Depiction of the outages caused by Friday’s attacks on Dyn, an Internet infrastructure company. Source: krebsonsecurity.com.

On Friday, a series of massive distributed denial of service (DDoS) attacks caused internet outages across much of the US, and also in parts of Europe.  The epicenter was Dyn, an Internet performance management company that provides Internet services to some of the web’s most-visited sites.  In three separate attack waves on Friday, tens of millions of IP addresses pelted Dyn with junk packets, resulting in Internet access outages at such popular destinations as Amazon, Netflix, Reddit, Spotify, and Twitter.

The culprit?  My DVR box.  Or maybe yours.

Continue reading: My DVR shut down the Internet

At least, that is, unless overheard, written, or recorded. Just ask anyone following the presidential campaigns.  Absent concrete evidence, spoken words evaporate and any discussion of them quickly devolves into the type of “he said, she said” game usually seen in low-budget television courtroom dramas and on playgrounds.  A few weeks ago, my colleague Peter Sloan posted All we really need to know about Information Governance we learned in kindergarten.  Let’s ponder an additional learning point from Mr. Fulghum:

When you go out into the world, watch for traffic.

Continue reading: Sticks and stones may break my bones, but words will never hurt me….

Being a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or the InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.

Continue reading: Why govern your information? Reason #10: It’s a when, not if, world for data breaches

Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.”  Records retention reminds us that important is not the same thing as exciting.  I get it – records retention schedules are boring.  But the fact remains that literally thousands of records retention requirements apply to your organization’s information.  I know, because my firm finds and tracks these laws as part of our many years of retention schedule work for clients across industries.  And your regulators expect you to know them too.

Continue reading: Why govern your information? Reason #11: Thousands of federal and state records retention laws apply to your company

In my last post I talked about how organizations can get employees to follow security advice. Today’s riff is on “making it personal.” Make security self-serving.  In other words, answer the question, “What’s in it for me?”  Corporate security is inextricably linked to personal privacy – here’s why.

Continue reading: Corporate security – “What’s in it for me?”

“If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

– U.S. District Court Magistrate Judge John Facciola (now retired, and missed)

We all know that ediscovery is expensive, and various research reports have so confirmed. The 2012 Rand study, Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery, found that median costs for collection, processing, and review are $17,507 per gigabyte (roughly 3,500 documents or 10,000 e-mails).  The math is not pretty – a case involving 482 GBs of source data could exceed $8 million in ediscovery costs.

And on top of that are preservation costs. The 2014 Preservation Costs Survey demonstrated that large companies incur significant fixed costs for preservation (for in-house ediscovery personnel and also for procurement and maintenance of legal hold management and data preservation technology systems), averaging $2.5 million annually.  More significant is the cost of employee time lost in complying with legal holds.  While companies with up to 10,000 employees incur the average time cost of over $428,000 per year, costs for the largest companies exceed $38 million per year.

There is indeed great complexity in how to cost-effectively process huge amounts of data through the ediscovery funnel. Tighter management of ediscovery processes is important, and TAR continues to be a promising alternative to traditional review, with significant cost-savings potential.

But as we ponder how to cut costs, let’s not forget to use Occam’s razor:

Continue reading: Why govern your information? Reason #12: Unnecessary business data causes unnecessary litigation costs

This week, with echoes of vintage John Mellencamp in the air, the U.S. Court of Appeals for the Sixth Circuit took a gavel to the wall that for years has blocked consumer class actions for data breach claims – Article III standing.  In Monday’s unpublished, 2-1 decision in consolidated cases against Nationwide Mutual Insurance Company, the court ruled that plaintiff consumers had standing to pursue negligence claims against Nationwide arising out of a 2012 security breach, in which hackers stole personal information of 1.1 million customers.

The Sixth Circuit is now aligned with the Seventh Circuit, which just last year in its Neiman Marcus decision similarly lowered the bar for Article III standing in consumer data breach litigation.

Continue reading: Consumer data breach litigation standing – the walls are crumblin’ down

It’s certainly been a wild, heated presidential race.  Information governance has remained at center stage, ever since President Obama’s successful 2008 rallying cry, “Data We Can Believe In.”  And the 2016 candidates have followed suit, with Bernie Sanders’ “What We Need is an Information Revolution,” Hillary Clinton’s “Information for America,” and Jeb Bush’s succinct slogan: “Data!”

But no candidate has tapped into the electorate’s visceral hopes and fears for information governance with more gusto than Donald Trump.  As election day nears, it’s time to take a closer look at Mr. Trump’s positions on managing information compliance, cost, risk, and value.

I’m calling for a total and complete shutdown of data entering our computer systems, until our IT representatives can figure out what the hell is going on.

Continue reading: The politics of information governance

By now, you’ve surely heard about the hack of the Democratic National Committee that gathered thousands of email messages, the contents of which were exposed by WikiLeaks and ultimately caused Chairwoman Debbie Wasserman Schultz to resign. But did you also know that only last fall, the DNC commissioned a two-month security risk assessment that yielded dozens of recommendations to improve the security of its network? The real story is what happened next.

Continue reading: Why people ignore security advice, and what to do about it

Sometimes we make things way too complicated – especially our relationship with business data. Allow me to “kidnap” Robert Fulghum’s classic poem – wisdom in effectively governing information compliance, cost, risk, and value is not found exclusively at the top of the data science mountain, but there in the sandpile at kindergarten.  Here are the things we learned there:

Continue reading: All we really need to know about Information Governance we learned in kindergarten