Episode 31: David Marlin on Royalty Management and Company Security

In this final episode of 2022, we are joined by David Marlin, President of MetaComet Systems. David has been working in the publishing industry for the last 24 years, and is an expert in royalty automation. We discuss his background and how he got into publishing, the recent move to paying author royalties through electronic payment services, and more.

David shared how MetaComet has recently become SOC 2 Type 2 certified, and we discussed the process they had to go through to get that level of security certification. We also talked about how some publishers are moving toward outsourcing their royalty management and how MetaComet is responding to that change.

Transcript

Joshua Tallent 

In this episode of the BookSmarts Podcast, I’m talking with David Marlin, who is the President of MetaComet, a company that specializes in royalty automation. David’s been involved in publishing for about 24 years, and he and I have known each other for a very long time. David, thanks for coming on the podcast.

David Marlin 

Yeah. My pleasure, Joshua, looking forward to being here.

Joshua Tallent 

Yeah. So let’s actually talk about your history. How did you get involved in royalty management specifically, and kind of what was that path in the publishing world?

David Marlin 

Oh, wow. Yeah, it was an interesting path. So, I was doing marketing at American Express in downtown Manhattan. And—wasn’t, you know, wasn’t quite the right fit for me. So, I had an opportunity to do some independent consulting, I had been a programmer in my previous life. So, I was able to build up this stable of clients in the publishing industry, just doing like custom programming, type work, fixing other software that they had, or creating some little software tools that they might have needed. And one of my clients, Richard Curtis, from E-Reads, back in 1999… So, I started this back in early 98, maybe at about 98. And in 99, Richard Curtis, one of my clients approached me and said, can you put together a spreadsheet to help me do royalties? Because he was, as some of you may know, he was one of the very early pioneers in the ebook world. He had this amazing insight, he was a literary agent, and he had this amazing insight to go grab the digital rights for his hundreds of clients all their works, some really classic works. And—he had to start dealing with royalties, so he approached me and I studied the problem was like, this is way beyond what you can do in a spreadsheet. So he commissioned me to develop the first version of royalty tracker, and that’s how it started. And then, he and I actually co-founded MetaComet systems together with the goal of reselling this to other ebook publishers. We were going to focus on ebook publishers, we were both convinced that ebooks were going to explode. And of course, ebooks did nothing of the sort for the next six or seven years until Amazon came out with the Kindle. It was 2007, that’s when it really started to take off. So we quickly realized that we had to start attracting traditional publishers, as well as ebook publishers. And so that’s how I got started.

Joshua Tallent 

So how did you make the connections into publishing in the first place? You were working at American Express? It’s not a publishing industry kind of thing. But did you have friends in the industry? Or was it just a random connection?

David Marlin 

Yeah, so—is actually my now brother-in-law was the one who introduced me to this. He—had created this, two tools that were widely used in the publishing industry. One was a publicity tool called Publicity Assistant, and the other was a literary agent tool—and he was, you know, each instance of this tool installed at each client, was a little unique, and customized. And so he had more work than he can handle. So, you know, when I told him I was thinking of leaving American Express, he’s like, well, you’re a programmer, why don’t you just see if you can—you know, why don’t I just start giving you these clients, because I can’t handle them all. And I that’s how I get into it. He wasn’t my brother-in-law at that point, but he’s now.

Joshua Tallent 

Haha, he made it into the family! Ok, so you’ve been around for a long time, obviously. And Royalty Tracker is, in my opinion, the leader in how royalties are tracked and managed by publishers. So, tell me a little bit about what you see, since you’ve been doing this for a long time, and you’re on the BISG Rights Committee, or co-founded that committee at the BISG, right. And so, you’ve seen a lot of trends, you’ve seen a lot of things that have changed over the years, you talked about ebooks and the changes that happened there in the mid-2000s. What are you seeing as trends right now, where do you think royalty tracking is headed in the next couple of years, or in the in the near future?

