In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:
This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
As mentioned earlier, The FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA. It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). The FTC’s targeted businesses for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure. But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).
In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5. Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.
But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure. In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.” Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice. And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary.
Continue Reading Less data is more than ever: The FTC and the reasonable data security program
This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data. Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.
First, some brief context. The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem. The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements. The NCUA adopted similarly specific safeguards for credit unions. 12 C.F.R. Part 748, App. A. In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use. And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.
The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes. The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.
But this is beginning to change. And as seen elsewhere in this series, states are leading the way:
Continue Reading Less data is more than ever: state-level data security laws for the financial services sector
This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains. Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business. Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed. And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when. But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.
State-level Secure Disposal Laws
A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded. Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information. For examples, Nevada as of 2006 requires secure destruction or records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of. Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).
But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need:
Continue Reading Less data is more than ever: state PII data security and disposal laws
Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments). Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.
Managing data volumes has always been prudent. Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures. Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola: “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”
But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal. With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data. And U.S. privacy and data security laws have generally been silent on retention periods for protected information. For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.
Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws. I’ll dig deeper into these developments in upcoming posts, but here are the high points:
Continue Reading For U.S. businesses, less data is more than ever
Law firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.” This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments. IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.
But all this convenience comes at a price. IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls. An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.
Let’s look at some vulnerable IoT devices commonly found in today’s law firm:
IP-Connected Security Systems and Infrastructure. Think of cameras, smart meters, and HVAC controls. Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.
Smart Video Conference Systems. This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet. Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.
Printers & Phones. Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised generally could allow a hacker to obtain administrative passwords and create a network bridge. Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to create outbound calls.
Light Bulbs? Yes, light bulbs! According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks. “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that “talk” to each other to share the network connection across a large area.” The more nodes, the more avenues for entry into a system without being on the network.
Continue Reading Law Firm IoT: Internet of Things or Instruments of Trouble?
In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.
The complaint paints a picture of an alleged hacker living up to the handle “erratic.” According to the complaint,
Having too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses. Keeping data without a legal or business reason also exacerbates data security exposures. To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.
Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire. PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….” HIPAA regulations mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible. Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed. And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.
Instead, most such laws and standards focus on securely sanitizing or destroying storage media. For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”
But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls. And one of the most powerful security controls is to not keep too much data, for too long.
Continue Reading Why govern our information? Reason #9: Unnecessary business data multiplies data security exposures
Being a CISO is a tough gig. The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small. But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response. For some CISOs, it may feel like High Noon, all over again.
This is unfair to the CISO, and wrong on at least two counts. First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control. Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.
Continue Reading Why govern our information? Reason #10: It’s a when, not if, world for data breaches
Most people have elevated stress during the holiday season — work, travel, family, money, time. And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use. This is when mistakes happen. It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed. It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.
According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents. These incidents occur because of the actions of employees, suppliers, customers, and previous employees. Law firms are not exempt, particularly small to medium size firms. In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.
End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations. Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.
What is at risk?
Continue Reading Law firm insider threats don’t take a break for the holidays — they may get worse.