Threatening dark clouds covering the skyIt all seemed so routine, so straightforward.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials? Continue Reading Bad news on law firm data security

Magnifier On Computer KeyboardSometimes one needs to zoom in to understand the big picture.  This year we’ll continue to explore Information Governance, but through the lens of a particular industry segment – law firms – and a particular focus – data security.

Why law firms?  Well, for a couple reasons.  First, a weak link for many companies is applying Information Governance to their service providers, and private practice law firms are key service providers to companies across all industries.  Second, many law firms have a ways to go in fully embracing Information Governance for themselves, and on their clients’ behalf.

And why law firm data security?  Law firms have highly valuable information, and they are especially vulnerable to security exploits and incidents.  Many firms are behind the curve in their security posture.  The resulting risks and exposures are significant, both to the firms themselves and to the clients they serve.  Also, law firms that take the steps needed for improved data security find themselves far down the road toward more effective Information Governance generally, which is a boon to the firms themselves and also to their clients.

So, here goes.  We’ll first look at the current realities of data security in law firms, touching upon both the bad news and the good news.  Next, we’ll focus on why security risk assessment is absolutely crucial for understanding the data security risks (threats, vulnerabilities, repercussions, and likelihoods) for law firms and their clients, and for prioritizing what must be done.  From there, we’ll take up essential components of law firm security, including security policies; data retention and disposal; technical, physical, and administrative controls; monitoring and testing; training and awareness; incident response preparedness; and cyber insurance.

Along the way we’ll explore key considerations for both on-premises IT configurations and cloud environments; the unrelenting rise in connectivity and remote work; and the explosion of new apps and tools, coupled with the increasingly consumerized expectations of law firm lawyers and staff.

Lots to cover, for the benefit of law firms themselves and also the clients they serve.  Stay tuned.

Security dial turned to highest settingHow time flies.  Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc.   Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com.  Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.

Lots has changed since then.  New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike.  We’ve all seen the scary statistics on increasing information volumes and the security risks that follow.  Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace.  Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.

During my years at CFI and since, I’ve found myself pondering “what if?” questions.  What if we only had to protect 20% of our information?  What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements?  What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible?  The promise of information governance is that we can answer these questions affirmatively.  This is good news, and more importantly, news you can use. Continue Reading Information governance – the foundation for information security

Fried egg on the sidewalk
“This is your information, ungoverned.”

2017 was rife with data dangers.  Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms.  Disruptive information-driven technologies continued to emerge, from block-chain to biometrics, IoT, AI, and robotics.  Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance?  So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond:  Continue Reading 12 reasons to govern your information in 2018

Charging ElephantOur firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions. Continue Reading Why govern your information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

Weird SportIt’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply. Continue Reading Why govern your information? Reason #3: “Your” information may belong to others … and you’re responsible to take care of it.

Zuzu's PetalsFacebook this week announced its new social media application targeted at children,  Messenger Kids.  Designed to be COPPA-compliant, the text, video chat and photo-sharing app combines parental controls with all of the quirky features that tweens and younger folks will simply love, thereby ensuring Facebook will enjoy a next generation of engaged customers … and also their data.

The new app drops smack into the ongoing cultural debate over the wisdom of young children being exposed to regular internet and social media use.  Detractors of the new Facebook app note concerns about data collection and use.  The Wait until 8th campaign advocates for no smart phone use until eighth grade.  Notably, both Bill Gates and Steve Jobs limited their children’s access to technology.  And studies regularly link social media use with increased rates of depression among youth.

The notion is that young people should be protected from unfettered exposure to social media and the Internet until they are old enough to use these tools with responsibility and moderation.  Fair point, but a flawed premise: when it comes to responsible and moderate use of technology, we adults still have a lot of work to do. Continue Reading Forget petals – Zuzu wants a smartphone for Christmas

Angry BossIt’s 4:20 p.m. on Friday.  You’re looking forward to meeting your friends soon for happy hour at the local bar.  Your boss is on vacation, and you’re caught up for the week.  All is well.  As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT.  The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account.  They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution.  They helpfully provide the correct bank routing information and demand the payment be made today.  Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change.   The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.

Of course, you—the reader—already know the ending of this story.  The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job.  Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses. Continue Reading It’s time to annoy your boss

Tom HanksTom Hanks excels at illuminating our nation’s history, from John Adams to Band of Brothers, Saving Private Ryan, Bridge of Spies, Apollo 13, and Charlie Wilson’s War.  Much of the impact springs from Hanks’ reverence for the primary source materials – the underlying records – that ground these compelling stories in the integrity of historical truth.  So it was no surprise last month when the National Archives Foundation honored Hanks with The Records of Achievement Award, an annual tribute to an individual “whose work has cultivated a broader national awareness of the history and identity of the United States through the use of original records.”

Fidelity to the facts, as documented in public records, is neither a quaint notion nor a mere gimmick to sell movie tickets or HBO subscriptions.  The integrity of our public institutions’ recordkeeping is an essential pillar of our democracy.  And it’s in peril. Continue Reading The importance of records in a post-truth America

Am I Drunk signWe’re addicted to information, but we can’t stand to think about it again once we’ve seen it, saved it, hoarded it.  Why?  We collect or create it in the moment, but have no thought or plan for its future.  Even when it was once and briefly useful, neglected information soon becomes the effluvium of our digital landfills.  And, like most landfills, the odor is disagreeable and no one wants to be near it.

Pinterest and the P:\ Drive

There is little doubt that social and cultural factors exacerbate and feed our addiction.  The immediate gratification of social media interactions, and the availability of “productivity” tools and data storage accelerate the accumulation of information.  “People hoard because they believe that an item [information] will be useful or valuable in the future. Or they feel it has sentimental value, is unique and irreplaceable . . . . They may also consider an item [information] a reminder that will jog their memory, thinking that without it they won’t remember an important person or event. Or because they can’t decide where something belongs, it’s better just to keep it.

How to Change

Addiction draws us into information overload, but our aversion to uncertainty keeps us from managing what we save or create.  Part of the challenge is that it’s just too hard to focus on something so big, yet so invisible.  We’ve all read the stats on how much information is created each year, but who understands how much 5 exabytes of information is anyway?   It’s beyond our tactile experience—like knowing how many gallons of water are in the ocean, or stars in the sky.

In thinking about change, Tali Sharot, associate professor of cognitive neuroscience at University College London, proposes, “Messages that tap into basic human desires — such as the need for agency, a craving for hope, a longing to feel part of a group — are more likely to have impact.”

In a previous post I talked about the consequences of allowing our private selves to bleed into our work selves.  The answer comes back to the summary of human desires, “what’s in it for me”?  So, using Dr. Sharot’s examples, I add here to the list of things we can do for ourselves, and ultimately for our organizations: Continue Reading Addiction and aversion … the yin and yang of information