David Marlin 

It’s a really interesting question. There’s a few trends that we’ve been noticing that I think will continue. One of the biggest ones, is the movement to electronic payments, and electronic payment platforms. Interestingly, the payment piece of royalties can be pretty complex, and it has a lot of security issues. Because if you’re going to pay an author electronically, you’ve got to get their banking information, and that’s very sensitive information. And you should not be transmitting that via email, which is how most people do it. But email is not secure. So—we’re seeing publishers start to move towards these payment platforms. We partner with a company called Tipalti, for instance, for payment automation—and it’s a really neat platform, so rather than managing the payments internally, we’re seeing them being managed by these third-party payment providers. We’re also seeing that, you know, because royalties really sit in the finance realm of publishers. We’re seeing some other interesting, related services pop up for taxes, for instance, like, all these major providers, like ERP systems have pretty much gotten out of the 1099 and other tax form game. So, there’s a lot of providers popping up to do that. But mainly, it’s the outsourcing of the payment, or using these payment automation platforms. Another trend that we’re seeing, and this is, you know, I think, a little more limited, but we are starting to see this increase amongst smaller independent publishers, is more sharing of the risk with the authors. So, you hear the word Hybrid publishing, and that’s a very broad—category, but I think generally, it falls into this idea where the publisher, and the authors are taking on more of a shared risk. And there’s really a whole continuum of “hybrid publishing,” where you’ve got on the one extreme, you’ve got the author paying for everything. And then on the other extreme, you have the publisher paying for most things, but deducting some of their costs before they calculate royalties and paying a higher royalty percentage. So basically, deducting some marketing costs, and distribution costs, maybe some production costs, some editorial costs, and then paying a royalty after that. We’re paying a higher percentage of royalty. So, by sharing the risk, they’re paying the authors a higher royalty. And then, sort of on the other extreme, you’ve got the ones where the authors are paying, and that’s been around for a while. And there can, sometimes, be a little bit of controversy around there, although all of our hybrid publishers that we work with—you know, we’ve only heard positive things about them, but we are seeing more of this shared in different ways this shared risk taking. Because publishing a book is a risky endeavor, you’re investing a lot in it, and you don’t know for sure how it’s going to pan out. So that’s another trend that we’re seeing. And I think, a third trend that we’re seeing, I think, it was back in 2016, or 2017 we launched AuthorPortal.com. which was an online portal for authors. And—we always had some uptake on that, but it seems like a much higher percentage of publishers now want to provide online royalty statements to their authors. So, we’re seeing that trend as well.

Joshua Tallent 

So on the payment side of things you were talking about, you know, paying directly, I guess the benefit to a publisher in that situation is obviously they don’t have to mess with all of that accounting side of things, they can let the payment system handle the payments to the authors, and they can stay out of the security issues that might be involved in that as well—and then get reports, pull them into their ERP and be able to report on them more effectively. Let’s talk a little bit on that front about the potential for security problems, because I’m assuming that as a royalty software vendor, you actually have to deal with that security as well. How do you handle security at MetaComet? What are the security implications of the work that you’re doing as well?

