“If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus, rather than a war.  Not missiles, but microbes.”  That’s from Bill Gates’ 2015 TED Talk, in the midst of the Western African Ebola outbreak.  Gates added “[W]e’re not ready for the next epidemic….  With Ebola, the problem was not that we had a system that didn’t work well enough.  The problem was that we didn’t have a system at all.”

Let’s fast-forward to a couple years ago, the 100th anniversary of the 1918 flu pandemic.  What should have been understood in 2018 as the risk, in the near-term, of an epidemic or pandemic with major impact in the United States?

Understanding risk is how we address uncertainty.  Whether you prefer the common definition of risk (the possibility of loss or injury) or the more technical concept under ISO 31000 or COSO’s ERM Integrated Framework (the effect of uncertainty on objectives), understanding risk requires us to evaluate the likelihood and severity of potential outcomes.  Understanding risk also requires us to evaluate our current readiness to mitigate or control the risk, in light of our risk tolerance.

So, in 2018, what did we know about the likelihood and potential severity in the United States of epidemics and pandemics, and what did we know about our readiness to respond?

It’s been a challenging 2020, as each of us adapts to our new pandemic reality.  In the United States as of today, Covid-19 has infected more than 2.4 million and taken the lives of over 124,000, with southern and western states surging ahead of the northeastern states as Covid hot-spots.  Meanwhile, in the wake of state and local stay-at-home orders, United States unemployment has exploded, businesses (particularly small businesses) remain under stress, and the economy is in recession.

There’s a growing realization that the U.S. response to this pandemic could have been more timely, more organized, and more effective.  So, in the spirit of finding the pony in these strange, troubling times, it’s worthwhile to explore what lessons we can learn from our pandemic response, and how these lessons can be applied to how our organizations manage information.  Doing so reminds us of four fundamental insights about Information Governance.  I’ll be posting on each of these in more detail, but for now, here are the key points:

  • Understanding risk matters.  It’s a fact that novel viruses can proliferate, and it’s a certainty that data proliferates.  At any given moment the risks may seem remote, but the risks are nevertheless there, and the repercussions of simply ignoring those risks can be devastating.
  • Planning matters.  It takes time to assess risks, develop a plan, and put in place the rules, tools, and resources to manage those risks.  Like procrastinating until a virus becomes a pandemic, waiting until there’s a data breach, or a large-litigation preservation duty, or a business continuity or enterprise data system failure, is at best hugely and unnecessarily expensive, and at worst it can be disastrous.
  • Testing the plan matters.  The 2018 Clade X pandemic tabletop exercise, hosted by Johns Hopkins Center for Health Security in Washington D.C., identified significant gaps in our pandemic preparedness, and the U.S. government’s 2019 Crimson Contagion simulation of an influenza epidemic revealed massive holes in our response capabilities. Organizations that test their information governance capabilities with audits, reviews, and table-top exercises will see how to improve their systems for retaining, securing, and compliantly disposing of information.  Data is not static, and dynamic risks require a dynamic governance response, so reviewing, exercising, and improving the program is essential.
  • Commitment matters.  Though hindsight is 20/20, it seems clear that the U.S. actually unwound and defunded many elements of our pandemic preparedness that were in place before 2020.  There were surely “competing priorities” in 2018 and 2019, but we are now paying a massive price for our lack of commitment to pandemic preparedness.  Similarly, there are always competing priorities for organizations, and it is tempting to lose focus on governing information, especially if all seems like smooth sailing in the moment.  But like pandemic preparedness, the point of managing information is to stay ahead of the curve, so that when data-related risks become today’s reality, the organization is prepared.

How we remember and apply these lessons can make the difference in the long-term success, if not the survival, of our organizations.  Because whether history repeats or merely rhymes, organizations that assess risk, plan, evaluate, and remain committed to Information Governance will do better than those that fail to do so.


Management support is crucial for successful Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change will require committed support by management to overcome initial push-back. And because effective Information Governance is an ongoing business process, rather than a one-off project, continuing tone at the top is essential.

Attention is always in short supply in organizations – executive focus even more so. Given that reality, your IG initiative will more likely secure the ongoing support it needs if the initiative (1) focuses first on a concrete, measurable project; (2) advances higher-level, strategic objectives for governing the organization’s information, and (3) aligns with the organization’s business model. These three elements will provide both the foundation for your initiative and the fuel for attaining it.  They are also invaluable in demonstrating how the initiative will be relevant to the organization’s success.

The Project(s) at Hand
In most organizations, abstract notions alone are simply not compelling enough to secure resources and drive change. So, what do you specifically and concretely want to accomplish now, in the short run?  What would be a meaningful improvement in governing information compliance, cost, risk, and value, but not such a time-consuming, against-the-odds effort that will squander momentum or risk early failure?  And what project will involve active participation of some or most of those you want to be involved in your ongoing initiative, to foster collaboration and ownership?

Common projects under Information Governance initiatives include one or more of the following: (a) reducing email volumes, (b) controlling unstructured data in file shares, (c) mitigating legacy troves of paper or digital records, (d) applying security controls to protected data and repositories, (e) controlling data compliance and risk with service providers, (f) preparing for data breach response scenarios, or (g) simplifying and improving legal hold processes.

Proper framing of a specific IG project clarifies who should be involved, when to start, what resources are needed, and what project success will look like.  Specific projects also tap into a sense of urgency, to get and keep things moving.

A quantified IG business case is best done in the context of specific projects, based on the particular project’s scope, expected outcomes, and the data targeted. What measures are pertinent in the business case will depend upon the project’s nature and purpose.  For example, let’s say your initial project will focus upon gaining control of excessive, uncontrolled email volumes.  For that project, one can quantify measurable hard cost savings (such as from reduced storage costs and allocated system support costs) and soft cost savings (such as from faster information retrieval, improved productivity, and business process efficiencies).  Remember to consider the costs of expected growth in email volumes over time, comparing the status quo approach to cost reductions to be achieved.

Risk mitigation can also be quantified, such as for an email volume reduction project.  The value of potential ediscovery costs and data security exposures can be estimated based on the data volumes within project scope.  For example, though there are many variables in calculating ediscovery costs, a rule of thumb of at least $1 per document is quite conservative.  With estimates of roughly 3000 documents per gigabyte (depending on document type/file extension), and considering that data volumes in IG project-targeted repositories may range from hundreds of gigabytes up to multiple terabytes, the estimated cost of processing unnecessarily retained data in ediscovery looms large indeed.  As for quantifying data breach costs, the 2019 IBM/Ponemon annual report Cost of a Data Breach indicates an average of $240 per compromised record for United States breaches, with significant variations per industry.

Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your IG initiative.  But to help secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives, discussed in Part 2.



Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your Information Governance initiative, as discussed in Part 1.  But to secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives for Information Governance at your organization.

Strategic IG Objectives

While a single successful project is fine, higher-level strategic objectives are needed to foster an ongoing information governance initiative.  The strategic objectives connect the dots of the benefits from individual projects, providing the 1 + 1 = 3.  Strategic IG objectives provide both a road map for next steps and also a narrative of impact worthy of ongoing executive support.

Strategic IG objectives usually focus on one or more of (1) reducing unnecessary data volumes, (2) retaining and using valuable, reliable data, (3) safeguarding protected and confidential data, and (4) preserving data as required for litigation. Each of these strategic objectives usually also align with some combination of (a) ensuring information compliance, (b) controlling information risk, and (c) maximizing information value.


Reduce Unnecessary Data Volumes

  • Compliance: Comply with regulatory and contractual requirements for disposing of information.
  • Risk: Dispose of information not required for legal compliance or business need and reduce creation of unnecessary information, to mitigate data security exposures and data volume litigation exposures.
  • Value: Realize operational cost-savings and increased productivity and efficiency by decreasing the amounts of unnecessary information.

Retain and Use Valuable, Reliable Data

  • Compliance: Comply with regulatory and contractual requirements for retaining and managing information.
  • Risk: Avoid loss of valuable information and protect information vital for continuing operations and enforcing legal rights.
  • Value: Maintain reliable information to support analysis for decision-making and ensure accessibility of reliable information for productivity and efficiency.

Safeguard Protected and Confidential Data

  • Compliance: Comply with regulatory and contractual requirements for privacy and security of protected information and for safeguarding confidential information.
  • Risk: Avoid unauthorized use or compromise of protected and confidential information and detect and respond effectively to breaches and other security incidents, to minimize reputation damage and legal exposures.
  • Value: Enhance reputation as trusted custodian of protected and confidential information.

Preserve Data for Litigation

  • Compliance: Comply with legal requirements for preserving and collecting data relevant to litigation or regulatory proceedings.
  • Risk: Reduce costs and inefficiencies in preservation and collection and reduce exposures for preservation failures.
  • Value: Achieve more efficient, timely, and accurate case assessment and valuation.

Unlike building a quantified business case for specific projects, the value of attaining strategic IG objectives is usually best expressed qualitatively, highlighting the significant general benefits of improving compliance, mitigating risk, and maximizing of information value.  But IG strategic objectives can easily be converted into SMART goals (Specific, Measurable, Achievable, Relevant, and Timely).  To do so, simply adopt the most compelling IG strategic objectives, which provide the strategic direction, and then graft onto them your SMART elements from the related, pending project(s).  For example:

“Reduce unnecessary data volumes [i.e., the strategic objective] by completing Phase 1 of Email Retention and Disposal Project by end of 3rd Q 2020, including implementation of (1) going forward storage and retention strategy for record-quality email, (2) new retention policy for non-record email, and (3) related updates to legal hold process [i.e., the initial project’s parameters, with incorporated project measures].”

Upon completion of the initial specific project, this same SMART goal can be updated with whatever is the next project to advance this strategic objective:

“Reduce unnecessary data volumes [i.e., the ongoing strategic objective] by completing Phase 2 of Email Retention and Disposal Project by end of 1st Q 2021, including processing of legacy email troves isolated in Phase 1 [i.e., the subsequent project’s parameters, with incorporated project measures].”

So now you have the clarity of one or more specific, concrete projects, each with outcomes, measures, and a business case, and also tied to strategic objectives for governing compliance, cost, risk, and value for your organization’s information.  Yet there’s still something missing – how is all of this relevant to what drives your organization?  To tap into relevance, you will want to align your IG initiative with your organization’s business model or brand, discussed in Part 3.

As noted in Part 1, attention is always in short supply in organizations, and especially so for executive management. Amidst the distractions and complexity of today’s businesses, executives often use a relevance filter – “is what I’m asked to support relevant to what drives our organization to success?  Will it help move us ahead, or get in our way?”

No matter the anticipated benefits of an IG initiative, if what is proposed does not align with the organization’s business model, it will be difficult to demonstrate its relevance, and the proposed initiative will likely never be fully considered by management, much less approved and supported over time.

Alignment With the Business Model/Brand

There is profound value to be realized by aligning information practices with the organization’s business model or brand. Such alignment reinforces the organization’s fundamental values, because information is managed in a way that fits the organization’s desired culture.  All of the subtle (or unsubtle) cues that consistently drive behavior to conform to the organization’s business model can be harnessed to elicit the right behaviors under your Information Governance initiative.  Alignment allows your IG initiative to swim with the current, instead of against it.

Alignment also helps bust through silos that impede Information Governance.  When the projects and strategic objectives of an IG initiative clearly advance the core values and business model of the organization as a whole, the initiative has a better chance of overcoming the parochial interests of silos within the organization.

Compelling examples are found in the Sedona Conference Commentary on Information Governance, highlighting such alignments of Information Governance with four prevalent, contrasting business models.

Low-Cost Provider
These businesses are laser-focused on operational efficiency and cost control, such as companies in high-volume, low-margin industries or market segments.  Low-cost providers should be motivated to avoid squandering money on information inefficiency and unnecessary retention.  They may adopt Information Governance practices to streamline information workflows and reduce unnecessary information storage and retention, thereby reducing costs and increasing business efficiency.

Innovative Excellence 
These organizations are driven by creative innovation and excellence in products and services.   Innovative excellence companies should want to optimize their information’s value in fueling such innovation.  They may adopt Information Governance practices to maximize the value of their information assets, helping them to capture valuable information for innovative repurpose while minimizing the distraction of unnecessary information.

These organizations, including publicly traded companies and those in highly regulated industries, espouse integrity and ethics as core values.  Such businesses should avoid failing to adopt measures that treat their information as a valuable asset and that detect and prevent compliance lapses. They may implement Information Governance practices as a crucial complement to their internal control systems and ethics and integrity programs, to ensure information-related legal compliance and enhanced risk management.

Trusted Provider/Adviser
These firms center themselves on the core value of being a trusted business provider or adviser to those they serve.  Trusted providers or advisers should want to avoid being seen as careless with the information entrusted to them.  They may adopt Information Governance practices to strengthen their safeguards for information that customers or clients entrust to them, and to enhance third-party perceptions of them as reliable, trusted custodians for such protected, proprietary, or confidential information.

So, by all means build the foundation for your Information Governance initiative by selecting the right initial project(s), with outcomes, measures, and a business case, and by tying them to your most compelling strategic objectives for governing information compliance, cost, risk, and value.  But don’t stop there – make sure that your initiative closely aligns with your organization’s business model.  In other words, make sure executive management can clearly see the initiative’s relevance to what drives your organization’s success.

Law firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.”  This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments.  IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.

But all this convenience comes at a price.  IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls.  An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.

Let’s look at some vulnerable IoT devices commonly found in today’s law firm:

IP-Connected Security Systems and Infrastructure.  Think of cameras, smart meters, and HVAC controls.  Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.

Smart Video Conference Systems.  This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet.  Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.

Printers & Phones.  Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised generally could allow a hacker to obtain administrative passwords and create a network bridge.  Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to create outbound calls.

Light Bulbs?  Yes, light bulbs!  According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks.  “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that ‘talk’ to each other to share the network connection across a large area.”  The more nodes, the more avenues for entry into a system without being on the network.

Yes, with a troubling threat environment and unique vulnerabilities, law firms indeed have data security challenges.  But there are strategic opportunities too.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for stronger client relationships, lower and better-controlled expenses, and higher revenue.

As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing:

  • increased competition from nontraditional providers and technology-driven service models;
  • the Internet-driven dissolving of historic barriers to remote service delivery;
  • the post-recession tightening in companies’ outside legal spend;
  • the ongoing shift of work from outside counsel to in-house legal staff;
  • the continued consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and
  • the resulting pressure on mid-sized firms to scale/merge up or to specialize/boutique down.

It’s a more competitive world than ever for attracting and retaining clients. There still will be winners and losers, but now the margin of difference is more slim.  That’s why strategic improvement in a law firm’s data security posture can make a big difference.

Here are three key examples of how better data security is a strategic win for law firms:

In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.

The complaint paints a picture of an alleged hacker living up to the handle “erratic.”  According to the complaint, on July 18 Ms. Thompson stated in a Twitter Direct Message “Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it … I wanna distribute those buckets i think first … There ssns…with full name and dob”.  Initial press reports indicate that Ms. Thompson, a 33-year-old Seattle resident, has held a variety of software engineering jobs, including a stint at Amazon Web Services in 2015 and 2016, and that, per her resume, she is currently the owner of Netcrave Communications, a “hosting company.”  Hmmmm.

Per the complaint, Capital One indicates that the compromised data was primarily related to credit card applications, with only some of the data tokenized or encrypted.  The complaint further alleges that, according to Capital One, data from tens of millions of applications may have been accessed, including approximately 120,000 Social Security numbers and 77,000 bank account numbers.

As of today, Capital One’s website states that the hack “affected approximately 100 million individuals in the United States and approximately 6 million in Canada. … Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. … The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One further states that the hack compromised information beyond credit card application data, including: “[c]ustomer status data, e.g., credit scores, credit limits, balances, payment history, contact information” and “[f]ragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”  According to Capital One, “[a]bout 140,000 Social Security numbers of our credit card customers” were compromised, along with “[a]bout 80,000 linked bank account numbers of our secured credit card customers.”  Capital One adds that “[f]or our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.”

These are early days for this breach investigation, and we’ll no doubt learn more as things unfold.  But a key question will be, what does this breach tell us about the security of cloud-hosted data?

Early reports indicate that Capital One’s cloud host is Amazon Web Services, but that large enterprises such as Capital One build their own web applications on top of Amazon’s cloud platform.  The complaint indicates that “a firewall configuration permitted commands to reach and be executed by [a] server, which enabled access to folders or buckets of data in Capital One’s [cloud] storage space ….”  And Capital One’s website indicates that, upon its discovery of the hack, Capital One “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”

This suggests that the security vulnerability was not the cloud provider’s, but rather was a vulnerability in configuration by the cloud customer entity.  And, as noted in KrebsOnSecurity’s post today, there may be other improperly secured Amazon cloud instances for other organizations.  Time will tell.  Certainly, cloud hosting by a reputable, security-conscious provider can bring with it many cyber security advantages, including patching hygiene and robust perimeter defenses.  But the devil is in the details, and configurations of user overlays are a potential risk hot spot.
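The takeaway above, that the customer-side configuration layered on a cloud platform is where exposure tends to creep in, is easiest to see with a concrete check. The following is an added example, not code from the complaint, Capital One or AWS: a simplified evaluator for the IAM-style policy a cloud customer attaches to a role, run over two constructed policies (a permissive one and a scoped one) and hypothetical bucket names. It ignores Condition, NotAction and NotResource, so it is a screening aid rather than a substitute for the provider’s own policy simulator.

```python
"""Audit the S3 permissions an IAM-style policy grants before someone else does.

Added example with constructed inputs: two policy documents (permissive vs.
scoped) and hypothetical bucket names are embedded inline, so nothing is
fetched from AWS. Evaluation follows simplified IAM semantics: Allow/Deny,
'*' and '?' wildcards, explicit Deny wins; no Condition, NotAction or
NotResource handling.
"""
import fnmatch
import json

# Constructed sample 1: a role policy granting every S3 action on every resource.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed sample 2: the same role limited to one bucket, with the bucket
# holding applicant data explicitly denied.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-static-assets",
                      "arn:aws:s3:::app-static-assets/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::customer-applications",
                      "arn:aws:s3:::customer-applications/*"]},
    ],
})

# Hypothetical bucket inventory for the account.
BUCKETS = ["app-static-assets", "customer-applications", "audit-logs"]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are '*' and '?'; escape '[' so fnmatch does not treat it as a set.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def action_allowed(policy_json, action, resource_arn):
    """Return True if the policy lets `action` run on `resource_arn`."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def readable_buckets(policy_json, buckets):
    """Buckets a principal holding this policy could both list and read from."""
    exposed = []
    for name in buckets:
        can_list = action_allowed(policy_json, "s3:ListBucket", f"arn:aws:s3:::{name}")
        can_read = action_allowed(policy_json, "s3:GetObject", f"arn:aws:s3:::{name}/*")
        if can_list and can_read:
            exposed.append(name)
    return exposed


def wildcard_findings(policy_json):
    """Flag Allow statements pairing a wildcard action with a wildcard resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        wild_action = any(a in ("*", "s3:*") for a in _as_list(stmt["Action"]))
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt["Resource"]))
        if wild_action and wild_resource:
            findings.append(f"statement {idx}: wildcard action on wildcard resource")
    return findings


if __name__ == "__main__":
    for label, doc in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}: readable={readable_buckets(doc, BUCKETS)} "
              f"findings={wildcard_findings(doc)}")
```

Run against the permissive policy, every bucket is readable and the wildcard finding fires; against the scoped policy only the static-assets bucket is readable and the applicant-data bucket is blocked even from a broader Allow, which is the shape a customer overlay should have.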

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  Law firms also have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of a law firm’s security posture:  computer acceptable use policy (41%); remote access policy (37%); personal technology use/BYOD policy (21%); incident response plan (25%); disaster recovery / business continuity plan (40%).
  • Only 53% of the firms have a formal policy or process to manage retention of data held by the firm, and as of 2017, only 40% have an official records retention schedule.
  • 31% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 46% of the firms have file encryption tools, only 38% have email encryption capabilities, and only 24% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards?  Here are ten factors to consider:

Just another day at the firm.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?

Business email compromise (BEC) is a growing threat for businesses generally.  Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.
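The wire-fraud scenario that opens this post turns on a message that looked like it came from the settlement administrator but did not. As an added example, not from the original post or any vendor product, here is a small screen for the classic BEC signals in such a message, run over three constructed emails with hypothetical domains: a lookalike sender domain, a Reply-To pointing somewhere else, and payment-instruction wording paired with urgency or a “new bank” cue.

```python
"""Screen an inbound payment-instruction email for business email compromise signals.

Added example with constructed inputs: the three messages and every domain
below are made up. The rules are generic BEC heuristics (lookalike sender
domain, Reply-To pointing elsewhere, wire wording plus urgency or a changed
bank) that decide when a phone call to a number already on file is mandatory.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical domain of the settlement administrator the firm really deals with.
KNOWN_COUNTERPARTIES = {"settlement-admin.example"}

WIRE_KEYWORDS = ("wire", "routing", "account number", "updated banking")
CHANGE_CUES = ("urgent", "new bank", "bank changed")

# Constructed messages: [0] genuine, [1] lookalike domain announcing a new bank,
# [2] genuine-looking From but a Reply-To that routes answers elsewhere.
SAMPLES = [
    """From: Dana Lee <dana.lee@settlement-admin.example>
Reply-To: dana.lee@settlement-admin.example
Subject: Settlement funds - confirming wire instructions
Content-Type: text/plain

Please send the $500,000 settlement payment per the instructions on file.
""",
    """From: Dana Lee <dana.lee@settlement-adrnin.example>
Reply-To: dana.lee@settlement-adrnin.example
Subject: URGENT: updated banking details for settlement wire
Content-Type: text/plain

Our bank changed. Use the new account number and routing number attached.
""",
    """From: Dana Lee <dana.lee@settlement-admin.example>
Reply-To: dana.lee@mail-relay-free.example
Subject: Re: settlement wire
Content-Type: text/plain

Reply here with confirmation before you send the wire.
""",
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains ('adrnin' vs 'admin')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw):
    """Return the BEC flags raised by one RFC 5322 message, in a fixed order."""
    msg = Parser(policy=policy.default).parsestr(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    flags = []
    if from_dom not in KNOWN_COUNTERPARTIES:
        near = [d for d in KNOWN_COUNTERPARTIES if 0 < _edit_distance(from_dom, d) <= 2]
        flags.append("lookalike-sender-domain" if near else "unknown-sender-domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    text = (msg.get("Subject", "") + " " + msg.get_content()).lower()
    if any(k in text for k in WIRE_KEYWORDS):
        flags.append("payment-instruction-content")
        if any(c in text for c in CHANGE_CUES):
            flags.append("urgency-or-changed-bank")
    return flags


def risk_level(raw):
    """'high': payment content plus an anomaly; 'verify': payment content alone
    (still confirm by phone on a number already on file); 'low': no payment content."""
    flags = set(screen_message(raw))
    if "payment-instruction-content" not in flags:
        return "low"
    anomalies = {"lookalike-sender-domain", "unknown-sender-domain",
                 "reply-to-domain-mismatch", "urgency-or-changed-bank"}
    return "high" if flags & anomalies else "verify"


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(i, risk_level(raw), screen_message(raw))
```

Note that even the genuine message comes back as "verify": the control the post describes, an independent phone call before funds move, applies to every wire instruction, and the flags only decide how loudly to escalate.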

But BEC is only one of many potent threats to law firm data security.  Here are some high-profile examples from the news: