clouds and lightningIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes).  How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, through cloud providers.  We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge data troves on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promply restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: Continue Reading Why govern your information? Reason #4: Your information is in others’ custody … but you’re still responsible for it.

Hurricane between Florida and CubaHurricane season is in full swing.  As I write this, Tropical Storm Emily is drenching Florida, and the governor has declared a state of emergency.  Having lived in Florida myself, I know that most coastal residents do take hurricanes seriously.  There are always those, however, who either don’t grasp the possibility that if a hurricane hits they can suffer real damage, or simply play the odds that it won’t happen to them.  Hurricane readiness for them is a bottle of Cuervo Reserva and some DVDs for entertainment in case the power goes out.  And so, too, it goes with data breaches.

Breach readiness today ranges from total denial, through half-hearted attempts at maintaining current backups, to—for a minority—sophisticated IT security teams and technology ready to detect, respond, and recover.  Even the technologically prepared, though, have likely not planned beyond containment and recovery.  Consider our hurricane scenario.  Minimal readiness includes necessities for riding out the storm: an evacuation plan, water, food, flashlights, medical supplies, and so on.  Those things should get you through the first 48 hours, much like the immediate IT response to a data breach.  But what next?

Continue Reading It’s readiness season

Weapons of Math DestructionThe hand-wringing continues about robots, and for whose jobs they’re coming next. But the “robots” needn’t be tangible to transform our lives. Actually, they’re already here, in the form of big data algorithms – predictive mathematical models fueled by astounding computing power and endless supplies of data.

This doesn’t have to be ominous.  Well-designed models, properly applied, are a beautiful thing.  But some models are toxic, and such bad modeling has become ubiquitous, with far-reaching impacts on where we go to school; how we get a job and how we’re evaluated; how we get and maintain financial credit and insurance; what information we access online; how we participate in elections and civic life; and how we are treated by law enforcement and the judicial system.  That’s why Cathy O’Neil’s book Weapons of Math Destruction is such an important book for our time.  Continue Reading Big data gone bad: Weapons of Math Destruction

Mobile portable public toilet WiFi provider Purple recently added a “Community Service Clause” to its usual terms and conditions for wireless service:

The user may be required, at Purple’s discretion, to carry out 1,000 hours of community service. This may include the following:

  • Cleansing local parks of animal waste
  • Providing hugs to stray cats and dogs
  • Manually relieving sewer blockages
  • Cleaning portable lavatories at local festivals and events
  • Painting snail shells to brighten up their existence
  • Scraping chewing gum off the streets

More than 22,000 people accepted these terms during Purple’s two-week-long T&C gambit, with only one attentive person claiming the prize Purple offered to anyone who noticed this silliness. Purple conducted this experiment “to highlight the lack of consumer awareness when signing up to use free WiFi.” Winners include snails, local parks, sewer lines, and stray dogs and cats, now the potential beneficiaries of up to 22 million community service hours.  The clear loser? Those. Who. Don’t. Read. Notices.    Continue Reading Reading privacy policies to avoid surrendering your firstborn child

“GarGarbage Dumpbage in, garbage out” – we know that already, right?  Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.

Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management.  It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry.  Deming exhorted American management to adopt product and service quality as the driving force in all business practices.

What’s that got to do with Information Governance?  It’s this – regardless of industry, in today’s world you’re actually in the information business.  So, business quality increasingly means information quality.   Continue Reading Why govern your information? Reason #5: Bad information results in bad decisions.

Business woman screaming at laptopMany years ago, before common sense kicked in, I thought it would be a good idea to rent a storage space for all the extra furniture and other stuff I could not fit in my new house.  Knowing it would only be temporary, I stashed everything from upholstered and leather furniture, to boxes of books.  Fast forward twelve months.  The rental agreement was expiring, and I realized that I would never need nor have room for all that I’d stored, so I decided to have a sale to dispose of it.  When I went to the storage space I was horrified to see that everything was covered in a thin film of mold.  (This was years before climate-controlled storage was widely available.)  I had no choice but to trash it all, which both cost me money and prevented me from converting my goods to profit.

I was reminded of this long-ago event when I heard about the latest ransomware attack.  We’ve been reminded countless times of the importance of backup, and ransomware is only the most recent reason.  If you have ever had a hard drive fail, you know the pain that comes with irretrievable data.

So what happens when your backup media fails.? Or your archival media?  Don’t CDs last forever? Continue Reading Backup failure in the age of ransomware

Dr. Lawrence WeedAmerican architect Louis Sullivan, who coined the iconic phrase “form ever follows function,” was flat wrong – at least when it comes to the relationship of what we do and how we capture it with data.  The reality is instead that the medium shapes the message, and that record-keeping alters the processes it records.  Need a current example?  One only has to consider how the President’s staccato bursts of tweets now drive public attention, media focus, and policy debates, both domestically and abroad.

But a more profound example is the life’s work of Dr. Lawrence Weed, who passed away last week at age 93.   Continue Reading With business processes and records, we have it backwards – function follows form

checklistIt’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:

  • Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
  • Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed”comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
  • HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazardsto ePHI security or integrity.
  • The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair and deceptive acts in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.

Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant.  So, why do these laws stop short of telling us specifically what to do?

Continue Reading Why don’t data security laws simply tell us what we need to do?

disk cleanupIn a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information).  Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives.  Here’s where Audit comes in.

Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach.  Needless to say, such events draw the attention of the C-suite and boards of directors.  That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information.  Audits, whether external or internal, can serve the same function.

Continue Reading InfoSec Audit’s role in cleaning up ROT

Lawyer holding a target on his faceWhile preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016.  Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.

Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.

Continue Reading In-house Counsel in the Cybersecurity Crosshairs