David Marlin 

That’s a really interesting question, Joshua. In January of 2022, this year. I’ve always been nervous about security. And you know, we’ve been trying to understand and follow the best practices, but we just felt like we didn’t really have a good grasp on what those best practices were. So, we made the decision in January, just so we didn’t have to worry about this as much. I think, you can’t never stop worrying about security. But we wanted to at least know that we were following a broadly accepted set of best practices when it came to security. So, we made the decision to become certified secure. And in the US, in North America, there’s a standard certification, is called SOC 2 Type 2. There’s also SOC 2 Type 1, but that’s not really security, it’s just kind of stating your intention to become secure. SOC 2 Type 2 is, you have an outside auditor come in, and make sure you’re following all these best practices. In SOC 2 Type 1, you basically say these are the practices we’re going to follow. And I think, there’s like 19 standard areas of best practices that you’re supposed to have set up. And then SOC 2 Type 2, you actually have an auditor to come in and verify that you’re following all those, and that’s where the real work—is. What I discovered with that, is that security is such a deep and broad issue, I had no idea all the aspects of the business that had to be taken into account to be secure—certified-secure. It’s some of the obvious stuff, like, obviously, you want your software secure. So, as part of this, we had to hire a penetration testing company, and they did two rounds of penetration testing on our software. The first one, they found a few vulnerabilities, we patched all those, which I was so nervous when they do that first penetration test. So, we patched all those up, and then they did another penetration test to try again, and we successfully passed all those up. But that’s just one aspect of getting your software secure. So, if you’re using components in your software, you’re going to make sure you’re using all the latest components, that all those components are secure as well, that you’re hosting in a secure environment. So, there’s a lot of aspects to the technical part of a company software being secure—and that’s certainly a vulnerability, I think the bigger vulnerability is our human issues, like phishing, and you know, phishing emails, really, that’s how a lot of these ransomware attacks are successful. I almost got tricked by one a few weeks ago, they’re getting so good—and really, the only way around that is, you know, there are some tools that can help, you know, identify some phishing—expeditions, if you will. But really, you’ve got to just train your employees, and so that’s another part of becoming security compliance. So, every single person that works for MetaComet has to go through formal security training, and everybody has to go through it at least once a year, that’s the baseline, we’re going to try and do it a couple times a year. But the baseline is you’ve got to go through security training at least once a year, so that’s another aspect of it. And then just things like making sure your—work environment is physically secure. So, we had to add sign in sheet, you know, we’re, you know, a relatively small company. When you walk into MetaComet offices, you have to sign in, if you don’t work here, we have to make sure our laptops or computers are encrypted, and that they’re set to go to sleep with password protection after 10 minutes of idleness. So, if you’re sitting in a cafe, and you go to the bathroom or something, you know—your computer’s locked when you come back. Password sharing, that’s just a huge problem, and so we all had to implement a password protection tool. So, everyone now stores all their passwords, using this tool, if you need to share a password, which is sometimes unavoidable, there’s no secure ways using this tool that we can share a password with each other. And it just goes from my version of the tool to your version of the tool, so that when you log into that website, I never have to see the password and don’t have to know what it is just goes into my version of the tool. There’s just so many of these little things that you have to take into account that are real potential vulnerabilities, and they kept coming back to us, you know, we think we’d be done and all you got to do this, but then you think about it like yeah, I guess. I guess that makes sense, we should be doing that. So, it was a major endeavor for us. But as of two weeks ago, we are officially certified SOC 2 Type 2 compliant, we finished our audit our auditors passed us. I mean, it’s really great, you know, If you get a good auditing firm, they’re really great because they kind of tell you along the way where you’re gonna fail, and so you can start addressing those gaps. And the funny thing is, I feel so much better about it, but I’m still nervous about it because now it’s so much more aware of what vulnerabilities there are. And I think it’s good, I think everybody should be a little nervous about security—but that was a really big thing for us. And part of it is you know, talking about the payment piece is making sure that you’re using secure forms of communication to share sensitive data, and then you’re also using secure storage techniques for that sensitive data. So, if you’re going to store, when it comes to payments, if you’re going to store banking information for an author, you need to have a whole another level of security certification, it’s different than SOC 2 Type 2, it’s a whole different thing. And that’s not something that most companies should have to do and want to have to do. And by outsourcing the payment piece to one of these third-party platforms, they deal with all that security for you. You never need to know what your author’s banking bank account and routing number is to pay them, and—you don’t have to be sharing that via email. I cringe now when I see publishers asking their authors to email them their banking information. So—that’s just a—you know, a burden that you don’t have to deal with if you outsource the payment piece.

Joshua Tallent 

Yeah, security is actually a really important issue for publishers because this is something that most publishers aren’t aware of, and, sometimes, don’t even have to mess with—themselves, or don’t think they have to think about. I did a couple of episodes last year, episode 16 and episode 17. Episode 16 was with Nick Espinosa, who’s a security researcher and expert, and we talked about how publishers could handle some of these issues and what they need to be aware of, what are the big issues to think about. And then, Fran Toolan, our CEO, talked on Episode 17 about Firebrand’s approach to security and some other things that kind of opened up the door a little bit and said, hey, these are some things that we’ve done, and had issues with security on the Firebrand side. Obviously, we’ve been working, like you guys have, on locking all of it down and becoming much more secure.  And you mentioned, the phishing expeditions, you know, they’re getting pretty sophisticated. I got a text message on my phone, my personal number, which isn’t connected to work at all, that was ostensibly from Fran saying, “Hey, I’d like you to, you know, text me so we can talk about something, I’m busy in meetings all day.” I’m like, I know Fran is not in meetings all day, I just chatted with him on Slack. But also, I knew it wasn’t his number, because I have his number in my phone. It’s interesting how sophisticated they are, and they’re getting to a point where if you’re not careful, and you don’t know, it can become a real problem for anyone. And that’s for publishers as much as it is for software companies because it’s not about the—type of company, it’s really just about the type of data that they’re trying to collect and gain. I’m glad to hear that you guys have completed that SOC 2 compliance. That’s really awesome.

