away from a working business model can be risky. Then again, if you’re the type of entrepreneur that is excited by building VC-backed businesses, you probably eat risk for breakfast.



Less Minimal, More Viable – Creating Better MVPs

I had the exceptional luck to work with Eric Ries at both the company that was his inspiration for The Lean Startup, as well as the company that was his catalyst for the change needed to build companies differently (and I hope someday I can convince Eric to release his insightful yet unpublished manuscript “The Bloated Startup” – maybe your tweets can help #EricPleasePublishTheBloatedStartup).

One of the fundamental ideas from The Lean Startup embraced by startups is the Minimum Viable Product (MVP), a product strategy that minimizes investment while maximizing learning and market validation. And while MVP is a great and seemingly simple concept, many startups fail to execute it successfully.

There was a time not too long ago when startups regularly burned many millions of dollars in years of stealth mode, building massive projects anticipating the use cases for all of their future customers, and the idea of releasing anything that wasn’t robust was heresy. A combination of those companies spectacularly imploding, investor expectations that companies achieve validation faster, and the embrace of accepting failure while chanting the mantra “fail fast”, made the pendulum swing the other way.

The most common criticism of MVP is too often it is actually Mvp, where minimal is emphasized and viable is highly subjective, but leans towards not viable. It’s not that MVP is a bad concept, it’s simply difficult in practice. As a result, others have looked to redefine MVP – Jason Cohen proposed the SLC (Simple, Lovable and Complete), and Laurence McCahill proposed the MLP (Minimum Loveable Product), both emphasizing the importance of delighting customers to being “viable”, and reducing the opportunity to simply ship a broken experience to customers using “learning” as an excuse.

Rather than create another TLA, I’m offering guidance to make the implementation of MVPs more effective:

  1. The MVP Delivers Your Value Proposition
  2. The MVP is a Functional Product
  3. The MVP Provides Validation or Valuable, Intentional Learning

Let’s dig into each of these a little more…

The MVP Delivers Your Value Proposition

The MVP must deliver the customer value proposition for a subset of customers that will be early adopters. Delivering on your value proposition may seem obvious, but in the interest of trying to achieve the minimum investment, it can be overlooked.

Core to IMVU’s value proposition was connecting people through expressive avatars, which was initially delivered via a 3D client on the PC. IMVU had an early mobile product that connected customers by enabling messaging from their phone, and while we called it a mobile MVP, it wasn’t. Specifically, the messaging was text-based, so it didn’t deliver on avatars or expressive communication. Since it didn’t include avatars, it also didn’t test the business model, which involved selling items to stylize an avatar. Many existing customers liked the functionality provided, enabling them to perform some basic functions while not at a PC, but nobody would become a new customer on this product – it was simply a helpful add-on.

Later IMVU built a real mobile MVP, starting with the very basic set of functionality that enabled expression via your avatar, and the ability to purchase items for customization (also important to expression). Knowing the PC offering, the mobile MVP felt pretty bare bones, didn’t include 3D (something we knew customers wanted), but the customized avatar was present, enabling self expression. We gained new customers that only knew of IMVU as a mobile experience, and we validated that the business model worked. Eventually full 3D was added with a lot of other features that did an even better job at reinforcing the value proposition, but it was a pretty humble beginning.

The MVP is a Functional Product

The need to be minimal yet completely functional is where great product design comes in, recognizing that the best products are fully functional without being complex – simplicity delights customers.

The test I’m proposing is, without adding additional functionality, does your MVP continue to deliver value to your early adopters? Asking another way, can you imagine walking away from the MVP and seeing your early adopters still using it in 24 months?

When it comes to applying MVP to new product functionality for an established product, this simple-but-complete requirement is even more critical. I witnessed many MVP projects that shipped into half-done limbo: some customers sort of liked it, but it was broken, and it was not valuable enough to finish… the result is many rough edges and missed opportunities to delight customers.

The MVP Provides Validation or Valuable, Intentional Learning

One of the most disappointing results to hear from a failed MVP is, “we learned it didn’t work”. Aside from the obvious desire for projects to be successful and delight customers, this result represents a failure to intentionally learn. A great indicator this is happening is a product manager presenting data harvested after the fact, hand picking metrics that were not identified before the product was built, creating learning theater.

The MVP should reduce uncertainty, either by validating previous decisions or providing information necessary to make specific future decisions.

When building the MVP, there should be a clear hypothesis, identification of the metrics that will be used to gauge progress, the ability to capture those metrics, and an understanding of the critical decisions that will be influenced by the results. In addition to creating a discipline around honest assessment of progress, these requirements guide the team’s product development decisions.


Have you learned something valuable from building a MVP? I’d love to hear your story! Please leave a reply in the comment section.

Congratulations Successful Entrepreneur: You’re Fired

Most startup entrepreneurs understand that the odds of success are not in their favor… only about 1 in 10 startups will survive. Of course, most startup entrepreneurs don’t believe they fall into the 9 out of 10… a healthy amount of self delusion is required to go down the startup path in the first place. But there is that 1 in 10 that does make it… and, if you are lucky enough to be the CEO that delivers that success story, the odds are you’ll be fired.

Before explaining why being fired is the most likely outcome for a startup CEO, it’s necessary to explain the startup journey…

Your Mission as a Startup

Investment-backed startups are created to discover scalable businesses, usually by inventing a new product or service that can become a large business, or by creating substantial efficiencies that take customers away from an existing large business. There is no clear, obvious path to doing either of these, otherwise success would be the expectation, not the exception. So success requires reasonable self delusion that you will succeed, as well as experimentation / rapid iteration necessary to adjust to the challenges of discovering the successful business. In practice, this can often manifest itself as the CEO coming in with the crazy idea of the day saying, “let’s try this… can we ship it by tonight?” If you like the excitement that comes from working through challenges with great uncertainty, this process can be a rewarding experience.

Through this process of discovery, a few things can happen. If the company runs out of money before a scalable business is discovered, most likely everybody loses their job, although it is possible that the board still believes in the company but sees execution or leadership as the problem, fires the CEO, and then puts in new money to support a new leader. From the CEO perspective all of these paths lead to the same place… you’re effectively fired.

But wait, Brett… those are failure scenarios… I’m that 1 in 10! I discovered product market fit! I delivered on my mission! I found the scalable business!

You’re probably fired anyway.

It’s Not Us, It’s You

You’ve done something truly amazing… you’ve led people down a crazy path, likely engaged in some mixture of know-how, magic, luck, skill, and insanity, and came out the other side with a scalable business. It takes a particular type of person to do that successfully.

Unfortunately, that particular type of person is usually the exact opposite of the particular type of person you want growing a scalable business. Growing a scalable business is more about efficiencies and optimization, much less about discovery. That same crazy-idea-of-the-day behavior that miraculously led to discovering the scalable business is exactly what derails the consistency a company’s organizations need, and what customers will expect. As the organization grows, process and management become necessary to handle the challenges that come with simply trying to get hundreds of people to work towards the same goal. The needs of operating a scalable business probably contributed to the CEO quitting their previous job and creating the startup in the first place.

The board has a responsibility to drive shareholder value (including their own investment) and, seeing how maximizing the value of the business now requires a different expertise, likely determines that it’s time to get somebody best for that job. It’s possible that the startup CEO has the rare set of skills to transition, or it’s possible that the board will bring in supporting executives to help. In these cases the same end result is usually just delayed.

Of course, getting fired doesn’t happen every time… you can look at examples like Mark Zuckerberg, Drew Houston, Jeff Bezos, and Steve Jobs and, using that healthy amount of self delusion, say “I’ll be like them” (forgetting, of course, the first run of Steve Jobs at Apple). But if you look at all of the companies in the valley that scaled successfully, you’ll find most had the founding CEO “step aside”.

Yikes! How Do I Prevent This?

Your gut response as a startup entrepreneur is likely something like, “I’m going to make sure that doesn’t happen to me.” However, I encourage looking at it a different way… this happens, you’re probably going to be replaced, and that’s probably okay. It’s better to prepare for the possibility rather than assume it can’t happen. You may find being replaced is actually the desired outcome if you prefer building new things rather than optimizing existing ones.

The most reliable way to avoid being replaced is by not giving the board (or anybody else) the power to replace you. In practice this is usually only possible if you don’t take outside investment… venture capital investors will usually take board seats and almost always retain the ability to replace the CEO. The tradeoff you make for getting extra cash to accelerate your progress comes with the price of forfeiting some control.

Assuming you’re taking investment, the best path is likely making accommodations for a transition as part of that investment. Address things like an ongoing role post-handoff (operational and board), vesting of stock, participation in success rewards, and your treatment for liquidity events (acquisition, IPO, secondary offerings). Also account for variations to the plan… while you may want to maintain a significant operating role after a transition, it may be determined that the new CEO can’t be successful while employees still look to their founding CEO hero for direction.

Finally, if you do get to the point where you are being fired after successfully delivering on your mission, make sure you recognize your truly amazing accomplishments… you knowingly engaged in a difficult challenge, with all odds against you, and you were a success. Many people, employees and customers, will be better off because of what you built.

Congratulations.


This posting was greatly inspired by over 20 years of stories from many friends that have been founding CEOs, and by Steve Blank’s great presentation, Why Accountants Don’t Run Startups.


Have you been a startup CEO and been through this journey? I’d love to hear your story! Please leave a comment.

Joining Social Starts as a Venture Partner

My short-lived backpacking career is in jeopardy… I’m a Venture Partner at Social Starts.

Why a Venture Partner Role

Most recently I spent several years growing a company from startup to millions of customers. In each role of the company, from technical executive to CEO, I needed to spend time deeply understanding the technology and markets related to the business (social, expressive communication, VR, avatars, communities, virtual goods, scalability, digital currency, and virtual economies). While being able to get a deep understanding of subject matters was great, it left little time to explore the breadth of ideas powering innovation, and I missed that.

So, one of the ways I’ve spent my down time over the last few months is getting exposure to a wide range of companies doing things I’ve never done before. In addition to some advisory work for startups, I went to a few sources of amazing entrepreneurs with great ideas. Steve Blank generously invited me to sit in on his Lean Launchpad class at UC Berkeley’s Haas School of Business, where entrepreneurs formed and iterated businesses around IoT, energy management, and medical devices. I also spent some time at Obvious Ventures getting exposure to some really impressive companies in areas ranging from consumer packaged goods to gene therapy and wellness.

I found I really enjoyed the exposure to new companies, especially those outside of my fields of expertise… seeing how people are applying new technology towards opportunities drove my natural curiosity to research topics that were new to me.

I also found satisfaction in my advisory work, helping startups by sharing what I’ve learned, both from my successes, and my failures. Surprisingly, many companies deal with the same patterns of challenges – it’s great to help people get past those so they can move on to newer, more exciting challenges unique to their situation (I wish I could write “eliminating challenges”, but businesses just move from challenge to challenge… you’re fortunate when you’re working on the challenges with possible outcomes ranging from “good” to “great”).

When the opportunity came up to research and help fund all sorts of great startups while providing me with the flexibility to work more deeply with a few companies, I knew this role was right for me.

Why Social Starts

There are many reasons I joined Social Starts, and two factors that most greatly influenced my decision are the team and the deal flow.

In regards to deal flow, Social Starts focuses on very early stage funding, from moment of inception to Series A. The closer you are to the top of the funding funnel, the larger the pool of companies to consider. And, Social Starts considers a lot of companies… it’s been named the top fund under $100M since 2013, the 5th most active early stage fund worldwide of any size in 2015, and the 6th most active early stage fund in US tech in 2016.

For any organization I would join, it’s a requirement that I respect and appreciate the team. In my discussions with partners, I experienced many characteristics I value, including candor, humility, thoughtfulness, and pragmatism. As a bonus, the COO is a friend that is on my short list of “people I would work with at any company, any time”.

Let’s Work Together!

If you’re working at an early stage company in fields like VR / AR, health care technology, AI, work platforms, internet of things software, mobile commerce, blockchain, security, content, wellness, analytics, or human-brain interface, I’d love to hear more about your company.

I also have some availability for advisory / consulting roles for companies that need somebody with executive-level experience successfully scaling startups, helping execute through the challenges that come with growth.

Leadership Requires Taking a Stand

For reasons I’ll cover in the future, I took a break from blogging. I did not intend to resume this week, and I did not expect that this would be my returning topic, but recent events have been a catalyst for me, and silence wasn’t really an option.

“We must take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented” – Elie Wiesel

I had no intention of covering politics on this blog. In speaking to the importance of leaders taking a stand, the public and obvious failure of Donald Trump was an example that could not be avoided. Further, it would be hypocritical for me to cover this topic without taking a stand myself.

A Leadership Softball

History’s losing flags on display in Charlottesville

Last weekend Nazis rallied in Charlottesville, spouting words of hatred and eventually murdering Heather Heyer. As much as the “Unite the Right” mob wants to claim that they are non-hateful and simply defending white heritage, chants like “Jews will not replace us”, “Fuck you, faggots”, and “Blood and soil” (which comes from Nazi roots), combined with marching under the flags and other imagery of Nazi Germany, clearly reveal the true intent. Describing these people as Nazis is not hyperbole – they are literally marching under the flag that many of our grandfathers gave their lives to defeat.

Denouncing the actions of Nazis is a leadership softball. In my home town of Berkeley, which is frequently (and sometimes fairly) considered socialist and crazy, Top Dog, an establishment that is staunchly libertarian and pro-free-market, fired an employee participating in the Nazi rally. The owner of Top Dog is not a delicate snowflake with hurt feelings, he took a stand against what was morally wrong and backed it up with actions.

In contrast, Donald Trump failed to even take a swing at this leadership softball. His initial comments appeared sympathetic or even supportive of the Nazis, receiving praise from former KKK leader David Duke. After an uncharacteristic two-day delay to ensure, “what I said was correct, not make a quick statement”, Trump denounced the Nazi groups, in what appeared to be a forced reading of a prepared statement, days after most leaders (and bipartisan elected officials) took a firm stance against the Nazis. After what would have simply been considered a disastrous display of failed leadership, yesterday Donald Trump destroyed what little credibility he may have garnered, when he effectively backtracked on his condemnation of Nazis, and seemed to equate our founding fathers to people that committed acts of treason waging war against the United States.

The Nazis in Charlottesville were largely Trump supporters, so Donald Trump making a clear and decisive statement against these hate groups may have come at a cost of losing some of their support. If you assume Donald Trump was simply attempting to remain neutral, the lack of a commitment against something so obviously anti-American (Nazis) was largely interpreted as support for the hate groups – this interpretation was echoed by politicians from both sides of the aisle and from the hate groups themselves. After Trump’s impromptu shit show on Tuesday in which he doubled down on his “many sides” to blame, it left little doubt where he really stands, although he still hasn’t displayed the leadership to clearly define his position.

Taking a Clear Stand

It’s necessary for leaders to take a clear stand on issues that impact their organizations, both to act as a beacon for what is expected for the organization, and to enable people to leave the organization if it is inconsistent with their own values.

A good way to test whether a company is committed to its cultural values is looking at how the company acts when holding to those values comes at a real cost. Similarly, leaders should be judged by their actions as they face adversity… are they willing to make personal sacrifices to maintain their integrity and live by their values?

In 2015, as CEO of IMVU, I made the decision to not allow the confederate flag in IMVU’s products. Some customers reacted unfavorably, some directed hostile remarks at me, and customer service received complaints. There was also some impact resulting from customers that had purchased or sold the products. I had expected all of that. And as much as I value freedom of speech, ultimately the value of IMVU being an inclusive community for millions of customers outweighed the impact of eliminating the emblem representing a war waged on the United States to defend the right to own humans. My actions were not big and bold, they were simply doing what I thought was the right thing given the values of the company and its community.

Regarding Donald Trump’s failed leadership, six business leaders have stepped down from presidential advisory councils, citing their own values as the primary motivation for distancing themselves from Trump. These leaders have clearly taken actions consistent with their personal values, and did so at a cost, as Trump quickly attacked and belittled these leaders the moment they stepped down. Those remaining on the presidential advisory councils may not explicitly support Trump’s defense of hate groups, but their continued support of him as a leader acts as an enabler, and casts doubts on their values or their ability to act consistently with their values. Trump’s top economic adviser Gary Cohn is reportedly ‘disgusted’ and ‘appalled’ by Trump’s responses this week, yet plans to remain in the administration, implicitly supporting Trump’s behavior. Gary Cohn, who was born into an Eastern European Jewish family, continues to support a man that can’t denounce Nazis – as a citizen (a member of the US organization) I draw the conclusion that Cohn values tax reform and deregulation above what I would consider a non-starter, supporting somebody that can’t condemn hate groups.

Live Your Values

An organization’s culture and values are just pleasant little phrases in the employee handbook unless the organization reinforces the values in all actions, especially in tough times.

As a leader, if you are unwilling to state a position consistent with your values or sacrifice to take actions supporting those values, you don’t actually hold those values, or you are not a leader.


Firing People Respectably

Firing people is perhaps the most unpleasant responsibility that comes with being a manager.  I’ve read many articles on “the right way” to handle firing, but my experience has taught me every case is different, and even following the best advice can result in a challenging interaction.

I’ve created guidelines for myself that feel fair (this is how I want to be fired), and I accepted that firing is unpleasant for everybody involved, so it’s ultimately about making the best out of a shitty situation.

My guidelines come from the perspective of a culture I want to see in a company, not the legal perspective (which tends to err on the side of corporate protection over recognizing the human components).

Guidelines for a Firing Manager

My guiding principle, be respectful and help the employee retain their dignity, drives these guidelines:

  1. Always remember you’re firing a person, not a resource.  In almost every case being fired is an emotionally painful situation, so be mindful that you are firing a person with feelings, fears, and personal responsibilities that will be compromised as a result of job loss.  People react unpredictably in emotion-filled situations.  As the firing manager it is important to be respectful through the whole process and be balanced in responses to the other person’s (re)actions.
  2. Don’t get into a detailed discussion.  A common pattern is the person being fired will want to get into the details about the decision to fire.  The firing discussion should be efficient (there is nuance in balancing not being insensitively fast vs. dragging out the pain).  The manager should absolutely provide a high-level explanation, and the next steps (ideally the company has a standard document that explains the issues that will be important to the employee), but the person being fired is very unlikely to actually hear a detailed discussion – they are too emotional to process it.  If a person being fired wants to get into details, I suggest scheduling coffee the following week, giving them enough time to figure out what questions are really important and getting past the initial shock so they can be receptive to the answers.
  3. Never discuss individual details with others.  When a person is fired, other employees frequently want to understand more details.  It can be tempting to want to bring others into the loop or calm an underlying “am I next?” fear they may have by sharing the details, but it is disrespectful to the person being fired (it’s also probably a liability for the company). Instead, have a culture that is transparent about the process (why and how) people are fired, while never discussing an individual’s specific situation.

Reasons for Firing

The reasons for firing an employee generally fall into three categories: performance, role eliminated, and violating the company relationship. Each impacts the person being fired, other employees, and possible outcomes differently.

Performance Problems

When an employee is under-performing it is their manager’s responsibility to make that employee successful and, if that fails, fire the employee. An employee’s performance should be a regular discussion with their manager, and missing expectations should be made explicitly clear, along with clarity around the exact expectations and a plan to improve.  If the improvement doesn’t happen, the firing discussion should be more of a final conclusion to the mutual recognition of the problem, with both parties aligned on the shared data.  My rule is, “if the employee was surprised they were fired for performance reasons, this is a failure of their manager”.

Role Change

The role change scenario is one where the company’s requirements or constraints have changed and an employee is no longer appropriate for the role.  I’m including layoffs / downsizing in this category (not being able to pay people is a constraint).  A commonality in these firings is that they include qualified, successful employees.  This is the one firing scenario where additional insights into the decision can be shared with other employees, as the decision is not about an individual (but be sure that the role change is the real reason for the firing, otherwise it will eventually result in distrust from employees).

A role change specific to an individual feels the most personal for the person being fired and can be hardest for other employees to understand. The message of “great for previous role, wrong skills for what the company needs going forward” is easy to say, harder for employees to process, often because a good employee will be leaving, and many employees won’t have the insights into the need for the change (or may simply disagree).  The best analogy I’ve been able to come up with is sports teams, where a great player may be traded to make room for a player that has different skills that make the team better as a whole (as in Moneyball, where trading stars for players that just got on base resulted in a better team).

When a role change is impacting many people (typically driven by financial situations or discontinuing a product / service), explaining to the people impacted can be more comforting than when it is a single role, since the reasons don’t feel as personal (make no mistake, for the people being fired the impact will feel very personal, it just won’t feel like they were individually targeted).

Violating the Company Relationship

Every company has its own unique culture, principles, rules, and expectations in the relationship with each employee, and between employees.  I’ll use “don’t steal” as an example, since this is probably a common deal-breaker even in the most toxic environments.

When there is a violation of the relationship, the employee needs to be fired, otherwise the company is signaling that it isn’t an actual expectation of the relationship, or perhaps worse, that enforcement is selectively applied. In this firing the employee should not be surprised; however, an employee willing to violate the relationship in one dimension is likely willing to double down and deny their responsibility in the situation. Unfortunately, this is one of those nobody-wins outcomes that, as a manager, you simply need to get through, look for the learning opportunity, and move on.

A particular challenge in this type of situation is the inability to offer an explanation to other employees, especially if the violation was concealed. Using the stealing example, the company could have liability in disclosing the violation to others, so employees just see somebody fired for no apparent reason.  As recommended in my guidelines above, if your company has a (trusted) transparent culture around how and why people get fired, many may infer that it was either a performance problem or a violation, which is a better outcome than the firing feeling random.

Management Failures

Employment is a relationship, and the manager and company have to acknowledge their responsibility in the failed relationship, both in why it failed and the importance of properly handling the failure.

Passing the Buck

If there are other existing opportunities where the employee could be successful at the company, that can provide a solution that is a win for both the employee and the company.  However, since firing is so unpleasant, managers should be challenged to understand whether they are diverting the problem to somebody else or really feel the employee is best for the opportunity.  Ask the question, “if the employee didn’t work here but was applying for the new opportunity, would you hire them?”  If the answer isn’t a confident “yes”, the manager is likely passing the problem to somebody else. Another red flag is the creation of a new role for an employee that would otherwise be fired… in almost every case I’ve experienced, this is a manager avoiding a tough (and necessary) decision.

Performance Improvement Plans

Performance Improvement Plans (known as “PIPs” in HR speak) are formal documentation explaining the employee’s performance problem, the expectations, a process to improve and a success evaluation date. On the surface this is all great – issues that should have been discussed in 1:1 meetings. When used as a tool with the intention of making the employee successful, PIPs can be really helpful in providing clear expectations.

The dark side of PIPs is when they are used as an HR cover-your-ass maneuver, in which the employee’s fate has already been decided but, because of risk or liability, there is a desire for the company to have ample documentation around the termination. Don’t do this.  When a firing outcome has been determined, fire the employee.  Dragging out a process or giving false hope is disrespectful, and arguably cruel.

Learning from Failure

A firing may not reflect a failure; it might actually be the best decision for the company and perhaps even for the person being fired.  However, all firings can be an opportunity for the company to learn and improve its processes. If it was a new employee, try to understand how the interview / hiring process could have identified the issue.  With longer-term employees, look for training opportunities (for the employee or management) that could have resulted in a more successful outcome.  Understand when the firing should have happened and what should be done next time. Since firing has such a big impact on both the employee and the company, there is value in continually improving the process to reduce or avoid any firings that could have been saved.

Have you been on either end of the firing process and have suggestions for improving how it gets handled?  Please leave a comment!

Fairness in Employee Intellectual Property Rights

Silicon Valley is still in the Jurassic age when it comes to employee intellectual property rights.  It’s not that Silicon Valley has lagged behind others in this regard, but there has been no innovative leadership while there is ample opportunity to set an example for fair employee policies.

Before I was the CEO of IMVU, I was SVP Engineering, and in 2011 I drove an initiative to change the company’s policy regarding the ownership of employee side projects. At the time my basic argument was we were actively looking to hire employees that are builders, creators, tinkerers and then had a policy (like every other company) that oppresses the same qualities we actively sought.  The new policy created a path for employees to have guaranteed ownership of their side projects and be protected against any future claims from the company.  I detailed the outcome in my article IMVU’s Employee-Friendly Policy on Side Projects.  My hope was other companies would embrace and improve on this first step.

6 Years of Progress!

In the 6 years that followed,  there has been a massive wave of companies acknowledging that some of the best employees they can recruit are passionate builders that actively contribute to open source and hack on pet projects to feed their creativity and passion for learning new skills.  These same companies have changed their culture and employment agreements to support these employees by recognizing that traditional intellectual property assignment agreements are over-reaching.  Actually, none of that happened.

For the most part, the state of employment agreements and employee intellectual property rights hasn’t changed.  Many companies still have policies with far-reaching claims on anything the employee creates, at any time, even if not directly related to the business and whether or not company resources were utilized.  It doesn’t matter that some of these claims are not enforceable (in particular, California has much more employee-friendly laws), many employees would simply give up rather than incur the legal costs to defend their rights.

The result of the continued inconsistency between company policies and employee behavior is an awkward cultural and legal situation, where employees have side projects and sometimes kind of keep them secret and the company sort of doesn’t acknowledge the side work when it knows about it… a wink wink, nudge nudge arrangement until it isn’t, and the company decides it owns the employee’s thoughts.

I’ll take a moment to call out (and praise) a recent exception… GitHub recently introduced a policy to let employees keep their intellectual property.  GitHub’s policy is called Balanced Employee IP Agreement (BEIPA) and recognizes that the employee has rights to projects that are not related to the company business, and also that the line between “free time” and “company time” is fuzzy (the policy doesn’t explicitly state that employees can use company resources, but it doesn’t claim rights either).

The Challenge of Change

As I went through the process of changing an industry-standard policy, I gained a much better understanding of the challenges. Ultimately the challenge of innovation in these policies comes down to no perceived upside for the company, combined with fear of embarrassing failures from the innovation.

Standard Employee Agreements (which include assignment of intellectual property) are heavily weighted in favor of the employer and, since they are pretty much the same at every company, there is no competitive market and little reason to change. The company’s fear of losing out on an amazing invention can also come into play, with concerns that the company will forfeit rights to what could have been a game-changing development (who wants to be the idiot that let go of the billion dollar idea?). And finally, lawyers… corporate counsel provides tried-and-true boilerplate Employee Agreements, and the same corporate counsel that reviews the policy change is typically risk-averse, seeing rights-releasing changes as mostly downside with unknown benefits.

I found that most of the challenges in changing this policy were key stakeholders taking a “why we can’t” approach instead of a “how can we” attitude.  Now having 6 years of experience with the policy, I can unequivocally state that it resulted in no downside for the company and only goodwill for the employees.

Getting to Fair Employee IP Rights

I believe the first critical step in getting to fair employee intellectual property rights is bringing awareness that change is desired and possible.  Without a push from employees, it’s too easy for employers to just keep doing things the way they’ve always been done.

If you are an employee that would value a more equitable arrangement around intellectual property rights, let your employer know!  As a starting point for what is possible, point them to the improvements made at IMVU or GitHub.  Make an offer to your employer to promote the company’s leadership in this area and use it as a recruiting tool for creative talent.  If you are interviewing with a company, ask about employee IP rights – if this becomes a common topic from candidates, HR (recruiting) will see the value in making a fair policy be a benefit.

We’re seeing progress in other areas that have similar challenges around change… I am excited that some Silicon Valley companies are establishing or updating their policies to consider employee fairness around stock option plans that actually help employees keep the rewards from their contributions.  As these companies intentionally make the choice to not just do the same thing every company has done before, I encourage them to use that same open-minded process to examine their employment agreements and create policies that are fair to the employees they strive to attract.

This guy wrote your boilerplate IP Agreement

As a leader in a company, consider whether the policy you have today was intentional, reflecting the culture and values of what you are trying to build, or if the policy is just a generic hand-me-down from the corporate dinosaurs of the past. If you experience too many challenges around making sweeping changes, at least make incremental changes and try to use them as a differentiator for your company (really, go on Quora or Hacker News – potential employees looking for companies with fair IP policies are left with almost no good examples… your company could stand out).

As more companies show that employee fairness is a differentiator that attracts and retains great talent, it will push others to improve their policies to be competitive.


Know of other companies that have great Employee IP rights?  Think Brett is crazy and giving away all of a company’s value?  Leave a comment!

How to Stop Me From Spying on Your Internet Usage

Yesterday Congress voted to erase privacy protections for consumers by passing a law making it illegal for the FCC to have rules to protect consumer privacy online. Specifically, this vote allows your ISP (Internet Service Provider, the company you pay for your Internet access) to collect and sell your Internet usage information without your permission. To be fair, you didn’t yet have these protections… they were just about to go into effect, and now they won’t.

Most people appreciate the right to keep private what they do in their own home and are unhappy with a violation of this privacy, but many don’t understand the potential impact on their lives, or how to protect themselves from these privacy violations.

What You Reveal Using the Internet

In your day-to-day usage of the Internet you expose to your ISP an enormous amount of data that enables them to target and classify you in ways that are valuable to advertisers, employers, insurance companies, and financial institutions.  Your ISP has the ability to sell companies data that classifies you based on health issues, financial status, sexual interests, religion, hobbies, and political views.

Every web search you make and every web page you visit is an opportunity for your ISP to understand you a little better. Searching information about depression?  Looking at the most recent coupon you got from BevMo?  Congratulations, you’re now part of the “risk of alcoholism” demographic that might be of interest to future employers or insurance companies.  Reading a medical site to figure out if that mole on your arm looks funny?  You are flagged as a cancer risk.  Searching for an anniversary present and looking at a dating site in the same week?  Divorce attorneys and real estate agents might pay handsomely to know who you are (or, more accurately, who your spouse is).

But wait, Brett – I use “Incognito” or “Privacy” mode on my browser… doesn’t that protect me?  Actually, no… these options prevent websites from permanently storing information on your browser that can later be used by that website to re-identify and track you, but they don’t do anything to secure the traffic that goes between your computer and the website, which always passes through your ISP.

But Brett, I know the little “https:” in the web address bar means secure, so I’m safe on those sites, right?  You’re better off, but you’re still leaking a ton of information… Secure websites do a great job of ensuring that the traffic sent between the website and your computer is encrypted and secure – so the contents of the interaction should be private.  However, your ISP still has access to the Internet addresses you visit, so if you look at the Suicide Prevention Hotline, your ISP can’t see the specific data but they know you are interested in content about suicide. This site-identifying information is also revealed through your DNS queries (how your computer turns the name in a URL into an IP address), and most consumers have their DNS handled by their ISP.
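To make the DNS point concrete, here is an added example (not from the original post) that builds the kind of plain DNS query a home computer sends to its ISP’s resolver and then reads the hostname back out of the raw bytes, exactly as anyone in the path could. The query bytes and the hostname `example.org` are constructed for the example; nothing in it contacts a real resolver.

```python
"""
Added example: what a plain (unencrypted) DNS query reveals to an on-path
observer such as an ISP. The query is constructed here to mirror what a
stub resolver sends over UDP port 53 for an A-record lookup; it is never
sent anywhere. The later HTTPS session hides page contents, but this
lookup already names the site being visited.
"""
import struct

DNS_HEADER_LEN = 12  # fixed-size header defined in RFC 1035


def build_dns_query(hostname: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 A-record query, the way a stub resolver would."""
    # Header: ID, flags (RD=1 so the resolver recurses), QDCOUNT=1, no other records.
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in hostname.split(".")
    ) + b"\x00"
    # QTYPE=1 (A record), QCLASS=1 (IN).
    return header + qname + struct.pack(">HH", 1, 1)


def read_name(packet: bytes, offset: int) -> tuple:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.

    Returns (name, offset_after_name). Compression pointers appear in
    responses (and some queries), so an observer must handle them too.
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends at the pointer, not at its target
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label: end of name
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def observed_hostnames(packet: bytes) -> list:
    """Return every question name in a DNS packet, as a passive observer sees it."""
    _txn_id, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    offset = DNS_HEADER_LEN
    names = []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name)
    return names


if __name__ == "__main__":
    # Constructed sample: the lookup a browser triggers before opening https://example.org/
    wire = build_dns_query("example.org")
    print("bytes on the wire:", wire.hex())
    print("hostnames visible to the ISP:", observed_hostnames(wire))
```

The observer never needs the HTTPS session at all; the hostname is already readable in the lookup that precedes it, which is why the post recommends moving DNS away from the ISP along with the rest of your traffic.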

Okay, Brett… fine, ISPs can do this shifty stuff, but this sounds like tinfoil hat territory.  Well, maybe, but these large ISPs have a history of doing some really shady things with your data, ranging from hijacking (and replacing) your search results and inserting ads into your web pages to secretly sending your web history back to the ISP.  The big name ISPs (Cox, Comcast, Time Warner, AT&T, and Verizon) spent money lobbying and buying votes because they are most capable of turning your private information into their profits (and they probably want a return on that investment).

You are the Product

Of course, collecting and selling information about users is the way many Internet companies (Google, Facebook) become powerful cash machines.  As a general rule, if you use a free service that doesn’t sell its products, you are actually the product being sold to other companies.  The primary difference is these privacy-selling services are optional (you don’t have to use Facebook), and you are not paying for them.

An ISP is closer to the phone company as a utility – while you may have some choice in which ISP you use, frequently these choices are very limited and, if selling private customer information is a standard practice, your only alternate choice is not having Internet access.  If you found out that the phone company listened in on your conversations and sold transcripts to other companies, you’d likely be outraged.

Which brings up the question, what protections will you have against being highly targeted?  You filled out a request for health insurance online; can that insurance company acquire the data to make coverage liability decisions about you by requesting data for your IP address, if not for your name specifically?  Can I go to my local ISP and buy data because I want to understand what news my neighbors read, what dating sites they use, and what movies they watch?

Keeping Your Internet Usage Private

For the more technically inclined, there are several options available (e.g. a centralized VPN at the router, or Tor), but these are not really accessible for the average consumer, so I’m going to cover what I think are the two best options accessible to most people that don’t have a system administrator living in their household.

VPN

A VPN (virtual private network) establishes an encrypted connection between your computer and another server, and that server accesses the Internet and relays the data back to your computer.  A VPN prevents your ISP from seeing anything you access – they only see a single connection to the VPN server.  While the VPN does conceal your data from your ISP, you need to find a trusted VPN provider as they now have access to your data.  As an additional challenge, if you are interested in making all Internet access from your home private, a VPN is unlikely to work with all of your devices (e.g. Tablets, Roku, Apple TV, Alexa / Echo, and Amazon Fire TV).  Finally, some Internet sites (like Netflix) specifically block VPNs, adding additional frustration to this solution.

Choose an ISP That Values Your Privacy

All ISPs have the ability to take advantage of Congress voting away your online privacy rights.  The big names (Cox, Comcast, Time Warner, AT&T, and Verizon) have the most capability of leveraging your private data, but this doesn’t mean that smaller ISPs won’t also use your private data – it is quite likely that bigger companies will offer an easy revenue-generating solution that allows smaller ISPs to provide access to your data, bringing in some extra cash (tempting for small ISPs that are typically at a significant disadvantage over the big names).

However, smaller ISPs can be more committed to respecting customer desires, and may be more receptive to customer requests to maintain privacy.  For example, since the early 1990s I’ve worked with LMi.net, who has always been a great partner for my business and personal Internet needs.  I called the owner and he told me several customers called after Congress voted and he responded, “It’s easy. We never have sold user data, and we never will.”  While big ISPs send me weekly junk mail trying to lure me in on some great Internet package (usually including TV), I understand the value of my ISP consistently making decisions that consider the best interest of the customer.


Do you have other suggestions for keeping your Internet usage private? Think I’m a paranoid crackpot?  Please leave a comment!