David Marlin 

And to your point, I don’t necessarily recommend get becoming SOC 2 Type 2 certified for most smaller businesses. We did it because we deal with really sensitive data, and we have so many customers data that we just felt like—we should do it. Because, you know, we have all of their authors information, we have all their sales data, all the payment information for a lot of these authors. So—we were nervous about having that information. But you know, one of the things that you can do to just solve a lot of these problems is moving everything to the cloud, because most of these cloud providers, provide really strong security and kind of takes a lot of the burden off of you, you know, like AWS (Amazon Web Services) and Dropbox and other platforms like that. Dropbox supposedly has some level of like, ransomware protection, so we use Dropbox. So theoretically, if everything gets encrypted, Dropbox can go to an earlier version of all those files, and we’ll be okay. You know, I don’t want to ever have to check that out and see if it really works. But yeah, moving most of your stuff into the cloud is one of the easiest ways to achieve a level of security quickly.

Joshua Tallent 

So, we’ve got just a couple of minutes here, I did want to chat about just one more thing, and that is, as far as other trends that you’re seeing on the royalty management side, when we were chatting before, and you mentioned, outsourcing royalty management is another thing you’re seeing publishers start to do. Taking all of that effort of having to collect the royalty information from all the different partners put it all together, you know, make sure it’s all vetted properly sending out the royalty payments, or the royalty reports and things to the author. So, are you seeing an uptick in that kind of interest among publishers?

David Marlin 

Yeah, so that’s a really good question, Joshua. So, we, for the last few years, we’ve done royalties for about four-five publishers, just because they asked us to, and, and we kind of needed to do it if we wanted to work with them. So, we decided to do it. But it wasn’t something we really wanted to get into. And then just within the last couple months, we made a decision that we were going to start offering this service, and the interest level in it has been amazing. We were at Frankfurt, just a couple of weeks ago, and we closed the deal there just because, you know, the company came to us pretty good-sized company—and they’re just like, listen, you know, we don’t have the resources to do this. I don’t know how we’re gonna get this done. And I saw, what if we just do it for you? And they’re like, yep, that’s gonna work. And like a day later, they signed, it was crazy. Because we have this software that automates it substantially. Most of our customers experience, they tell us about a 90% reduction of effort—but we are so freaking good at it because everybody here just deals with our customers, they know how royalties are done, we can do it so fast and quickly. We know exactly what publishers want to see in terms of reporting—so we just decided we are going to start doing it. And so we’re really excited about that, to just take that whole problem off of the publishers plate.

Joshua Tallent 

Yeah, that’s great. Well, it’s interesting. I mean, there’s a lot of things that are changing in publishing, but one thing is always true and that is that, you know, there’s money that’s got to change hands, and somebody has to pay the author so that they get the benefit from the book, and that’s great.  So, we’re gonna finish up here, just—anything that you want to say, in closing, and also where can people follow what you’re doing online, what MetaComet is up to, how can they learn more about you?

David Marlin 

Yeah, thanks, Joshua. So, our website’s the best source of information metacomet.com. You can also follow us on LinkedIn, we post once or twice a week on LinkedIn and Facebook. I don’t personally use Facebook, but we’re on there as well. You can also sign up for our newsletter, so if you want to just stay up to date, you can just go to our website and sign up for our newsletter. Yeah, so that’s it. So thanks so much for having me, Joshua. This was a lot of fun.

Joshua Tallent 

Yeah. Thanks for coming on, I appreciate it. That’s it for this episode of the BookSmarts Podcast, if you like what you’ve heard, please leave a review or rating on Apple podcasts, or Spotify, or wherever you listen to the podcast. And also, please share this podcast with your colleagues. If you have topics, suggestions, or feedback about the show, you can email me at joshua@firebrandtech.com. Thanks for joining me and getting smarter about your books.